<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Thanks again, Dolph.<div><br></div><div>First, is there some good documentation on how to write a custom driver? I'm wondering specifically about how a "keystone user-list" is mapped to a specific function in identity/backend/mydriver.py. I suppose this mapping is why I was getting the 500 error about the action not being implemented.</div><div><br></div><div>Secondly, before poking around with writing a custom driver, I decided to simply inherit ldap.Identity, as follows:</div><div><br></div><div>
<p class="p1">class Identity(ldap.Identity):</p>
<p class="p1"> def __init__(self):</p>
<p class="p1"> super(Identity, self).__init__()</p>
<p class="p1"> LOG.debug('My authentication module loaded')</p>
<p class="p2"><br></p>
<p class="p1"> def authenticate(self, user_id, password):</p>
<p class="p1"> LOG.debug('in auth function')</p>
<p class="p1"><br></p><p class="p1">When I get a list of users, I never get the debug output. Further, I removed the authenticate method from the Identity class in ldap.py and list-users STILL worked. Unsure how this is possible. It seems we're never hitting the authenticate method, which is why overriding it in my custom driver doesn't make much of a difference in reaching my goal for local users.</p><p class="p1"><br></p><p class="p1">Is there another method I'm supposed to be overriding?</p><p class="p1"><br></p><p class="p1">I appreciate the help -- I know these are likely silly questions to seasoned keystone developers.</p><p class="p1"><br></p><br><div><hr id="stopSpelling">From: dolph.mathews@gmail.com<br>Date: Mon, 27 Jan 2014 22:35:18 -0600<br>To: openstack-dev@lists.openstack.org<br>Subject: Re: [openstack-dev] extending keystone identity<br><br><div dir="ltr">From your original email, it sounds like you want to extend the existing LDAP identity driver implementation, rather than writing a custom driver from scratch, which is what you've written. The TemplatedCatalog driver sort of follows that pattern with the KVS catalog driver, although it's not a spectacular example.</div>
<div class="ecxgmail_extra"><br><br><div class="ecxgmail_quote">On Mon, Jan 27, 2014 at 9:11 PM, Simon Perfer <span dir="ltr"><<a href="mailto:simon.perfer@hotmail.com" target="_blank">simon.perfer@hotmail.com</a>></span> wrote:<br>
<blockquote class="ecxgmail_quote" style="border-left:1px #ccc solid;padding-left:1ex;">
<div><div dir="ltr">I dug a bit more and found this in the logs:<div><br></div><div>
(keystone.common.wsgi): 2014-01-27 19:07:13,851 WARNING The action you have requested has not been implemented.<BR><br><BR>Despite basing my (super simple) code on the SQL or LDAP backends, I must be doing something wrong.<BR>
<br><BR>-->> I've placed my backend code in <span style="font-size:12pt;">/usr/share/pyshared/keystone/identity/backends/nicira.py or </span><span style="font-size:12pt;">/usr/share/pyshared/keystone/common/nicira.py</span><BR>
<span style="font-size:12pt;"><br></span><BR><span style="font-size:12pt;">-->> I DO see the "my authenticate module loaded" in the log</span><BR><span style="font-size:12pt;"><br></span><BR>I would appreciate any help in figuring out what I'm missing. Thanks!<BR>
<br><BR><div class="ecxhm ecxHOEnZb">
<br></div><div><div class="ecxhm ecxHOEnZb"><hr>From: <a href="mailto:simon.perfer@hotmail.com" target="_blank">simon.perfer@hotmail.com</a><br>To: <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a><br>
Date: Mon, 27 Jan 2014 21:58:43 -0500</div><div><div class="h5"><br>Subject: Re: [openstack-dev] extending keystone identity<br><br>
<div dir="ltr">Dolph, I appreciate the response and pointing me in the right direction.<div><br></div><div>Here's what I have so far:</div><div><br></div><div><imports here></div><div>
<span style="font-size:12pt;">CONF = config.CONF</span><BR>
LOG = logging.getLogger(__name__)<BR>
<br><BR>
class Identity(identity.Driver):<BR>
def __init__(self):<BR>
super(Identity, self).__init__()<BR>
LOG.debug('My authentication module loaded')<BR>
<br><BR>
def authenticate(self, user_id, password, domain_scope=None):<BR>
LOG.debug('in authenticate method')<BR><br><BR>When I request a user-list via the python-keystoneclient, we never make it into the authenticate method (as is evident by the missing debug log).<BR>
<br><BR>Any thoughts on why I'm not hitting this method?<BR><br><BR><br><div><hr>From: <a href="mailto:dolph.mathews@gmail.com" target="_blank">dolph.mathews@gmail.com</a><br>Date: Mon, 27 Jan 2014 18:14:50 -0600<br>
To: <a href="mailto:openstack-dev@lists.openstack.org" target="_blank">openstack-dev@lists.openstack.org</a><br>Subject: Re: [openstack-dev] extending keystone identity<br><br><div dir="ltr"><div>_check_password() is a private/internal API, so we make no guarantees about its stability. Instead, override the public authenticate() method with something like this:</div>
<div><br></div><pre>    def authenticate(self, user_id, password, domain_scope=None):
        if user_id in SPECIAL_LIST_OF_USERS:
            # compare against value from keystone.conf
            pass
        else:
            return super(CustomIdentityDriver, self).authenticate(user_id, password, domain_scope)
</pre>
<div><br><div>On Mon, Jan 27, 2014 at 3:27 PM, Simon Perfer <span dir="ltr"><<a href="mailto:simon.perfer@hotmail.com" target="_blank">simon.perfer@hotmail.com</a>></span> wrote:<br>
<blockquote style="border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex;">
<div><div dir="ltr"><div><span style="font-size:12pt;">I'm looking to create a simple Identity driver that will look at usernames. A small number of specific users should be authenticated by looking at a hard-coded password in keystone.conf, while any other users should fall back to LDAP authentication.</span></div>
<div><br></div><div>I based my original driver on what's found here:</div><div><br></div><div><a href="http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/" target="_blank">http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/</a></div>
<div><br></div><div>As can be seen in the github code (<a href="https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py" style="font-size:12pt;" target="_blank">https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py</a>), there's a _check_password() method which is supposedly called at some point.</div>
<div><br></div><div>I've based my driver on this ldapauth.py file, and created an Identity class which subclasses sql.Identity. Here's what I have so far:</div><div><br></div><div>
<pre>CONF = config.CONF
LOG = logging.getLogger(__name__)


class Identity(sql.Identity):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def _check_password(self, password, user_ref):
        LOG.debug('Authenticating via my custom hybrid authentication')

        username = user_ref.get('name')

        LOG.debug('Username = %s' % username)
</pre>
I can see from the syslog output that we never enter the _check_password() function.<br></div><div><br></div><div>Can someone point me in the right direction regarding which function calls the identity driver? Also, what is the entry function in the identity drivers? Why wouldn't _check_password() be called, as we see in the github / blog example above?</div>
<div><br></div><div>THANKS!</div> </div></div>
<br>_______________________________________________<br>
OpenStack-dev mailing list<br>
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a><br>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
<br></blockquote></div><br></div></div>
</div></div> </div>
</div></div></div></div> </div></div>
<br></blockquote></div><br></div>
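<div><br></div><div>The override pattern Dolph recommends in the thread above (override the public authenticate(), check a short list of local users against values from keystone.conf, delegate everyone else to the LDAP driver) as an added, stand-alone example; it is not code from this thread and not Keystone's own code. It runs under Python 3 with no Keystone installed: BaseIdentity is a constructed stand-in for the LDAP driver (that the real driver raises AssertionError on bad credentials, as the Havana SQL and LDAP backends do, is an assumption about Keystone), and the local-user table stands in for values read from keystone.conf. It makes two points from the thread concrete. The local branch never calls into LDAP, so a wrong local password cannot trip an LDAP lockout and an LDAP entry with the same name cannot shadow the local account. And list_users() never enters authenticate(): a user-list request is served by the driver's list_users(), while authenticate() runs only when password credentials are submitted for a token (with the admin service token, never), which is why a debug line in authenticate() does not show up on user-list. Local secrets are stored hashed (PBKDF2) rather than in plaintext and compared in constant time.</div><div><br></div>
```python
"""Hybrid identity driver in the Keystone style (added example, not thread or Keystone code).

Local users are checked against hashed secrets that would come from keystone.conf;
every other user_id is delegated to the base driver's public authenticate().
Runs stand-alone under Python 3 with no Keystone installed.
"""
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 100000


def hash_password(password, salt=None):
    """Return 'pbkdf2_sha256$rounds$salt$digest' (salt and digest hex); random salt unless given."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ROUNDS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute the digest and compare in constant time; False on malformed stored values."""
    try:
        algo, rounds, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(rounds))
    except ValueError:
        return False
    return hmac.compare_digest(digest.hex(), digest_hex)


class BaseIdentity(object):
    """Constructed stand-in for the LDAP driver. Assumption: like the Havana
    backends, authenticate() raises AssertionError on bad credentials."""

    def __init__(self):
        self.calls = []  # records which driver methods were entered, and for whom
        # constructed directory contents: user_id to (password, user_ref)
        self._directory = {
            "ldapuser": ("ldap-secret", {"id": "ldapuser", "name": "ldapuser", "enabled": True}),
        }

    def authenticate(self, user_id, password, domain_scope=None):
        self.calls.append(("authenticate", user_id))
        entry = self._directory.get(user_id)
        if entry is None or entry[0] != password:
            raise AssertionError("Invalid user / password")
        return entry[1]

    def list_users(self, domain_scope=None):
        self.calls.append(("list_users", None))
        return [ref for _, ref in self._directory.values()]


class Identity(BaseIdentity):
    """Hybrid driver: local users from config first, the base (LDAP) driver for everyone else."""

    def __init__(self, local_users):
        super(Identity, self).__init__()
        # {user_id: hashed_password}, standing in for values read from keystone.conf
        self._local = dict(local_users)

    def authenticate(self, user_id, password, domain_scope=None):
        if user_id in self._local:
            # Local branch never consults LDAP: a wrong local password cannot lock out a
            # directory account, and no directory entry can shadow the local user.
            if not verify_password(password, self._local[user_id]):
                raise AssertionError("Invalid user / password")
            return {"id": user_id, "name": user_id, "enabled": True}
        return super(Identity, self).authenticate(user_id, password, domain_scope)

    def list_users(self, domain_scope=None):
        # Listing is not authentication: authenticate() above is never entered from here.
        return super(Identity, self).list_users(domain_scope) + [
            {"id": uid, "name": uid, "enabled": True} for uid in sorted(self._local)]


def auth_ok(driver, user_id, password):
    """True if the driver accepts the credentials, False if it raises AssertionError."""
    try:
        driver.authenticate(user_id, password)
        return True
    except AssertionError:
        return False


def demo():
    """Exercise the driver with constructed users and return the observable outcomes."""
    drv = Identity({"admin": hash_password("correct horse battery")})
    results = {
        "local_ok": auth_ok(drv, "admin", "correct horse battery"),
        "local_bad": auth_ok(drv, "admin", "wrong"),
        "ldap_ok": auth_ok(drv, "ldapuser", "ldap-secret"),
        "ldap_bad": auth_ok(drv, "ldapuser", "wrong"),
        "unknown": auth_ok(drv, "nobody", "x"),
        "user_count": len(drv.list_users()),
    }
    # the base (LDAP) driver must never have been asked about the local user
    results["ldap_saw_admin"] = ("authenticate", "admin") in drv.calls
    return results


if __name__ == "__main__":
    print(demo())
```
<div>demo() returns local_ok and ldap_ok True, the three failure cases False, user_count 2, and ldap_saw_admin False: the local user's credentials, right or wrong, never reach the directory. In a real driver the hashed values would be read from a configuration option rather than passed to the constructor, and a failed local check should be logged at the same level as an LDAP failure so lockout and alerting policy cover both paths.</div>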
</div></div> </div></body>
</html>