[Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity

Tim Bell Tim.Bell at cern.ch
Thu Oct 24 07:15:20 UTC 2013


I think we also need a standard way to specify the X.509 certificate location and the authentication method to be used (X.509, Kerberos, etc.)

Do we have a slot at the summit for this discussion? It would be good to finalise the necessary parts so we can help out with the implementation.

Tim

> -----Original Message-----
> From: Adam Young [mailto:ayoung at redhat.com]
> Sent: 24 October 2013 04:23
> To: openstack at lists.openstack.org
> Subject: Re: [Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity
> 
> On 10/23/2013 06:35 PM, Colin Leavett-Brown wrote:
> > The havana configuration reference contains a section on how to
> > configure keystone to accept x.509 certificates. How does one map
> > x.509 credentials to keystone IDs, projects, roles and privileges?
> I think there is more work to be done here.  To start with, you use Apache and mod_nss or mod_ssl, and it will hand environment variables
> over to the WSGI application.   The external module is currently only
> making use of  the REMOTE_USER env var.  I have a patch to make things a little more general purpose:
> 
> https://review.openstack.org/#/c/52732/
> 
> Jenkins and the Keystone reviewers agree that this needs more work.
> However, the base idea is that we need to put the env vars in the context, and then let external use them.  The envvars exposed by X509
> client authentication are here:
> 
> http://www.freeipa.org/page/Environment_Variables#X.509_Authentication
> 
> I'd expect most people would be interested in some variation of
>   SSL_CLIENT_S_DN or SSL_CLIENT_S_DN_x509 as the username or userid.
> 
> 
> However, that does not contain sufficient information to map to roles.
> You still need to do another lookup to some store to get the equivalent of "groups" for this document.  If the information that you want is
> embedded in the X509 you need to extract it.  The entire cert is in there in  SSL_CLIENT_CERT in PEM format.  There may be more
> variables than that in your deployment.
> 
> >
> > _______________________________________________
> > Mailing list:
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to     : openstack at lists.openstack.org
> > Unsubscribe :
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
> 
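The mapping step the thread leaves open, as an added example that is not part of the original mail, of Keystone, or of the patch under review: a small WSGI-side function that takes the environment variables mod_ssl exports after client-certificate authentication (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN), normalises the subject DN, and resolves it to groups and roles through a separate lookup. The DN-to-groups and group-to-roles tables are constructed stand-ins for "another lookup to some store" (LDAP, FreeIPA, a database); the names in them are hypothetical, and the function names (parse_dn, canonical_dn, rejection_reason, identity_from_environ) are mine, not Keystone's. It assumes Apache is configured with SSLVerifyClient require and SSLOptions +StdEnvVars so the variables actually reach the WSGI environ.

```python
"""Map mod_ssl client-certificate env vars to a Keystone-style identity.

Added example, not Keystone code. Assumes Apache with
`SSLVerifyClient require` and `SSLOptions +StdEnvVars`, so that
SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN are present in the WSGI environ.
"""
import re

# Constructed identity store: subject DN (RFC 2253 form) -> groups.
# A real deployment would query LDAP/FreeIPA or a database here.
DN_TO_GROUPS = {
    "CN=Tim Bell,OU=Users,O=CERN,C=CH": ["cloud-admins", "batch-users"],
    "CN=Colin Leavett-Brown,OU=Users,O=UVic,C=CA": ["batch-users"],
}

# Constructed group -> [(project, role)] mapping: the "equivalent of groups".
GROUP_TO_ROLES = {
    "cloud-admins": [("admin", "admin")],
    "batch-users": [("batch", "member")],
}

_RFC2253_SPLIT = re.compile(r'(?<!\\),')   # split on commas not escaped by '\'


def parse_dn(dn):
    """Return the DN as an ordered list of (attr, value) pairs, leaf (CN) first.

    Accepts both Apache formats: the legacy '/C=CH/O=CERN/CN=Tim Bell' form
    and the RFC 2253 'CN=Tim Bell,O=CERN,C=CH' form that Apache 2.4 emits
    unless SSLOptions +LegacyDNStringFormat is set.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]   # legacy: root first ...
        parts.reverse()                            # ... so flip to leaf first
    else:
        parts = [p.strip() for p in _RFC2253_SPLIT.split(dn)]
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % (part,))
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().upper(), value.replace("\\,", ",").strip()))
    return rdns


def canonical_dn(dn):
    """Normalise either input format to 'CN=...,O=...,C=...' for lookups."""
    return ",".join("%s=%s" % (a, v.replace(",", "\\,")) for a, v in parse_dn(dn))


def rejection_reason(environ):
    """Return why this request must not be authenticated, or None if it may be.

    Order matters: trust the DN only after mod_ssl reports a successful
    verification. A client cannot inject SSL_* variables via HTTP headers
    (those become HTTP_*), but a vhost with SSLVerifyClient optional still
    yields SSL_CLIENT_VERIFY=NONE, which must not be treated as a login.
    """
    verify = environ.get("SSL_CLIENT_VERIFY")
    if verify != "SUCCESS":
        return "client certificate not verified (SSL_CLIENT_VERIFY=%r)" % (verify,)
    raw_dn = environ.get("SSL_CLIENT_S_DN")
    if not raw_dn:
        return "SSL_CLIENT_S_DN missing (SSLOptions +StdEnvVars not set?)"
    try:
        dn = canonical_dn(raw_dn)
    except ValueError as exc:
        return "unparseable subject DN: %s" % exc
    if dn not in DN_TO_GROUPS:
        return "no identity mapping for %s" % dn
    return None


def identity_from_environ(environ):
    """Build {'user_id', 'groups', 'roles'} from the WSGI environ, or raise."""
    reason = rejection_reason(environ)
    if reason is not None:
        raise PermissionError(reason)
    dn = canonical_dn(environ["SSL_CLIENT_S_DN"])
    groups = DN_TO_GROUPS[dn]
    roles = sorted({pr for g in groups for pr in GROUP_TO_ROLES.get(g, [])})
    return {"user_id": dn, "groups": list(groups), "roles": roles}


if __name__ == "__main__":
    # Constructed environ as Apache/mod_wsgi would present it (legacy DN format).
    demo = {"SSL_CLIENT_VERIFY": "SUCCESS",
            "SSL_CLIENT_S_DN": "/C=CH/O=CERN/OU=Users/CN=Tim Bell"}
    print(identity_from_environ(demo))
```

Two points worth keeping when adapting this: the DN is only meaningful together with SSL_CLIENT_VERIFY, so the verification check comes first and a missing or non-SUCCESS value is a rejection, not a fallback to anonymous; and the DN string format differs between Apache versions, so normalising it before the lookup avoids a mapping that silently stops matching after an upgrade. Reading extra attributes out of the full certificate (SSL_CLIENT_CERT, exported with SSLOptions +ExportCertData) would replace the lookup table with a parse of the PEM, which this example deliberately does not attempt.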