[Openstack] Keystone External Authentication clarification

Adam Young ayoung at redhat.com
Thu Jan 23 15:11:26 UTC 2014


On 01/21/2014 08:58 AM, Joe Topjian wrote:
> Hello,
>
> One of the new features advertised in the Havana release of Keystone 
> was external authentication via REMOTE_USER. I'm beginning to assume 
> that I should take that at face value: Keystone has external auth, but 
> that's it. OpenStack as a whole cannot currently utilize it.
>
> Is this an incorrect assumption?
>
> For example, I set up Keystone behind Apache just like the developer 
> docs say. Everything worked.
>
> Now I wanted to test external authentication. Just for practice, I 
> tried http basic auth. I was successful in obtaining a token:
>
> curl --user joe:foobar -d '{"auth":{}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens
>
> But I don't think it's possible to use the command line tools (nova, 
> glance et al) to work with a single token.
They don't; nothing has changed WRT token consumption.  The only thing 
that is different is how the original token was issued:  using 
REMOTE_USER versus the embedded userid and password inside the JSON 
request to http://keystone:5000/v2.0/tokens

So it is purely for protecting Keystone:  the rest of the ser

> I also don't see how Horizon can utilize an http-auth protected 
> Keystone without modification.

It can't:  if you wanted to do Kerberos, you would need something like 
S4U2Proxy, far beyond the scope of what the Keystone team can provide.

The AUTH URL needs to point to Keystone.  From there, Nova etc need to 
use the Service catalog.  Everything should work the same.

>
> Am I wrong? If so, can someone point me to, at least, a proof of 
> concept if not a production example?
>
> Is it correct to say that if I want Keystone to authenticate users 
> against an unsupported/custom database while still retaining 
> compatibility with all other OpenStack components, then I should write 
> a custom backend such as described here:
>
> https://thestaticvoid.com/post/2013/06/04/customizing-the-openstack-keystone-authentication-backend/
>
>
> Thanks,
> Joe
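
Added example, not part of the original thread or of Keystone's code: a Python sketch of the point made in the reply, that REMOTE_USER only changes the token request while services still receive just `X-Auth-Token` and are located through the service catalog. The token response is constructed sample data in the v2.0 layout, and the `nova.example`/`glance.example` hosts and all function names are hypothetical.

```python
import json

# Constructed Keystone v2.0 token response (sample values, not from the thread).
SAMPLE_RESPONSE = json.dumps({
    "access": {
        "token": {"id": "TOKEN-PLACEHOLDER", "expires": "2014-01-24T15:11:26Z",
                  "tenant": {"id": "t1", "name": "demo"}},
        "user": {"name": "joe"},
        "serviceCatalog": [
            {"type": "compute", "name": "nova",
             "endpoints": [{"region": "RegionOne",
                            "publicURL": "http://nova.example:8774/v2/t1"}]},
            {"type": "image", "name": "glance",
             "endpoints": [{"region": "RegionOne",
                            "publicURL": "http://glance.example:9292"}]},
        ],
    }
})

def token_request_body(external):
    """Body POSTed to /v2.0/tokens. With external auth the web server
    sets REMOTE_USER, so the body carries no credentials."""
    if external:
        return {"auth": {}}
    return {"auth": {"passwordCredentials":
                     {"username": "joe", "password": "foobar"}}}

def endpoint_for(access, service_type):
    """Look up a service's public URL in the catalog returned with the token."""
    for svc in access.get("serviceCatalog", []):
        if svc["type"] == service_type and svc["endpoints"]:
            return svc["endpoints"][0]["publicURL"]
    # A token with no tenant scope has no catalog entries to use.
    raise LookupError(f"no {service_type!r} endpoint in catalog")

def service_request(token_response, service_type, path):
    """Build the downstream call: it carries only X-Auth-Token,
    regardless of how the token was issued."""
    access = json.loads(token_response)["access"]
    return {"url": endpoint_for(access, service_type) + path,
            "headers": {"X-Auth-Token": access["token"]["id"]}}
```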