<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 01/21/2014 08:58 AM, Joe Topjian
wrote:<br>
</div>
<blockquote
cite="mid:CA+y7hvgt6zS9b9XYxeQJCxSGe0c3XCXFAVAuM6ycQms7OEJ8dA@mail.gmail.com"
type="cite">
<div dir="ltr">Hello,
<div><br>
</div>
<div>
<div>One of the new features advertised in the Havana release
of Keystone was external authentication via REMOTE_USER. I'm
beginning to assume that I should take that at face value:
Keystone has external auth, but that's it. OpenStack as a
whole cannot currently utilize it.</div>
<div><br>
</div>
<div>Is this an incorrect assumption?</div>
<div><br>
</div>
<div>For example, I set up Keystone behind Apache just like
the developer docs say. Everything worked.</div>
<div><br>
</div>
<div>Now I wanted to test external authentication. Just for
practice, I tried http basic auth. I was successful in
obtaining a token:</div>
<div><br>
</div>
<div>curl --user joe:foobar -d '{"auth":{}}' -H "Content-type:
application/json" <a moz-do-not-send="true"
href="http://localhost:5000/v2.0/tokens">http://localhost:5000/v2.0/tokens</a><br>
</div>
<div><br>
</div>
<div>But I don't think it's possible to use the command line
tools (nova, glance et al) to work with a single token. </div>
</div>
</div>
</blockquote>
They don't. Nothing has changed WRT token consumption. The only
thing that is different is how the original token was issued: using
REMOTE_USER versus the embedded userid and password inside the JSON
request to <a class="moz-txt-link-freetext" href="http://keystone:5000/v2.0/tokens">http://keystone:5000/v2.0/tokens</a><br>
<br>
So it is purely for protecting Keystone: the rest of the ser<br>
<br>
<blockquote
cite="mid:CA+y7hvgt6zS9b9XYxeQJCxSGe0c3XCXFAVAuM6ycQms7OEJ8dA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div>I also don't see how Horizon can utilize an http-auth
protected Keystone without modification. <br>
</div>
</div>
</div>
</blockquote>
<br>
It can't: if you wanted to do Kerberos, you would need something
like S4U2Proxy, far beyond the scope of what the Keystone team can
provide. <br>
<br>
The AUTH URL needs to point to Keystone. From there, Nova etc. need
to use the Service catalog. Everything should work the same.<br>
<br>
<blockquote
cite="mid:CA+y7hvgt6zS9b9XYxeQJCxSGe0c3XCXFAVAuM6ycQms7OEJ8dA@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>
<div><br>
</div>
<div>Am I wrong? If so, can someone point me to, at least, a
proof of concept if not a production example?</div>
<div><br>
</div>
</div>
<div>Is it correct to say that if I want Keystone to
authenticate users against an unsupported/custom database
while still retaining compatibility with all other OpenStack
components, then I should write a custom backend such as
described here:</div>
<div><br>
</div>
<div><a moz-do-not-send="true"
href="https://thestaticvoid.com/post/2013/06/04/customizing-the-openstack-keystone-authentication-backend/">https://thestaticvoid.com/post/2013/06/04/customizing-the-openstack-keystone-authentication-backend/</a><br>
</div>
<div><br>
</div>
<div><br>
</div>
<div>Thanks,</div>
<div>Joe</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Mailing list: <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
Post to : <a class="moz-txt-link-abbreviated" href="mailto:openstack@lists.openstack.org">openstack@lists.openstack.org</a>
Unsubscribe : <a class="moz-txt-link-freetext" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack</a>
</pre>
</blockquote>
<br>
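As an added example (not code from this thread or from the Keystone project), the client side of the flow discussed above in Python: the token request carries an empty auth body plus HTTP Basic credentials that the Apache front end verifies, and the token and service catalog that come back are consumed exactly as they would be for a password-issued token. The Keystone response, endpoint URLs, ids and the localhost auth URL are constructed sample values; no server is contacted.

```python
import base64
import json
import urllib.request

# Constructed sample of a Keystone v2.0 token response. The shape follows the
# v2.0 API; every id, name and URL here is made up for this example.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access": {
        "token": {"id": "tok-EXAMPLE-0001", "tenant": {"id": "t-1", "name": "demo"}},
        "serviceCatalog": [
            {"type": "compute", "name": "nova", "endpoints": [
                {"region": "RegionOne", "publicURL": "http://nova.example:8774/v2/t-1"}]},
            {"type": "image", "name": "glance", "endpoints": [
                {"region": "RegionOne", "publicURL": "http://glance.example:9292"}]},
        ],
        "user": {"id": "u-joe", "name": "joe"},
    }
})


def external_auth_request(auth_url, username, password):
    """Build the token request for the REMOTE_USER flow, mirroring the curl call
    in the thread: the JSON auth body is empty and the credential travels in an
    HTTP Basic header that Apache verifies before setting REMOTE_USER for Keystone.
    Nothing is sent here; the caller decides when to urlopen()."""
    creds = base64.b64encode(f"{username}:{password}".encode()).decode()
    return urllib.request.Request(
        f"{auth_url.rstrip('/')}/tokens",
        data=json.dumps({"auth": {}}).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {creds}"},
        method="POST",
    )


def parse_token_response(body):
    """Return (token_id, {service_type: publicURL}) from a v2.0 token response.
    The first endpoint listed for each service type wins."""
    access = json.loads(body)["access"]
    catalog = {}
    for service in access["serviceCatalog"]:
        for ep in service["endpoints"]:
            catalog.setdefault(service["type"], ep["publicURL"])
    return access["token"]["id"], catalog


def service_headers(token_id):
    """Headers a client then sends to Nova, Glance, etc. They are identical
    whether the token was issued via REMOTE_USER or via a password in the JSON."""
    return {"X-Auth-Token": token_id, "Accept": "application/json"}
```

Only the first leg (how Apache, not Keystone, checks the credential) differs from the plain password flow; every call that follows uses the catalog and the X-Auth-Token header unchanged.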
</body>
</html>