<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<div class="moz-cite-prefix">On 06/13/2014 11:22 AM, Michael Hearn
wrote:<br>
</div>
<blockquote
cite="mid:CAO1MeZjYk7OKP3r8GBR4PtEyp-V8XhahQgQFSGBB2YygLd-y+w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Horizon gurus<br>
<br>
</div>
<div>Release: icehouse<br>
</div>
<div>Token Type : PKI<br>
</div>
<div>Identity Backend: LDAP<br>
<br>
<br>
</div>
<div>Monitoring the authentication traffic generated by Horizon
to LDAP, I was surprised to see that after the initial logon,
and under the 'Project' tab, I was still seeing calls out to
LDAP each time I entered a link related to a service (images,
volumes, images and snapshots etc...).<br>
<br>
</div>
<div>My assumption was that after the initial logon the token
would be used to satisfy authentication requirements (until it
expired). <br>
<br>
</div>
      <div>I ran some debugging and confirmed that the underlying
        python scripts e.g.
        /usr/share/openstack-dashboard/openstack_dashboard/api/*
        pick up the same token, although curiously at first glance it
        looks like a UUID based token and not a PKI token. <br>
<br>
</div>
<div>So, my questions are: <br>
</div>
<div>i. Should Horizon honour token authentication as I enter
different services - mitigating the need to authN against ldap
until token expires?<br>
</div>
</div>
</blockquote>
    The auth is done in Keystone. Horizon holds on to the token, but
    might, in fact, fetch a new token based on something like changing
    projects.<br>
<br>
<blockquote
cite="mid:CAO1MeZjYk7OKP3r8GBR4PtEyp-V8XhahQgQFSGBB2YygLd-y+w@mail.gmail.com"
type="cite">
<div dir="ltr">
      <div>ii. Am I seeing a compressed PKI token when pulling data
        from
        /usr/share/openstack-dashboard/openstack_dashboard/api/glance.py
        or cinder.py etc.?<br>
</div>
</div>
</blockquote>
<br>
    Compressed tokens are not in deployment yet. If it is 32 chars
    long, you are either seeing the hash of a signed token, or a UUID
    token, depending on how Keystone is set up.<br>
<br>
<blockquote
cite="mid:CAO1MeZjYk7OKP3r8GBR4PtEyp-V8XhahQgQFSGBB2YygLd-y+w@mail.gmail.com"
type="cite">
<div dir="ltr">
<div>Cheers<br>
</div>
Mike</div>
</blockquote>
<br>
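    <div>An added example, not part of the original thread and not
      Keystone or Horizon code: a Python sketch of the point in the
      reply above that a 32-character token id may be either a UUID
      token or the hash of a signed PKI token. It assumes the hash is
      the hex MD5 of the token text and that signed tokens begin with
      "MII"; the function names and sample tokens are constructed for
      illustration.</div>
    <pre>
```python
import base64
import hashlib
import re

PKI_PREFIX = "MII"  # assumption: base64 of an ASN.1 DER header (0x30 0x82 ...)
HEX32 = re.compile(r"[0-9a-f]{32}")


def classify_token_id(token_id):
    """Classify a token string by its form alone."""
    if token_id.startswith(PKI_PREFIX):
        return "pki-signed"
    if HEX32.fullmatch(token_id):
        # A UUID token and the hash of a PKI token look identical here.
        return "uuid-or-pki-hash"
    return "unknown"


def pki_short_id(pki_token):
    """32-char id of a signed token (assumption: hex MD5 of the token text)."""
    return hashlib.md5(pki_token.encode("utf-8")).hexdigest()


def explain(token_id, known_pki_tokens=()):
    """Resolve the ambiguity when the full signed tokens are available."""
    kind = classify_token_id(token_id)
    if kind != "uuid-or-pki-hash":
        return kind
    for tok in known_pki_tokens:
        if pki_short_id(tok) == token_id:
            return "hash-of-pki-token"
    return "uuid-or-unmatched-hash"


def make_constructed_pki_token(seed):
    """Constructed stand-in with a DER-like header; not a real CMS token."""
    body = bytes([0x30, 0x82, 0x04, 0x00]) + hashlib.sha256(seed).digest() * 32
    return base64.b64encode(body).decode("ascii").replace("/", "-")


if __name__ == "__main__":
    signed = make_constructed_pki_token(b"demo")        # constructed sample
    uuid_style = "0123456789abcdef0123456789abcdef"     # constructed sample
    for tid in (signed, pki_short_id(signed), uuid_style):
        print(tid[:32], len(tid), explain(tid, [signed]))
```
    </pre>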
</body>
</html>