[ops][keystone] Does anyone use external auth?
Currently, one of the default auth methods for keystone is 'external', meaning keystone offloads authentication to an HTTPD auth module like mod_ssl or mod_auth_kerb and gets the user's identity from the REMOTE_USER variable passed in by the web server:

https://docs.openstack.org/keystone/latest/admin/external-authentication.htm...

The 'external' auth method existed before federation. The biggest problem with external auth now is that it is effectively single-domain, there's no way to parse anything besides a user identifier from the REMOTE_USER variable, and keystone is barreling full steam ahead to a multidomain world. The 'external' auth method conflicts with the 'mapped' auth method as mentioned in the "Caution" notice in the above document for the same reason. Moreover, we should be able to achieve the same behavior with just federation, e.g. you can create a federated IdP representing your SSL CA, and continue to use mod_ssl with a mapping to properly parse all the attributes coming in from the auth module.

We'd like to start discouraging, deprecating, and removing external auth in keystone. So our question to operators is: are you currently using external auth? If so, which HTTPD auth modules are you using? And is it a use case that we can't support with federated auth?

Colleen (cmurphy)
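To make the contrast in the message above concrete, here is an added example (not keystone code and not part of the thread): the same mod_ssl-fronted request seen through the 'external' method, which yields only REMOTE_USER, and through a 'mapped' rule set for an IdP that represents the SSL CA, which extracts name, group and domain and rejects certificates from any other issuer. The rules use keystone's mapping-rule format, but the evaluator is a deliberately simplified re-implementation (an assumption, not keystone's mapping engine), and the CA name, domain name and environment values are constructed.

```python
# Constructed mod_ssl CGI environment, as Apache would hand it to keystone
# with "SSLOptions +StdEnvVars" and "SSLUserName SSL_CLIENT_S_DN_CN".
SSL_ENV = {
    "REMOTE_USER": "alice",
    "SSL_CLIENT_S_DN_CN": "alice",
    "SSL_CLIENT_S_DN_O": "Research Dept",
    "SSL_CLIENT_I_DN": "CN=Example Corp CA,O=Example Corp",  # assumed CA name
}

def build_mapping_rules(ca_issuer_dn, domain_name):
    """Rule set for an IdP representing the SSL CA: only certificates issued
    by that CA match; user name comes from the CN, group from the O field."""
    return [{
        "remote": [
            {"type": "SSL_CLIENT_S_DN_CN"},
            {"type": "SSL_CLIENT_S_DN_O"},
            {"type": "SSL_CLIENT_I_DN", "any_one_of": [ca_issuer_dn]},
        ],
        "local": [
            {"user": {"name": "{0}", "domain": {"name": domain_name}}},
            {"group": {"name": "{1}", "domain": {"name": domain_name}}},
        ],
    }]

def external_auth(env):
    """What the 'external' method sees: a bare identifier, no domain, no
    group, and no check of which CA issued the certificate."""
    return {"user": env.get("REMOTE_USER")}

def apply_mapping(rules, env):
    """Simplified evaluator: every remote attribute must be present and pass
    its any_one_of test; '{n}' in a local entry is the n-th remote value."""
    for rule in rules:
        values = []
        for remote in rule["remote"]:
            value = env.get(remote["type"])
            if value is None or ("any_one_of" in remote
                                 and value not in remote["any_one_of"]):
                break  # this rule does not match; try the next one
            values.append(value)
        else:
            def render(item):
                if isinstance(item, dict):
                    return {k: render(v) for k, v in item.items()}
                return item.format(*values)
            merged = {}
            for local in rule["local"]:
                merged.update(render(local))
            return merged
    return None  # no rule matched: the request is not authenticated
```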
https://www.youtube.com/watch?v=7BSnhRZ8nhs mentions they use mod_auth_oidc. Not sure that is still true. But may want to reach out to them.

Thanks,
Kevin
________________________________________
From: Colleen Murphy [colleen@gazlene.net]
Sent: Tuesday, July 30, 2019 1:28 PM
To: openstack-discuss@lists.openstack.org
Subject: [ops][keystone] Does anyone use external auth?
On Tue, Jul 30, 2019, at 13:45, Fox, Kevin M wrote:
https://www.youtube.com/watch?v=7BSnhRZ8nhs mentions they use mod_auth_oidc. Not sure that is still true. But may want to reach out to them.
The video shows that they're using federated authentication, which provides them with the ability to create a rich attribute mapping and connect their OpenIDC IdP to keystone while still using the auth module in front of keystone. The 'external' auth method only provides a subset of that functionality, which is simply the ability to accept the auth module's parameters as a valid authentication.

Colleen