[openstack-dev] [keystone] External authentication

Ralf Haferkamp rhafer at suse.de
Tue Oct 2 16:07:01 UTC 2012


On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
> On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
[..]
> >>>BTW, has anybody else been working on this already? Does this even sound like a
> >>>feature worth adding?
> 
> 
> Yes, I have, but you are ahead of me.  Please post your patch.  It
> is the right approach.

I have just pushed the code to the "external-branch" in my github clone at:
https://github.com/rhafer/keystone/tree/external-auth

Feel free to review and comment. It still needs quite a bit of testing. But the
basics seem to work for me. Currently, to use external authentication you need
to POST something like this to the /tokens URL (as with username/password
authentication the "tenantName" is optional):

    {
        "auth": {
                "external": "True",
                "tenantName": "test"
        }
    }

Of course you need keystone to be backed by apache and apache configured to do
some kind of authentication (up to now I just tested with mod_auth_kerb).
Additionally the ExternalAuthMiddleware needs to be added to keystone's service
pipelines in keystone.conf.

I didn't have time yet to implement anything on the client side. Up to now I
just used curl for testing. E.g. this works to request a scoped token using
kerberos authentication:

    curl -u : --negotiate http://<keystone-server>:5000/v2.0/tokens \
        -d '{"auth": {"external": "True", "tenantName": "test"}}' \
        -H "Content-type: application/json"

Feedback is very welcome. Regards,
    Ralf
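
The server-side trust boundary this setup relies on, as an added sketch that is not part of the original message and is not the ExternalAuthMiddleware from the branch: a WSGI filter that honours an "external" token request only when the web server itself has set REMOTE_USER. The class name, the `sketch.external_user` key, the 401 response and the sample requests are assumptions constructed for illustration.

```python
import io
import json


class ExternalAuthSketch:
    """Hypothetical WSGI filter; NOT the middleware from the branch."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # A client-sent "Remote-User" header shows up as HTTP_REMOTE_USER.
        # Drop it so nothing downstream can mistake it for the server's value.
        environ.pop("HTTP_REMOTE_USER", None)
        length = int(environ.get("CONTENT_LENGTH") or 0)
        raw = environ["wsgi.input"].read(length)
        environ["wsgi.input"] = io.BytesIO(raw)  # let the wrapped app re-read
        try:
            auth = json.loads(raw.decode("utf-8") or "{}").get("auth")
        except (ValueError, AttributeError):
            auth = None
        if isinstance(auth, dict) and str(auth.get("external")).lower() == "true":
            user = environ.get("REMOTE_USER")
            if not user:
                # The web server did not authenticate anyone: fail closed.
                body = b'{"error": "external authentication required"}'
                start_response("401 Unauthorized",
                               [("Content-Type", "application/json")])
                return [body]
            environ["sketch.external_user"] = user
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    # Stand-in for the token service: echoes the identity it was handed.
    user = environ.get("sketch.external_user", "")
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [user.encode("utf-8")]


def post_tokens(body, **server_vars):
    """Drive the filter with a constructed request; returns (status, body)."""
    raw = json.dumps(body).encode("utf-8")
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/v2.0/tokens",
               "CONTENT_LENGTH": str(len(raw)), "wsgi.input": io.BytesIO(raw)}
    environ.update(server_vars)
    seen = []
    out = ExternalAuthSketch(demo_app)(environ, lambda s, h: seen.append(s))
    return seen[0], b"".join(out).decode("utf-8")
```

If keystone were reachable without Apache in front, REMOTE_USER would never be set and every "external" request would be refused by a check like this one.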
