[openstack-dev] [keysstone] External authentication
Ralf Haferkamp
rhafer at suse.de
Tue Oct 2 16:33:11 UTC 2012
On Tue, Oct 02, 2012 at 11:17:38AM -0500, Dolph Mathews wrote:
> I'm curious about the "external" attribute in that request body (JSON
> supports native booleans, btw, so it should preferrably read {"external":
> true})... regardless, how are you using that attribute in your
> implementation?
Not at all. Currently the code just checks for the presence of the "external"
key. It just needed a value to be valid JSON :/. And I am still undecided
if I should really require that "external" attribute or just "assume" that
external authentication is desired if "external_user" is present in the context
and no username/password or token is provided.
> What happens if it's some value other than "True"? I
> expected to see something in your ExternalAuthMiddleware about it, but it
> must be somewhere else -- link?
>
> I'm particularly asking because if there's a use case here that can be
> generalized, I'd like to include it in
> https://github.com/openstack/identity-api/blob/master/openstack-identity-api/src/markdown/identity-api-v3.md
That depends on if we really need to indicated the request of "external
authentication" to keystone via the POSTed document. The more I think about the
more I tend towards not needing it. But that would raise the question how and
unscoped token is requested when using external authentication. Just POSTing
and empty "auth" dict might work?
Ralf
> On Tue, Oct 2, 2012 at 11:07 AM, Ralf Haferkamp <rhafer at suse.de> wrote:
>
> > On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
> > > On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
> > [..]
> > > >>>BTW, has anybody else been working on this already? Does this even
> > sound like a
> > > >>>feature worth adding?
> > >
> > >
> > > Yes, I have, but you are aehad of me. Please post your patch. It
> > > is the right approach.
> >
> > I have just pushed the code to the "external-branch" in my github clone at:
> > https://github.com/rhafer/keystone/tree/external-auth
> >
> > Feel free to review and comment. It still needs quite a bit of testing.
> > But the
> > basics seem to work for me. Currently, to use external authentication you
> > need
> > to POST something like this to the /tokens URL (as with username/password
> > authentication the "tenantName" is optional):
> >
> > {
> > "auth": {
> > "external": "True",
> > "tenantName": "test"
> > }
> > }
> >
> > Of course you need keystone be backed by apache and apache configured to do
> > somekind of authentication (up to now I just tested with mod_auth_kerb).
> > Additionally the ExternalAuthMiddleware needs to be added to keystone's
> > service
> > pipelines in keystone.conf
> >
> > I didn't have time yet to implement anything on the client side. Up to now
> > I
> > just used curl for testing. E.g. this works to request a scoped token using
> > kerberos authentication:
> >
> > curl -u : --negotiate http://<keystone-server>:5000/v2.0/tokens \
> > -d '{"auth": {"external": "True", "tenantName": "test"}}' \
> > -H "Content-type: application/json"
> >
> > Feedback is very welcome. Regards,
> > Ralf
> >
> >
> > _______________________________________________
> > OpenStack-dev mailing list
> > OpenStack-dev at lists.openstack.org
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> >
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
--
Ralf Haferkamp
SUSE LINUX Products GmbH,
GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer
HRB 16746 (AG Nuernberg)
More information about the OpenStack-dev
mailing list