[openstack-dev] [keystone] External authentication
Ralf Haferkamp
rhafer at suse.de
Tue Oct 2 17:58:52 UTC 2012
On Tue, Oct 02, 2012 at 01:06:44PM -0400, Adam Young wrote:
> On 10/02/2012 12:07 PM, Ralf Haferkamp wrote:
> >On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
> >>On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
> >[..]
> >>>>>BTW, has anybody else been working on this already? Does this even sound like a
> >>>>>feature worth adding?
> >>
> >>Yes, I have, but you are ahead of me. Please post your patch. It
> >>is the right approach.
> >I have just pushed the code to the "external-branch" in my github clone at:
> >https://github.com/rhafer/keystone/tree/external-auth
> >
> >Feel free to review and comment. It still needs quite a bit of testing. But the
> >basics seem to work for me. Currently, to use external authentication you need
> >to POST something like this to the /tokens URL (as with username/password
> >authentication the "tenantName" is optional):
> >
> >   {
> >     "auth": {
> >       "external": "True",
> >       "tenantName": "test"
> >     }
> >   }
>
> Good first take. However, I would prefer to add an else block on:
Yes, this seems to make sense. I'll rework the code accordingly. (It might take a
little while, though, as I'll be afk for a few days.)
>     if auth is None
>         if 'REMOTE_USER' in context:
>             #assume external request for unscoped token
>     if 'passwordCredentials' in auth:
>         #UserID and Password passed explicitly here will trump REMOTE_USER
>     elif 'token' in auth:
>         ...
>     else
>         if 'REMOTE_USER' in context:
>             if 'tenantName' in auth:
>                 # allocate scoped token
>                 #not 100% sure I want to allow this, but that is a different discussion
I was thinking about that as well, but then I could not really come up with a
reason for not allowing it :). Do you have one?
>             else:
>                 #assume external request for unscoped token
>                 #don't fail just because there is an auth block.
>
> >
> >Of course you need keystone to be backed by apache and apache configured to do
> >some kind of authentication (up to now I just tested with mod_auth_kerb).
> >Additionally the ExternalAuthMiddleware needs to be added to keystone's service
> >pipelines in keystone.conf
>
> Fantastic. Thanks for doing that.
>
> >
> >I didn't have time yet to implement anything on the client side. Up to now I
> >just used curl for testing. E.g. this works to request a scoped token using
> >kerberos authentication:
> >
> >   curl -u : --negotiate http://<keystone-server>:5000/v2.0/tokens \
> >        -d '{"auth": {"external": "True", "tenantName": "test"}}' \
> >        -H "Content-type: application/json"
> Yeah, let's iron out the API before chasing the CLI.
>
> Nice work.
Thanks for the feedback,
Ralf
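The dispatch Adam sketches above, written out as a plain function so the four cases (no auth block, explicit password, token, auth block with only a tenant) and the "explicit credentials trump REMOTE_USER" rule can be checked. This is an added example, not code from Ralf's branch or from Keystone; `select_auth_method`, `AuthError`, `rejects` and the dict it returns are my own names, and `context` stands in for the request environment the external-auth middleware copies `REMOTE_USER` into.

```python
class AuthError(Exception):
    """Raised when the request carries no usable credentials."""

def _scope(tenant):
    return "scoped" if tenant else "unscoped"

def select_auth_method(auth, context):
    """Decide how to authenticate a POST /tokens request (added example).

    auth: the parsed "auth" object of the JSON body, or None when absent.
    context: request environment; REMOTE_USER is set by the web server
             (e.g. mod_auth_kerb) and passed on by the external-auth middleware.
    """
    remote_user = context.get("REMOTE_USER")
    tenant = auth.get("tenantName") if auth else None

    if auth is None:
        # No auth block: only an externally authenticated user is accepted,
        # and it can only get an unscoped token.
        if remote_user:
            return {"method": "external", "scope": "unscoped",
                    "user": remote_user, "tenant": None}
        raise AuthError("no credentials and no REMOTE_USER")

    if "passwordCredentials" in auth:
        # Explicit credentials trump whatever the web server authenticated.
        return {"method": "password", "scope": _scope(tenant),
                "user": auth["passwordCredentials"].get("username"),
                "tenant": tenant}

    if "token" in auth:
        # Token exchange (e.g. unscoped -> scoped); the user comes from the token.
        return {"method": "token", "scope": _scope(tenant),
                "user": None, "tenant": tenant}

    if remote_user:
        # An auth block carrying only tenantName (or Ralf's "external" flag)
        # is not an error: use REMOTE_USER, scoped if a tenant was named.
        return {"method": "external", "scope": _scope(tenant),
                "user": remote_user, "tenant": tenant}

    raise AuthError("auth block has no recognised credentials")

def rejects(auth, context):
    """True if select_auth_method refuses the request (handy for tests)."""
    try:
        select_auth_method(auth, context)
    except AuthError:
        return True
    return False
```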