[openstack-dev] [keysstone] External authentication
Adam Young
ayoung at redhat.com
Thu Oct 25 14:03:14 UTC 2012
On 10/25/2012 09:47 AM, Ralf Haferkamp wrote:
> On Tue, Oct 02, 2012 at 01:06:44PM -0400, Adam Young wrote:
>> On 10/02/2012 12:07 PM, Ralf Haferkamp wrote:
>>> On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
>>>> On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
>>> [..]
>>>>>>> BTW, has anybody else been working on this already? Does this even sound like a
>>>>>>> feature worth adding?
>>>> Yes, I have, but you are aehad of me. Please post your patch. It
>>>> is the right approach.
>>> I have just pushed the code to the "external-branch" in my github clone at:
>>> https://github.com/rhafer/keystone/tree/external-auth
>>>
>>> Feel free to review and comment. It still needs quite a bit of testing. But the
>>> basics seem to work for me. Currently, to use external authentication you need
>>> to POST something like this to the /tokens URL (as with username/password
>>> authentication the "tenantName" is optional):
>>>
>>> {
>>> "auth": {
>>> "external": "True",
>>> "tenantName": "test"
>>> }
>>> }
>> Good first take. However, I would prefer to add an else block on:
>>
>> if auth is None
>> if 'REMOTE_USER' in context:
>> #assume external request for unscoped token
>> if 'passwordCredentials' in auth:
>> #UserID and Password passed explicitly here will trump REMOTE_USER
>> elif 'token' in auth:
>> ...
>> else
>> if 'REMOTE_USER' in context:
>> if 'tenantName' in auth:
>> # allocate scoped token
>> #not 100% sure I want to allow this, but that is a different discussion
>> else:
>> #assume external request for unscoped token
>> #don't fail just because there is an auth block.
> I finally found some time to rework my code according to your suggestion. See
> here again:
> https://github.com/rhafer/keystone/tree/external-auth
>
> Currently the code will just allocate an unscoped token if no "auth" block is
> present and REMOTE_USER is set. If the auth block is present and contains a
> valid "tenantName" or "tenantId" a scoped toked will be returned. I guess
> that's what you intended, right?
>
> Also there seems to be some code duplication in the different code paths
> (username/password auth vs. token auth). And I added more with external auth
> support :(. I'll check if I can reduce that a bit.
>
Someone picked up the colors and ran with them already:
https://review.openstack.org/#/c/14775/
More information about the OpenStack-dev
mailing list