[openstack-dev] [keystone] External authentication

Adam Young ayoung at redhat.com
Thu Oct 25 14:43:34 UTC 2012


WRT your comment:

"I'd prefer if it would be possible to explicitly enable/disable 
REMOTE_USER authentication?"

I'd prefer to postpone that.  If you don't set up the web server for 
external auth explicitly,  you will never get it here.  An additional 
config value is overkill.

However, we are reworking the authentication function to be a 
configurable stack.  At that point, the end user will have the ability to 
enable/disable the REMOTE_USER rule by specifying that it should/should 
not be used.

Any additional questions, come talk in #openstack-dev on Freenode


On 10/25/2012 09:59 AM, Ralf Haferkamp wrote:
> On Thu, Oct 25, 2012 at 03:47:42PM +0200, Ralf Haferkamp wrote:
>> On Tue, Oct 02, 2012 at 01:06:44PM -0400, Adam Young wrote:
>>> On 10/02/2012 12:07 PM, Ralf Haferkamp wrote:
>>>> On Thu, Sep 27, 2012 at 01:52:25PM -0400, Adam Young wrote:
>>>>> On 09/27/2012 04:15 AM, Ralf Haferkamp wrote:
> [..]
>>> Good first take.  However, I would prefer to add an else block on:
>>>
>>>   if auth is None:
>>>       if 'REMOTE_USER' in context:
>>>           # assume external request for unscoped token
>>>   else:
>>>       if 'passwordCredentials' in auth:
>>>           # UserID and Password passed explicitly here will trump REMOTE_USER
>>>       elif 'token' in auth:
>>>           ...
>>>       else:
>>>           if 'REMOTE_USER' in context:
>>>               if 'tenantName' in auth:
>>>                   # allocate scoped token
>>>                   # not 100% sure I want to allow this, but that is a different discussion
>>>               else:
>>>                   # assume external request for unscoped token
>>>                   # don't fail just because there is an auth block.
>> I finally found some time to rework my code according to your suggestion. See
>> here again:
>> https://github.com/rhafer/keystone/tree/external-auth
>>
>> Currently the code will just allocate an unscoped token if no "auth" block is
>> present and REMOTE_USER is set. If the auth block is present and contains a
>> valid "tenantName" or "tenantId" a scoped token will be returned. I guess
>> that's what you intended, right?
>>
>> Also there seems to be some code duplication in the different code paths
>> (username/password auth vs. token auth). And I added more with external auth
>> support :(. I'll check if I can reduce that a bit.
>>
> Gah, I just saw that there is already a similar patch in review
> (https://review.openstack.org/#/c/14775/) currently. Must have overlooked that.
> So I guess I'd better look into that one. Sorry for the noise.
>
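The dispatch sketched in the quoted pseudocode, written out as an added example; this is not code from the thread or from keystone. It assumes `context` is the WSGI environ, so a genuine REMOTE_USER set by the web server's auth module appears under the key `REMOTE_USER`, while a client-supplied `Remote-User:` header would only ever appear as `HTTP_REMOTE_USER` and is therefore never trusted. The helper names `external_user` and `choose_auth` are hypothetical.

```python
from typing import NamedTuple, Optional


class AuthDecision(NamedTuple):
    source: str            # 'password', 'token', 'external' or 'reject'
    scoped: bool           # True if a tenant-scoped token would be issued
    user: Optional[str]    # identity taken from the chosen source


def external_user(environ: dict) -> Optional[str]:
    """Return REMOTE_USER only if the front-end web server set it.

    The server's auth module writes the bare 'REMOTE_USER' key; any header a
    client sends is exposed as 'HTTP_REMOTE_USER', so a spoofed header never
    matches here. This is why no extra keystone config switch is needed: without
    external auth configured in the web server the key is simply absent.
    """
    return environ.get('REMOTE_USER') or None


def _wants_scope(auth: dict) -> bool:
    # Ralf's version accepts either tenantName or tenantId for a scoped token.
    return 'tenantName' in auth or 'tenantId' in auth


def choose_auth(auth: Optional[dict], environ: dict) -> AuthDecision:
    """Decide which credential source a token request should be served from."""
    ext = external_user(environ)
    if auth is None:
        # No auth block: only an external identity can yield (an unscoped) token.
        if ext:
            return AuthDecision('external', False, ext)
        return AuthDecision('reject', False, None)
    if 'passwordCredentials' in auth:
        # Explicit user/password always trumps REMOTE_USER.
        creds = auth['passwordCredentials']
        return AuthDecision('password', _wants_scope(auth), creds.get('username'))
    if 'token' in auth:
        # Token-for-token exchange; the caller's identity comes from the old token.
        return AuthDecision('token', _wants_scope(auth), None)
    if ext:
        # Auth block without credentials: don't fail, use the external identity,
        # scoped if a tenant was named, unscoped otherwise.
        return AuthDecision('external', _wants_scope(auth), ext)
    return AuthDecision('reject', False, None)
```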