[openstack-dev] [keystone] External authentication

Ralf Haferkamp rhafer at suse.de
Tue Sep 25 09:20:27 UTC 2012


I've been thinking about adding support for External Authentication to
keystone. By "External Authentication" I mean that e.g. when I run keystone
behind apache it would be nice if I could just let apache handle the
authentication (via mod_auth_kerb for example) and have keystone issue a Token
based on the information that apache provides about the authenticated user
(e.g. the username is usually passed via the REMOTE_USER env variable).

I am currently wondering how the client should indicate to the server that
External Auth should be used? One could add another parameter to the JSON doc
that's POSTed during keystone authentication instead of the username/password
tuple, but is that really needed or should keystone just check for the presence
of specific ENV variables (e.g. REMOTE_USER as set by apache2) when external
auth is enabled? In my current prototype implementation I do just that. What
would be the preferable approach here?

BTW, has anybody else been working on this already? Does this even sound like a
feature worth adding?
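
The environment-variable approach asked about in this message, as an added example (not part of the original post and not Keystone's own code). The function name `authenticate`, the `external_auth_enabled` flag, the `passwordCredentials` body layout and the user store are assumptions made for illustration. It accepts only the server-set `REMOTE_USER` key, ignores the client-controllable `HTTP_REMOTE_USER`, and never falls back to external auth when credentials in the body fail.

```python
import hmac

# Constructed user store for the example; real deployments keep hashed passwords.
USERS = {"alice": "s3cret"}


class AuthError(Exception):
    """Raised when a token request carries no acceptable proof of identity."""


def authenticate(environ, body, external_auth_enabled):
    """Return (method, username) for a token request, or raise AuthError.

    environ: WSGI environ as built by the web server (hypothetical caller).
    body:    parsed JSON document POSTed by the client.
    """
    creds = body.get("auth", {}).get("passwordCredentials")
    if creds is not None:
        # Explicit credentials in the body are always verified. A failure here
        # must not fall through to REMOTE_USER.
        expected = USERS.get(creds.get("username"), "")
        supplied = creds.get("password")
        if (isinstance(supplied, str) and expected
                and hmac.compare_digest(expected.encode(), supplied.encode())):
            return ("password", creds["username"])
        raise AuthError("invalid credentials")

    if external_auth_enabled:
        # Only the server-set REMOTE_USER key counts. A request header named
        # "Remote-User" arrives as HTTP_REMOTE_USER and is deliberately ignored.
        user = environ.get("REMOTE_USER", "").strip()
        if user:
            return ("external", user)

    raise AuthError("no usable credentials")
```
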

