[openstack-dev] Testing keystone auth middleware

Bhandaru, Malini K malini.k.bhandaru at intel.com
Sat May 4 02:43:35 UTC 2013


Thanks Dolph for the irc response and the doc link.

I did manage to switch to uuid tokens (if you use devstack, set it in the localrc file, the stack.sh and buddy scripts clobber any local changes to /etc/keystone/keystone.conf file)

But authentication still fails.
Given that keystone auth middleware strips all headers but X-Auth-Token

for a curl token response such as :
curl -d '{"auth":{"passwordCredentials":{"username": "nova", "password": "orange"}}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens

{"access": {"token": {"issued_at": "2013-05-04T02:15:47.369965", "expires": "2013-05-05T02:15:47Z", "id": "b768f63b70a74970b3648c032f164540"}, "serviceCatalog": [], "user": {"username": "nova", "roles_links": [], "id": "1f9c72dc74f84055a9d4ddc2155de7d8", "roles": [], "name": "nova"}, "metadata": {"is_admin": 0, "roles": []}}}


what should the value for X-Auth-Token be?
I was passing in: b768f63b70a74970b3648c032f164540
Should I instead be sending in the above json response {"access" ...} ?

Even that failed.

I'll dig some more with debug statements.

Regards
Malini
________________________________
From: Dolph Mathews [dolph.mathews at gmail.com]
Sent: Friday, May 03, 2013 4:11 PM
To: OpenStack Development Mailing List
Subject: Re: [openstack-dev] Testing keystone auth middleware


On Fri, May 3, 2013 at 2:30 PM, Bhandaru, Malini K <malini.k.bhandaru at intel.com> wrote:

Hello Keystone gurus!



We have a currently standalone wsgi application, barbican (key manager), and want to integrate with keystone for auth.

Followed the docs on this and have updated the api-paste.ini etc.



In a typical use case, barbican will get an authenticated user request, thus the auth related headers in the request will be appropriately populated. What do I need to stuff into request headers to mimic this?

Keystone is configured with PKI.



headers = {'X-Auth-User': "nova",
           'X-Auth-Key': "secret",
           'X-Auth-Project-Id': <service-project_id>}

I assume I got your questions answered in IRC, but for anyone else interested, the headers to mimic are documented in auth_token:

  https://github.com/openstack/python-keystoneclient/blob/master/keystoneclient/middleware/auth_token.py#L56




And making the http request with the above headers.

But I get a 401 unauthorized.



Or ??

headers['X-User-Id'] = "nova"

headers['X-Tenant-Id'] = "service"

headers['X-Roles'] = "admin"

headers['X-Identity-Status'] = 'Confirmed'





The parameters below work when used as environment variables to use the “keystone” cli to retrieve user-list etc.



[filter:keystone_authtoken]

paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory

signing_dir = .

auth_host = localhost

auth_port = 35357

auth_protocol = http

admin_tenant_name = service

admin_user = barbican

admin_password = secret
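
An added example, not part of the original thread or of keystone's own code: it reads a v2.0 /tokens response like the one quoted in the reply above, takes access.token.id as the X-Auth-Token value, and reports whether the token is scoped to a tenant and which roles it carries. The helper names, the SCOPED sample and its token and tenant ids are constructed for illustration.

```python
import json

# The unscoped v2.0 /tokens response quoted in the thread.
UNSCOPED = ('{"access": {"token": {"issued_at": "2013-05-04T02:15:47.369965", '
            '"expires": "2013-05-05T02:15:47Z", '
            '"id": "b768f63b70a74970b3648c032f164540"}, "serviceCatalog": [], '
            '"user": {"username": "nova", "roles_links": [], '
            '"id": "1f9c72dc74f84055a9d4ddc2155de7d8", "roles": [], '
            '"name": "nova"}, "metadata": {"is_admin": 0, "roles": []}}}')

# Constructed sample: the shape returned when the request names a tenant.
SCOPED = json.dumps({"access": {
    "token": {"id": "00000000000000000000000000000000",
              "expires": "2013-05-05T02:15:47Z",
              "tenant": {"id": "constructed-tenant-id", "name": "service"}},
    "user": {"username": "barbican", "roles": [{"name": "admin"}]}}})


def token_request_body(username, password, tenant_name=None):
    """Build the v2.0 POST /tokens body; tenantName asks for a scoped token."""
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_name is not None:
        auth["tenantName"] = tenant_name
    return json.dumps({"auth": auth})


def summarize(response_text):
    """Return the header to send plus the scope and roles the token carries."""
    try:
        access = json.loads(response_text)["access"]
        token = access["token"]
        token_id = token["id"]
    except (ValueError, KeyError, TypeError) as exc:
        raise ValueError("not a v2.0 token response") from exc
    tenant = token.get("tenant")
    return {
        "headers": {"X-Auth-Token": token_id},  # only the id, never the JSON
        "scoped": tenant is not None,
        "tenant": tenant["name"] if tenant else None,
        "roles": [r["name"] for r in access.get("user", {}).get("roles", [])],
    }


if __name__ == "__main__":
    for label, text in (("unscoped", UNSCOPED), ("scoped", SCOPED)):
        print(label, summarize(text))
```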




