[openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana
David Chadwick
d.w.chadwick at kent.ac.uk
Tue Oct 29 17:19:29 UTC 2013
What is the semantic of "domain" in the current implementation? Until we
know this we cant devise a solution.
Will the developed solution cater for me logging in via Google using my
kent email address (as opposed to my gmail one)? In this case there
could be 2 domains (depending upon the semantic of domain)
regards
David
On 29/10/2013 15:52, Fox, Kevin M wrote:
> Has the case been considered where REMOTE_USER is used with
> authentication mechanisms where the username is an email address? It
> will have to keep the @domain part because that's the only thing that
> makes it unique.
>
> Thanks, Kevin ________________________________________ From: Álvaro
> López García [alvaro.lopez.garcia at cern.ch] Sent: Tuesday, October 29,
> 2013 5:59 AM To: OpenStack dev Subject: [openstack-dev] [keystone]
> Support for external authentication (i.e. REMOTE_USER) in Havana
>
> Hi there,
>
> I've been working on this bug [1,2] related with the pluggable
> external authentication support in Havana. For those not familiar
> with it, Keystone can rely on the usage of the REMOTE_USER env
> variable, assuming that the user has been authenticated upstream (by
> an httpd server). This REMOTE_USER variable is supposed to store the
> username information that Keystone is going to use.
>
> In the Havana external authentication plugins, the REMOTE_USER
> variable is *always* split by the "@" character, assuming that the @
> is being used as the domain separator (i.e.
> REMOTE_USER=username at domain).
>
> Now there are two plugins available:
>
> - ExternalDefault: Only the leftmost part of the REMOTE_USER after
> the split is considered. The domain information is obtainted from
> the default domain configured in keystone.conf.
>
> - ExternalDomain: The rightmost part is considered the domain, and
> the leftover is considered the username.
>
> The change in [2] aims to solve this problem: ExternalDefault will
> not split the username by an "@" since we are going to use the
> default domain so we assume that no domain will be appended.
>
> However, this will work only if we are using a WSGI filter that is
> aware of the semantics: the filter should know if ExternalDefault is
> used so that the domain information is not appended, but append it
> if ExternalDomain is used. Moreover, if somebody is using directly
> the REMOTE_USER variable from Apache without any WSGI filter (for
> example using X509 auth with mod_ssl and the SSLUsername directive
> [3]) the REMOTE_USER will contain only the username and no domain at
> all.
>
> Does anybody have any concerns about this? Should we pass down the
> domain information by any other mean?
>
> [1] https://bugs.launchpad.net/keystone/+bug/1211233 [2]
> https://review.openstack.org/#/c/50362/ [3]
> http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername --
> Álvaro López García
> aloga at ifca.unican.es Instituto de Física de Cantabria
> http://alvarolopez.github.io Ed. Juan Jordá, Campus UC
> tel: (+34) 942 200 969 Avda. de los Castros s/n 39005 Santander
> (SPAIN)
> _____________________________________________________________________
>
>
"Everyone knows that debugging is twice as hard as writing a program in
> the first place. So if you are as clever as you can be when you write
> it, how will you ever debug it?" -- Brian Kernighan
>
> _______________________________________________ OpenStack-dev mailing
> list OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
> _______________________________________________ OpenStack-dev mailing
> list OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
More information about the OpenStack-dev
mailing list