[openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana

Álvaro López García alvaro.lopez.garcia at cern.ch
Wed Oct 30 22:28:04 UTC 2013


Hi Adam.

On Wed 30 Oct 2013 (11:08), Adam Young wrote:
> On 10/30/2013 05:38 AM, Álvaro López García wrote:
>
> (...)
>
> >Please take
> >into account that external authentication and the REMOTE_USER stuff
> >can be used without any federation at all. For example if an org
> >is providing their users with X509 certificates and they want to
> >use that for authentication instead of username/password. In this case
> >there would be no authz, no mapping, etc., just authn.
> 
> Oh, no, not at all... Authentication is not authorization.
> Authorization is based on authentication plus.  It is that plus that
> is important.

After re-reading my email I realise that I didn't explain myself.
Of course I didn't want to say that there will be no authz at all.
What I meant is that we should consider that there are
organizations that will rely on LDAP or SQL after the user logs in,
and they just want to authN their users externally. In these cases,
there is no _external_ authZ.

> Yes, it may still be an LDAP call after the user logs in with the
> X509, we are not going to break that.  But even in a non-federated
> case, it is likely that Authorization attributes will be coming
> from the Web front end.

This is exactly what I meant. We should not break this, since this is
something that is working right now (I'm aware of several deployments
relying on this).

-- 
Álvaro López García                              aloga at ifca.unican.es
Instituto de Física de Cantabria         http://alvarolopez.github.io
Ed. Juan Jordá, Campus UC                      tel: (+34) 942 200 969
Avda. de los Castros s/n
39005 Santander (SPAIN)
_____________________________________________________________________
"Fancy optimizers have fancy bugs." -- Rob Pike
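The deployment pattern discussed in this message (the web front end authenticates the client, for example from an X.509 certificate, and hands the identity to the application as REMOTE_USER; the application then does its own authorization lookup against LDAP or SQL) as an added example. This is illustration code written for this page, not Keystone's external-auth plugin or any project code. It assumes an Apache/mod_ssl front end configured with `SSLVerifyClient require`, `SSLOptions +StdEnvVars` and `SSLUserName SSL_CLIENT_S_DN_CN`; the user names, the in-memory role table standing in for LDAP/SQL, and the function names are all made up for the example.

```python
"""External authN via REMOTE_USER, local authZ via a backend lookup.

Added example, not Keystone code.  Assumptions (all hypothetical):
  - the web server (Apache mod_ssl) verifies the client certificate and
    exports the subject CN as REMOTE_USER in the WSGI environ
    (SSLUserName SSL_CLIENT_S_DN_CN), or at least exports
    SSL_CLIENT_VERIFY / SSL_CLIENT_S_DN_CN (SSLOptions +StdEnvVars);
  - AUTHZ_BACKEND is a stand-in for the LDAP/SQL directory that holds
    the project and role assignments.
"""

# Constructed stand-in for the LDAP/SQL assignment backend.
AUTHZ_BACKEND = {
    "alice": {"project": "demo", "roles": ["member"]},
    "bob": {"project": "demo", "roles": ["admin"]},
}


class AuthError(Exception):
    """Raised when no trustworthy external identity or no assignment exists."""


def external_identity(environ):
    """Return the identity asserted by the web server, never by the client.

    WSGI maps client request headers to HTTP_* keys, so a client sending
    "X-Remote-User: bob" shows up as HTTP_X_REMOTE_USER.  Those keys are
    deliberately ignored; only REMOTE_USER (set by the server) or a
    successfully verified certificate subject is accepted.
    """
    user = environ.get("REMOTE_USER")
    if user:
        return user
    # X.509 path when SSLUserName is not configured: trust the CN only if
    # mod_ssl reports that the client certificate verified.
    if environ.get("SSL_CLIENT_VERIFY") == "SUCCESS":
        cn = environ.get("SSL_CLIENT_S_DN_CN")
        if cn:
            return cn
    raise AuthError("no externally authenticated identity")


def local_authorization(user):
    """Authorization is a separate step: authenticated users without an
    assignment in the local backend still get rejected."""
    record = AUTHZ_BACKEND.get(user)
    if record is None:
        raise AuthError("%s authenticated but has no local assignment" % user)
    return record


def app(environ, start_response):
    """Minimal WSGI application using the two steps above."""
    try:
        user = external_identity(environ)
        record = local_authorization(user)
    except AuthError as exc:
        start_response("401 Unauthorized", [("Content-Type", "text/plain")])
        return [str(exc).encode()]
    body = "%s project=%s roles=%s" % (
        user, record["project"], ",".join(record["roles"]))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode()]


def call(environ):
    """Invoke app() without a server; returns (status, body) for inspection."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    body = b"".join(app(environ, start_response)).decode()
    return captured["status"], body


if __name__ == "__main__":
    # Server-asserted identity: authenticated and authorized.
    print(call({"REMOTE_USER": "alice"}))
    # Client-supplied header only: not trusted, authentication fails.
    print(call({"HTTP_X_REMOTE_USER": "bob"}))
    # Verified certificate CN with no SSLUserName: accepted.
    print(call({"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_S_DN_CN": "bob"}))
    # Authenticated externally, but unknown to the local backend.
    print(call({"REMOTE_USER": "mallory"}))
```

The split mirrors the point of the thread: the web front end owns authentication and the application owns authorization, and the two stay independent. The one check worth keeping in any such setup is that the application reads only the server-set REMOTE_USER (or the verified certificate variables), never a client header that merely looks like it.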