[openstack-dev] [Keystone] How to check admin authentication?
divius.inside at gmail.com
Mon Mar 2 08:53:42 UTC 2015
2015-02-27 17:27 GMT+01:00 Dolph Mathews <dolph.mathews at gmail.com>:
> On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur <dtantsur at redhat.com>
>> Hi all!
>> This (presumably) pretty basic question has been torturing me for several
>> months already, so I kindly seek help here.
>> I'm working on a Flask-based service and I'd like to use Keystone
>> tokens for authentication. This is an admin-only API, so we need to check
>> for an admin role. We ended up with code first accessing Keystone with
>> a given token and a (configurable) admin tenant name, then checking for the
>> 'admin' role. Things went well for a while.
>> Now I'm writing an Ironic driver accessing API of . Pretty naively I
>> was trying to use the Ironic service user's credentials, which we use for
>> accessing all other services. For TripleO-based installations it's a user
>> with name 'ironic' and a special tenant 'service'. Here is where problems
>> are. Our code perfectly authenticates a mere user (that has tenant
>> 'admin'), but asks Ironic to go away.
>> We've spent some time researching documentation and keystone middleware
>> source code, but didn't find any more clues. Neither did we find a way to
>> use keystone middleware without rewriting half of the project. What we need is
>> 2 simple things in a simple Flask application:
>> 1. validate a token
>> 2. make sure it belongs to admin
> I'm not really clear on what problem you're having, because I'm not sure
> if you care about an "admin" username, "admin" tenant name, or "admin" role
> name. If you're implementing RBAC, you only really need to care about the
> user having an "admin" role in their list of roles.
Yeah, I guess that's what I need.
> You can wrap your flask application with a configured instance of
> auth_token middleware; this is about the simplest way to do it, and this
> also demos the environment variables exposed to your application that you
> can use to validate authorization:
Thanks a lot, I will give it a try!
>> I'd thankfully appreciate any ideas on how to fix our situation.
>> Thanks in advance!
>>  https://github.com/stackforge/ironic-discoverd
>>  https://github.com/stackforge/ironic-discoverd/blob/master/
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:
-- Dmitry Tantsur
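The role check Dolph describes, as an added example that is not code from this thread, from ironic-discoverd or from keystonemiddleware: a small WSGI filter that reads the headers auth_token sets on a validated request (X-Identity-Status, X-Roles, X-User-Name, X-Project-Name, visible to the application as HTTP_X_* environ keys) and lets only confirmed holders of the "admin" role through, regardless of which tenant the token was scoped to. It assumes auth_token is deployed in front of it with delay_auth_decision enabled, so that invalid tokens arrive as X-Identity-Status: Invalid instead of being rejected earlier; the wrapped hello_app, the ADMIN_ENV/MEMBER_ENV/INVALID_ENV environs and the Keystone URI are constructed for the example.

```python
"""Admin-only WSGI filter for use behind keystonemiddleware's auth_token.

auth_token validates the token and exposes the result to the application
as request headers (HTTP_X_* keys in the WSGI environ):
  X-Identity-Status   'Confirmed', or 'Invalid' when delay_auth_decision is on
  X-Roles             comma-separated role names
  X-User-Name / X-Project-Name   identity details
This filter trusts those headers, so it must only be reachable through
auth_token; exposed directly, a client could set X-Roles itself.
"""
import json

ADMIN_ROLE = "admin"  # role name the check looks for; make it configurable in a real service


def parse_roles(header_value):
    """Split the X-Roles header into a clean list of role names."""
    if not header_value:
        return []
    return [r.strip() for r in header_value.split(",") if r.strip()]


def authorize(environ, admin_role=ADMIN_ROLE):
    """Return (status_code, reason) for a request environ.

    200 -> confirmed token carrying the admin role
    401 -> token missing or invalid (auth_token marked it Invalid)
    403 -> valid token, but no admin role (tenant name is not considered)
    """
    if environ.get("HTTP_X_IDENTITY_STATUS") != "Confirmed":
        return 401, "token missing or invalid"
    roles = parse_roles(environ.get("HTTP_X_ROLES"))
    if admin_role not in roles:
        return 403, "role %r required, got %r" % (admin_role, roles)
    return 200, "ok"


class AdminOnly(object):
    """WSGI middleware: wrap an app so only confirmed admins reach it."""

    def __init__(self, app, admin_role=ADMIN_ROLE):
        self.app = app
        self.admin_role = admin_role

    def __call__(self, environ, start_response):
        code, reason = authorize(environ, self.admin_role)
        if code == 200:
            return self.app(environ, start_response)
        status = {401: "401 Unauthorized", 403: "403 Forbidden"}[code]
        body = json.dumps({"error": reason}).encode("utf-8")
        headers = [("Content-Type", "application/json"),
                   ("Content-Length", str(len(body)))]
        if code == 401:
            # point the client at Keystone, as auth_token does on rejection
            # (placeholder URI, constructed for the example)
            headers.append(("WWW-Authenticate",
                            "Keystone uri='http://keystone.example:5000'"))
        start_response(status, headers)
        return [body]


def hello_app(environ, start_response):
    """The protected application (constructed): reports who got through."""
    body = ("hello %s from project %s\n" % (
        environ.get("HTTP_X_USER_NAME"),
        environ.get("HTTP_X_PROJECT_NAME"))).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


app = AdminOnly(hello_app)


def call(environ):
    """Drive the wrapped app without a server; return (status line, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(app(environ, start_response))
    return captured["status"], body.decode("utf-8")


# Constructed environs standing in for what auth_token would set after
# validating a token. The first mirrors the thread's case: the 'ironic'
# service user in the 'service' tenant, holding the admin role.
ADMIN_ENV = {"HTTP_X_IDENTITY_STATUS": "Confirmed", "HTTP_X_ROLES": "admin, _member_",
             "HTTP_X_USER_NAME": "ironic", "HTTP_X_PROJECT_NAME": "service"}
MEMBER_ENV = {"HTTP_X_IDENTITY_STATUS": "Confirmed", "HTTP_X_ROLES": "_member_",
              "HTTP_X_USER_NAME": "demo", "HTTP_X_PROJECT_NAME": "demo"}
INVALID_ENV = {"HTTP_X_IDENTITY_STATUS": "Invalid"}

if __name__ == "__main__":
    for name, env in (("admin", ADMIN_ENV), ("member", MEMBER_ENV), ("invalid", INVALID_ENV)):
        print(name, call(env))
```

In a paste-deploy pipeline the filter sits after auth_token, and the auth_token section needs delay_auth_decision = True for the 401 branch to ever run; without it, auth_token answers invalid tokens itself and the application only ever sees Confirmed requests. The check deliberately ignores X-Project-Name, which is why a service user scoped to the 'service' tenant passes as long as its token carries the admin role.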