[openstack-dev] [Keystone] How to check admin authentication?

Kiall Mac Innes kiall at macinnes.ie
Mon Mar 2 11:12:05 UTC 2015

On 02/03/15 08:53, Dmitry Tantsur wrote:
> 2015-02-27 17:27 GMT+01:00 Dolph Mathews <dolph.mathews at gmail.com 
> <mailto:dolph.mathews at gmail.com>>:
>     On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur
>     <dtantsur at redhat.com <mailto:dtantsur at redhat.com>> wrote:
>         Hi all!
>         This (presumably) pretty basic question tortures me for
>         several months already, so I kindly seek for help here.
>         I'm working on a Flask-based service [1] and I'd like to use
>         Keystone tokens for authentication. This is an admin-only API,
>         so we need to check for an admin role. We ended up with code
>         [2] first accessing Keystone with a given token and
>         (configurable) admin tenant name, then checking 'admin' role.
>         Things went well for a while.
>         Now I'm writing an Ironic driver accessing API of [1]. Pretty
>         naively I was trying to use an Ironic service user
>         credentials, that we use for accessing all other services. For
>         TripleO-based installations it's a user with name 'ironic' and
>         a special tenant 'service'. Here is where problems are. Our
>         code perfectly authenticates a mere user (that has tenant
>         'admin'), but asks Ironic to go away.
>         We've spent some time researching documentation and keystone
>         middleware source code, but didn't find any more clues.
>         Neither did we find a way to use keystone middleware without
>         rewriting half of project. What we need is 2 simple things in
>         a simple Flask application:
>         1. validate a token
>         2. make sure it belongs to admin
>     I'm not really clear on what problem you're having, because I'm
>     not sure if you care about an "admin" username, "admin" tenant
>     name, or "admin" role name. If you're implementing RBAC, you only
>     really need to care about the user have an "admin" role in their
>     list of roles.
> Yeah, I guess that's what I need.

It's probably worth calling out that, the Keystone middleware itself 
doesn't have any concept of "admin" built in (and this is a good 
thing!). Your nova admins may be a totally different group of people to 
your Swift admins. Instead, the Keystone middleware will simply tell you 
the facts about the user/tenant making the API call, their username, 
tenant_id/project_id, the list of roles assigned to them etc. Given this 
information, most OpenStack projects use the oslo policy library to take 
this info, apply some rules, and then allow you to ask "Can the user 
perform action X?" rather than "Is this user an admin?".

For a small internal project, this kind of flexibility may not matter, 
and it's certainly not required to use the KS middleware.. But if you're 
trying to dig through the various projects codebase's to see how things 
are done, knowing this will help :)

>     You can wrap your flask application with a configured instance of
>     auth_token middleware; this is about the simplest way to do it,
>     and this also demos the environment variables exposed to your
>     application that you can use to validation authorization:
>     https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41
> Thanks a lot, I will give it a try!

If you happen to be using paste-deploy with Flask, Designate has some 
code that does just that..

We use a piece of WSGI Middleware[1] to read the info provided by the 
keystone middleware and attach it to the Request object for later use, 
and the api-paste.ini itself[2] to wire up the KS middleware, our 
KeystoneContextMiddleware" and the Flask app itself.


Good luck!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20150302/5e0e6039/attachment.html>

More information about the OpenStack-dev mailing list