[Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity

Adam Young ayoung at redhat.com
Thu Oct 24 02:23:01 UTC 2013


On 10/23/2013 06:35 PM, Colin Leavett-Brown wrote:
> The havana configuration reference contains a section on how to 
> configure keystone to accept x.509 certificates. How does one map 
> x.509 credentials to keystone IDs, projects, roles and privileges?
I think there is more work to be done here.  To start with, you use 
Apache and mod_nss or mod_ssl, and it will hand environment variables 
over to the WSGI application.   The external module is currently only 
making use of  the REMOTE_USER env var.  I have a patch to make things a 
little more general purpose:

https://review.openstack.org/#/c/52732/

Jenkins and the Keystone reviewers agree that this needs more work. 
However, the base idea is that we need to put the env vars in the 
context, and then let external use them.  The envvars exposed by X509 
client authentication are here:

http://www.freeipa.org/page/Environment_Variables#X.509_Authentication

I'd expect most people would be interested in some variation of
  SSL_CLIENT_S_DN or SSL_CLIENT_S_DN_x509 as the username or userid.


However, that does not contain sufficient information to map to roles.  
You still need to do another lookup to some store to get the equivalent 
of "groups" for this document.  If the information that you want is 
embedded in the X509 you need to extract it.  The entire cert is in 
there in  SSL_CLIENT_CERT in PEM format.  There may be more variables 
than that in your deployment.

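The mapping step Adam describes (take the mod_ssl/mod_nss variables the WSGI app receives, derive a user id, then do a separate lookup for project and roles), as an added example that is not code from the post or from Keystone. The `ROLE_STORE` dictionary stands in for the external store, `SSL_CLIENT_VERIFY` and `SSL_CLIENT_S_DN_CN` are standard mod_ssl variables not listed in the post, and the sample environ is constructed.

```python
import re

# Assumed external store: the "another lookup" the post mentions. In a real
# deployment this would be LDAP, a database or a mapping file.
ROLE_STORE = {
    "alice": {"project": "demo", "roles": ["member"]},
}


def client_identity(environ):
    """Return (user_id, dn) from the SSL_CLIENT_* variables, or None."""
    # mod_ssl sets SSL_CLIENT_VERIFY; only SUCCESS means the client cert
    # chained to a trusted CA. Treat anything else as unauthenticated.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = environ.get("SSL_CLIENT_S_DN")
    # Use the per-component variable rather than parsing the formatted DN,
    # whose layout differs between mod_ssl versions.
    cn = environ.get("SSL_CLIENT_S_DN_CN")
    if not dn or not cn:
        return None
    # Only accept CNs that are safe to use as a lookup key downstream.
    if not re.fullmatch(r"[A-Za-z0-9._@-]{1,64}", cn):
        return None
    return cn, dn


def map_credentials(environ, store=ROLE_STORE):
    """Map the X.509 identity to a keystone-style user/project/roles record."""
    ident = client_identity(environ)
    if ident is None:
        return None
    user_id, dn = ident
    entry = store.get(user_id)
    if entry is None:
        return None  # valid certificate, but unknown to this deployment
    return {"user_id": user_id, "dn": dn,
            "project": entry["project"], "roles": list(entry["roles"])}


# Constructed sample environ, shaped like what Apache hands to the WSGI app.
SAMPLE_ENVIRON = {
    "REMOTE_USER": "CN=alice,O=Example",
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/O=Example/CN=alice",
    "SSL_CLIENT_S_DN_CN": "alice",
    # Full PEM cert is also available; placeholder body here (constructed).
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
}
```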