[Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity
Adam Young
ayoung at redhat.com
Thu Oct 24 02:23:01 UTC 2013
On 10/23/2013 06:35 PM, Colin Leavett-Brown wrote:
> The havana configuration reference contains a section on how to
> configure keystone to accept x.509 certificates. How does one map
> x.509 credentials to keystone IDs, projects, roles and privileges?
I think there is more work to be done here. To start with, you use
Apache and mod_nss or mod_ssl, and it will hand environment variables
over to the WSGI application. The external module is currently only
making use of the REMOTE_USER env var. I have a patch to make things a
little more general purpose:
https://review.openstack.org/#/c/52732/
Jenkins and the Keystone reviewers agree that this needs more work.
However, the base idea is that we need to put the env vars in the
context, and then let external use them. The envvars exposed by X509
client authentication are here:
http://www.freeipa.org/page/Environment_Variables#X.509_Authentication
I'd expect most people would be interested in some variation of
SSL_CLIENT_S_DN or SSL_CLIENT_S_DN_x509 as the username or userid.
However, that does not contain sufficient information to map to roles.
You still need to do another lookup to some store to get the equivalent
of "groups" for this document. If the information that you want is
embedded in the X509 you need to extract it. The entire cert is in
there in SSL_CLIENT_CERT in PEM format. There may be more variables
than that in your deployment.
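As an added example (not code from Adam's reply or from Keystone's external plugin), this is the WSGI-side mapping the reply describes: take the mod_ssl variables Apache hands to the application, use the client certificate's subject DN as the identity, and do the separate lookup for groups. SSL_CLIENT_VERIFY and SSL_CLIENT_S_DN are real mod_ssl variables; the group store and the sample environ are constructed for the example.

```python
import re

# Constructed stand-in for the "other lookup" the reply mentions (LDAP, a
# database, ...): subject CN -> groups. Not a Keystone structure.
GROUP_STORE = {
    "alice": ["admins", "project-a"],
    "bob": ["project-a"],
}

_LEGACY_DN = re.compile(r"/([A-Za-z]+)=([^/]*)")  # "/C=US/O=Example/CN=alice"


def parse_dn(dn):
    """Return the DN as a list of (attribute, value) pairs.

    mod_ssl emits SSL_CLIENT_S_DN either in its legacy slash-separated form
    or (Apache 2.4, LegacyDNStringFormat off) in RFC 2253 form such as
    "CN=alice,O=Example,C=US"; both are handled here.
    """
    if dn.startswith("/"):
        return [(k.upper(), v) for k, v in _LEGACY_DN.findall(dn)]
    pairs = []
    for part in re.split(r"(?<!\\),", dn):  # split on unescaped commas only
        k, _, v = part.partition("=")
        pairs.append((k.strip().upper(), v.replace("\\,", ",")))
    return pairs


def identity_from_environ(environ):
    """Map the mod_ssl variables in a WSGI environ to user + groups, or None.

    The subject DN only means something if Apache itself verified the client
    chain: SSL_CLIENT_VERIFY is "SUCCESS" exactly then (else NONE, GENEROUS
    or FAILED:<reason>), so anything else is treated as unauthenticated.
    """
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = environ.get("SSL_CLIENT_S_DN")
    if not dn:
        return None
    cns = [v for k, v in parse_dn(dn) if k == "CN"]
    if len(cns) != 1:  # missing or ambiguous CN: refuse rather than guess
        return None
    groups = GROUP_STORE.get(cns[0])
    if groups is None:  # valid certificate, but the user is unknown to us
        return None
    return {"user": cns[0], "dn": dn, "groups": list(groups)}


# Constructed environ, as Apache would populate it for the WSGI application.
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/O=Example/CN=alice",
}
```

Whether the certificate carries a usable identity is only half the question; the example returns None for a verified certificate whose CN has no entry in the store, which is where roles would otherwise come from.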