[Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity
Tim Bell
Tim.Bell at cern.ch
Thu Oct 24 07:15:20 UTC 2013
I think we also need a standard way to specify the X.509 certificate location and the authentication method to be used (X.509, Kerberos, etc.)
Do we have a slot at the summit for this discussion? It would be good to finalise the necessary parts so we can help out with the implementation.
Tim
> -----Original Message-----
> From: Adam Young [mailto:ayoung at redhat.com]
> Sent: 24 October 2013 04:23
> To: openstack at lists.openstack.org
> Subject: Re: [Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity
>
> On 10/23/2013 06:35 PM, Colin Leavett-Brown wrote:
> > The havana configuration reference contains a section on how to
> > configure keystone to accept x.509 certificates. How does one map
> > x.509 credentials to keystone IDs, projects, roles and privileges?
> I think there is more work to be done here. To start with, you use Apache and mod_nss or mod_ssl, and it will hand environment variables
> over to the WSGI application. The external module is currently only
> making use of the REMOTE_USER env var. I have a patch to make things a little more general purpose:
>
> https://review.openstack.org/#/c/52732/
>
> Jenkins and the Keystone reviewers agree that this needs more work.
> However, the base idea is that we need to put the env vars in the context, and then let external use them. The envvars exposed by X509
> client authentication are here:
>
> http://www.freeipa.org/page/Environment_Variables#X.509_Authentication
>
> I'd expect most people would be interested in some variation of
> SSL_CLIENT_S_DN or SSL_CLIENT_S_DN_x509 as the username or userid.
>
>
> However, that does not contain sufficient information to map to roles.
> You still need to do another lookup to some store to get the equivalent of "groups" for this document. If the information that you want is
> embedded in the X509 you need to extract it. The entire cert is in there in SSL_CLIENT_CERT in PEM format. There may be more
> variables than that in your deployment.
>
> >
> > _______________________________________________
> > Mailing list:
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to : openstack at lists.openstack.org
> > Unsubscribe :
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
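As an added example of the flow Adam describes (this is not code from the thread, nor Keystone's own external plugin), the WSGI filter below takes the variables mod_ssl hands to the application, refuses the request unless SSL_CLIENT_VERIFY reports that Apache verified the chain, parses SSL_CLIENT_S_DN in either of the two formats mod_ssl has emitted over time, and then performs the second lookup for groups that the thread says is still needed. The in-memory GROUP_STORE stands in for whatever real store (LDAP, SQL) a deployment would use; it, the environ key `x509.identity` and the demo application are assumptions for the example. Setting REMOTE_USER is done because that is the variable the current external module reads.

```python
"""Map mod_ssl client-certificate variables to a Keystone-style identity.

Constructed example for the thread above; the group store, the
``x509.identity`` environ key and the demo app are assumptions.
"""
import re

# Constructed stand-in for the external group store the thread says is
# still required (LDAP, SQL, ...).  Keys are subject DNs in RFC 2253
# order; values are the groups the user belongs to.
GROUP_STORE = {
    "CN=alice,OU=IT,O=Example Org,C=CH": ["cloud-admins", "project-a"],
    "CN=bob,OU=IT,O=Example Org,C=CH": ["project-a"],
}


def parse_subject_dn(dn):
    """Return the DN as an ordered list of (attribute, value) pairs.

    Accepts both forms mod_ssl has used: the legacy slash form
    '/C=CH/O=Example Org/CN=alice' (root first) and the RFC 2253 form
    'CN=alice,O=Example Org,C=CH' (leaf first).  The result is always in
    RFC 2253 order so the two forms compare equal.
    """
    if dn.startswith("/"):
        parts = [p for p in re.split(r"(?<!\\)/", dn) if p]
        parts.reverse()  # legacy form lists the root component first
    else:
        parts = [p for p in re.split(r"(?<!\\),", dn) if p]
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        value = value.replace("\\/", "/").replace("\\,", ",")
        pairs.append((attr.strip().upper(), value.strip()))
    return pairs


def normalise_dn(pairs):
    """Canonical RFC 2253 string used as the lookup key and user id."""
    return ",".join("%s=%s" % (a, v) for a, v in pairs)


def identity_from_environ(environ):
    """Build an identity dict from mod_ssl variables, or None if untrusted."""
    # Only trust the subject DN if Apache actually verified the client chain;
    # mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or FAILED:...
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    dn = environ.get("SSL_CLIENT_S_DN")
    if not dn:
        return None
    pairs = parse_subject_dn(dn)
    cn = next((v for a, v in pairs if a == "CN"), None)
    if cn is None:
        return None
    canonical = normalise_dn(pairs)
    # Second lookup: the certificate alone carries no group/role data.
    groups = GROUP_STORE.get(canonical, [])
    return {"user_id": canonical, "username": cn, "groups": groups}


class X509ExternalAuth(object):
    """WSGI filter that sets REMOTE_USER (what the external plugin reads)
    and passes the full identity on under an assumed environ key."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        ident = identity_from_environ(environ)
        if ident is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"verified client certificate required\n"]
        environ["REMOTE_USER"] = ident["username"]
        environ["x509.identity"] = ident
        return self.app(environ, start_response)


def _demo_app(environ, start_response):
    """Assumed downstream application that reports what it was given."""
    ident = environ["x509.identity"]
    body = "user=%s groups=%s\n" % (ident["username"], ",".join(ident["groups"]))
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body.encode("utf-8")]


def call(environ):
    """Run one request through the filter; returns (status, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status

    body = b"".join(X509ExternalAuth(_demo_app)(dict(environ), start_response))
    return captured["status"], body.decode("utf-8")


# Constructed environ in the shape mod_ssl sets it (legacy DN format).
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=CH/O=Example Org/OU=IT/CN=alice",
}

if __name__ == "__main__":
    print(call(SAMPLE_ENVIRON))
```

The SSL_CLIENT_VERIFY check is the part worth keeping whichever variable ends up as the username: with `SSLVerifyClient optional` Apache still exports the subject DN for a certificate it could not chain to a trusted CA, so the DN alone is not proof of anything.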