Open Stack

It depends on webserver.

e.g

1) If you use Apache as webserver and run keystone via mod-wsgi, Apache populates the following headers in env variables.  http://httpd.apache.org/docs/trunk/mod/mod_ssl.html.    Again this will work only if you terminate SSL in Apache
2) If you terminate SSL in loadbalancer, then in every load balancer you can configure your own environment variables and ask it to populate there.


One way of doing it.

 1) Add your middleware to populate your ssl environment variables in context. This depends on webserver and load balancer and where the ssl is terminated. If SSL is terminated in Apache it is fairly easy.


We are using v3 api and you need domainid/domnain_name and userid/username information in SSL cert.  We have username in CN and domain name in OU.


Thanks
Haneef



-----Original Message-----
From: Tim Bell [mailto:Tim.Bell at cern.ch] 
Sent: Thursday, October 24, 2013 12:15 AM
To: Adam Young; openstack at lists.openstack.org
Cc: Jose Castro Leon
Subject: Re: [Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity


I think we also need a standard way to pass specify the X.509 certificate location and the authentication method to be using (X.509, Kerberos, etc.)

Do we have a slot at the summit for this discussion ? It would be good to finalise the necessary parts so we can help out with the implementation.

Tim

> -----Original Message-----
> From: Adam Young [mailto:ayoung at redhat.com]
> Sent: 24 October 2013 04:23
> To: openstack at lists.openstack.org
> Subject: Re: [Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity
> 
> On 10/23/2013 06:35 PM, Colin Leavett-Brown wrote:
> > The havana configuration reference contains a section on how to
> > configure keystone to accept x.509 certificates. How does one map
> > x.509 credentials to keystone IDs, projects, roles and privileges?
> I think there is more work to be done here.  To start with, you use Apache and mod_nss or mod_ssl, and it will hand environment variables
> over to the WSGI application.   The external module is currently only
> making use of  the REMOTE_USER env var.  I have a patch to make things a little more general purpose:
> 
> https://review.openstack.org/#/c/52732/
> 
> Jenkins and the Keystone reviewers agree that this needs more work.
> However, the base idea is that we need to put the env vars in the context, and then let external use them.  The envvars exposed by X509
> client authentication are here:
> 
> http://www.freeipa.org/page/Environment_Variables#X.509_Authentication
> 
> I'd expec most people would be interested in some variation of
>   SSL_CLIENT_S_DN or SSL_CLIENT_S_DN_x509 as the username or userid.
> 
> 
> However, that does not contain sufficient information to map to roles.
> You still need to do another lookup to some store to get the equivalent of "groups" for this document.  If the information that you want is
> embedded in the X509 you need to extract it.  The entire cert is in there in  SSL_CLIENT_CERT in PEM format.  There may be more
> variables than that in your deployment.
> 
> >
> > _______________________________________________
> > Mailing list:
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> > Post to     : openstack at lists.openstack.org
> > Unsubscribe :
> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> 
> 
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack at lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack