[Openstack] Keystone External Authentication clarification

Joe Topjian joe at topjian.net
Tue Jan 21 13:58:02 UTC 2014


Hello,

One of the new features advertised in the Havana release of Keystone was
external authentication via REMOTE_USER. I'm beginning to assume that I
should take that at face value: Keystone has external auth, but that's it.
OpenStack as a whole cannot currently utilize it.

Is this an incorrect assumption?

For example, I set up Keystone behind Apache just like the developer docs
say. Everything worked.

Now I wanted to test external authentication. Just for practice, I tried
HTTP basic auth. I was successful in obtaining a token:

curl --user joe:foobar -d '{"auth":{}}' -H "Content-type: application/json" \
    http://localhost:5000/v2.0/tokens

But I don't think it's possible to use the command line tools (nova, glance
et al) to work with a single token. I also don't see how Horizon can
utilize an HTTP-auth protected Keystone without modification.

Am I wrong? If so, can someone point me to, at least, a proof of concept if
not a production example?

Is it correct to say that if I want Keystone to authenticate users against
an unsupported/custom database while still retaining compatibility with all
other OpenStack components, then I should write a custom backend such as
described here:

https://thestaticvoid.com/post/2013/06/04/customizing-the-openstack-keystone-authentication-backend/


Thanks,
Joe
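
Added example (not part of the original post, and not Keystone's code): a toy WSGI token endpoint modelled on the request above, showing that with REMOTE_USER-style external auth the identity comes only from the server-set REMOTE_USER variable, while a client-supplied Remote-User header arrives as HTTP_REMOTE_USER and is ignored. The names token_app, call and TOKENS, and the simplified response body, are assumptions made for this illustration.

```python
import json
import secrets
from io import BytesIO
from wsgiref.util import setup_testing_defaults

TOKENS = {}  # token id -> user name (in-memory store, demo only)

def token_app(environ, start_response):
    """Toy token endpoint: identity is taken only from REMOTE_USER."""
    length = int(environ.get("CONTENT_LENGTH") or 0)
    body = json.loads(environ["wsgi.input"].read(length) or b"{}")
    # REMOTE_USER is set by the front end (e.g. Apache) after it has
    # authenticated the request. A client header named Remote-User shows up
    # as HTTP_REMOTE_USER instead and must never be read as identity.
    user = environ.get("REMOTE_USER")
    if "auth" not in body or not user:
        start_response("401 Unauthorized", [("Content-Type", "application/json")])
        return [b'{"error": "no externally authenticated user"}']
    token = secrets.token_hex(16)
    TOKENS[token] = user
    start_response("200 OK", [("Content-Type", "application/json")])
    reply = {"access": {"token": {"id": token}, "user": {"username": user}}}
    return [json.dumps(reply).encode()]

def call(app, remote_user=None, headers=None, payload=b'{"auth":{}}'):
    """Invoke the WSGI app in-process with a constructed environ."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update({"REQUEST_METHOD": "POST", "PATH_INFO": "/v2.0/tokens",
                    "CONTENT_LENGTH": str(len(payload)),
                    "wsgi.input": BytesIO(payload)})
    if remote_user is not None:
        environ["REMOTE_USER"] = remote_user  # what the front end would set
    for name, value in (headers or {}).items():
        # WSGI maps client headers to HTTP_* keys, never to REMOTE_USER.
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    status = []
    chunks = app(environ, lambda s, h: status.append(s))
    return status[0], json.loads(b"".join(chunks))

if __name__ == "__main__":
    print(call(token_app, remote_user="joe"))                 # front end authenticated joe
    print(call(token_app, headers={"Remote-User": "admin"}))  # client-sent header only
```

The endpoint is only as trustworthy as the component that sets REMOTE_USER, so it must not be reachable on any path that bypasses the authenticating front end.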