[Openstack] Does Horizon honour Tokens
Adam Young
ayoung at redhat.com
Fri Jun 13 15:49:24 UTC 2014
On 06/13/2014 11:22 AM, Michael Hearn wrote:
> Horizon gurus
>
> Release: icehouse
> Token Type : PKI
> Identity Backend: LDAP
>
>
> Monitoring the authentication traffic generated by Horizon to LDAP, I
> was surprised to see that after the initial logon, and under the
> 'Project' tab, I was still seeing calls out to LDAP each time I
> entered a link related to a service (images, volumes, images and
> snapshots etc...).
>
> My assumption was that after the initial logon the token would be used
> to satisfy authentication requirements (until it expired).
>
> I ran some debugging and confirmed that the underlying python scripts
> e.g. /usr/share/openstack-dashboard/openstack_dashboard/api/* pickup
> the same token although curiously at first glance it looks like a UUID
> based token and not a PKI token.
>
> So, my questions are:
> i. Should Horizon honour token authentication as I enter different
> services - mitigating the need to authN against ldap until token expires?
the auth is done in Keystone. Horizon holds on to the token, but might,
in fact, fetch a new token based on something like changing projects.
> ii. Am I seeing a compressed PKI token when pulling data from
> /user/share/openstack-dashboard/openstack_dashboard/api/glance.py or
> cinder.py etc....
compressed tokens are not in deployment yet. If it is 32 chars long,
you are either seeing the Hash ofr a signed token, or a uuid token,
depending on how keystone is set up.
>
>
> Cheers
> Mike
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140613/ffa14bad/attachment.html>
More information about the Openstack
mailing list