[Openstack] Does Horizon honour Tokens

Adam Young ayoung at redhat.com
Fri Jun 13 15:49:24 UTC 2014


On 06/13/2014 11:22 AM, Michael Hearn wrote:
> Horizon gurus
>
> Release:   icehouse
> Token Type :   PKI
> Identity Backend:   LDAP
>
>
> Monitoring the authentication traffic generated by Horizon to LDAP,  I 
> was surprised to see that after the initial logon, and under the 
> 'Project' tab, I was still seeing calls out to LDAP each time I 
> entered a link related to a service (images, volumes, images and 
> snapshots etc...).
>
> My assumption was that after the initial logon the token would be used 
> to satisfy authentication requirements (until it expired).
>
> I ran some debugging and confirmed that the underlying python scripts 
> e.g. /usr/share/openstack-dashboard/openstack_dashboard/api/* pickup 
> the same token although curiously at first glance it looks like a UUID 
> based token and not a PKI token.
>
> So, my questions are:
> i. Should Horizon honour token authentication as I enter different 
> services - mitigating the need to authN against ldap until token expires?
the auth is done in Keystone.  Horizon holds on to the token, but might, 
in fact, fetch a new token based on something like changing projects.

> ii. Am I seeing a compressed PKI token when pulling data from 
> /user/share/openstack-dashboard/openstack_dashboard/api/glance.py or 
> cinder.py etc....

compressed tokens are not in deployment yet.  If it is 32 chars long, 
you are either seeing the Hash ofr a signed token, or a uuid token, 
depending on how keystone is set up.

>
>
> Cheers
> Mike
>
>
> _______________________________________________
> Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
> Post to     : openstack at lists.openstack.org
> Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack/attachments/20140613/ffa14bad/attachment.html>


More information about the Openstack mailing list