On 10/23/2013 06:35 PM, Colin Leavett-Brown wrote:
The havana configuration reference contains a section on how to
configure keystone to accept x.509 certificates. How does one map
x.509 credentials to keystone IDs, projects, roles and privileges?
I think there is more work to be done here. To start with, you use
Apache and mod_nss or mod_ssl, and it will hand environment variables
over to the WSGI application. The external module is currently only
making use of the REMOTE_USER env var. I have a patch to make things a
little more general purpose:
https://review.openstack.org/#/c/52732/
Jenkins and the Keystone reviewers agree that this needs more work.
However, the base idea is that we need to put the env vars in the
context, and then let external use them. The envvars exposed by X509
client authentication are here:
http://www.freeipa.org/page/Environment_Variables#X.509_Authentication
I'd expect most people would be interested in some variation of
SSL_CLIENT_S_DN or SSL_CLIENT_S_DN_x509 as the username or userid.
However, that does not contain sufficient information to map to roles.
You still need to do another lookup to some store to get the equivalent
of "groups" for this document. If the information that you want is
embedded in the X509 you need to extract it. The entire cert is in
there in SSL_CLIENT_CERT in PEM format. There may be more variables
than that in your deployment.
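As an added illustration (not code from the thread or from Keystone) of the mapping step described above: a small Python function that takes the mod_ssl environment a WSGI app receives, refuses anything that did not pass client-cert verification or was not issued by the expected CA, and then looks the subject CN up in a separate store to get the equivalent of groups. SSL_CLIENT_VERIFY and SSL_CLIENT_I_DN are standard mod_ssl variables not named in the message; the issuer string, the group store and the legacy slash-separated DN format are assumptions.

```python
"""Map mod_ssl client-certificate env vars to a Keystone-style identity."""
from typing import Optional

# Constructed stand-in for the "other store" (e.g. LDAP) holding groups/roles,
# keyed by certificate subject CN. Not a real deployment's data.
GROUP_STORE = {
    "alice": {"project": "demo", "roles": ["member", "admin"]},
    "bob": {"project": "demo", "roles": ["member"]},
}

# Assumed DN of the one CA whose client certs we accept (issuer pinning).
TRUSTED_ISSUER = "/C=US/O=Example Corp/CN=Example Internal CA"

# Constructed environ as mod_ssl would populate it (legacy DN string format).
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": TRUSTED_ISSUER,
    "SSL_CLIENT_S_DN": "/C=US/O=Example Corp/OU=Ops/CN=alice",
}


def parse_dn(dn: str) -> dict:
    """Parse a legacy mod_ssl DN ('/C=US/O=Org/CN=name') into {type: value}.

    A later duplicate attribute type overwrites an earlier one, which is
    acceptable here because only CN is used for the lookup.
    """
    parts = {}
    for item in dn.strip("/").split("/"):
        key, sep, value = item.partition("=")
        if sep:
            parts[key.strip()] = value.strip()
    return parts


def identity_from_environ(environ: dict) -> Optional[dict]:
    """Return {'user_id', 'project', 'roles'} or None if the request must be rejected."""
    # mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS only when the chain validated;
    # NONE, FAILED:<reason> or a missing variable all mean "not authenticated".
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # Pin the issuing CA: a valid cert from some other CA must not map to a user.
    if environ.get("SSL_CLIENT_I_DN") != TRUSTED_ISSUER:
        return None
    cn = parse_dn(environ.get("SSL_CLIENT_S_DN", "")).get("CN")
    if not cn:
        return None
    entry = GROUP_STORE.get(cn)
    if entry is None:
        return None  # authenticated by the CA, but unknown to the authorization store
    return {"user_id": cn, "project": entry["project"], "roles": list(entry["roles"])}
```

The caller (e.g. a WSGI middleware in front of Keystone) would set REMOTE_USER from the returned user_id and carry project and roles in the request context.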
_______________________________________________
Mailing list:
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe :
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack