I think we also need a standard way to specify the X.509 certificate location and the authentication method to be used (X.509, Kerberos, etc.)
Do we have a slot at the summit for this discussion? It would be good to finalise the necessary parts so we can help out with the implementation.

Tim

> -----Original Message-----
> From: Adam Young [mailto:ayo...@redhat.com]
> Sent: 24 October 2013 04:23
> To: openstack@lists.openstack.org
> Subject: Re: [Openstack] [openstack][keystone] Using X.509 External Authentication with OpenStack Identity
>
> On 10/23/2013 06:35 PM, Colin Leavett-Brown wrote:
> > The havana configuration reference contains a section on how to configure keystone to accept x.509 certificates. How does one map x.509 credentials to keystone IDs, projects, roles and privileges?
>
> I think there is more work to be done here. To start with, you use Apache and mod_nss or mod_ssl, and it will hand environment variables over to the WSGI application. The external module is currently only making use of the REMOTE_USER env var. I have a patch to make things a little more general purpose:
>
> https://review.openstack.org/#/c/52732/
>
> Jenkins and the Keystone reviewers agree that this needs more work. However, the base idea is that we need to put the env vars in the context, and then let external use them. The envvars exposed by X509 client authentication are here:
>
> http://www.freeipa.org/page/Environment_Variables#X.509_Authentication
>
> I'd expect most people would be interested in some variation of SSL_CLIENT_S_DN or SSL_CLIENT_S_DN_x509 as the username or userid.
>
> However, that does not contain sufficient information to map to roles. You still need to do another lookup to some store to get the equivalent of "groups" for this document. If the information that you want is embedded in the X509 you need to extract it. The entire cert is in there in SSL_CLIENT_CERT in PEM format. There may be more variables than that in your deployment.
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
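As an added worked example (not Keystone code and not Adam's patch), the following sketches what the thread describes: an external-auth step that reads the mod_ssl variables already present in the WSGI environ, takes the subject DN from SSL_CLIENT_S_DN, and then does the separate "groups" lookup against some store. Two details a practitioner would want are included: the DN is only trusted when SSL_CLIENT_VERIFY reports SUCCESS (a real mod_ssl variable, so a request that presented no or an unverified cert is rejected), and both DN spellings Apache can emit (legacy slash form and RFC 2253 comma form) are parsed. The environ contents and the group store are constructed sample data; `parse_dn`, `identity_from_environ`, and `GROUP_STORE` are names chosen for this example.

```python
"""Map mod_ssl client-certificate environment variables to an identity.

Added example, not part of Keystone: illustrates the flow from the thread.
The WSGI environ carries SSL_CLIENT_* variables; the auth plugin must
(a) trust them only when the TLS layer actually verified the cert and
(b) do a second lookup to obtain group/role information.
"""
import re


def parse_dn(dn):
    """Parse an Apache subject DN into a list of (attribute, value) pairs.

    Handles the legacy slash form ("/C=US/O=Example/CN=alice") and the
    RFC 2253 comma form ("CN=alice,O=Example,C=US").  The comma form lists
    the most specific RDN first, so it is reversed to give the same
    C..CN order for both spellings.  Escaped separators (\\/ or \\,) are
    unescaped defensively; Apache itself may or may not produce them.
    """
    dn = dn.strip()
    if dn.startswith("/"):
        parts = re.split(r"(?<!\\)/", dn)[1:]   # drop the empty leading element
    else:
        parts = re.split(r"(?<!\\),", dn)
        parts.reverse()
    pairs = []
    for part in parts:
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed RDN: %r" % part)
        attr, value = part.split("=", 1)
        value = value.replace("\\/", "/").replace("\\,", ",")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def identity_from_environ(environ, group_store):
    """Return {'user_id', 'domain', 'groups'} for a verified client cert.

    Raises PermissionError when the TLS layer did not verify the cert or
    no usable subject is present.  The CN is used as the username (one of
    the variations the thread mentions) and O as a stand-in for the
    Keystone domain; the group list comes from the external store because
    the DN alone carries no role information.
    """
    # Only trust SSL_CLIENT_* values when mod_ssl reports a verified chain.
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise PermissionError("client certificate not verified by TLS layer")
    dn = environ.get("SSL_CLIENT_S_DN")
    if not dn:
        raise PermissionError("no client subject DN in environ")
    rdns = dict(parse_dn(dn))
    # Fall back to REMOTE_USER, which is all the current external module reads.
    user_id = rdns.get("CN") or environ.get("REMOTE_USER")
    if not user_id:
        raise PermissionError("no usable username in certificate")
    domain = rdns.get("O", "Default")
    # Second lookup: the equivalent of "groups".  If extra attributes were
    # needed from the cert itself, SSL_CLIENT_CERT holds the full PEM, but
    # parsing it needs an X.509 library and is not shown here.
    groups = group_store.get((domain, user_id), [])
    return {"user_id": user_id, "domain": domain, "groups": sorted(groups)}


# Constructed sample environ, shaped like what mod_ssl hands to WSGI.
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/O=Example Cloud/CN=alice",
    "SSL_CLIENT_S_DN_CN": "alice",
    "REMOTE_USER": "alice",
}

# Constructed external store standing in for the group/role lookup.
GROUP_STORE = {("Example Cloud", "alice"): ["ops", "admins"]}


def demo():
    """Run the mapping on the sample data and return the resulting identity."""
    return identity_from_environ(SAMPLE_ENVIRON, GROUP_STORE)


if __name__ == "__main__":
    print(demo())
```

The point of the `SSL_CLIENT_VERIFY` check is that `SSLVerifyClient optional` lets a connection through without a valid cert, in which case the `SSL_CLIENT_*` variables are either absent or describe an unverified certificate; an external auth plugin that reads `SSL_CLIENT_S_DN` without this check would accept whatever subject the client sent.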