Hello,
One of the new features advertised in the Havana release of Keystone was
external authentication via REMOTE_USER. I'm beginning to assume that I
should take that at face value: Keystone has external auth, but that's it.
OpenStack as a whole cannot currently utilize it.
Is this an incorrect assumption?
For example, I set up Keystone behind Apache just like the developer docs
say. Everything worked.
Now I wanted to test external authentication. Just for practice, I tried
http basic auth. I was successful in obtaining a token:
curl --user joe:foobar -d '{"auth":{}}' -H "Content-type: application/json"
http://localhost:5000/v2.0/tokens
But I don't think it's possible to use the command line tools (nova, glance
et al) to work with a single token. I also don't see how Horizon can
utilize an http-auth protected Keystone without modification.
Am I wrong? If so, can someone point me to, at least, a proof of concept if
not a production example?
Is it correct to say that if I want Keystone to authenticate users against
an unsupported/custom database while still retaining compatibility with all
other OpenStack components, then I should write a custom backend such as
described here:
https://thestaticvoid.com/post/2013/06/04/customizing-the-openstack-keystone-authentication-backend/
Thanks,
Joe
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
