On 01/21/2014 08:58 AM, Joe Topjian wrote:
Hello,

One of the new features advertised in the Havana release of Keystone was external authentication via REMOTE_USER. I'm beginning to assume that I should take that at face value: Keystone has external auth, but that's it. OpenStack as a whole cannot currently utilize it.

Is this an incorrect assumption?

For example, I set up Keystone behind Apache just like the developer docs say. Everything worked.

Now I wanted to test external authentication. Just for practice, I tried http basic auth. I was successful in obtaining a token:

curl --user joe:foobar -d '{"auth":{}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens

But I don't think it's possible to use the command line tools (nova, glance et al) to work with a single token.
They don't; nothing has changed WRT token consumption. The only thing that is different is how the original token was issued: using REMOTE_USER versus the embedded userid and password inside the JSON request to http://keystone:5000/v2.0/tokens

So it is purely for protecting Keystone: the rest of the ser

I also don't see how Horizon can utilize an http-auth protected Keystone without modification.

It can't: if you wanted to do Kerberos, you would need something like S4U2Proxy, far beyond the scope of what the Keystone team can provide.

The AUTH URL needs to point to Keystone. From there, Nova etc need to use the Service catalog. Everything should work the same.


Am I wrong? If so, can someone point me to, at least, a proof of concept if not a production example?

Is it correct to say that if I want Keystone to authenticate users against an unsupported/custom database while still retaining compatibility with all other OpenStack components, then I should write a custom backend such as described here:

https://thestaticvoid.com/post/2013/06/04/customizing-the-openstack-keystone-authentication-backend/


Thanks,
Joe


_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to     : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
