On 06/13/2014 11:22 AM, Michael Hearn wrote:
> Horizon gurus
>
> Release: icehouse
> Token Type : PKI
> Identity Backend: LDAP
>
> Monitoring the authentication traffic generated by Horizon to LDAP, I
> was surprised to see that after the initial logon, and under the
> 'Project' tab, I was still seeing calls out to LDAP each time I
> entered a link related to a service (images, volumes, images and
> snapshots etc...).
>
> My assumption was that after the initial logon the token would be used
> to satisfy authentication requirements (until it expired).
>
> I ran some debugging and confirmed that the underlying python scripts
> e.g. /usr/share/openstack-dashboard/openstack_dashboard/api/* pick up
> the same token although curiously at first glance it looks like a UUID
> based token and not a PKI token.
>
> So, my questions are:
>
> i. Should Horizon honour token authentication as I enter different
> services - mitigating the need to authN against ldap until token expires?

The auth is done in Keystone. Horizon holds on to the token, but might,
in fact, fetch a new token based on something like changing projects.

> ii. Am I seeing a compressed PKI token when pulling data from
> /user/share/openstack-dashboard/openstack_dashboard/api/glance.py or
> cinder.py etc....

Compressed tokens are not in deployment yet. If it is 32 chars long,
you are either seeing the hash of a signed token, or a uuid token,
depending on how keystone is set up.

> Cheers
> Mike
_______________________________________________
Mailing list: http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
Post to : openstack@lists.openstack.org
Unsubscribe : http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack
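
The point made in the reply above, as an added example that is not part of the original thread and is not Horizon or Keystone code: a 32-character id cannot be identified by its format alone, so the Keystone setup has to decide. The function names, the `provider` parameter, the choice of MD5 as the hash and both sample tokens are assumptions constructed for illustration.

```python
import base64
import hashlib
import re

HEX32 = re.compile(r"^[0-9a-f]{32}$")
# Base64 of a DER SEQUENCE with a two-byte length (0x30 0x82 ...) starts "MII".
ASN1_PREFIX = "MII"

# Constructed sample: 32 hex characters, the shape of a UUID token.
SAMPLE_UUID_TOKEN = "0123456789abcdef0123456789abcdef"


def make_sample_pki_token():
    """Constructed stand-in for a signed token: base64 of DER-like bytes."""
    der = b"\x30\x82\x04\x00" + bytes(range(256)) * 4
    return base64.b64encode(der).decode().replace("/", "-")


def classify_token_id(token_id):
    """Say what the format alone reveals about a token id."""
    if token_id.startswith(ASN1_PREFIX) and len(token_id) > 32:
        return "pki"            # full signed token, far longer than 32 chars
    if HEX32.match(token_id.lower()):
        return "uuid-or-hash"   # ambiguous without knowing the Keystone setup
    return "unknown"


def session_token_id(token_id):
    """Assumed client behaviour: keep a hash in place of a long signed token."""
    if classify_token_id(token_id) == "pki":
        return hashlib.md5(token_id.encode()).hexdigest()  # 32 hex chars
    return token_id


def resolve(token_id, provider):
    """Resolve the ambiguity using the Keystone setup ('pki' or 'uuid')."""
    kind = classify_token_id(token_id)
    if kind != "uuid-or-hash":
        return kind
    return "hash-of-signed-token" if provider == "pki" else "uuid-token"


if __name__ == "__main__":
    hashed = session_token_id(make_sample_pki_token())
    for tid, provider in ((hashed, "pki"), (SAMPLE_UUID_TOKEN, "uuid")):
        print(len(tid), classify_token_id(tid), resolve(tid, provider))
```

Both ids print as 32 characters and `uuid-or-hash`; only the provider argument separates them.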