Has the case been considered where REMOTE_USER is used with authentication mechanisms where the username is an email address? It will have to keep the @domain part because that's the only thing that makes it unique.
Thanks,
Kevin

________________________________________
From: Álvaro López García [alvaro.lopez.gar...@cern.ch]
Sent: Tuesday, October 29, 2013 5:59 AM
To: OpenStack dev
Subject: [openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana

Hi there,

I've been working on this bug [1,2] related to the pluggable external authentication support in Havana.

For those not familiar with it, Keystone can rely on the usage of the REMOTE_USER env variable, assuming that the user has been authenticated upstream (by an httpd server). This REMOTE_USER variable is supposed to store the username information that Keystone is going to use.

In the Havana external authentication plugins, the REMOTE_USER variable is *always* split by the "@" character, assuming that the @ is being used as the domain separator (i.e. REMOTE_USER=username@domain). Now there are two plugins available:

- ExternalDefault: Only the leftmost part of the REMOTE_USER after the split is considered. The domain information is obtained from the default domain configured in keystone.conf.

- ExternalDomain: The rightmost part is considered the domain, and the leftover is considered the username.

The change in [2] aims to solve this problem: ExternalDefault will not split the username by an "@" since we are going to use the default domain, so we assume that no domain will be appended.

However, this will work only if we are using a WSGI filter that is aware of the semantics: the filter should know if ExternalDefault is used so that the domain information is not appended, but append it if ExternalDomain is used.

Moreover, if somebody is using directly the REMOTE_USER variable from Apache without any WSGI filter (for example using X509 auth with mod_ssl and the SSLUsername directive [3]), the REMOTE_USER will contain only the username and no domain at all.

Does anybody have any concerns about this? Should we pass down the domain information by any other means?
[1] https://bugs.launchpad.net/keystone/+bug/1211233
[2] https://review.openstack.org/#/c/50362/
[3] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

--
Álvaro López García al...@ifca.unican.es
Instituto de Física de Cantabria http://alvarolopez.github.io
Ed. Juan Jordá, Campus UC tel: (+34) 942 200 969
Avda. de los Castros s/n 39005 Santander (SPAIN)
_____________________________________________________________________
"Everyone knows that debugging is twice as hard as writing a program in the first place. So if you are as clever as you can be when you write it, how will you ever debug it?" -- Brian Kernighan

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
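The following is an added example, written for this page and not Keystone's own code, that models the "@" split Álvaro describes for the Havana ExternalDefault and ExternalDomain plugins, the no-split behaviour proposed in [2], and one out-of-band alternative for carrying the domain. It makes Kevin's concern concrete: with the Havana ExternalDefault split, "alice@example.org" and "alice@example.net" collapse to the same Keystone identity. The DEFAULT_DOMAIN value and the REMOTE_DOMAIN environ key are assumptions for illustration, not Keystone settings.

```python
"""Model of the REMOTE_USER handling discussed in the thread.

Added example, not Keystone's code. It reproduces the '@' split the mail
describes for the Havana plugins, the no-split ExternalDefault proposed in
[2], and a variant that passes the domain in a separate WSGI environ key so
that a username containing '@' (an email address) is never ambiguous.
"""
from typing import Callable, Iterable, Mapping, NamedTuple

# Assumed stand-in for the default domain configured in keystone.conf.
DEFAULT_DOMAIN = "default"

# Hypothetical WSGI environ key (an assumption, not a Keystone setting) that
# an upstream filter could use to carry the domain separately from REMOTE_USER.
DOMAIN_ENV_KEY = "REMOTE_DOMAIN"


class Identity(NamedTuple):
    username: str
    domain: str


def external_default_havana(remote_user: str) -> Identity:
    """Havana ExternalDefault as described in the mail: keep only the part
    left of the first '@' and take the domain from configuration.
    An email-address username silently loses its '@domain' part."""
    username = remote_user.split("@")[0]
    return Identity(username, DEFAULT_DOMAIN)


def external_domain_havana(remote_user: str) -> Identity:
    """Havana ExternalDomain as described in the mail: the part right of the
    last '@' is the domain, everything before it is the username."""
    username, sep, domain = remote_user.rpartition("@")
    if not sep:
        # REMOTE_USER arrived with no domain appended (e.g. mod_ssl with
        # SSLUsername and no WSGI filter): nothing to split.
        raise ValueError("ExternalDomain expects REMOTE_USER=username@domain")
    return Identity(username, domain)


def external_default_proposed(remote_user: str) -> Identity:
    """ExternalDefault after the change proposed in [2]: no split, so an
    email-address username keeps the '@domain' part that makes it unique."""
    return Identity(remote_user, DEFAULT_DOMAIN)


def external_from_environ(environ: Mapping[str, str]) -> Identity:
    """Out-of-band variant: REMOTE_USER is taken verbatim and the domain comes
    from a separate environ key, so '@' inside the username is never parsed.
    Falls back to the default domain when no domain key is present, which
    covers the plain SSLUsername case from the mail."""
    remote_user = environ["REMOTE_USER"]
    if not remote_user:
        raise ValueError("REMOTE_USER is empty")
    return Identity(remote_user, environ.get(DOMAIN_ENV_KEY) or DEFAULT_DOMAIN)


def distinct_identities(remote_users: Iterable[str],
                        plugin: Callable[[str], Identity]) -> int:
    """Number of distinct Keystone identities a set of upstream principals
    maps to under a plugin. Fewer identities than principals means two
    different upstream users collide on one Keystone user."""
    return len({plugin(u) for u in remote_users})


if __name__ == "__main__":
    # Constructed sample principals: two email addresses differing only in
    # the domain part, plus a bare username.
    users = ["alice@example.org", "alice@example.net", "bob"]
    print("Havana ExternalDefault identities:",
          distinct_identities(users, external_default_havana))
    print("Proposed ExternalDefault identities:",
          distinct_identities(users, external_default_proposed))
    print("ExternalDomain, filter appended @corp:",
          external_domain_havana("alice@example.org@corp"))
    print("ExternalDomain, no domain appended:",
          external_domain_havana("alice@example.org"))
    print("Out-of-band domain:",
          external_from_environ({"REMOTE_USER": "alice@example.org",
                                 DOMAIN_ENV_KEY: "corp"}))
```

The second ExternalDomain call shows the other half of the ambiguity: if the WSGI filter does not append a domain, the email address itself is parsed as username "alice" in domain "example.org", which is a different identity from what the upstream authenticator asserted.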