What is the semantics of "domain" in the current implementation? Until we know this we can't devise a solution.

Will the developed solution cater for me logging in via Google using my Kent email address (as opposed to my Gmail one)? In this case there could be 2 domains (depending upon the semantics of domain).

regards

David


On 29/10/2013 15:52, Fox, Kevin M wrote:
Has the case been considered where REMOTE_USER is used with
authentication mechanisms where the username is an email address? It
will have to keep the @domain part because that's the only thing that
makes it unique.

Thanks, Kevin
________________________________________
From: Álvaro López García [alvaro.lopez.gar...@cern.ch]
Sent: Tuesday, October 29, 2013 5:59 AM
To: OpenStack dev
Subject: [openstack-dev] [keystone] Support for external authentication (i.e. REMOTE_USER) in Havana

Hi there,

I've been working on this bug [1,2] related to the pluggable
external authentication support in Havana. For those not familiar
with it, Keystone can rely on the usage of the REMOTE_USER env
variable, assuming that the user has been authenticated upstream (by
an httpd server). This REMOTE_USER variable is supposed to store the
username information that Keystone is going to use.

In the Havana external authentication plugins, the REMOTE_USER
variable is *always* split by the "@" character, assuming that the @
is being used as the domain separator (i.e.
REMOTE_USER=username@domain).

Now there are two plugins available:

- ExternalDefault: Only the leftmost part of the REMOTE_USER after
the split is considered. The domain information is obtained from
the default domain configured in keystone.conf.

- ExternalDomain: The rightmost part is considered the domain, and
the leftover is considered the username.

The change in [2] aims to solve this problem: ExternalDefault will
not split the username by an "@" since we are going to use the
default domain so we assume that no domain will be appended.

However, this will work only if we are using a WSGI filter that is
aware of the semantics: the filter should know if ExternalDefault is
used so that the domain information is not appended, but append it
if ExternalDomain is used. Moreover, if somebody is using directly
the REMOTE_USER variable from Apache without any WSGI filter (for
example using X509 auth with mod_ssl and the SSLUsername directive
[3]) the REMOTE_USER will contain only the username and no domain at
all.

Does anybody have any concerns about this? Should we pass down the
domain information by any other means?

[1] https://bugs.launchpad.net/keystone/+bug/1211233
[2] https://review.openstack.org/#/c/50362/
[3] http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslusername

--
Álvaro López García
al...@ifca.unican.es
http://alvarolopez.github.io
tel: (+34) 942 200 969
Instituto de Física de Cantabria
Ed. Juan Jordá, Campus UC
Avda. de los Castros s/n 39005 Santander (SPAIN)
_____________________________________________________________________


"Everyone knows that debugging is twice as hard as writing a program in
the first place. So if you are as clever as you can be when you write
it, how will you ever debug it?" -- Brian Kernighan

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
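A model of the two parsing behaviours Álvaro describes (ExternalDefault before and after the proposed change, and ExternalDomain) together with the identity collision Kevin raises for email-style usernames, as an added Python example that is not Keystone's own code; the function names and the CONF_DEFAULT_DOMAIN value are assumptions standing in for the Havana plugins and keystone.conf:

```python
# Constructed model of the REMOTE_USER handling discussed in the thread.
# Not Keystone's code: function names and CONF_DEFAULT_DOMAIN are assumed
# stand-ins for the Havana external auth plugins and keystone.conf.

CONF_DEFAULT_DOMAIN = "Default"  # assumed configured default domain


def external_domain(remote_user):
    """ExternalDomain as described: the part after the last '@' is the
    domain, everything before it is the username."""
    if "@" not in remote_user:
        raise ValueError("ExternalDomain expects REMOTE_USER=username@domain")
    username, domain = remote_user.rsplit("@", 1)
    return username, domain


def external_default_havana(remote_user):
    """ExternalDefault before the fix: always split on '@' and keep only
    the leftmost part; the domain comes from configuration."""
    username = remote_user.split("@", 1)[0]
    return username, CONF_DEFAULT_DOMAIN


def external_default_fixed(remote_user):
    """ExternalDefault after the proposed change: no split at all; the
    whole REMOTE_USER is the username and the domain comes from config."""
    return remote_user, CONF_DEFAULT_DOMAIN


def colliding_identities(remote_users, plugin):
    """Return groups of distinct REMOTE_USER values that a plugin maps to
    the same (username, domain) pair, i.e. external identities that
    Keystone could no longer tell apart."""
    seen = {}
    for ru in remote_users:
        seen.setdefault(plugin(ru), []).append(ru)
    return [group for group in seen.values() if len(group) > 1]


if __name__ == "__main__":
    # Constructed sample: email-style usernames, as in Kevin's question.
    users = ["alice@example.com", "alice@example.org", "bob@example.com"]
    print(colliding_identities(users, external_default_havana))
    # -> [['alice@example.com', 'alice@example.org']]
    print(colliding_identities(users, external_default_fixed))  # -> []
    print(external_domain("alice@example.com@kent"))
    # -> ('alice@example.com', 'kent')
```

The collision check is the defender's concern here: with the Havana ExternalDefault split, two distinct upstream identities silently become one Keystone user in the default domain.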
