Re: [Openstack] [keystone] How to validate token without admin privileges
On Thu, Jun 20, 2013 at 9:47 PM, Adam Young ayo...@redhat.com wrote:
> PKI based Tokens can be verified without talking to Keystone. See the
> auth_token middleware and cms.py files in python-keystoneclient to see
> how that is done.

I will look into it. Thanks a lot!

___
Mailing list: https://launchpad.net/~openstack
Post to : openstack@lists.launchpad.net
Unsubscribe : https://launchpad.net/~openstack
More help : https://help.launchpad.net/ListHelp
[Openstack] [keystone] How to validate token without admin privileges
Hi,

I'm new to OpenStack. I'm looking at deploying two 3rd party services along OpenStack and would like to use Keystone for their authentication mechanism. Service A will authenticate and get a token from Keystone and use it for REST requests to service B. Those two services don't use WSGI, just the REST API.

Is there a way for service B to validate the token with Keystone without having an admin role or the admin token? Sorry for the noob question.

The only thing I found in the doc is the GET method that requires admin permissions:
http://docs.openstack.org/api/openstack-identity-service/2.0/content/GET_validateToken_v2.0_tokens__tokenId__Token_Operations.html

And from what I read in the compute admin docs the OpenStack services seem to rely on admin credentials or token.

Regards,
Janus
Re: [Openstack] [keystone] How to validate token without admin privileges
AFAIK, that is right, we need admin privileges to check validity. Other thing which is surprising: if a service creates a token, it requires admin privileges to delete that token. I would not expect all services to be aware of admin credentials.

Thanks,
-Ravi.

On Thu, Jun 20, 2013 at 12:36 PM, Janus Godard jgv...@gmail.com wrote:
> [quoted original question omitted; see the first message above]

--
Ravi
Re: [Openstack] [keystone] How to validate token without admin privileges
Thanks Ravi and Haitao.

The only workaround I found is to create a new token from the one I want to validate with:

curl -X POST -d '{"auth": {"token": {"id": "non-admin-token"}, "tenantName": "testproject"}}' \
  -H "Content-Type: application/json" -H "Accept: application/json" \
  http://localhost:5000/v2.0/tokens | python -mjson.tool

But since it keeps creating tokens it could spam the db if there were a lot of requests, and it requires knowing the tenant name if one wants to get the roles in the response.

On Thu, Jun 20, 2013 at 4:05 PM, Haitao Jiang jianghai...@gmail.com wrote:
> Janus
>
> I think you can use curl and Keystone API to validate your token:
>
> curl -s -H "X-Auth-Token: <your token>" http://keystone:5000/v2.0 | python -mjson.tool
>
> I think you can also validate the token against a tenant by using belongsTo.
> Maybe there are better ways.
>
> Best
> Haitao
>
> On Thu, Jun 20, 2013 at 12:36 PM, Janus Godard jgv...@gmail.com wrote:
>> [quoted original question omitted; see the first message above]
Re: [Openstack] [keystone] How to validate token without admin privileges
We are moving to an RBAC system for enforcing access to the APIs. So, whereas in the past we enforced is_admin when checking a token, in the future you can specify your own policy rule.

PKI based Tokens can be verified without talking to Keystone. See the auth_token middleware and cms.py files in python-keystoneclient to see how that is done.

On 06/20/2013 04:36 PM, Janus Godard wrote:
> [quoted text omitted; see Janus's reply to Haitao above]
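Adam's pointer worked through as an added example (not keystoneclient's own code): a service B that has already obtained Keystone's signing certificate and CA certificate can check a PKI token's CMS signature locally with openssl and then check the expiry carried in the signed body, with no admin token and no call to Keystone. The certificate paths and the sample expiry stamp are assumptions.

```python
"""Offline validation of a Keystone v2 PKI token, modelled on the steps
python-keystoneclient's cms.py and auth_token perform. Added example;
certificate paths are assumptions, sample values are constructed."""
import json
import subprocess
from datetime import datetime, timezone

SIGNING_CERT = "/etc/keystone/ssl/certs/signing_cert.pem"  # assumed path
CA_CERT = "/etc/keystone/ssl/certs/ca.pem"                 # assumed path

def token_to_cms(token):
    """Undo the transport encoding ('/' was replaced by '-' so the token is
    safe in URLs and headers) and re-wrap it as a 64-column PEM CMS blob."""
    body = token.replace("-", "/")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CMS-----\n" + "\n".join(lines) + "\n-----END CMS-----\n"

def cms_verify(pem, signing_cert=SIGNING_CERT, ca_cert=CA_CERT):
    """Check the CMS signature against the service's local copy of Keystone's
    signing certificate. Returns the signed JSON text; raises on any failure,
    so an unsigned or tampered token is never parsed as trusted data."""
    proc = subprocess.run(
        ["openssl", "cms", "-verify", "-certfile", signing_cert,
         "-CAfile", ca_cert, "-inform", "PEM", "-nosmimecap",
         "-nodetach", "-nocerts", "-noattr"],
        input=pem.encode(), capture_output=True)
    if proc.returncode != 0:
        raise ValueError("CMS verification failed: "
                         + proc.stderr.decode(errors="replace").strip())
    return proc.stdout.decode()

def parse_expires(stamp):
    """Keystone v2 'expires' stamps look like 2013-06-21T12:00:00Z (UTC)."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def token_is_current(payload, now=None):
    """A good signature is not enough: the signed body carries its own expiry."""
    now = now or datetime.now(timezone.utc)
    return parse_expires(payload["access"]["token"]["expires"]) > now

def validate_pki_token(token, now=None):
    """Signature first, then expiry; returns the trusted token body."""
    payload = json.loads(cms_verify(token_to_cms(token)))
    if not token_is_current(payload, now):
        raise ValueError("token expired")
    return payload
```

Revoked-but-unexpired tokens are not caught by this check alone; auth_token additionally consults Keystone's revocation list for that.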