external authentication v2 and v3 mismatch
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| OpenStack Identity (keystone) | Fix Released | Medium | Dolph Mathews | 2014.1 |
Bug Description
This is regarding external auth handling between v2 and v3.
I want to write an external auth handler that supports email addresses as user names and works with both v2 and v3. It has to set REMOTE_USER to something. My users are named like <email address hidden>, and the domain is just the default.
External auth handling for v2 doesn't do anything with @ [0]. So I'd set the REMOTE_USER to <email address hidden> and it'll work with v2, but <email address hidden>@default will not work.
External auth handling for v3 with the Default external auth handler removes everything after the first @ [1]. So I'd set the REMOTE_USER to <email address hidden>@domain and it'll work, but <email address hidden> doesn't.
ExternalDefault external auth handler requires @ [2]. So I'd set the REMOTE_USER to <email address hidden>@domain, but <email address hidden> doesn't work.
So to summarize, v2 will work with <email address hidden>, but v3 doesn't. v3 will work with <email address hidden>@domain, but that doesn't work with v2.
So I'm not sure how an external auth handler is supposed to be written that supports email addresses and both v2 and v3 auth.
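The mismatch described above, modelled as an added example (this is not keystone's code and not the reporter's). Each parser follows the rule the report states for that handler: v2 takes REMOTE_USER as the whole user name in the default domain, the v3 Default handler cuts off everything after the first @, and ExternalDefault requires an @. The split rule for ExternalDefault, the `last_at` alternative, the default domain name `default`, and the sample user `alice@example.org` are assumptions made for the illustration.

```python
"""Added illustration of the REMOTE_USER parsing mismatch described in the
report. The parsers are simplified models of the behaviour the reporter
describes, not keystone's own code; the default domain name and the sample
user names are constructed for the example."""

DEFAULT_DOMAIN = "default"  # assumed default domain name


def v2_no_split(remote_user):
    """v2 handling as described: REMOTE_USER is the user name as-is, in the
    default domain; an '@' has no special meaning."""
    return remote_user, DEFAULT_DOMAIN


def v3_first_at(remote_user):
    """v3 'Default' handling as described: everything after the first '@'
    is cut off; the remainder is looked up in the default domain."""
    name, _, _ = remote_user.partition("@")
    return name, DEFAULT_DOMAIN


def v3_require_at(remote_user):
    """'ExternalDefault' handling as described: an '@' is mandatory. The
    split rule user@domain is assumed (the page does not state it)."""
    if "@" not in remote_user:
        raise ValueError("ExternalDefault requires an '@' in REMOTE_USER")
    name, _, domain = remote_user.partition("@")
    return name, domain


def last_at(remote_user):
    """Assumed alternative rule (not from the page): only the text after the
    LAST '@' is the domain, so a user name that itself contains '@' survives."""
    name, sep, domain = remote_user.rpartition("@")
    return (name, domain) if sep else (remote_user, DEFAULT_DOMAIN)


PARSERS = {
    "v2_no_split": v2_no_split,
    "v3_first_at": v3_first_at,
    "v3_require_at": v3_require_at,
    "last_at": last_at,
}


def resolves_to(parser, remote_user, expected):
    """True if parser maps remote_user onto the expected (user, domain) pair;
    a parser that rejects the value counts as a miss."""
    try:
        return parser(remote_user) == expected
    except ValueError:
        return False


def compatibility(expected, candidates):
    """For each candidate REMOTE_USER value, the set of parser names under
    which it resolves to the expected identity."""
    return {
        value: {name for name, p in PARSERS.items() if resolves_to(p, value, expected)}
        for value in candidates
    }


def universal_values(expected, candidates, required):
    """Candidate REMOTE_USER values accepted by every parser named in `required`."""
    table = compatibility(expected, candidates)
    return [v for v, ok in table.items() if set(required) <= ok]


if __name__ == "__main__":
    # Constructed sample: an e-mail-style user name living in the default domain.
    want = ("alice@example.org", DEFAULT_DOMAIN)
    tried = ["alice@example.org", "alice@example.org@default"]
    for value, ok in compatibility(want, tried).items():
        print(f"{value!r:35} works with: {sorted(ok) or 'nothing'}")
    print("value accepted by both v2 and v3 Default:",
          universal_values(want, tried, ["v2_no_split", "v3_first_at"]) or "none")
```

Running it shows that no single REMOTE_USER value satisfies both the v2 rule and the v3 first-@ rule once the user name contains an @: the delimiter is ambiguous as soon as it may occur inside the identifier, which is the root of the report. Splitting at the last @ only helps the handlers that are changed to use it.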
Changed in keystone:
- assignee: nobody → Brant Knudson (blk-u)
- description: updated

Changed in keystone:
- assignee: Brant Knudson (blk-u) → Alvaro Lopez (aloga)
- status: New → In Progress

Changed in keystone:
- assignee: Alvaro Lopez (aloga) → Adam Young (ayoung)

Changed in keystone:
- assignee: Adam Young (ayoung) → Dolph Mathews (dolph)

Changed in keystone:
- milestone: none → icehouse-2
- status: Fix Committed → Fix Released

Changed in keystone:
- importance: Undecided → Medium

Changed in keystone:
- milestone: icehouse-2 → 2014.1
How does [0] not "allow" @? It specifically handles the REMOTE_USER as a username in the default domain and doesn't care whether it's an email address or not.