x509 configured domains are redundant with auto-generated identity provider domains
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
In Progress
|
Low
|
Guang Yee |
Bug Description
In order to set up x509 authentication, operators need to specify trusted issuers in their keystone configuration [0] and they need to specify a REMOTE_DOMAIN attribute through their chosen SSL library [1]. The REMOTE_DOMAIN is then passed into keystone via the request environment and optionally used to namespace the user from REMOTE_USER.
Several releases ago, keystone merged support for auto-generating a domain for each identity provider resource [2]. There is also support for specifying a domain for an identity provider when creating it. The purpose of this very similar to the REMOTE_DOMAIN from SSL, in that federated users coming from a specific identity provider have a domain for their user to be namespaced to.
If keystone can use the domain from the configured x509 identity provider, then we might not need to have operators specify REMOTE_DOMAIN in their apache configuration. This also means that users presenting certificates from different trusted_issuers can be mapped into different domains, instead of all being lumped into the REMOTE_DOMAIN.
[0] http://
[1] https:/
[2] https:/
tags: | added: x509 |
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → Medium |
importance: | Medium → Low |
I think the doc is wrong. We should never recommend external auth be used with X.509 certificate based authentication. X.509 certificate based auth should always us the federation mechanism. External is based on a single attribute, REMOTE_USER, which is very limited.