Cannot Use existing auth plugins with new methods

Bug #1343709 reported by Adam Young on 2014-07-18
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
Adam Young

Bug Description

Auth plugins hard code the "method" that is used to name them in the config file. This prevents reuse, and forces a new Plugin for each mod_auth mechanism in Apache HTTPD. Since there is already a handful of "external" plugins, we will have a cross-preoduct of auth plugins; one for each mechanism X mapping scheme.

This was discussed at the Hackathon


Remove method name from auth plugins (so the method name is owned by keystone.conf)

One place where this shows up is that the "kerberos" method requires a new AuthPlugin for existing functionality, such as using the Default Domain. The same is true for SAML, or OpenID connect.

Fix proposed to branch: master

Changed in keystone:
assignee: nobody → Adam Young (ayoung)
status: New → In Progress

Neither kerberos nor the default domain are mentioned on the hackathon etherpad. What is the bug?

Changed in keystone:
status: In Progress → Incomplete
Changed in keystone:
status: Incomplete → In Progress
Adam Young (ayoung) on 2014-07-18
description: updated
Changed in keystone:
milestone: none → juno-3
importance: Undecided → Critical
Changed in keystone:
assignee: Adam Young (ayoung) → Morgan Fainberg (mdrnstm)
assignee: Morgan Fainberg (mdrnstm) → Adam Young (ayoung)
Adam Young (ayoung) on 2014-07-18
Changed in keystone:
importance: Critical → High
Adam Young (ayoung) on 2014-07-18
summary: - Cannot Use Default Domain with Kerberos
+ Cannot Use existing auth plugins with new methods
Dolph Mathews (dolph) wrote :

High business priority does not equate to a high impact bug - this is proposing to add configuration flexibility that was previously only achievable with a 3 line python file (to extend an existing plugin and change it's method attribute).

Changed in keystone:
importance: High → Wishlist

Submitter: Jenkins
Branch: master

commit 1a610dcc25cb95b1013c40dbf8d70136ac36fa3a
Author: Adam Young <email address hidden>
Date: Thu Jul 17 21:18:42 2014 -0400

    Do not require method attribute on plugins

    Removes the condition that an authentication plugin knows the "method"
    name that is going to be used to call it. This condition prevents
    different mechanisms like "kerberos" and "saml" from using the same
    backend plugin.

    The client should not know how the server is enforcing the Kerberos
    authentication, mod_auth_kerb or embedded Kerberos, but the
    mod_auth_kerb implementation needs to use the same implementation as an
    X509 implementation.

    Closes-Bug: #1343709

    Change-Id: I6c7d44d3809e5e88cc50c50b6df6f3a154df7ab2

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx) on 2014-09-04
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx) on 2014-10-16
Changed in keystone:
milestone: juno-3 → 2014.2
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers