x509 authentication doesn't work with auto-provisioning
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
OpenStack Identity (keystone) |
Triaged
|
Medium
|
Unassigned |
Bug Description
Keystone supports the ability to authenticate users who have an x509 certificate [0]. Attributes from the certificate are parsed using an SSL library and are passed to keystone (mod_ssl in the apache case). Keystone uses the certificate attributes like attributes from a SAML assertion and runs it through a mapping.
Keystone also supports auto-provisioning through mappings [1]. This is a mapping with a special syntax that let's keystone know it should create the underlying projects and role assignments for that user, in addition to the shadow user.
It appears that none of the auto-provisioning works when authenticating with x509 certificates. The following are the steps I took to determine this.
1. ) Deploy devstack with the tls-proxy service enabled
disable_
enable_service key
enable_service tls-proxy
enable_service horizon
enable_service mysql
enable_service tempest
enable_service rabbit
2.) Remove http-services-
$ sudo rm /etc/apache2/
For some reason, this doesn't work with keystone and SSL.
3.) Configure SSL for keystone in Apache configuration
<VirtualHost *:443>
SSLEngine On
SSLCertific
SSLCACertif
SSLOptions +StdEnvVars
SSLVerifyClient optional
SSLUserName SSL_CLIENT_S_DN_CN
SetEnv REMOTE_DOMAIN openstack
</Virtualhost>
4.) Configure x509 authentication in keystone.conf
[tokenless_auth]
# trusted issuer comes from the Issuer of the SSLCACertificat
# from the Apache configuration, where $CERT_PATH is SSLCACertificat
# Use openssl to figure out the Issuer and reformat the ordering of the string
# to be as follows.
trusted_issuer = CN=Root CA,OU=DevStack Certificate Authority,
[auth]
methods = password,
external = Domain
5.) Create a certificate request, private key, and certificate for a user
$ openssl req -out john.csr -new -newkey rsa:2048 -nodes -keyout john.key
When prompted for the organization (O) enter the domain for the user.
A domain with the same name as the organizational unit will need to be
created in keystone. The common name of the certificate request will be
the user's username within keystone, depending on the specific mapping.
$ openssl x509 -req -in john.csr -CA $ROOT_CA -CAkey $ROOT_KEY -days 365 -out john.pem -CAcreateserial
6.) Create the identity provider and mapping in keystone
The identity provider ID is the hashed trusted_issuer string from the configuration file:
./hash 'CN=Root CA,OU=DevStack Certificate Authority,
ad9b5af1ba36ffc
https:/
$ openstack identity provider create ad9b5af1ba36ffc
$ openstack mapping create x509map --rules rules.json
$ openstack federation protocol create x509 --mapping x509map --identity-provider ad9b5af1ba36ffc
The following is the rules.json I used:
https:/
7.) Authenticate for a token
When I authenticate for a token using the certificate I created, I get an unscoped token. Also, none of the auto-provisioned resources are created through the mapping. The expected behavior is that the auto-provisioning feature would handle the creation of those resources and I'd be able to get a scoped token.
https:/
[0] https:/
description: | updated |
summary: |
- Tokenless authentication doesn't work with auto-provisioning + x509 authentication doesn't work with auto-provisioning |
description: | updated |
tags: | added: x509 |
Changed in keystone: | |
status: | New → Triaged |
importance: | Undecided → Medium |
This might not be specific to this bug, but I did notice that we are calling the external authentication plugin twice, which we probably don't need to do.
I was reading the code and noticed we special case the external authentication plugin, but then we also rely on a factory to return the authentication plugin needed based on the methods supplied in the request.
Here are the logging changes I made:
https:/ /pasted. tech/pastes/ 9df194511c3fbd5 09f216eb88b70ef 4ee0479dad. raw
And this is the logs I captured when authenticating with an x509 certificate:
https:/ /pasted. tech/pastes/ a2197a098d9ad1d 5397561ef0e63f3 876078ffb2. raw
I'm not sure yet if this causes issues in how the requests are handled, but it doesn't look like it. More-or-less a performance issue and extra, un-needed calls.