x509 configured domains are redundant with auto-generated identity provider domains

Bug #1813335 reported by Lance Bragstad
This bug affects 1 person
Affects Status Importance Assigned to Milestone
OpenStack Identity (keystone)
In Progress
Guang Yee

Bug Description

In order to set up x509 authentication, operators need to specify trusted issuers in their keystone configuration [0] and they need to specify a REMOTE_DOMAIN attribute through their chosen SSL library [1]. The REMOTE_DOMAIN is then passed into keystone via the request environment and optionally used to namespace the user from REMOTE_USER.

Several releases ago, keystone merged support for auto-generating a domain for each identity provider resource [2]. There is also support for specifying a domain for an identity provider when creating it. The purpose of this very similar to the REMOTE_DOMAIN from SSL, in that federated users coming from a specific identity provider have a domain for their user to be namespaced to.

If keystone can use the domain from the configured x509 identity provider, then we might not need to have operators specify REMOTE_DOMAIN in their apache configuration. This also means that users presenting certificates from different trusted_issuers can be mapped into different domains, instead of all being lumped into the REMOTE_DOMAIN.

[0] http://git.openstack.org/cgit/openstack/keystone/tree/keystone/conf/tokenless_auth.py?id=e647d6f69762523d0dfa28137a9f11010b550e72#n18
[1] https://docs.openstack.org/keystone/latest/admin/external-authentication.html#configuration
[2] https://review.openstack.org/#/c/399684/

Tags: x509
tags: added: x509
Changed in keystone:
status: New → Triaged
importance: Undecided → Medium
importance: Medium → Low
Revision history for this message
Guang Yee (guang-yee) wrote :

I think the doc is wrong. We should never recommend external auth be used with X.509 certificate based authentication. X.509 certificate based auth should always us the federation mechanism. External is based on a single attribute, REMOTE_USER, which is very limited.

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.opendev.org/669959

Changed in keystone:
assignee: nobody → Guang Yee (guang-yee)
status: Triaged → In Progress
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Change abandoned on keystone (master)

Change abandoned by "Gage Hugo <email address hidden>" on branch: master
Review: https://review.opendev.org/c/openstack/keystone/+/669959
Reason: Abandoning since there hasn't been any recent activity, if anyone wants to continue this work, please feel free to restore this or create a new change.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers