port cert validation from keystone master to redux

Bug #928047 reported by Joseph Heck on 2012-02-07
This bug affects 2 people
Affects: OpenStack Identity (keystone)
Assigned to: Adam Young

Bug Description

enable validation using client certificates instead of credentials

termie (termie) wrote :

i need to look at this to find out how complex it is

Alan Pevec (apevec) wrote :

milestone-proposed branch was removed, old docs are now at

Joseph Heck (heckj) on 2012-03-08
tags: added: blueprint
Adam Young (ayoung) on 2012-03-20
Changed in keystone:
assignee: nobody → Adam Young (ayoung)
Adam Young (ayoung) on 2012-03-30
description: updated
Adam Young (ayoung) wrote :

Since client-side authentication was never fully supported, this is not really a port, but rather a new feature.

I am going to propose the following.

For SSL and other authentication support, Keystone will be run in Apache HTTPD, not eventlet

HTTPD can provide a form of authentication other than in the credentials. Expect to see PKI Client Certificates and Kerberos, although variations of Basic auth will be permitted.

The HTTPD server will forward the authenticated user via the

   WSGIPassAuthorization On

directive. This will be available in the wsgi code via req.environ.get('REMOTE_USER') and will be stored in the context dictionary. We add an option to keystone.conf which specifies whether it should accept external authentication. If external auth is supported, then the authenticate call will use the REMOTE_USER value instead of looking for the username field in the authentication request.

Either an additional Pipeline component of external_auth will replace the filter:token_auth, or the token_auth filter will be extended to support external_auth in place of token auth.
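An added illustration of the flow proposed above, not Keystone's own code: a WSGI filter copies the REMOTE_USER that HTTPD set into the request context, and the authenticate step prefers it over the request's username field only when the config option is on. The filter name, the `external_auth` option, the `keystone.context` key and the sample environ are assumptions.

```python
import io
import json

# Constructed stand-in for the keystone.conf option proposed above.
CONF = {"external_auth": True}

def external_auth_filter(app, conf=CONF):
    """WSGI filter (hypothetical name) recording the HTTPD-authenticated user.
    With `WSGIPassAuthorization On`, mod_wsgi passes the identity HTTPD already
    established (client cert, Kerberos, Basic) as REMOTE_USER. HTTPD sets it,
    not the client, and it is honoured only when the config option is on."""
    def middleware(environ, start_response):
        context = environ.setdefault("keystone.context", {})
        remote_user = environ.get("REMOTE_USER")
        if conf["external_auth"] and remote_user:
            context["REMOTE_USER"] = remote_user
        return app(environ, start_response)
    return middleware

def authenticate(context, auth_request, conf=CONF):
    """Return (username, method): REMOTE_USER wins when external auth is on,
    otherwise the username field of the credentials request is used."""
    external = context.get("REMOTE_USER")
    if conf["external_auth"] and external:
        return external, "external"
    creds = auth_request.get("auth", {}).get("passwordCredentials", {})
    if not creds.get("username") or not creds.get("password"):
        raise ValueError("no usable credentials in request")
    return creds["username"], "password"

def handle_token_request(environ, conf=CONF):
    """Push one request through the filter and authenticate(); return the tuple."""
    result = {}
    def app(env, start_response):
        result["who"] = authenticate(env["keystone.context"],
                                     json.load(env["wsgi.input"]), conf)
        start_response("200 OK", [("Content-Type", "application/json")])
        return [b"{}"]
    external_auth_filter(app, conf)(environ, lambda *args: None)
    return result["who"]

def make_environ(auth_request, remote_user=None):
    """Constructed WSGI environ shaped like what mod_wsgi hands to Keystone."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": "/v2.0/tokens",
               "wsgi.input": io.BytesIO(json.dumps(auth_request).encode())}
    if remote_user is not None:
        environ["REMOTE_USER"] = remote_user
    return environ
```

With `external_auth` off, a REMOTE_USER in the environ is ignored and the request must carry password credentials, which keeps an eventlet deployment from honouring a value no HTTPD ever set.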

Joseph Heck (heckj) wrote :

marking the bug as invalid, converting to blueprint: https://blueprints.launchpad.net/keystone/+spec/pki

Changed in keystone:
status: Confirmed → Invalid