OpenStack Identity (Keystone)

Comment 4 for bug 928047

Adam Young (ayoung) wrote :

Since client-side authentication was never fully supported, this is not really a port, but rather a new feature.

I am going to propose the following.

For SSL and other authentication support, Keystone will be run in Apache HTTPD, not eventlet.

HTTPD can provide a form of authentication other than in the credentials. Expect to see PKI Client Certificates and Kerberos, although variations of Basic auth will be permitted.

The HTTPD server will forward the authenticated user via the

   WSGIPassAuthorization On

directive. This will be available in the wsgi code via req.environ.get('REMOTE_USER') and will be stored in the context dictionary. We add an option to keystone.conf which specifies whether it should accept external authentication. If external auth is supported, then the authenticate call will use the REMOTE_USER value instead of looking for the username field in the authentication request.

Either an additional Pipeline component of external_auth will replace the filter:token_auth, or the token_auth filter will be extended to support external_auth in place of token auth.
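The REMOTE_USER handling described in the comment, as an added illustration that is not Keystone code and not part of the bug thread. It assumes a hypothetical `external_auth` option, the v2-style `auth.passwordCredentials.username` request body, and treats a missing REMOTE_USER with external auth enabled as a failure rather than falling back to the client-supplied username, since trusting the body at that point would let a caller bypass the HTTPD authentication layer.

```python
# Constructed example: how an authenticate() call could pick the user when
# HTTPD (with WSGIPassAuthorization On) is responsible for authentication.
# Option name "external_auth" and the helper names are assumptions.

DEFAULT_CONF = {"external_auth": True}


def resolve_username(environ, body, conf=DEFAULT_CONF):
    """Return the username to authenticate, or raise ValueError.

    external_auth enabled: only REMOTE_USER set by HTTPD is trusted. A
    missing value is an error, not a fallback, so a request body cannot
    substitute for the web server's authentication.
    external_auth disabled: use the username from the request body.
    """
    if conf.get("external_auth"):
        remote_user = environ.get("REMOTE_USER")
        if not remote_user:
            raise ValueError("external_auth enabled but REMOTE_USER not set")
        return remote_user
    try:
        return body["auth"]["passwordCredentials"]["username"]
    except (KeyError, TypeError):
        raise ValueError("username missing from authentication request")


def build_context(environ, body, conf=DEFAULT_CONF):
    """Build the per-request context dictionary the comment refers to.

    Returns {"user": <name>, "external": <bool>} on success or
    {"error": <message>} so callers can return a 401 without a traceback.
    """
    try:
        user = resolve_username(environ, body, conf)
    except ValueError as exc:
        return {"error": str(exc)}
    return {"user": user, "external": bool(conf.get("external_auth"))}


if __name__ == "__main__":
    # Constructed sample inputs: one request authenticated by HTTPD, one
    # that carries only body credentials while external auth is on.
    print(build_context({"REMOTE_USER": "alice"}, {}))
    print(build_context({}, {"auth": {"passwordCredentials":
                                      {"username": "bob"}}}))
```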