Cannot Use existing auth plugins with new methods

Bug #1343709 reported by Adam Young
This bug affects 1 person
Affects: OpenStack Identity (keystone)
Status: Fix Released
Importance: Wishlist
Assigned to: Adam Young

Bug Description

Auth plugins hard code the "method" that is used to name them in the config file. This prevents reuse, and forces a new Plugin for each mod_auth mechanism in Apache HTTPD. Since there is already a handful of "external" plugins, we will have a cross-product of auth plugins; one for each mechanism X mapping scheme.

This was discussed at the Hackathon

From: https://etherpad.openstack.org/p/keystone-juno-hackathon

Remove method name from auth plugins (so the method name is owned by keystone.conf)

One place where this shows up is that the "kerberos" method requires a new AuthPlugin for existing functionality, such as using the Default Domain. The same is true for SAML, or OpenID connect.

OpenStack Infra (hudson-openstack) wrote : Fix proposed to keystone (master)

Fix proposed to branch: master
Review: https://review.openstack.org/107873

Changed in keystone:
assignee: nobody → Adam Young (ayoung)
status: New → In Progress
Dolph Mathews (dolph) wrote : Re: Cannot Use Default Domain with Kerberos

Neither kerberos nor the default domain are mentioned on the hackathon etherpad. What is the bug?

Changed in keystone:
status: In Progress → Incomplete
Changed in keystone:
status: Incomplete → In Progress
Adam Young (ayoung)
description: updated
Changed in keystone:
milestone: none → juno-3
importance: Undecided → Critical
Changed in keystone:
assignee: Adam Young (ayoung) → Morgan Fainberg (mdrnstm)
assignee: Morgan Fainberg (mdrnstm) → Adam Young (ayoung)
Adam Young (ayoung)
Changed in keystone:
importance: Critical → High
Adam Young (ayoung)
summary: - Cannot Use Default Domain with Kerberos
+ Cannot Use existing auth plugins with new methods
Dolph Mathews (dolph) wrote :

High business priority does not equate to a high impact bug - this is proposing to add configuration flexibility that was previously only achievable with a 3 line Python file (to extend an existing plugin and change its method attribute).

Changed in keystone:
importance: High → Wishlist
OpenStack Infra (hudson-openstack) wrote : Fix merged to keystone (master)

Reviewed: https://review.openstack.org/107873
Committed: https://git.openstack.org/cgit/openstack/keystone/commit/?id=1a610dcc25cb95b1013c40dbf8d70136ac36fa3a
Submitter: Jenkins
Branch: master

commit 1a610dcc25cb95b1013c40dbf8d70136ac36fa3a
Author: Adam Young <email address hidden>
Date: Thu Jul 17 21:18:42 2014 -0400

    Do not require method attribute on plugins

    Removes the condition that an authentication plugin knows the "method"
    name that is going to be used to call it. This condition prevents
    different mechanisms like "kerberos" and "saml" from using the same
    backend plugin.

    The client should not know how the server is enforcing the Kerberos
    authentication, mod_auth_kerb or embedded Kerberos, but the
    mod_auth_kerb implementation needs to use the same implementation as an
    X509 implementation.

    Closes-Bug: #1343709

    Change-Id: I6c7d44d3809e5e88cc50c50b6df6f3a154df7ab2

Changed in keystone:
status: In Progress → Fix Committed
Thierry Carrez (ttx)
Changed in keystone:
status: Fix Committed → Fix Released
Thierry Carrez (ttx)
Changed in keystone:
milestone: juno-3 → 2014.2
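
Added illustration (not keystone's code and not part of the bug report): a minimal model of the change discussed above, where the method name lives only in the config file and one plugin class serves several methods. The plugin class names, the PLUGINS table and the sample config are constructed for this example; only the [auth] section and its methods option follow keystone.conf.

```python
import configparser

# Constructed config modelled on the [auth] section of keystone.conf:
# each name in "methods" maps to a plugin. Plugin names are hypothetical.
SAMPLE_CONF = """
[auth]
methods = external,kerberos,saml
external = RemoteUserDefaultDomain
kerberos = RemoteUserDefaultDomain
saml = RemoteUserDefaultDomain
"""

class RemoteUserDefaultDomain:
    """Hypothetical plugin: trusts REMOTE_USER set by an Apache auth module.

    It carries no `method` attribute, so it does not care which name the
    deployment uses to reach it.
    """
    def authenticate(self, environ):
        user = environ.get("REMOTE_USER")
        if not user:
            raise PermissionError("REMOTE_USER not set by the web server")
        return {"user": user, "domain": "default"}

class LegacyKerberos(RemoteUserDefaultDomain):
    """The pre-fix workaround: subclass only to change the method name."""
    method = "kerberos"

PLUGINS = {cls.__name__: cls for cls in (RemoteUserDefaultDomain, LegacyKerberos)}

def load_auth_methods(conf_text):
    """Build {method name: plugin instance} from config alone."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    auth = cp["auth"]
    names = [m.strip() for m in auth["methods"].split(",") if m.strip()]
    return {name: PLUGINS[auth[name]]() for name in names}

def authenticate(methods, method_name, environ):
    """Dispatch a request; methods not listed in config are rejected."""
    if method_name not in methods:
        raise LookupError(f"auth method {method_name!r} is not enabled")
    result = methods[method_name].authenticate(environ)
    return dict(result, method=method_name)
```

Because the registry is keyed by the configured name, a method that the operator did not list is refused before any plugin code runs, and the same REMOTE_USER handling is exercised regardless of which Apache module sits in front.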