On 11/14/2013 10:52 AM, Álvaro López García wrote:
> Hi all,
>
> During the review of [1] I had a look at the tests that are related
> to external authentication (i.e. the usage of REMOTE_USER) in
> Keystone and I realised that there is a bunch of them that are setting
> "external" as one of the authentication methods. However, in
> keystone.auth.controllers there is an explicit call to the "external"
> methods whenever REMOTE_USER is set [2].
>
> Should we call the external authentication only when "external" is set
> (i.e. in [3]) regardless of the REMOTE_USER presence in the context?

I'd like to. We made a decision to make the user explicitly enable External authentication in the config, but there is no reason that it would have to extend to the request body itself. In theory we could do a token creation request with no Body at all, the same way we do role assignments:

To create a project scoped token
PUT /auth/tokens/domain/<domid>/project<projectid>

And to create a domain token
PUT /auth/tokens/domain/<domid>


Would work very well with Basic-Auth or other External formats. Then the Body would only have to contain any mitigating factors, like a shorter expiry or reduced set of roles.

_______________________________________________
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
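
The dispatch question raised in this thread, as an added example: a simplified Python model written for this page, not Keystone's code and not either poster's. `plan_methods`, the policy names and the sample values are assumptions; only `REMOTE_USER`, the "external" method name and the config enablement come from the thread.

```python
# Simplified model of the dispatch question in this thread; not Keystone code.
# plan_methods, IMPLICIT/EXPLICIT and all sample values are assumptions.
IMPLICIT = "implicit"  # as described in the thread: REMOTE_USER alone triggers "external"
EXPLICIT = "explicit"  # proposal: "external" runs only when the request lists it


class AuthPlanError(Exception):
    """The token request cannot be authenticated as submitted."""


def plan_methods(context, auth_body, enabled, policy):
    """Return the ordered list of auth methods that would run for one request."""
    identity = (auth_body or {}).get("auth", {}).get("identity", {})
    requested = list(identity.get("methods", []))
    has_remote_user = bool(context.get("REMOTE_USER"))

    plan = []
    # Implicit dispatch: the front end's REMOTE_USER is trusted even though the
    # client never asked for "external" (assumed to apply only when enabled).
    if policy == IMPLICIT and has_remote_user and "external" in enabled:
        plan.append("external")
    plan.extend(m for m in requested if m not in plan)

    for name in plan:
        if name not in enabled:
            raise AuthPlanError(f"method {name!r} is not enabled in the config")
    # Naming "external" without a front-end identity must fail closed.
    if "external" in plan and not has_remote_user:
        raise AuthPlanError("'external' requested but REMOTE_USER is not set")
    if not plan:
        raise AuthPlanError("no authentication method applies to this request")
    return plan


if __name__ == "__main__":
    enabled = {"external", "password"}                          # constructed config
    ctx = {"REMOTE_USER": "alice"}                              # constructed context
    password_body = {"auth": {"identity": {"methods": ["password"]}}}
    for policy in (IMPLICIT, EXPLICIT):
        print(policy, "password body:", plan_methods(ctx, password_body, enabled, policy))
    print(IMPLICIT, "no body:", plan_methods(ctx, None, enabled, IMPLICIT))
```

In this model a request with no body has nothing to dispatch under the explicit policy, so a body-less token request only authenticates when `REMOTE_USER` itself selects the method.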