Phase one for dealing with Federation can be done with CORS support solely for Keystone/Horizon integration:

1.  Horizon Login page creates Javascript to do AJAX call to Keystone
2.  Keystone generates a token
3.  Javascript reads token out of response and sends it to Horizon.
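As an added illustration (not code from the original post or from Horizon/Keystone), the three steps above as browser-side JavaScript. The Keystone and Horizon URLs, the Horizon hand-off path, and the injected fetch implementation are assumptions for the example; the Keystone v3 `POST /v3/auth/tokens` request shape and the `X-Subject-Token` response header are the real API.

```javascript
// Added example (not from the original post): the three-step browser flow
// sketched above, with the endpoints and the fetch implementation injected so
// it can be exercised offline. Keystone v3 returns the token in the
// X-Subject-Token response header, so a cross-origin page can only read it
// if Keystone's CORS configuration lists that header in
// Access-Control-Expose-Headers.
const KEYSTONE_URL = "https://keystone.example.test:5000"; // assumed endpoint
const HORIZON_URL = "https://horizon.example.test";        // assumed endpoint

// Step 1: build the v3 password-auth request the Horizon login page would send.
function buildPasswordAuthRequest(keystoneUrl, username, password, domain) {
  return {
    url: `${keystoneUrl}/v3/auth/tokens`,
    options: {
      method: "POST",
      mode: "cors",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({
        auth: {
          identity: {
            methods: ["password"],
            password: { user: { name: username, domain: { name: domain }, password } }
          }
        }
      })
    }
  };
}

// Step 3a: read the token out of Keystone's response. `headers` is any object
// with a get(name) method (the Fetch Headers API, or a test double).
function extractSubjectToken(status, headers) {
  if (status !== 201) throw new Error(`Keystone auth failed: HTTP ${status}`);
  const token = headers.get("X-Subject-Token");
  if (!token) {
    // Typical symptom of a CORS setup that does not expose the header: the
    // request succeeds, but the browser hides the token from script.
    throw new Error("X-Subject-Token not readable; check Access-Control-Expose-Headers");
  }
  return token;
}

// Step 3b: hand the token to Horizon. Horizon is the page's own origin, so this
// call needs no CORS. The /auth/token/ path is an assumption for illustration.
function buildHorizonHandoff(horizonUrl, token) {
  return {
    url: `${horizonUrl}/auth/token/`,
    options: {
      method: "POST",
      credentials: "same-origin",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ token })
    }
  };
}

// Runs the whole flow; fetchImpl is injected (window.fetch in a real page).
async function loginViaKeystone(fetchImpl, creds) {
  const req = buildPasswordAuthRequest(KEYSTONE_URL, creds.username, creds.password, creds.domain);
  const resp = await fetchImpl(req.url, req.options);
  const token = extractSubjectToken(resp.status, resp.headers);   // step 2 happened in Keystone
  const handoff = buildHorizonHandoff(HORIZON_URL, token);
  const horizonResp = await fetchImpl(handoff.url, handoff.options);
  return horizonResp.status === 200 || horizonResp.status === 204;
}
```

Two points worth keeping in mind when wiring this up for real: the token never needs to be stored by the page, it is read from the response and handed straight to Horizon; and Horizon must then validate the received token server-side against Keystone (the validation that keystonemiddleware's auth_token performs for other endpoints), since a value posted by the browser is untrusted until Keystone confirms it.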

This should support Kerberos, X509, and Password auth; the Keystone team is discussing how to advertise mechanisms, so let's leave the onus on us to solve that one and get back in a timely manner.

For Federation, the handshake is a little more complex, and there might be a need for some sort of popup window for the user to log in to their home SAML provider. It's several more AJAX calls, but the end effect should be the same: get a standard Keystone token and hand it to Horizon.

This would mean that Horizon would have to validate tokens the same way as any other endpoint. That should not be too hard, but there is a little bit of "create a user, get a token, make a call" logic that currently lives only in keystonemiddleware/auth_token. It's a solvable problem.

This approach will support the straight Javascript approach that Richard Jones discussed; Keystone behind a proxy will work this way without CORS support. If CORS can be sorted out for the other services, we can do straight Javascript without the proxy. I see it as a phased approach, with this being the first phase.

OpenStack-dev mailing list