Hi all!

This (presumably) pretty basic question tortures me for several months already, so I kindly seek for help here.

I'm working on a Flask-based service [1] and I'd like to use Keystone tokens for authentication. This is an admin-only API, so we need to check for an admin role. We ended up with code [2] first accessing Keystone with a given token and (configurable) admin tenant name, then checking 'admin' role. Things went well for a while.

Now I'm writing an Ironic driver accessing API of [1]. Pretty naively I was trying to use an Ironic service user credentials, that we use for accessing all other services. For TripleO-based installations it's a user with name 'ironic' and a special tenant 'service'. Here is where problems are. Our code perfectly authenticates a mere user (that has tenant 'admin'), but asks Ironic to go away.

We've spent some time researching documentation and keystone middleware source code, but didn't find any more clues. Neither did we find a way to use keystone middleware without rewriting half of project. What we need is 2 simple things in a simple Flask application:
1. validate a token
2. make sure it belongs to admin

I'll thankfully appreciate any ideas how to fix our situation.
Thanks in advance!


[1] https://github.com/stackforge/ironic-discoverd
[2] https://github.com/stackforge/ironic-discoverd/blob/master/ironic_discoverd/utils.py#L50-L65

OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe

Reply via email to