2015-02-27 17:27 GMT+01:00 Dolph Mathews <[email protected]>:
>
> On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur <[email protected]> wrote:
>
>> Hi all!
>>
>> This (presumably) pretty basic question has been torturing me for several
>> months already, so I kindly seek help here.
>>
>> I'm working on a Flask-based service [1] and I'd like to use Keystone
>> tokens for authentication. This is an admin-only API, so we need to check
>> for an admin role. We ended up with code [2] first accessing Keystone with
>> a given token and (configurable) admin tenant name, then checking the
>> 'admin' role. Things went well for a while.
>>
>> Now I'm writing an Ironic driver accessing the API of [1]. Pretty naively I
>> was trying to use the Ironic service user credentials that we use for
>> accessing all other services. For TripleO-based installations it's a user
>> with name 'ironic' and a special tenant 'service'. Here is where the
>> problems are. Our code perfectly authenticates a mere user (that has tenant
>> 'admin'), but asks Ironic to go away.
>>
>> We've spent some time researching documentation and keystone middleware
>> source code, but didn't find any more clues. Neither did we find a way to
>> use keystone middleware without rewriting half of the project. What we need
>> is 2 simple things in a simple Flask application:
>> 1. validate a token
>> 2. make sure it belongs to admin
>>
>
> I'm not really clear on what problem you're having, because I'm not sure
> if you care about an "admin" username, "admin" tenant name, or "admin" role
> name. If you're implementing RBAC, you only really need to care about the
> user having an "admin" role in their list of roles.
>
Yeah, I guess that's what I need.

>
> You can wrap your flask application with a configured instance of
> auth_token middleware; this is about the simplest way to do it, and this
> also demos the environment variables exposed to your application that you
> can use to validate authorization:
>
> https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41
>

Thanks a lot, I will give it a try!

>
>>
>> I'll thankfully appreciate any ideas on how to fix our situation.
>> Thanks in advance!
>>
>> Dmitry.
>>
>> [1] https://github.com/stackforge/ironic-discoverd
>> [2] https://github.com/stackforge/ironic-discoverd/blob/master/ironic_discoverd/utils.py#L50-L65
>>
>

--
Dmitry Tantsur
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
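As an added example (not code from ironic-discoverd, keystonemiddleware, or Dolph's echo.py), here is the check Dolph describes, written as plain WSGI so it runs without Flask or a Keystone endpoint. It reads the X-Identity-Status and X-Roles headers that auth_token sets on a validated request (the application sees them as HTTP_X_* environ keys) and authorizes on the 'admin' role rather than on the user name or tenant name, so the 'ironic' service user in tenant 'service' is admitted while a non-admin user in tenant 'admin' is refused. The sample environs are constructed, and the role list given to the service user, the `hello_app` stand-in and the `admin_only` helper are assumptions of this example, not anything from the thread.

```python
"""Admin-only gate for a WSGI (e.g. Flask) app behind keystonemiddleware's
auth_token filter.

Added example, not ironic-discoverd or keystonemiddleware code.  It assumes
auth_token has already validated the token and exposed the result as X-*
headers, which WSGI hands to the application as HTTP_X_* environ keys.  The
check follows the thread's advice: authorize on the 'admin' role in X-Roles,
never on the user name or tenant/project name.
"""
import json

# Environ keys for headers set by keystonemiddleware.auth_token.
IDENTITY_STATUS = "HTTP_X_IDENTITY_STATUS"  # "Confirmed" or "Invalid"
ROLES = "HTTP_X_ROLES"                      # comma-separated role names
USER_NAME = "HTTP_X_USER_NAME"
PROJECT_NAME = "HTTP_X_PROJECT_NAME"

REQUIRED_ROLE = "admin"  # assumption: the deployment's admin role is named 'admin'


def roles_from_environ(environ):
    """Parse X-Roles into a set of role names (empty set if absent)."""
    raw = environ.get(ROLES, "")
    return {r.strip() for r in raw.split(",") if r.strip()}


def authorize_admin(environ):
    """Decide on one request; returns (http_status, reason).

    401: auth_token did not confirm the token.  This is what you see when
         the middleware runs with delay_auth_decision=True and the token is
         bad, or when the headers are missing because the middleware is not
         in front of the app at all.  Anything but "Confirmed" is rejected.
    403: token is valid but the 'admin' role is not among its roles.
    200: authorized.  User and project names are deliberately ignored, so
         user 'ironic' in project 'service' is treated exactly like user
         'admin' in project 'admin' as long as both carry the role.
    """
    if environ.get(IDENTITY_STATUS) != "Confirmed":
        return 401, "token missing or invalid"
    if REQUIRED_ROLE not in roles_from_environ(environ):
        return 403, "role '%s' required" % REQUIRED_ROLE
    return 200, "ok"


def admin_only(app):
    """WSGI middleware: only requests passing authorize_admin reach `app`."""
    def wrapper(environ, start_response):
        code, reason = authorize_admin(environ)
        if code != 200:
            body = json.dumps({"error": reason}).encode("utf-8")
            status = {401: "401 Unauthorized", 403: "403 Forbidden"}[code]
            start_response(status, [("Content-Type", "application/json"),
                                    ("Content-Length", str(len(body)))])
            return [body]
        return app(environ, start_response)
    return wrapper


def hello_app(environ, start_response):
    """Stand-in for the real application; echoes who got through."""
    body = ("hello %s@%s\n" % (environ.get(USER_NAME),
                               environ.get(PROJECT_NAME))).encode("utf-8")
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("Content-Length", str(len(body)))])
    return [body]


def call(app, environ):
    """Drive one WSGI request in-process; returns (status line, body)."""
    seen = {}

    def start_response(status, headers, exc_info=None):
        seen["status"] = status

    body = b"".join(app(dict(environ), start_response))
    return seen["status"], body


# Constructed environs standing in for what auth_token would produce after
# validating three different tokens; no Keystone is contacted.
IRONIC_SERVICE_USER = {IDENTITY_STATUS: "Confirmed", USER_NAME: "ironic",
                       PROJECT_NAME: "service", ROLES: "admin,service"}
PLAIN_ADMIN = {IDENTITY_STATUS: "Confirmed", USER_NAME: "admin",
               PROJECT_NAME: "admin", ROLES: "admin"}
MEMBER_IN_ADMIN_TENANT = {IDENTITY_STATUS: "Confirmed", USER_NAME: "alice",
                          PROJECT_NAME: "admin", ROLES: "_member_"}
INVALID_TOKEN = {IDENTITY_STATUS: "Invalid"}

if __name__ == "__main__":
    gated = admin_only(hello_app)
    for label, env in [("ironic/service", IRONIC_SERVICE_USER),
                       ("admin/admin", PLAIN_ADMIN),
                       ("alice/admin", MEMBER_IN_ADMIN_TENANT),
                       ("invalid token", INVALID_TOKEN),
                       ("no middleware", {})]:
        status, body = call(gated, env)
        print("%-14s -> %s %r" % (label, status, body))
```

Two points worth keeping in mind when wiring this in front of a real Flask app: the gate must run after auth_token in the WSGI pipeline (otherwise the HTTP_X_* keys are never present and every request gets 401), and it must reject anything other than an explicit "Confirmed" status, because with delay_auth_decision enabled the middleware forwards requests carrying bad tokens instead of failing them itself.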
