On 02/03/15 08:53, Dmitry Tantsur wrote:
2015-02-27 17:27 GMT+01:00 Dolph Mathews <dolph.math...@gmail.com
<mailto:dolph.math...@gmail.com>>:
On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur
<dtant...@redhat.com <mailto:dtant...@redhat.com>> wrote:
Hi all!
This (presumably) pretty basic question tortures me for
several months already, so I kindly seek for help here.
I'm working on a Flask-based service [1] and I'd like to use
Keystone tokens for authentication. This is an admin-only API,
so we need to check for an admin role. We ended up with code
[2] first accessing Keystone with a given token and
(configurable) admin tenant name, then checking 'admin' role.
Things went well for a while.
Now I'm writing an Ironic driver accessing API of [1]. Pretty
naively I was trying to use an Ironic service user
credentials, that we use for accessing all other services. For
TripleO-based installations it's a user with name 'ironic' and
a special tenant 'service'. Here is where problems are. Our
code perfectly authenticates a mere user (that has tenant
'admin'), but asks Ironic to go away.
We've spent some time researching documentation and keystone
middleware source code, but didn't find any more clues.
Neither did we find a way to use keystone middleware without
rewriting half of project. What we need is 2 simple things in
a simple Flask application:
1. validate a token
2. make sure it belongs to admin
I'm not really clear on what problem you're having, because I'm
not sure if you care about an "admin" username, "admin" tenant
name, or "admin" role name. If you're implementing RBAC, you only
really need to care about the user have an "admin" role in their
list of roles.
Yeah, I guess that's what I need.
It's probably worth calling out that, the Keystone middleware itself
doesn't have any concept of "admin" built in (and this is a good
thing!). Your nova admins may be a totally different group of people to
your Swift admins. Instead, the Keystone middleware will simply tell you
the facts about the user/tenant making the API call, their username,
tenant_id/project_id, the list of roles assigned to them etc. Given this
information, most OpenStack projects use the oslo policy library to take
this info, apply some rules, and then allow you to ask "Can the user
perform action X?" rather than "Is this user an admin?".
For a small internal project, this kind of flexibility may not matter,
and it's certainly not required to use the KS middleware.. But if you're
trying to dig through the various projects codebase's to see how things
are done, knowing this will help :)
You can wrap your flask application with a configured instance of
auth_token middleware; this is about the simplest way to do it,
and this also demos the environment variables exposed to your
application that you can use to validation authorization:
https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41
Thanks a lot, I will give it a try!
If you happen to be using paste-deploy with Flask, Designate has some
code that does just that..
We use a piece of WSGI Middleware[1] to read the info provided by the
keystone middleware and attach it to the Request object for later use,
and the api-paste.ini itself[2] to wire up the KS middleware, our
KeystoneContextMiddleware" and the Flask app itself.
[1]:
https://github.com/openstack/designate/blob/master/designate/api/middleware.py#L62-119
[2]:
https://github.com/openstack/designate/blob/master/etc/designate/api-paste.ini
Good luck!
Thanks,
Kiall
__________________________________________________________________________
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev