Re: [openstack-dev] extending keystone identity

2014-01-28 Thread Simon Perfer
Thanks again, Dolph.
First, is there some good documentation on how to write a custom driver? I'm 
wondering specifically about how a keystone user-list is mapped to a specific 
function in identity/backend/mydriver.py. I suppose this mapping is why I was 
getting the 500 error about the action not being implemented.
Secondly, before poking around with writing a custom driver, I decided to
simply inherit ldap.Identity, as follows:

class Identity(ldap.Identity):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def authenticate(self, user_id, password):
        LOG.debug('in auth function')

When I get a list of users, I never get the debug output. Further, I removed 
the authenticate method from the Identity class in ldap.py and list-users STILL 
worked. Unsure how this is possible. It seems we're never hitting the 
authenticate method, which is why overriding it in my custom driver doesn't 
make much of a difference in reaching my goal for local users.
Is there another method I'm supposed to be overriding?
I appreciate the help -- I know these are likely silly questions to seasoned 
keystone developers.

From: dolph.math...@gmail.com
Date: Mon, 27 Jan 2014 22:35:18 -0600
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] extending keystone identity

From your original email, it sounds like you want to extend the existing LDAP 
identity driver implementation, rather than writing a custom driver from 
scratch, which is what you've written. The TemplatedCatalog driver sort of 
follows that pattern with the KVS catalog driver, although it's not a 
spectacular example.



On Mon, Jan 27, 2014 at 9:11 PM, Simon Perfer simon.per...@hotmail.com wrote:





I dug a bit more and found this in the logs:

(keystone.common.wsgi): 2014-01-27 19:07:13,851 WARNING The action you have
requested has not been implemented.

Despite basing my (super simple) code on the SQL or LDAP backends, I must be
doing something wrong.

-- I've placed my backend code in
/usr/share/pyshared/keystone/identity/backends/nicira.py or
/usr/share/pyshared/keystone/common/nicira.py

-- I DO see the my authenticate module loaded in the log

I would appreciate any help in figuring out what I'm missing. Thanks!

From: simon.per...@hotmail.com
To: openstack-dev@lists.openstack.org


Date: Mon, 27 Jan 2014 21:58:43 -0500
Subject: Re: [openstack-dev] extending keystone identity




Dolph, I appreciate the response and pointing me in the right direction.
Here's what I have so far:

imports here

CONF = config.CONF
LOG = logging.getLogger(__name__)


class Identity(identity.Driver):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def authenticate(self, user_id, password, domain_scope=None):
        LOG.debug('in authenticate method')

When I request a user-list via the python-keystoneclient, we never make it into
the authenticate method (as is evident by the missing debug log).

Any thoughts on why I'm not hitting this method?


From: dolph.math...@gmail.com
Date: Mon, 27 Jan 2014 18:14:50 -0600


To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] extending keystone identity

_check_password() is a private/internal API, so we make no guarantees about
its stability. Instead, override the public authenticate() method with
something like this:

def authenticate(self, user_id, password, domain_scope=None):
    if user_id in SPECIAL_LIST_OF_USERS:
        # compare against value from keystone.conf
        pass
    else:
        return super(CustomIdentityDriver, self).authenticate(
            user_id, password, domain_scope)




On Mon, Jan 27, 2014 at 3:27 PM, Simon Perfer simon.per...@hotmail.com wrote:





I'm looking to create a simple Identity driver that will look at usernames. A 
small number of specific users should be authenticated by looking at a 
hard-coded password in keystone.conf, while any other users should fall back to 
LDAP authentication.




I based my original driver on what's found here:
http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/




As can be seen in the github code 
(https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py),
 there's a _check_password() method which is supposedly called at some point.




I've based my driver on this ldapauth.py file, and created an Identity class
which subclasses sql.Identity. Here's what I have so far:

CONF = config.CONF
LOG = logging.getLogger(__name__)


class Identity(sql.Identity):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def _check_password(self, password, user_ref):
        LOG.debug('Authenticating via my custom hybrid authentication

Re: [openstack-dev] extending keystone identity

2014-01-28 Thread Adam Young
Use two separate domains for them. Make the userids be uuid@domainid
to be able to distinguish one from the other.



On 01/27/2014 04:27 PM, Simon Perfer wrote:
I'm looking to create a simple Identity driver that will look at 
usernames. A small number of specific users should be authenticated by 
looking at a hard-coded password in keystone.conf, while any other 
users should fall back to LDAP authentication.


I based my original driver on what's found here:

http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/

As can be seen in the github code 
(https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py), 
there's a _check_password() method which is supposedly called at some 
point.


I've based my driver on this ldapauth.py file, and created an Identity 
class which subclasses sql.Identity. Here's what I have so far:


CONF = config.CONF
LOG = logging.getLogger(__name__) Roles should also be scopeed-able


class Identity(sql.Identity):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def _check_password(self, password, user_ref):
        LOG.debug('Authenticating via my custom hybrid authentication')

        username = user_ref.get('name')
        LOG.debug('Username = %s' % username)


I can see from the syslog output that we never enter the 
_check_password() function.



Can someone point me in the right direction regarding which function 
calls the identity driver? Also, what is the entry function in the 
identity drivers? Why wouldn't check_password() be called, as we see 
in the github / blog example above?


THANKS!


___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev




Re: [openstack-dev] extending keystone identity

2014-01-28 Thread Simon Perfer
Thanks Adam. We played around with domains without success. There's a rather 
complex reason why given our existing OpenStack environment.
I'm still hoping that it will be simple enough to extend an existing driver. 
I'd also love to learn how to code my own driver for some more complex 
authentication projects we have coming down the pipe.
Date: Tue, 28 Jan 2014 15:42:29 -0500
From: ayo...@redhat.com
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] extending keystone identity

Use two separate domains for them. Make the userids be uuid@domainid to be
able to distinguish one from the other.

On 01/27/2014 04:27 PM, Simon Perfer wrote:

I'm looking to create a simple Identity driver that will look at usernames. A
small number of specific users should be authenticated by looking at a
hard-coded password in keystone.conf, while any other users should fall back
to LDAP authentication.

I based my original driver on what's found here:

http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/

As can be seen in the github code
(https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py),
there's a _check_password() method which is supposedly called at some point.

I've based my driver on this ldapauth.py file, and created an Identity class
which subclasses sql.Identity. Here's what I have so far:

CONF = config.CONF
LOG = logging.getLogger(__name__) Roles should also be scopeed-able


class Identity(sql.Identity):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def _check_password(self, password, user_ref):
        LOG.debug('Authenticating via my custom hybrid authentication')

        username = user_ref.get('name')
        LOG.debug('Username = %s' % username)

I can see from the syslog output that we never enter the _check_password()
function.

Can someone point me in the right direction regarding which function calls
the identity driver? Also, what is the entry function in the identity
drivers? Why wouldn't check_password() be called, as we see in the github /
blog example above?

THANKS!



Re: [openstack-dev] extending keystone identity

2014-01-28 Thread Dolph Mathews
On Tue, Jan 28, 2014 at 12:54 PM, Simon Perfer simon.per...@hotmail.com wrote:

 Thanks again, Dolph.

 First, is there some good documentation on how to write a custom driver?
 I'm wondering specifically about how a keystone user-list is mapped to a
 specific function in identity/backend/mydriver.py.


I believe it's calling list_users() in your implementation of the Driver
interface (or raising Not Implemented from the Driver abstract base class
itself).


 I suppose this mapping is why I was getting the 500 error about the action
 not being implemented.


(501 Not Implemented - 500 is for unhandled exceptions)



 Secondly, before poking around with writing a custom driver, I decided
 to simply inherit ldap.Identity, as follows:

 class Identity(ldap.Identity):
     def __init__(self):
         super(Identity, self).__init__()
         LOG.debug('My authentication module loaded')

     def authenticate(self, user_id, password):
         LOG.debug('in auth function')

The basic structure of that looks good to me.

    def __init__(self, *args, **kwargs):
        super(Identity, self).__init__(*args, **kwargs)


 When I get a list of users, I never get the debug output.

What debug output are you expecting? The above code snippet doesn't
override list_users(), so I wouldn't expect any output, except what
ldap.Identity already provides.

 Further, I removed the authenticate method from the Identity class in
 ldap.py and list-users STILL worked.

 Unsure how this is possible. It seems we're never hitting the authenticate
 method, which is why overriding it in my custom driver doesn't make much of
 a difference in reaching my goal for local users.

Correct - list_users() shouldn't require authenticate() ... or vice versa.


 Is there another method I'm supposed to be overriding?

Not if you only want to change the behavior of authentication. list_users()
should only be called by the administrative API.


 I appreciate the help -- I know these are likely silly questions to
 seasoned keystone developers.



 --
 From: dolph.math...@gmail.com
 Date: Mon, 27 Jan 2014 22:35:18 -0600

 To: openstack-dev@lists.openstack.org
 Subject: Re: [openstack-dev] extending keystone identity

 From your original email, it sounds like you want to extend the existing
 LDAP identity driver implementation, rather than writing a custom driver
 from scratch, which is what you've written. The TemplatedCatalog driver
 sort of follows that pattern with the KVS catalog driver, although it's not
 a spectacular example.


 On Mon, Jan 27, 2014 at 9:11 PM, Simon Perfer simon.per...@hotmail.com wrote:

 I dug a bit more and found this in the logs:

 (keystone.common.wsgi): 2014-01-27 19:07:13,851 WARNING The action you
 have requested has not been implemented.


 Despite basing my (super simple) code on the SQL or LDAP backends, I must
 be doing something wrong.


 -- I've placed my backend code in 
 /usr/share/pyshared/keystone/identity/backends/nicira.py
 or /usr/share/pyshared/keystone/common/nicira.py


 -- I DO see the my authenticate module loaded in the log


 I would appreciate any help in figuring out what I'm missing. Thanks!



 --
 From: simon.per...@hotmail.com
 To: openstack-dev@lists.openstack.org
 Date: Mon, 27 Jan 2014 21:58:43 -0500

 Subject: Re: [openstack-dev] extending keystone identity

 Dolph, I appreciate the response and pointing me in the right direction.

 Here's what I have so far:

 imports here
 CONF = config.CONF
 LOG = logging.getLogger(__name__)


 class Identity(identity.Driver):
     def __init__(self):
         super(Identity, self).__init__()
         LOG.debug('My authentication module loaded')

     def authenticate(self, user_id, password, domain_scope=None):
         LOG.debug('in authenticate method')


 When I request a user-list via the python-keystoneclient, we never make it
 into the authenticate method (as is evident by the missing debug log).


 Any thoughts on why I'm not hitting this method?



 --
 From: dolph.math...@gmail.com
 Date: Mon, 27 Jan 2014 18:14:50 -0600
 To: openstack-dev@lists.openstack.org
 Subject: Re: [openstack-dev] extending keystone identity

 _check_password() is a private/internal API, so we make no guarantees
 about its stability. Instead, override the public authenticate() method
 with something like this:

 def authenticate(self, user_id, password, domain_scope=None):
     if user_id in SPECIAL_LIST_OF_USERS:
         # compare against value from keystone.conf
         pass
     else:
         return super(CustomIdentityDriver, self).authenticate(
             user_id, password, domain_scope)

 On Mon, Jan 27, 2014 at 3:27 PM, Simon Perfer simon.per...@hotmail.com wrote:

 I'm looking to create a simple Identity driver that will look at
 usernames. A small number of specific users should be authenticated by
 looking at a hard-coded password in keystone.conf, while any

[openstack-dev] extending keystone identity

2014-01-27 Thread Simon Perfer
I'm looking to create a simple Identity driver that will look at usernames. A 
small number of specific users should be authenticated by looking at a 
hard-coded password in keystone.conf, while any other users should fall back to 
LDAP authentication.
I based my original driver on what's found here:
http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/
As can be seen in the github code 
(https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py),
 there's a _check_password() method which is supposedly called at some point.
I've based my driver on this ldapauth.py file, and created an Identity class 
which subclasses sql.Identity. Here's what I have so far:

CONF = config.CONF
LOG = logging.getLogger(__name__)


class Identity(sql.Identity):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def _check_password(self, password, user_ref):
        LOG.debug('Authenticating via my custom hybrid authentication')

        username = user_ref.get('name')
        LOG.debug('Username = %s' % username)

I can see from the syslog output that we never enter the _check_password() 
function.
Can someone point me in the right direction regarding which function calls the 
identity driver? Also, what is the entry function in the identity drivers? Why 
wouldn't check_password() be called, as we see in the github / blog example 
above?
THANKS!


Re: [openstack-dev] extending keystone identity

2014-01-27 Thread Dolph Mathews
_check_password() is a private/internal API, so we make no guarantees about
its stability. Instead, override the public authenticate() method with
something like this:

def authenticate(self, user_id, password, domain_scope=None):
    if user_id in SPECIAL_LIST_OF_USERS:
        # compare against value from keystone.conf
        pass
    else:
        return super(CustomIdentityDriver, self).authenticate(
            user_id, password, domain_scope)

On Mon, Jan 27, 2014 at 3:27 PM, Simon Perfer simon.per...@hotmail.com wrote:

 I'm looking to create a simple Identity driver that will look at
 usernames. A small number of specific users should be authenticated by
 looking at a hard-coded password in keystone.conf, while any other users
 should fall back to LDAP authentication.

 I based my original driver on what's found here:

 http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/

 As can be seen in the github code (
 https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py),
 there's a _check_password() method which is supposedly called at some point.

 I've based my driver on this ldapauth.py file, and created an Identity
 class which subclasses sql.Identity. Here's what I have so far:

 CONF = config.CONF
 LOG = logging.getLogger(__name__)


 class Identity(sql.Identity):
     def __init__(self):
         super(Identity, self).__init__()
         LOG.debug('My authentication module loaded')

     def _check_password(self, password, user_ref):
         LOG.debug('Authenticating via my custom hybrid authentication')

         username = user_ref.get('name')
         LOG.debug('Username = %s' % username)


 I can see from the syslog output that we never enter the _check_password()
 function.

 Can someone point me in the right direction regarding which function calls
 the identity driver? Also, what is the entry function in the identity
 drivers? Why wouldn't check_password() be called, as we see in the github /
 blog example above?

 THANKS!



___
OpenStack-dev mailing list
OpenStack-dev@lists.openstack.org
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
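
The authenticate() override suggested in the reply above, with the local-user branch filled in, as an added example (not code from the thread or from keystone). `LdapIdentityStub` stands in for keystone's `ldap.Identity` so the block runs offline; the `[hybrid_identity]` section, its `local_users` format and the salted PBKDF2 verifier stored in place of a cleartext password are assumptions of this example.

```python
import configparser
import hashlib
import hmac

PBKDF2_ROUNDS = 100_000  # assumption: work factor chosen for this example


def hash_password(password, salt):
    """Derive the stored verifier, so the config never holds the cleartext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LdapIdentityStub:
    """Stand-in for keystone's ldap.Identity (assumption, not keystone code)."""

    _directory = {"alice": "ldap-secret"}  # constructed sample directory

    def authenticate(self, user_id, password, domain_scope=None):
        stored = self._directory.get(user_id)
        if stored is None or not hmac.compare_digest(
                stored.encode(), password.encode()):
            # Assumption: the stub signals a rejected login by raising.
            raise AssertionError("Invalid user / password")
        return {"id": user_id, "source": "ldap"}

    def list_users(self):
        # Separate code path: listing users never calls authenticate().
        return sorted(self._directory)


class HybridIdentity(LdapIdentityStub):
    """Local accounts are checked against the config, all others via LDAP."""

    def __init__(self, conf_text):
        super().__init__()
        parser = configparser.ConfigParser(interpolation=None)
        parser.read_string(conf_text)
        self._local = {}
        # Hypothetical option format: user:salt_hex:hash_hex, comma separated.
        for entry in parser.get("hybrid_identity", "local_users").split(","):
            user, salt_hex, hash_hex = entry.strip().split(":")
            self._local[user] = (bytes.fromhex(salt_hex),
                                 bytes.fromhex(hash_hex))

    def authenticate(self, user_id, password, domain_scope=None):
        if user_id in self._local:
            salt, expected = self._local[user_id]
            candidate = hash_password(password, salt)
            # Constant-time compare. A local account that fails here is
            # rejected outright and is never retried against LDAP.
            if not hmac.compare_digest(candidate, expected):
                raise AssertionError("Invalid user / password")
            return {"id": user_id, "source": "local"}
        return super().authenticate(user_id, password, domain_scope)


def build_sample_conf():
    """Constructed keystone.conf fragment with one local account."""
    salt = bytes.fromhex("00112233445566778899aabbccddeeff")
    digest = hash_password("local-secret", salt)
    return "[hybrid_identity]\nlocal_users = svc-monitor:%s:%s\n" % (
        salt.hex(), digest.hex())


def try_login(driver, user_id, password):
    """Return the user ref on success, None when the driver rejects."""
    try:
        return driver.authenticate(user_id, password)
    except AssertionError:
        return None


if __name__ == "__main__":
    driver = HybridIdentity(build_sample_conf())
    attempts = [("svc-monitor", "local-secret"), ("svc-monitor", "ldap-secret"),
                ("alice", "ldap-secret"), ("mallory", "x")]
    for user, pw in attempts:
        print(user, "->", try_login(driver, user, pw))
    print("list_users ->", driver.list_users())
```
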


Re: [openstack-dev] extending keystone identity

2014-01-27 Thread Simon Perfer
Dolph, I appreciate the response and pointing me in the right direction.
Here's what I have so far:

imports here

CONF = config.CONF
LOG = logging.getLogger(__name__)


class Identity(identity.Driver):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def authenticate(self, user_id, password, domain_scope=None):
        LOG.debug('in authenticate method')

When I request a user-list via the python-keystoneclient, we never make it into
the authenticate method (as is evident by the missing debug log).
Any thoughts on why I'm not hitting this method?

From: dolph.math...@gmail.com
Date: Mon, 27 Jan 2014 18:14:50 -0600
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] extending keystone identity

_check_password() is a private/internal API, so we make no guarantees about
its stability. Instead, override the public authenticate() method with
something like this:

def authenticate(self, user_id, password, domain_scope=None):
    if user_id in SPECIAL_LIST_OF_USERS:
        # compare against value from keystone.conf
        pass
    else:
        return super(CustomIdentityDriver, self).authenticate(
            user_id, password, domain_scope)


On Mon, Jan 27, 2014 at 3:27 PM, Simon Perfer simon.per...@hotmail.com wrote:





I'm looking to create a simple Identity driver that will look at usernames. A 
small number of specific users should be authenticated by looking at a 
hard-coded password in keystone.conf, while any other users should fall back to 
LDAP authentication.


I based my original driver on what's found here:
http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/


As can be seen in the github code 
(https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py),
 there's a _check_password() method which is supposedly called at some point.


I've based my driver on this ldapauth.py file, and created an Identity class 
which subclasses sql.Identity. Here's what I have so far:








CONF = config.CONF
LOG = logging.getLogger(__name__)


class Identity(sql.Identity):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def _check_password(self, password, user_ref):
        LOG.debug('Authenticating via my custom hybrid authentication')

        username = user_ref.get('name')
        LOG.debug('Username = %s' % username)


I can see from the syslog output that we never enter the _check_password() 
function.

Can someone point me in the right direction regarding which function calls the 
identity driver? Also, what is the entry function in the identity drivers? Why 
wouldn't check_password() be called, as we see in the github / blog example 
above?


THANKS!   



Re: [openstack-dev] extending keystone identity

2014-01-27 Thread Simon Perfer
I dug a bit more and found this in the logs:

(keystone.common.wsgi): 2014-01-27 19:07:13,851 WARNING The action you have
requested has not been implemented.

Despite basing my (super simple) code on the SQL or LDAP backends, I must be
doing something wrong.
-- I've placed my backend code in
/usr/share/pyshared/keystone/identity/backends/nicira.py or
/usr/share/pyshared/keystone/common/nicira.py
-- I DO see the my authenticate module loaded in the log
I would appreciate any help in figuring out what I'm missing. Thanks!

From: simon.per...@hotmail.com
To: openstack-dev@lists.openstack.org
Date: Mon, 27 Jan 2014 21:58:43 -0500
Subject: Re: [openstack-dev] extending keystone identity




Dolph, I appreciate the response and pointing me in the right direction.
Here's what I have so far:

imports here

CONF = config.CONF
LOG = logging.getLogger(__name__)


class Identity(identity.Driver):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def authenticate(self, user_id, password, domain_scope=None):
        LOG.debug('in authenticate method')

When I request a user-list via the python-keystoneclient, we never make it into
the authenticate method (as is evident by the missing debug log).
Any thoughts on why I'm not hitting this method?

From: dolph.math...@gmail.com
Date: Mon, 27 Jan 2014 18:14:50 -0600
To: openstack-dev@lists.openstack.org
Subject: Re: [openstack-dev] extending keystone identity

_check_password() is a private/internal API, so we make no guarantees about
its stability. Instead, override the public authenticate() method with
something like this:

def authenticate(self, user_id, password, domain_scope=None):
    if user_id in SPECIAL_LIST_OF_USERS:
        # compare against value from keystone.conf
        pass
    else:
        return super(CustomIdentityDriver, self).authenticate(
            user_id, password, domain_scope)


On Mon, Jan 27, 2014 at 3:27 PM, Simon Perfer simon.per...@hotmail.com wrote:





I'm looking to create a simple Identity driver that will look at usernames. A 
small number of specific users should be authenticated by looking at a 
hard-coded password in keystone.conf, while any other users should fall back to 
LDAP authentication.


I based my original driver on what's found here:
http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/


As can be seen in the github code 
(https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py),
 there's a _check_password() method which is supposedly called at some point.


I've based my driver on this ldapauth.py file, and created an Identity class 
which subclasses sql.Identity. Here's what I have so far:








CONF = config.CONF
LOG = logging.getLogger(__name__)


class Identity(sql.Identity):
    def __init__(self):
        super(Identity, self).__init__()
        LOG.debug('My authentication module loaded')

    def _check_password(self, password, user_ref):
        LOG.debug('Authenticating via my custom hybrid authentication')

        username = user_ref.get('name')
        LOG.debug('Username = %s' % username)


I can see from the syslog output that we never enter the _check_password() 
function.

Can someone point me in the right direction regarding which function calls the 
identity driver? Also, what is the entry function in the identity drivers? Why 
wouldn't check_password() be called, as we see in the github / blog example 
above?


THANKS!   



Re: [openstack-dev] extending keystone identity

2014-01-27 Thread Dolph Mathews
From your original email, it sounds like you want to extend the existing
LDAP identity driver implementation, rather than writing a custom driver
from scratch, which is what you've written. The TemplatedCatalog driver
sort of follows that pattern with the KVS catalog driver, although it's not
a spectacular example.


On Mon, Jan 27, 2014 at 9:11 PM, Simon Perfer simon.per...@hotmail.com wrote:

 I dug a bit more and found this in the logs:

 (keystone.common.wsgi): 2014-01-27 19:07:13,851 WARNING The action you
 have requested has not been implemented.


 Despite basing my (super simple) code on the SQL or LDAP backends, I must
 be doing something wrong.


 -- I've placed my backend code in 
 /usr/share/pyshared/keystone/identity/backends/nicira.py
 or /usr/share/pyshared/keystone/common/nicira.py


 -- I DO see the my authenticate module loaded in the log


 I would appreciate any help in figuring out what I'm missing. Thanks!



 --
 From: simon.per...@hotmail.com
 To: openstack-dev@lists.openstack.org
 Date: Mon, 27 Jan 2014 21:58:43 -0500

 Subject: Re: [openstack-dev] extending keystone identity

 Dolph, I appreciate the response and pointing me in the right direction.

 Here's what I have so far:

 imports here

 CONF = config.CONF
 LOG = logging.getLogger(__name__)


 class Identity(identity.Driver):
     def __init__(self):
         super(Identity, self).__init__()
         LOG.debug('My authentication module loaded')

     def authenticate(self, user_id, password, domain_scope=None):
         LOG.debug('in authenticate method')


 When I request a user-list via the python-keystoneclient, we never make it
 into the authenticate method (as is evident by the missing debug log).


 Any thoughts on why I'm not hitting this method?



 --
 From: dolph.math...@gmail.com
 Date: Mon, 27 Jan 2014 18:14:50 -0600
 To: openstack-dev@lists.openstack.org
 Subject: Re: [openstack-dev] extending keystone identity

 _check_password() is a private/internal API, so we make no guarantees
 about its stability. Instead, override the public authenticate() method
 with something like this:

 def authenticate(self, user_id, password, domain_scope=None):
     if user_id in SPECIAL_LIST_OF_USERS:
         # compare against value from keystone.conf
         pass
     else:
         return super(CustomIdentityDriver, self).authenticate(
             user_id, password, domain_scope)

 On Mon, Jan 27, 2014 at 3:27 PM, Simon Perfer simon.per...@hotmail.com wrote:

 I'm looking to create a simple Identity driver that will look at
 usernames. A small number of specific users should be authenticated by
 looking at a hard-coded password in keystone.conf, while any other users
 should fall back to LDAP authentication.

 I based my original driver on what's found here:

 http://waipeng.wordpress.com/2013/09/30/openstack-ldap-authentication/

 As can be seen in the github code (
 https://raw.github.com/waipeng/keystone/8c18917558bebbded0f9c588f08a84b0ea33d9ae/keystone/identity/backends/ldapauth.py),
 there's a _check_password() method which is supposedly called at some point.

 I've based my driver on this ldapauth.py file, and created an Identity
 class which subclasses sql.Identity. Here's what I have so far:

 CONF = config.CONF
 LOG = logging.getLogger(__name__)


 class Identity(sql.Identity):
     def __init__(self):
         super(Identity, self).__init__()
         LOG.debug('My authentication module loaded')

     def _check_password(self, password, user_ref):
         LOG.debug('Authenticating via my custom hybrid authentication')

         username = user_ref.get('name')
         LOG.debug('Username = %s' % username)


 I can see from the syslog output that we never enter the _check_password()
 function.

 Can someone point me in the right direction regarding which function calls
 the identity driver? Also, what is the entry function in the identity
 drivers? Why wouldn't check_password() be called, as we see in the github /
 blog example above?

 THANKS!
