subject:"\"Re\\\: \\\[openstack\\\-dev\\\] \\\[Keystone\\\] How to check admin authentication\\\?\""

Re: [openstack-dev] [Keystone] How to check admin authentication?

2015-03-02 Thread Kiall Mac Innes

On 02/03/15 08:53, Dmitry Tantsur wrote:
2015-02-27 17:27 GMT+01:00 Dolph Mathews >:

On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur
mailto:dtant...@redhat.com>> wrote:

Hi all!

This (presumably) pretty basic question tortures me for
several months already, so I kindly seek for help here.

I'm working on a Flask-based service [1] and I'd like to use
Keystone tokens for authentication. This is an admin-only API,
so we need to check for an admin role. We ended up with code
[2] first accessing Keystone with a given token and
(configurable) admin tenant name, then checking 'admin' role.
Things went well for a while.

Now I'm writing an Ironic driver accessing API of [1]. Pretty
naively I was trying to use an Ironic service user
credentials, that we use for accessing all other services. For
TripleO-based installations it's a user with name 'ironic' and
a special tenant 'service'. Here is where problems are. Our
code perfectly authenticates a mere user (that has tenant
'admin'), but asks Ironic to go away.

We've spent some time researching documentation and keystone
middleware source code, but didn't find any more clues.
Neither did we find a way to use keystone middleware without
rewriting half of project. What we need is 2 simple things in
a simple Flask application:
1. validate a token
2. make sure it belongs to admin

I'm not really clear on what problem you're having, because I'm
not sure if you care about an "admin" username, "admin" tenant
name, or "admin" role name. If you're implementing RBAC, you only
really need to care about the user have an "admin" role in their
list of roles.

Yeah, I guess that's what I need.

It's probably worth calling out that, the Keystone middleware itself
doesn't have any concept of "admin" built in (and this is a good
thing!). Your nova admins may be a totally different group of people to
your Swift admins. Instead, the Keystone middleware will simply tell you
the facts about the user/tenant making the API call, their username,
tenant_id/project_id, the list of roles assigned to them etc. Given this
information, most OpenStack projects use the oslo policy library to take
this info, apply some rules, and then allow you to ask "Can the user
perform action X?" rather than "Is this user an admin?".

For a small internal project, this kind of flexibility may not matter,
and it's certainly not required to use the KS middleware.. But if you're
trying to dig through the various projects codebase's to see how things
are done, knowing this will help :)

You can wrap your flask application with a configured instance of
auth_token middleware; this is about the simplest way to do it,
and this also demos the environment variables exposed to your
application that you can use to validation authorization:

https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41

Thanks a lot, I will give it a try!

If you happen to be using paste-deploy with Flask, Designate has some
code that does just that..

We use a piece of WSGI Middleware[1] to read the info provided by the
keystone middleware and attach it to the Request object for later use,
and the api-paste.ini itself[2] to wire up the KS middleware, our
KeystoneContextMiddleware" and the Flask app itself.

[1]:
https://github.com/openstack/designate/blob/master/designate/api/middleware.py#L62-119
[2]:
https://github.com/openstack/designate/blob/master/etc/designate/api-paste.ini

Good luck!

Thanks,
Kiall
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone] How to check admin authentication?

2015-03-02 Thread Dmitry Tantsur

2015-02-27 17:27 GMT+01:00 Dolph Mathews :

>
> On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur 
> wrote:
>
>> Hi all!
>>
>> This (presumably) pretty basic question tortures me for several months
>> already, so I kindly seek for help here.
>>
>> I'm working on a Flask-based service [1] and I'd like to use Keystone
>> tokens for authentication. This is an admin-only API, so we need to check
>> for an admin role. We ended up with code [2] first accessing Keystone with
>> a given token and (configurable) admin tenant name, then checking 'admin'
>> role. Things went well for a while.
>>
>> Now I'm writing an Ironic driver accessing API of [1]. Pretty naively I
>> was trying to use an Ironic service user credentials, that we use for
>> accessing all other services. For TripleO-based installations it's a user
>> with name 'ironic' and a special tenant 'service'. Here is where problems
>> are. Our code perfectly authenticates a mere user (that has tenant
>> 'admin'), but asks Ironic to go away.
>>
>> We've spent some time researching documentation and keystone middleware
>> source code, but didn't find any more clues. Neither did we find a way to
>> use keystone middleware without rewriting half of project. What we need is
>> 2 simple things in a simple Flask application:
>> 1. validate a token
>> 2. make sure it belongs to admin
>>
>
> I'm not really clear on what problem you're having, because I'm not sure
> if you care about an "admin" username, "admin" tenant name, or "admin" role
> name. If you're implementing RBAC, you only really need to care about the
> user have an "admin" role in their list of roles.
>

Yeah, I guess that's what I need.


>
> You can wrap your flask application with a configured instance of
> auth_token middleware; this is about the simplest way to do it, and this
> also demos the environment variables exposed to your application that you
> can use to validation authorization:
>
>
> https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41
>

Thanks a lot, I will give it a try!


>
>
>>
>> I'll thankfully appreciate any ideas how to fix our situation.
>> Thanks in advance!
>>
>> Dmitry.
>>
>> [1] https://github.com/stackforge/ironic-discoverd
>> [2] https://github.com/stackforge/ironic-discoverd/blob/master/
>> ironic_discoverd/utils.py#L50-L65
>>
>> 
>> __
>> OpenStack Development Mailing List (not for usage questions)
>> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:
>> unsubscribe
>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
--
-- Dmitry Tantsur
--
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone] How to check admin authentication?

2015-02-27 Thread Dolph Mathews

On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur  wrote:

> Hi all!
>
> This (presumably) pretty basic question tortures me for several months
> already, so I kindly seek for help here.
>
> I'm working on a Flask-based service [1] and I'd like to use Keystone
> tokens for authentication. This is an admin-only API, so we need to check
> for an admin role. We ended up with code [2] first accessing Keystone with
> a given token and (configurable) admin tenant name, then checking 'admin'
> role. Things went well for a while.
>
> Now I'm writing an Ironic driver accessing API of [1]. Pretty naively I
> was trying to use an Ironic service user credentials, that we use for
> accessing all other services. For TripleO-based installations it's a user
> with name 'ironic' and a special tenant 'service'. Here is where problems
> are. Our code perfectly authenticates a mere user (that has tenant
> 'admin'), but asks Ironic to go away.
>
> We've spent some time researching documentation and keystone middleware
> source code, but didn't find any more clues. Neither did we find a way to
> use keystone middleware without rewriting half of project. What we need is
> 2 simple things in a simple Flask application:
> 1. validate a token
> 2. make sure it belongs to admin
>

I'm not really clear on what problem you're having, because I'm not sure if
you care about an "admin" username, "admin" tenant name, or "admin" role
name. If you're implementing RBAC, you only really need to care about the
user have an "admin" role in their list of roles.

You can wrap your flask application with a configured instance of
auth_token middleware; this is about the simplest way to do it, and this
also demos the environment variables exposed to your application that you
can use to validation authorization:


https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41


>
> I'll thankfully appreciate any ideas how to fix our situation.
> Thanks in advance!
>
> Dmitry.
>
> [1] https://github.com/stackforge/ironic-discoverd
> [2] https://github.com/stackforge/ironic-discoverd/blob/master/
> ironic_discoverd/utils.py#L50-L65
>
> __
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
__
OpenStack Development Mailing List (not for usage questions)
Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev

Re: [openstack-dev] [Keystone] How to check admin authentication?

Re: [openstack-dev] [Keystone] How to check admin authentication?

Re: [openstack-dev] [Keystone] How to check admin authentication?

3 matches

Site Navigation

Mail list logo

Footer information