Re: [openstack-dev] [Keystone] How to check admin authentication?

2015-03-02 Thread Dmitry Tantsur
2015-02-27 17:27 GMT+01:00 Dolph Mathews dolph.math...@gmail.com:


 On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur dtant...@redhat.com
 wrote:

 Hi all!

 This (presumably) pretty basic question has been torturing me for several
 months already, so I kindly seek help here.

 I'm working on a Flask-based service [1] and I'd like to use Keystone
 tokens for authentication. This is an admin-only API, so we need to check
 for an admin role. We ended up with code [2] first accessing Keystone with
 a given token and (configurable) admin tenant name, then checking 'admin'
 role. Things went well for a while.

 Now I'm writing an Ironic driver accessing the API of [1]. Pretty naively I
 was trying to use the Ironic service user credentials that we use for
 accessing all other services. For TripleO-based installations it's a user
 with name 'ironic' and a special tenant 'service'. Here is where problems
 are. Our code perfectly authenticates a mere user (that has tenant
 'admin'), but asks Ironic to go away.

 We've spent some time researching documentation and keystone middleware
 source code, but didn't find any more clues. Neither did we find a way to
 use keystone middleware without rewriting half of the project. What we need is
 2 simple things in a simple Flask application:
 1. validate a token
 2. make sure it belongs to admin


 I'm not really clear on what problem you're having, because I'm not sure
 if you care about an admin username, admin tenant name, or admin role
 name. If you're implementing RBAC, you only really need to care about the
 user having an admin role in their list of roles.


Yeah, I guess that's what I need.



 You can wrap your flask application with a configured instance of
 auth_token middleware; this is about the simplest way to do it, and this
 also demos the environment variables exposed to your application that you
 can use to validate authorization:


 https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41


Thanks a lot, I will give it a try!





 I'll gratefully appreciate any ideas on how to fix our situation.
 Thanks in advance!

 Dmitry.

 [1] https://github.com/stackforge/ironic-discoverd
 [2] https://github.com/stackforge/ironic-discoverd/blob/master/ironic_discoverd/utils.py#L50-L65

 
 __
 OpenStack Development Mailing List (not for usage questions)
 Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe
 http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev







-- 
--
-- Dmitry Tantsur
--


Re: [openstack-dev] [Keystone] How to check admin authentication?

2015-02-27 Thread Dolph Mathews
On Fri, Feb 27, 2015 at 8:39 AM, Dmitry Tantsur dtant...@redhat.com wrote:

 Hi all!

 This (presumably) pretty basic question has been torturing me for several
 months already, so I kindly seek help here.

 I'm working on a Flask-based service [1] and I'd like to use Keystone
 tokens for authentication. This is an admin-only API, so we need to check
 for an admin role. We ended up with code [2] first accessing Keystone with
 a given token and (configurable) admin tenant name, then checking 'admin'
 role. Things went well for a while.

 Now I'm writing an Ironic driver accessing the API of [1]. Pretty naively I
 was trying to use the Ironic service user credentials that we use for
 accessing all other services. For TripleO-based installations it's a user
 with name 'ironic' and a special tenant 'service'. Here is where problems
 are. Our code perfectly authenticates a mere user (that has tenant
 'admin'), but asks Ironic to go away.

 We've spent some time researching documentation and keystone middleware
 source code, but didn't find any more clues. Neither did we find a way to
 use keystone middleware without rewriting half of the project. What we need is
 2 simple things in a simple Flask application:
 1. validate a token
 2. make sure it belongs to admin


I'm not really clear on what problem you're having, because I'm not sure if
you care about an admin username, admin tenant name, or admin role
name. If you're implementing RBAC, you only really need to care about the
user having an admin role in their list of roles.

You can wrap your flask application with a configured instance of
auth_token middleware; this is about the simplest way to do it, and this
also demos the environment variables exposed to your application that you
can use to validate authorization:


https://github.com/dolph/keystone-deploy/blob/master/playbooks/roles/http/templates/echo.py#L33-L41



 I'll gratefully appreciate any ideas on how to fix our situation.
 Thanks in advance!

 Dmitry.

 [1] https://github.com/stackforge/ironic-discoverd
 [2] https://github.com/stackforge/ironic-discoverd/blob/master/ironic_discoverd/utils.py#L50-L65


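The role-based check Dolph describes, as an added example (not code from this thread, from echo.py, or from ironic-discoverd): a small WSGI gate that reads the X-Identity-Status and X-Roles headers auth_token places in the environ and decides on the admin role alone, so the 'ironic' service user in tenant 'service' is accepted exactly like a user in tenant 'admin'. It assumes keystonemiddleware.auth_token.AuthProtocol wraps the whole stack in deployment (so the headers are trustworthy and any client-supplied copies were stripped); ADMIN_ROLE, require_admin, is_admin, hello and call are names chosen here, not keystonemiddleware API.

```python
from wsgiref.util import setup_testing_defaults

# Role name to require. auth_token hands us role *names*; the check below never
# looks at the user or tenant name, so 'ironic' in tenant 'service' passes if it
# carries this role. (Illustrative constant, not a keystonemiddleware setting.)
ADMIN_ROLE = "admin"

def roles_from_environ(environ):
    """Parse the comma-separated X-Roles header that auth_token put in the environ."""
    raw = environ.get("HTTP_X_ROLES", "")
    return {r.strip() for r in raw.split(",") if r.strip()}

def is_admin(environ):
    """True only if auth_token confirmed the token and the role list has admin."""
    if environ.get("HTTP_X_IDENTITY_STATUS") != "Confirmed":
        return False  # invalid/missing token reached us (delay_auth_decision=True)
    return ADMIN_ROLE in roles_from_environ(environ)

def require_admin(app):
    """WSGI middleware: answer 403 for non-admins, otherwise call the wrapped app."""
    def gate(environ, start_response):
        if not is_admin(environ):
            start_response("403 Forbidden", [("Content-Type", "text/plain")])
            return [b"admin role required\n"]
        return app(environ, start_response)
    return gate

def hello(environ, start_response):
    """Stand-in for the real (Flask) application object."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello, admin\n"]

def call(app, headers):
    """Drive a WSGI app with constructed headers; returns (status, body)."""
    environ = {}
    setup_testing_defaults(environ)
    environ.update(headers)
    status = []
    body = b"".join(app(environ, lambda s, h: status.append(s)))
    return status[0], body

if __name__ == "__main__":
    gated = require_admin(hello)
    # Constructed sample: what auth_token sets for the Ironic service user.
    print(call(gated, {"HTTP_X_IDENTITY_STATUS": "Confirmed",
                       "HTTP_X_USER_NAME": "ironic",
                       "HTTP_X_PROJECT_NAME": "service",
                       "HTTP_X_ROLES": "service,admin"}))
```

With delay_auth_decision left at its default, auth_token itself answers 401 for invalid tokens before the gate runs; the X-Identity-Status check matters when the middleware is configured to defer that decision to the application.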