Public bug reported: The documentation on auth plugins (http://docs.openstack.org/developer/keystone/configuration.html#how-to- implement-an-authentication-plugin) does not state that it's a V3 feature. I did a bunch of tests today and found that it's being ignored. You can set the config to complete garbage values and it was ignored. I also found that calls to get a token skip the auth drivers and talk right to the identity ones.
<mfisch> morganfainberg: perhaps you can comment on a mystery, when I use password auth and request a token, is it supposed to go through the auth modules? <morganfainberg> mfisch, v2.0 or v3? <morganfainberg> mfisch, v3 is where the auth plugins/modules are used vs. the logic in the token auth controller <mfisch> morganfainberg: v2 <mfisch> morganfainberg: I did see the token driver just calling right to the identity driver <mfisch> morganfainberg: ugh, so whats the point of an auth module in v2? <morganfainberg> mfisch, https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L60 <morganfainberg> mfisch, this is one of the benefits of using V3 (yes, I know, not supported everywhere yet) <mfisch> morganfainberg: yeah, thats the code I was looking at earlier, authenticate_local calls direct to ident <morganfainberg> mfisch, yep <morganfainberg> mfisch, v2.0 doesn't have the auth plugin mechanisms <morganfainberg> mfisch, it wasn't really designed with that in mind. <mfisch> morganfainberg: so the docs for it are really designed for v3 <morganfainberg> mfisch, if we weren't clear on the auth plugins being a v3 thing we should get the docs updated <morganfainberg> mfisch, but yes, v3 is where auth plugin logic is used <mfisch> morganfainberg: I dont see it called out here: http://docs.openstack.org/developer/keystone/configuration.html#how-to-implement-an-authentication-plugin <morganfainberg> mfisch, yep, don't see it either. file a bug on this if you don't mind (feel free to fix it too if you're so inclined) <morganfainberg> mfisch, good catch. <mfisch> not sure if happy to be right or sad that it doesn't work <morganfainberg> mfisch, well, help us get everyone moved to v3 :) then it'll work like you expect! <morganfainberg> mfisch (shameless plug for help to get OpenStack on keystone V3) <mfisch> I'm on board ** Affects: keystone Importance: Low Status: Triaged ** Tags: documentation low-hanging-fruit -- You received this bug notification because you are a member of Yahoo! Engineering Team, which is subscribed to Keystone. https://bugs.launchpad.net/bugs/1311324 Title: documentation does not specify that [auth] drivers only work with v3 API Status in OpenStack Identity (Keystone): Triaged Bug description: The documentation on auth plugins (http://docs.openstack.org/developer/keystone/configuration.html#how- to-implement-an-authentication-plugin) does not state that it's a V3 feature. I did a bunch of tests today and found that it's being ignored. You can set the config to complete garbage values and it was ignored. I also found that calls to get a token skip the auth drivers and talk right to the identity ones. <mfisch> morganfainberg: perhaps you can comment on a mystery, when I use password auth and request a token, is it supposed to go through the auth modules? <morganfainberg> mfisch, v2.0 or v3? <morganfainberg> mfisch, v3 is where the auth plugins/modules are used vs. the logic in the token auth controller <mfisch> morganfainberg: v2 <mfisch> morganfainberg: I did see the token driver just calling right to the identity driver <mfisch> morganfainberg: ugh, so whats the point of an auth module in v2? <morganfainberg> mfisch, https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L60 <morganfainberg> mfisch, this is one of the benefits of using V3 (yes, I know, not supported everywhere yet) <mfisch> morganfainberg: yeah, thats the code I was looking at earlier, authenticate_local calls direct to ident <morganfainberg> mfisch, yep <morganfainberg> mfisch, v2.0 doesn't have the auth plugin mechanisms <morganfainberg> mfisch, it wasn't really designed with that in mind. <mfisch> morganfainberg: so the docs for it are really designed for v3 <morganfainberg> mfisch, if we weren't clear on the auth plugins being a v3 thing we should get the docs updated <morganfainberg> mfisch, but yes, v3 is where auth plugin logic is used <mfisch> morganfainberg: I dont see it called out here: http://docs.openstack.org/developer/keystone/configuration.html#how-to-implement-an-authentication-plugin <morganfainberg> mfisch, yep, don't see it either. file a bug on this if you don't mind (feel free to fix it too if you're so inclined) <morganfainberg> mfisch, good catch. <mfisch> not sure if happy to be right or sad that it doesn't work <morganfainberg> mfisch, well, help us get everyone moved to v3 :) then it'll work like you expect! <morganfainberg> mfisch (shameless plug for help to get OpenStack on keystone V3) <mfisch> I'm on board To manage notifications about this bug go to: https://bugs.launchpad.net/keystone/+bug/1311324/+subscriptions -- Mailing list: https://launchpad.net/~yahoo-eng-team Post to : [email protected] Unsubscribe : https://launchpad.net/~yahoo-eng-team More help : https://help.launchpad.net/ListHelp
