[ops][keystone] Does anyone use external auth?
On Tue, Jul 30, 2019, at 13:45, Fox, Kevin M wrote:
> https://www.youtube.com/watch?v=7BSnhRZ8nhs mentions they use
> mod_auth_oidc. Not sure that is still true. But may want to reach out
> to them.
The video shows that they're using federated authentication, which provides them with the ability to create a rich attribute mapping and connect their OpenIDC IdP to keystone while still using the auth module in front of keystone. The 'external' auth method only provides a subset of that functionality, which is simply the ability to accept the auth module's parameters as a valid authentication.
> From: Colleen Murphy [colleen at gazlene.net]
> Sent: Tuesday, July 30, 2019 1:28 PM
> To: openstack-discuss at lists.openstack.org
> Subject: [ops][keystone] Does anyone use external auth?
> Currently, one of the default auth methods for keystone is 'external',
> meaning keystone offloads authentication to an HTTPD auth module like
> mod_ssl or mod_auth_kerb and gets the user's identity from the
> REMOTE_USER variable passed in by the web server:
> The 'external' auth method existed before federation. The biggest
> problem with external auth now is that it is effectively single-domain,
> there's no way to parse anything besides a user identifier from the
> REMOTE_USER variable, and keystone is barreling full steam ahead to a
> multidomain world. The 'external' auth method conflicts with the
> 'mapped' auth method as mentioned in the "Caution" notice in the above
> document for the same reason. Moreover, we should be able to achieve
> the same behavior with just federation, e.g. you can create a federated
> IdP representing your SSL CA, and continue to use mod_ssl with a
> mapping to properly parse all the attributes coming in from the auth
> We'd like to start discouraging, deprecating, and removing external
> auth in keystone. So our question to operators is: are you currently
> using external auth? If so, which HTTPD auth modules are you using? And
> is it a use case that we can't support with federated auth?
> Colleen (cmurphy)
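To make the difference between the two approaches concrete, here is an added example (not keystone's own code, and not from anyone on this thread) of a simplified, keystone-style mapping evaluator. It takes the variables an HTTPD auth module such as mod_ssl would expose (REMOTE_USER plus certificate attributes) and applies a rule in the shape keystone's federation mapping JSON uses (`rules`, `remote`/`local`, `{N}` placeholders, `any_one_of`). The `external_auth` function beside it models what the 'external' method can do: accept REMOTE_USER as-is, with no domain or group information. The mapping, the attribute names and all sample values are constructed for the example; the real mapping engine lives in keystone itself and supports more than this.

```python
"""Simplified keystone-style mapping evaluator (added example, not keystone's
own engine). It mirrors the JSON rule shape keystone accepts but implements
only a subset: exact and regex 'any_one_of', 'not_any_of', and {N}
placeholders referencing matched remote values in order."""
import re

# Constructed mapping: accept only certificates issued by the company CA,
# take the user name from REMOTE_USER (as external auth would), but also
# derive the keystone domain and a group from certificate attributes.
MAPPING = {
    "rules": [
        {
            "remote": [
                {"type": "REMOTE_USER"},
                {"type": "SSL_CLIENT_I_DN",
                 "any_one_of": ["CN=Example Corp CA,O=Example Corp"]},
                {"type": "SSL_CLIENT_S_DN_OU"},
            ],
            "local": [
                {"user": {"name": "{0}", "domain": {"name": "{2}"}}},
                {"group": {"name": "cert-users", "domain": {"name": "{2}"}}},
            ],
        }
    ]
}

# Constructed assertions, i.e. what the web server would hand to keystone.
GOOD_ASSERTION = {
    "REMOTE_USER": "alice",
    "SSL_CLIENT_I_DN": "CN=Example Corp CA,O=Example Corp",
    "SSL_CLIENT_S_DN_OU": "research",
}
UNTRUSTED_CA_ASSERTION = {
    "REMOTE_USER": "alice",
    "SSL_CLIENT_I_DN": "CN=Some Other CA,O=Other",
    "SSL_CLIENT_S_DN_OU": "research",
}


def external_auth(assertion, default_domain="Default"):
    """Model of the 'external' method: only the user identifier is usable,
    so every user lands in a single, fixed domain and no groups are derived."""
    user = assertion.get("REMOTE_USER")
    if not user:
        return None
    return {"user": {"name": user, "domain": {"name": default_domain}}, "groups": []}


def _remote_value(req, assertion):
    """Return the assertion value satisfying one 'remote' requirement, or None."""
    value = assertion.get(req["type"])
    if value is None:
        return None
    if "any_one_of" in req:
        if req.get("regex"):
            if not any(re.search(p, value) for p in req["any_one_of"]):
                return None
        elif value not in req["any_one_of"]:
            return None
    if "not_any_of" in req and value in req["not_any_of"]:
        return None
    return value


def _substitute(obj, values):
    """Replace {N} placeholders (keystone's convention) with matched values."""
    if isinstance(obj, dict):
        return {k: _substitute(v, values) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, values) for v in obj]
    if isinstance(obj, str):
        return obj.format(*values)
    return obj


def apply_mapping(mapping, assertion):
    """Return the local identity built by the first rule whose every 'remote'
    requirement is satisfied, or None when no rule matches (auth refused)."""
    for rule in mapping["rules"]:
        values = []
        for req in rule["remote"]:
            value = _remote_value(req, assertion)
            if value is None:
                break  # this rule does not apply
            values.append(value)
        else:
            result = {"user": None, "groups": []}
            for item in _substitute(rule["local"], values):
                if "user" in item:
                    result["user"] = item["user"]
                if "group" in item:
                    result["groups"].append(item["group"])
            return result
    return None


if __name__ == "__main__":
    print("external:", external_auth(GOOD_ASSERTION))
    print("mapped:  ", apply_mapping(MAPPING, GOOD_ASSERTION))
    print("other CA:", apply_mapping(MAPPING, UNTRUSTED_CA_ASSERTION))
```

The point the thread makes shows up in the two results for the same assertion: external auth can only place `alice` in one fixed domain, while the mapping puts her in the domain taken from the certificate's OU, adds a group, and refuses the certificate from the other issuer entirely, something external auth cannot express at all.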