author: Adam Young <ayoung@redhat.com> 2013-07-12 10:23:38 -0400
committer: Jamie Lennox <jamielennox@gmail.com> 2013-07-17 12:45:52 +1000
commit: 88c319e6bce98082f9a90b8b27726793d5366326 (patch)
tree: 867ae6600cec6cfd50885eaf86d17dfb27cd1a16 /doc
parent: 3a56c8a68d0f033266f98963261a6d724e506966 (diff)
Pluggable Remote User
Select the code to handle REMOTE_USER based on a config file option

Fixes the REMOTE_USER logic to get the domain name from REALM, which is the least surprise option.

Disregards the auth_data passed in, as we should be using REMOTE_USER to get the user name.

External Plugin is now executed in conjunction with the auth methods, as opposed to in place of them.

DocImpact

blueprint pluggable-remote-user

Change-Id: I9dda6dbe073f03806bdf539db6faa01644109f1c
Diffstat (limited to 'doc')
-rw-r--r-- doc/source/configuration.rst 11
1 files changed, 10 insertions, 1 deletions
diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst
index 0a2d9339..a074c704 100644
--- a/doc/source/configuration.rst
+++ b/doc/source/configuration.rst
@@ -106,7 +106,10 @@ file. It is up to the plugin to register its own configuration options.
* ``methods`` - comma-delimited list of authentication plugin names
* ``<plugin name>`` - specify the class which handles to authentication method, in the same manner as one would specify a backend driver.
-Keystone provides two authentication methods by default. ``password`` handles password authentication and ``token`` handles token authentication.
+Keystone provides three authentication methods by default. ``password`` handles password
+authentication and ``token`` handles token authentication. ``external`` is used in conjunction
+with authentication performed by a container web server that sets the ``REMOTE_USER``
+environment variable.
How to Implement an Authentication Plugin
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
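Review bot: The new sentence introducing ``external`` does not name the option that selects its handler. The commit message says the REMOTE_USER code is chosen "based on a config file option" and that the domain name now comes from REALM, but neither is documented in this hunk. If the option is the ``<plugin name>`` entry described in the bullet above, say so explicitly and add a sentence on how the domain is derived. The wording is also inconsistent across the patch: this hunk says "container web server" and the later one says "containing webserver"; pick one term.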
@@ -148,6 +151,12 @@ invoked, all plugins must succeed in order to for the entire
authentication to be successful. Furthermore, all the plugins invoked must
agree on the ``user_id`` in the ``auth_context``.
+The ``REMOTE_USER`` environment variable is only set from a containing webserver. However,
+to ensure that a user must go through other authentication mechanisms, even if this variable
+is set, remove ``external`` from the list of plugins specified in ``methods``. This effectively
+disables external authentication.
+
+
Token Provider
--------------
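Review bot: The added paragraph explains how to disable ``external`` but not how it behaves when left enabled alongside other methods. The context just above says all invoked plugins must succeed and must agree on ``user_id``, and the commit message says the external plugin now runs in conjunction with the auth methods, so the text should state whether a set ``REMOTE_USER`` has to resolve to the same ``user_id`` as ``password`` or ``token``, and what happens on a mismatch. "is only set from a containing webserver" reads as a guarantee but is a deployment requirement; consider wording it so operators know the front end must set the variable itself and only after it has authenticated the request. The "However" does not contrast with the sentence before it, and a single blank line before the ``Token Provider`` heading is enough.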