From 88c319e6bce98082f9a90b8b27726793d5366326 Mon Sep 17 00:00:00 2001 From: Adam Young Date: Fri, 12 Jul 2013 10:23:38 -0400 Subject: Pluggable Remote User Select the code to handle REMOTE_USER based on a config file option Fixes the REMOTE_USER logic to get the domain name from REALM, which is the least surprise option. Disregards the auth_data passed in, as we should be using REMOTE_USER to get the user name. External Plugin is now executed in conjunction with the auth methods, as opposed to in place of them. DocImpact blueprint pluggable-remote-user Change-Id: I9dda6dbe073f03806bdf539db6faa01644109f1c --- doc/source/configuration.rst | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) (limited to 'doc') diff --git a/doc/source/configuration.rst b/doc/source/configuration.rst index 0a2d9339..a074c704 100644 --- a/doc/source/configuration.rst +++ b/doc/source/configuration.rst @@ -106,7 +106,10 @@ file. It is up to the plugin to register its own configuration options. * ``methods`` - comma-delimited list of authentication plugin names * ```` - specify the class which handles to authentication method, in the same manner as one would specify a backend driver. -Keystone provides two authentication methods by default. ``password`` handles password authentication and ``token`` handles token authentication. +Keystone provides three authentication methods by default. ``password`` handles password +authentication and ``token`` handles token authentication. ``external`` is used in conjunction +with authentication performed by a container web server that sets the ``REMOTE_USER`` +environment variable. How to Implement an Authentication Plugin ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 
@@ -148,6 +151,12 @@ invoked, all plugins must succeed in order to for the entire authentication to be successful. Furthermore, all the plugins invoked must agree on the ``user_id`` in the ``auth_context``. +The ``REMOTE_USER`` environment variable is only set from a containing webserver. However, +to ensure that a user must go through other authentication mechanisms, even if this variable +is set, remove ``external`` from the list of plugins specified in ``methods``. This effectively +disables external authentication. + + Token Provider -------------- -- cgit
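Review bot: In the `@@ -106,7 +106,10 @@` hunk, the new ``external`` description leaves out two things the commit message says this change does: it does not name the config file option that selects the code handling ``REMOTE_USER``, and it does not say that the domain name is taken from REALM. Suggest adding an entry for that option next to the ``methods`` bullet and one sentence on the REALM lookup, so an operator can see both from the documentation without reading the commit. The terminology also differs between the two hunks ("container web server" here, "containing webserver" in the later one); pick one.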
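Review bot: In the `@@ -148,6 +151,12 @@` hunk, the added paragraph explains how to disable ``external`` but not when an operator needs to, and its opening sentence "The ``REMOTE_USER`` environment variable is only set from a containing webserver" reads as a guarantee rather than as a deployment requirement. The first hunk lists ``external`` among the three methods provided by default, and the commit message says the passed-in auth_data is disregarded in favour of ``REMOTE_USER``, so suggest stating outright that the user name is taken from ``REMOTE_USER`` as supplied by the web server and that ``external`` should stay in ``methods`` only when that server authenticates the request. It would also help to say how ``external`` fits the preceding rule that all invoked plugins must agree on the ``user_id``, and to drop the leading "However,", which has nothing to contrast with.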