External authentication plugins

Registered by Brant Knudson

We need to figure out what external authentication plugins Keystone needs to provide.

Requirements are that we should support what was supported in Grizzly and Havana, and also support a plugin that works with both auth V2 and auth V3.

Blueprint information

Status: Complete
Approver: None
Priority: Undefined
Drafter: Brant Knudson
Direction: Needs approval
Assignee: None
Definition: New
Series goal: None
Implementation: Implemented
Milestone target: None
Started by: Steve Martinelli
Completed by: Steve Martinelli

Whiteboard

Background Info
-------------------------

- These are plugins we had in Havana (for V3):
  (See http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/plugins/external.py?h=stable/havana)

  - keystone.auth.plugins.external.ExternalDefault

    - @ is optional, everything after first @ is ignored
    - users are only found in default domain

  - keystone.auth.plugins.external.ExternalDomain

    - @ is required, everything after last @ is the domain name

- This is how Havana V2 works:
  (See http://git.openstack.org/cgit/openstack/keystone/tree/keystone/token/controllers.py?h=stable/havana#n277)

  - @ is not a special character, the whole username is used
  - users are only found in default domain

- This is how Grizzly works:

  - V3:

    - The user name in REMOTE_USER is ignored, the user name and domain are taken from "password" method data in request
      (See http://git.openstack.org/cgit/openstack/keystone/tree/keystone/auth/controllers.py?h=stable/grizzly#n322)

  - V2 Grizzly worked the same as Havana

Notes on previous behavior
-----------------------------------------

- Regarding keystone.auth.plugins.external.ExternalDefault:
  - Dolph: I have yet to find someone that thinks this behavior is useful; IMO this should be changed to reflect grizzly v2 behavior

Current plugins in IceHouse, as of I2
-------------------------------------------------------

- DefaultDomain: takes the full REMOTE_USER value as the user name; the user is always looked up in the default domain
  - This is G & H V2
- Domain: like DefaultDomain, but takes the domain name from the REMOTE_DOMAIN environment variable
  - This is new
- LegacyDefaultDomain: drops everything after the first @ and uses the default domain (deprecated)
  - This is H ExternalDefault
- LegacyDomain: splits REMOTE_USER at the last @ into user name and domain name (deprecated)
  - This is H ExternalDomain
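The REMOTE_USER handling rules from Background Info and the Icehouse plugin list above, as an added example written for this page (not Keystone's own plugin code): each function returns the (username, domain) pair the named plugin would look up, with DEFAULT_DOMAIN as a constructed stand-in for the configured default domain id. Running it on one REMOTE_USER value shows that the same external identity maps to different principals under different plugins, which is the reason the Grizzly/Havana/Icehouse differences need to be pinned down.

```python
# Added example, not Keystone's own code: models how each external auth plugin
# named on this page derives (username, domain) from the WSGI environment.
# DEFAULT_DOMAIN is a constructed stand-in for CONF.identity.default_domain_id.
DEFAULT_DOMAIN = "default"

def legacy_default_domain(environ):
    """Havana ExternalDefault: '@' optional, everything after the FIRST '@' ignored."""
    username = environ["REMOTE_USER"].split("@", 1)[0]
    return username, DEFAULT_DOMAIN

def legacy_domain(environ):
    """Havana ExternalDomain: '@' required, everything after the LAST '@' is the domain."""
    remote_user = environ["REMOTE_USER"]
    if "@" not in remote_user:
        raise ValueError("LegacyDomain requires an '@' in REMOTE_USER")
    username, domain_name = remote_user.rsplit("@", 1)
    return username, domain_name

def default_domain(environ):
    """Grizzly/Havana V2 and Icehouse DefaultDomain: whole REMOTE_USER is the name."""
    return environ["REMOTE_USER"], DEFAULT_DOMAIN

def domain(environ):
    """Icehouse Domain: whole REMOTE_USER is the name; domain comes from REMOTE_DOMAIN."""
    if "REMOTE_DOMAIN" not in environ:
        raise ValueError("Domain plugin requires REMOTE_DOMAIN in the environment")
    return environ["REMOTE_USER"], environ["REMOTE_DOMAIN"]

PLUGINS = {
    "DefaultDomain": default_domain,
    "Domain": domain,
    "LegacyDefaultDomain": legacy_default_domain,
    "LegacyDomain": legacy_domain,
}

def resolve(plugin_name, environ):
    """Return the (username, domain) the named plugin would look up."""
    return PLUGINS[plugin_name](environ)

if __name__ == "__main__":
    # Constructed sample: a REMOTE_USER containing two '@', as a front-end
    # authenticator (Kerberos, client certificates) might set it.
    env = {"REMOTE_USER": "alice@corp@example.org", "REMOTE_DOMAIN": "corp"}
    for name in PLUGINS:
        try:
            print(f"{name:20s} -> {resolve(name, env)}")
        except ValueError as exc:
            print(f"{name:20s} -> error: {exc}")
```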

Deprecated names in IceHouse
-----------------------------------------------

- ExternalDefault: DefaultDomain (deprecated name)
- ExternalDomain: Domain (deprecated name)

Plans for IceHouse
---------------------------

- Develop a plugin that works like Grizzly V3

(stevemar) 2016-02-02: this is terribly hard to follow along, and it looks like it hasn't been updated in about 4 releases, and the keystone code base has shifted significantly since then. I'm going to mark this as implemented; we can open a new spec for any leftover functionality that might have been missed.


Work Items
-----------------

- Develop a plugin that works like Grizzly V3: TODO
