OpenStack Identity (keystone)

PAM for SQL Identity

Registered by Ken Thomas

We have a need for using the sql.Identity to manage users, roles, and tenants, but we need to have a pluggable authorization module to authenticate our users rather than just checking the hashed passwords match what's in the database.

For example, keystone.identity.backends.sql.Identity has the following snippet of code in its authenticate method.

if (not user_ref
            or not utils.check_password(password, user_ref.get('password'))):

We need to change that check_password call to something specific to our needs.

I propose that we use a PAM that defaults to the existing check_password call, but allows people to provide their own PAM to do whatever authentication they need.

I also propose that keystone.conf contain an optional 'pam' field under [identify] where the module can be specified.

The work around that we're using for now is to subclass sql.Identity and reimpliement the authenticate method to do what we need.

Questions:

1. Does this sound of any use to y'all?

2. Would this be of use for the other identity backends? It looks like it could be used where ever utils.check_password is currently being called.

3. What should be done for backends that don't support it? Just ignore it?

I'll be happy to work on this if it's deemed useful.

Follow up suggestion... My concern about our current work around of subclassing sql.Identity is that I have to duplicate the entire authenticate method. If there was a check_password method (like in ldap/core.py) then I could just overwrite that method and be assured that if things change in the base class, I won't need to reimplement my authenticate method.

This change is much smaller in scope, but is it as useful as a general pam for the other identify classes?

Blueprint information

Status:
Complete
Approver:
None
Priority:
Low
Drafter:
None
Direction:
Approved
Assignee:
Ken Thomas
Definition:
New
Series goal:
None
Implementation:
Implemented
Milestone target:
None
Started by
Dolph Mathews
Completed by
Dolph Mathews

Related branches

Sprints

Whiteboard

I have implemented a local patch for LDAP authentication when using the SQL Identity backend. I am interested if people are looking to make this more generic interface which would allow a multitude of different authentication backends.

After toying with deploying the LDAP Identity backend we personally feel that fitting the data model going forward will always be challenging. Without a specific schema published by OpenStack I don't see a good way forward with the LDAP Identity backend.

That being said, LDAP, PAM and things like Oauth are very attractive for the authentication component for anyone deploying OpenStack at scale. Keeping passwords in a SQL database just means one more password for users. Keeping all the rest of the authorization components in SQL make a lot of sense.

How do people envision this to be implemented with respect to the current code layout (eg. something like Authentication backends for the SQL Identity Backend)?

  This is now much easier to implement with the introduction of pluggable authentication in grizzly. This would simply be an alternative password plugin.

Gerrit topic: https://review.openstack.org/#q,topic:bp/sql-identiy-pam,n,z

Addressed by: https://review.openstack.org/8257
    Tweak for easier, safer subclassing

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.