openstack team mailing list archive
Message #15171
Re: [keystone] Multi-tenants per user, authentication tokens and global roles
> You can use a token to get a token. Look at the authenticate code in
> keystone/service.py
>
> Have the user initially get a non-tenant specific token. Pass that in the
> x-auth header to POST /tokens/ along with a tenantid and you will get a new
> one scoped to the tenant
>
Ah. This is perfect, thanks!
>> I'm using the LDAP backend. I'm assuming I'm going to have to modify
>> the authenticate method to handle this. Would doing this be enough to
>> make this work, or will I need to patch more extensively for this
>> solution?
>
>
> Tokens are not stored in LDAP. There are separate back ends for: identity,
> tokens, and service catalog. LDAP is only wired up for Identity. For
> Token, the default is KVS, which is in memory only. You probably want to use
> memcached or SQL for the token back end, otherwise a reboot of the keystone
> server will lose you all the tokens.
>
I was planning on hacking in a method of pulling a long-lived token
from LDAP, but your previous comment makes that unneeded.
- Ryan
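The two-step exchange described in the reply above (an unscoped token first, then a POST to /tokens carrying that token to get one scoped to a tenant), as an added example that is not code from this thread or from Keystone itself. It assumes the Keystone v2.0 JSON request and response shapes, an endpoint URL, and that the token may be sent both in the X-Auth-Token header (as the reply says) and in the request body; `fake_post` is a constructed stand-in so the flow runs offline, and the client refuses a token scoped to any tenant other than the one it asked for.

```python
import json
import urllib.request

def unscoped_auth_body(username, password):
    # Step 1: password auth with no tenant named, so the token comes back unscoped.
    return {"auth": {"passwordCredentials": {"username": username, "password": password}}}

def scoped_auth_body(unscoped_token, tenant_id):
    # Step 2: present the existing token, not the password again, plus the tenant.
    return {"auth": {"token": {"id": unscoped_token}, "tenantId": tenant_id}}

def parse_token(response_json):
    """Return (token id, tenant id or None, expiry) from a /tokens response."""
    token = response_json["access"]["token"]
    tenant = token.get("tenant")
    return token["id"], (tenant["id"] if tenant else None), token.get("expires")

def post_tokens(endpoint, body, x_auth_token=None):
    # Real transport (assumed endpoint): POST <endpoint>/tokens; X-Auth-Token carries
    # the unscoped token in step 2, as the reply describes.
    headers = {"Content-Type": "application/json"}
    if x_auth_token:
        headers["X-Auth-Token"] = x_auth_token
    req = urllib.request.Request(endpoint + "/tokens", data=json.dumps(body).encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def get_scoped_token(endpoint, username, password, tenant_id, post=post_tokens):
    """Run both steps; reject a token scoped to any tenant other than the one requested."""
    unscoped_id, tenant, _ = parse_token(post(endpoint, unscoped_auth_body(username, password)))
    if tenant is not None:
        raise ValueError("step 1 should yield an unscoped token, got tenant %r" % tenant)
    scoped_id, got_tenant, expires = parse_token(
        post(endpoint, scoped_auth_body(unscoped_id, tenant_id), x_auth_token=unscoped_id))
    if got_tenant != tenant_id:
        raise ValueError("token scoped to %r, expected %r" % (got_tenant, tenant_id))
    return scoped_id, expires

def fake_post(endpoint, body, x_auth_token=None):
    # Constructed stand-in for Keystone so the exchange can be exercised offline.
    auth = body["auth"]
    if "passwordCredentials" in auth:
        return {"access": {"token": {"id": "unscoped-123", "expires": "2012-01-01T00:00:00Z"}}}
    if x_auth_token != "unscoped-123" or auth["token"]["id"] != x_auth_token:
        raise PermissionError("bad or missing X-Auth-Token")
    return {"access": {"token": {"id": "scoped-456", "expires": "2012-01-01T00:00:00Z",
                                 "tenant": {"id": auth["tenantId"]}}}}

if __name__ == "__main__":
    print(get_scoped_token("http://keystone.example:5000/v2.0", "alice", "s3cret", "tenant-A", post=fake_post))
```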