← Back to team overview

openstack team mailing list archive

Re: [keystone] Multi-tenants per user, authentication tokens and global roles

 

> You can use a token to get a token.  Look at the authenticate code in
> keystone/service.py
>
> Have the user initially get a non-tenant specific token.  Pass that in the
> x-auth header to POST /tokens/ along with a tenantid  and you will get a new
> one scoped to the tenant
>

Ah. This is perfect, thanks!

>> I'm using the LDAP backend. I'm assuming I'm going to have to modify
>> the authenticate method to handle this. Would doing this be enough to
>> make this work, or will I need to patch more extensively for this
>> solution?
>
>
> Tokens are not stored in LDAP.  There are separate back ends for: identity,
> tokens, and service catalog.  LDAP is only wired up for Identity.  For
> Token, the default is KVS, which is in memory only. You probably want to use
> memcached or SQL for the token back end, otherwise a reboot of the keystone
> server will lose you all the tokens.
>

I was planning on hacking in a method of pulling a long-lived token
from LDAP, but your previous comment makes that unneeded.

- Ryan


References