yahoo-eng-team team mailing list archive

Thread
Date

[Bug 1311324] [NEW] documentation does not specify that [auth] drivers only work with v3 API

To: yahoo-eng-team@xxxxxxxxxxxxxxxxxxx
From: Matt Fischer <matt@xxxxxxxxxxxxxxx>
Date: Tue, 22 Apr 2014 20:37:22 -0000
Reply-to: Bug 1311324 <1311324@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

Public bug reported:

The documentation on auth plugins
(http://docs.openstack.org/developer/keystone/configuration.html#how-to-
implement-an-authentication-plugin) does not state that it's a V3
feature. I did a bunch of tests today and found that it's being ignored.
You can set the config to complete garbage values and it was ignored. I
also found that calls to get a token skip the auth drivers and talk
right to the identity ones.

 <mfisch> morganfainberg: perhaps you can comment on a mystery, when I use password auth and request a token, is it supposed to go through the auth modules?
 <morganfainberg> mfisch, v2.0 or v3?
 <morganfainberg> mfisch, v3 is where the auth plugins/modules are used vs. the logic in the token auth controller
 <mfisch> morganfainberg: v2
 <mfisch> morganfainberg: I did see the token driver just calling right to the identity driver
 <mfisch> morganfainberg: ugh, so whats the point of an auth module in v2?
 <morganfainberg> mfisch, https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L60
 <morganfainberg> mfisch, this is one of the benefits of using V3 (yes, I know, not supported everywhere yet)
 <mfisch> morganfainberg: yeah, thats the code I was looking at earlier, authenticate_local calls direct to ident
 <morganfainberg> mfisch, yep
 <morganfainberg> mfisch, v2.0 doesn't have the auth plugin mechanisms
 <morganfainberg> mfisch, it wasn't really designed with that in mind.
 <mfisch> morganfainberg: so the docs for it are really designed for v3
 <morganfainberg> mfisch, if we weren't clear on the auth plugins being a v3 thing we should get the docs updated
 <morganfainberg> mfisch, but yes, v3 is where auth plugin logic is used
 <mfisch> morganfainberg: I dont see it called out here: http://docs.openstack.org/developer/keystone/configuration.html#how-to-implement-an-authentication-plugin
 <morganfainberg> mfisch, yep, don't see it either. file a bug on this if you don't mind (feel free to fix it too if you're so inclined)
 <morganfainberg> mfisch, good catch.
 <mfisch> not sure if happy to be right or sad that it doesn't work
 <morganfainberg> mfisch, well, help us get everyone moved to v3 :) then it'll work like you expect!
 <morganfainberg> mfisch (shameless plug for help to get OpenStack on keystone V3)
 <mfisch> I'm on board

** Affects: keystone
     Importance: Low
         Status: Triaged


** Tags: documentation low-hanging-fruit

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to Keystone.
https://bugs.launchpad.net/bugs/1311324

Title:
  documentation does not specify that [auth] drivers only work with v3
  API

Status in OpenStack Identity (Keystone):
  Triaged

Bug description:
  The documentation on auth plugins
  (http://docs.openstack.org/developer/keystone/configuration.html#how-
  to-implement-an-authentication-plugin) does not state that it's a V3
  feature. I did a bunch of tests today and found that it's being
  ignored. You can set the config to complete garbage values and it was
  ignored. I also found that calls to get a token skip the auth drivers
  and talk right to the identity ones.

   <mfisch> morganfainberg: perhaps you can comment on a mystery, when I use password auth and request a token, is it supposed to go through the auth modules?
   <morganfainberg> mfisch, v2.0 or v3?
   <morganfainberg> mfisch, v3 is where the auth plugins/modules are used vs. the logic in the token auth controller
   <mfisch> morganfainberg: v2
   <mfisch> morganfainberg: I did see the token driver just calling right to the identity driver
   <mfisch> morganfainberg: ugh, so whats the point of an auth module in v2?
   <morganfainberg> mfisch, https://github.com/openstack/keystone/blob/master/keystone/token/controllers.py#L60
   <morganfainberg> mfisch, this is one of the benefits of using V3 (yes, I know, not supported everywhere yet)
   <mfisch> morganfainberg: yeah, thats the code I was looking at earlier, authenticate_local calls direct to ident
   <morganfainberg> mfisch, yep
   <morganfainberg> mfisch, v2.0 doesn't have the auth plugin mechanisms
   <morganfainberg> mfisch, it wasn't really designed with that in mind.
   <mfisch> morganfainberg: so the docs for it are really designed for v3
   <morganfainberg> mfisch, if we weren't clear on the auth plugins being a v3 thing we should get the docs updated
   <morganfainberg> mfisch, but yes, v3 is where auth plugin logic is used
   <mfisch> morganfainberg: I dont see it called out here: http://docs.openstack.org/developer/keystone/configuration.html#how-to-implement-an-authentication-plugin
   <morganfainberg> mfisch, yep, don't see it either. file a bug on this if you don't mind (feel free to fix it too if you're so inclined)
   <morganfainberg> mfisch, good catch.
   <mfisch> not sure if happy to be right or sad that it doesn't work
   <morganfainberg> mfisch, well, help us get everyone moved to v3 :) then it'll work like you expect!
   <morganfainberg> mfisch (shameless plug for help to get OpenStack on keystone V3)
   <mfisch> I'm on board

To manage notifications about this bug go to:
https://bugs.launchpad.net/keystone/+bug/1311324/+subscriptions

Follow ups

[Bug 1311324] Re: documentation does not specify that [auth] drivers only work with v3 API
From: Thierry Carrez, 2014-06-11
[Bug 1311324] [NEW] documentation does not specify that [auth] drivers only work with v3 API
From: Matt Fischer, 2014-04-22

References

[Bug 1311324] [NEW] documentation does not specify that [auth] drivers only work with v3 API
From: Matt Fischer, 2014-04-22