-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Using external authentication backend #85
Comments
So you want to supply a token instead maybe? If auth info such as passwords are not supposed to be in the app, then you would have to supply a token from somewhere. Are you thinking about using As far as I can see there are no support for using tokens directly. It might not be hard to add. |
I (sorry, wrong account) was thinking that passing a Keystone v3 fernet scoped token to Swift should be the logical thing to do. Now, how to get that token? I am not so sure that django_openstack_auth supplies that (I guess it does), but otherwise the python openstack client should do. |
Requesting a token and using that in the swift client works fine. Should the app itself get the token or is the token supplied from somewhere outside? Is this limited to a fixed set of containers in a specific domain/project or should it be able to upload to any container in any domain/project? |
The app never sees the password. It gets an OIDC token that then uses to get a Keystone token. The question is, since in your API doc is said that Password is a mandatory field, what happens if you don't have one, but a Keystone token. In principle, the limits on what the app can upload/download depend on the user can do (e.g. in Horizon), from any domain/project if possible. Sorry but this is all very theoretical: I'm only evaluating libs, did not throw a line of code yet. |
What you say definitely makes sense. This package was originally only intended to be a storage backend for media and static files. You can of course instantiate the backend manually and send parameters in the constructor instead of using the ones in the settings module. What is missing right now is the ability to pass in a token instead of using password authentication. You would also have to know the exact name of an existing container in the destination project (or maybe the create options can work..). .. so it's probably doable by adding a token config option. Then you would probably also need to manually set the EDIT: I also assumed you are making a Django app as this project heavily depends on Django. |
Your assumption is correct. Thanks a lot for all the info! |
Dear Dev,
I am looking for a library that would allow me to upload files to Swift using this authorization backend, so that the password is not seen by the web app:
AUTHENTICATION_BACKENDS = ('openstack_auth.backend.KeystoneBackend',)
(source: http://django-openstack-auth.readthedocs.io/en/latest/installation.html#installation)
Unfortunately, I see that your library defines SWIFT_KEY/SWIFT_PASSWORD as a Required field.
The question is: can I use your library without specifying the password, so that it uses the django authentication backend that I set up?
Thanks!
The text was updated successfully, but these errors were encountered: