Using external authentication backend #85

Open
cscs opened this issue May 11, 2017 · 6 comments

cscs commented May 11, 2017

Dear Dev,

I am looking for a library that would allow me to upload files to Swift using this authorization backend, so that the password is not seen by the web app:
```python
AUTHENTICATION_BACKENDS = ('openstack_auth.backend.KeystoneBackend',)
```
(source: http://django-openstack-auth.readthedocs.io/en/latest/installation.html#installation)

Unfortunately, I see that your library defines SWIFT_KEY/SWIFT_PASSWORD as a Required field.

The question is: can I use your library without specifying the password, so that it uses the django authentication backend that I set up?

Thanks!


einarf commented May 11, 2017

So you want to supply a token instead maybe? If auth info such as passwords is not supposed to be in the app, then you would have to supply a token from somewhere. Are you thinking about using django_openstack_auth or simply just supplying a token from the outside in requests?

As far as I can see there is no support for using tokens directly. It might not be hard to add.

@naevtamarkus

I (sorry, wrong account) was thinking that passing a Keystone v3 fernet scoped token to Swift should be the logical thing to do. Now, how to get that token? I am not so sure that django_openstack_auth supplies that (I guess it does), but otherwise the python openstack client should do.


einarf commented May 12, 2017

Requesting a token and using that in the swift client works fine. Should the app itself get the token or is the token supplied from somewhere outside? Is this limited to a fixed set of containers in a specific domain/project or should it be able to upload to any container in any domain/project?

@naevtamarkus

The app never sees the password. It gets an OIDC token that it then uses to get a Keystone token. The question is, since your API doc says that Password is a mandatory field, what happens if you don't have one, but have a Keystone token? In principle, the limits on what the app can upload/download depend on what the user can do (e.g. in Horizon), from any domain/project if possible.

Sorry, but this is all very theoretical: I'm only evaluating libs and have not written a line of code yet.
Thanks!


einarf commented May 15, 2017

What you say definitely makes sense.

This package was originally only intended to be a storage backend for media and static files. You can of course instantiate the backend manually and send parameters in the constructor instead of using the ones in the settings module.

What is missing right now is the ability to pass in a token instead of using password authentication. You would also have to know the exact name of an existing container in the destination project (or maybe the create options can work..).

.. so it's probably doable by adding a token config option. Then you would probably also need to manually set the SWIFT_BASE_URL.

EDIT: I also assumed you are making a Django app as this project heavily depends on Django.

@naevtamarkus

Your assumption is correct. Thanks a lot for all the info!
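
The token-only upload discussed in this thread, as an added example that is not part of the original issue and not this project's code: a Swift object PUT that carries a Keystone token in `X-Auth-Token`, given a manually supplied storage URL and an existing container name. The function names, host, project and token values are assumptions constructed for illustration; only the Python standard library is used.

```python
from urllib.parse import quote, urlsplit
from urllib.request import Request, urlopen


def build_swift_upload(storage_url, token, container, object_name, data):
    """Build a Swift object PUT that is authenticated by a token only.

    storage_url is the project's Swift endpoint, supplied by the caller
    (the thread notes the base URL would have to be set manually).
    """
    parts = urlsplit(storage_url)
    if parts.scheme != "https" or not parts.netloc:
        # The token is a bearer credential: never send it over plain HTTP.
        raise ValueError("storage_url must be an https:// URL")
    if not token or "\r" in token or "\n" in token:
        raise ValueError("token is empty or contains a line break")
    if not container or "/" in container:
        raise ValueError("container must be non-empty and contain no '/'")
    if not object_name:
        raise ValueError("object_name must be non-empty")
    # Percent-encode names so '?' or '#' in a user-supplied name cannot
    # change the request target.
    url = "{}/{}/{}".format(
        storage_url.rstrip("/"),
        quote(container, safe=""),
        quote(object_name, safe="/"),
    )
    req = Request(url, data=data, method="PUT")
    req.add_header("X-Auth-Token", token)
    req.add_header("Content-Type", "application/octet-stream")
    return req


def upload(req, timeout=10):
    """Send the request; Swift answers 201 Created on success."""
    with urlopen(req, timeout=timeout) as resp:
        return resp.status


if __name__ == "__main__":
    # Constructed sample values; nothing is sent and the token is not printed.
    sample = build_swift_upload(
        "https://swift.example.test/v1/AUTH_demo",
        "constructed-sample-token",
        "media",
        "uploads/report 1.pdf",
        b"sample bytes",
    )
    print(sample.get_method(), sample.full_url)
```

The password never enters this code path, so the token's scope and lifetime are the only limits on what the app can upload.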
