Keystone auth component to add existing user database
Hey there,
I'm trying to get a hold on the best approach to make Keystone aware of an existing (internal) user database that's exposed via an API.
The flow should have been:
- extract username and password
- encrypt them
- check the API of the internal DB if the credentials are valid
- If so, return None
- if not, raise Unauthorized
There are basically two ways:
- write a plugin (http://
- write a middleware component (http://
So first I tried to write a plugin, as this seemed to be the right approach. The basic implementation had the authenticate method, which was just logging the auth attempt and raising Unauthorized. I could see, through other logging extensions, that the auth plugin got instantiated etc., but it was never used.
So tracing what would happen, I came to the conclusion that I need a middleware component, as authentication was always done
through
keystone.
which does not have the fancy checking and list building as
keystone.
I assumed this is due to the fact that somehow Keystone is always used in an HTTP fashion.
So I went back to the middleware component. I'll start work on this more or less after I've finished this post.
But I'm a little irritated as to what the approach here would be. There are also a couple of open questions, like: [Middleware] Is the token generated after I set REMOTE_USER, or do I have to trigger this manually?
The flow would be similar to the plugin flow. Though what I still lack is a comprehensive overview of how authentication is
done in context of a call http://
- Which contexts [i.e. API calls, RPC calls, HTTP contexts, ] are there that use the concept of authentication?
- How is authentication done for these contexts?
- Under which conditions would a plugin be used?
- Under which conditions would a middleware be used?
- Why does it seem that the plugin chain is not used in the flow I described?
- Why do I get the feeling that I'm completely misunderstanding the context, in which plugin and middleware are used?
I hope someone could point me in the right direction of getting a more general understanding of the auth architecture, beyond
http://
Best Regards,
Phil
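
A minimal WSGI filter for the middleware route described in the post, added here as an illustration; it is not code from the poster or from Keystone and uses no Keystone API. It assumes the credentials arrive as HTTP Basic over TLS, and `check_internal_api` with its constructed user table is a hypothetical stand-in for the internal database API; the "encrypt them" step is left out because the post does not say which scheme is meant.

```python
import base64
import hmac

# Constructed sample data standing in for the internal user database (hypothetical).
_CONSTRUCTED_USERS = {"phil": "correct horse"}


def check_internal_api(username, password):
    """Hypothetical stub: True if the internal DB API accepts the credentials."""
    expected = _CONSTRUCTED_USERS.get(username, "")
    # Constant-time comparison, also performed for unknown users.
    match = hmac.compare_digest(expected.encode(), password.encode())
    return match and username in _CONSTRUCTED_USERS


class ExternalUserMiddleware:
    """WSGI filter: validate credentials, then set REMOTE_USER for the app."""

    def __init__(self, app, verify=check_internal_api):
        self.app = app
        self.verify = verify

    def __call__(self, environ, start_response):
        # In this sketch the filter is the only source of REMOTE_USER,
        # so any value already present is discarded before validation.
        environ.pop("REMOTE_USER", None)
        creds = self._basic_credentials(environ.get("HTTP_AUTHORIZATION", ""))
        if creds is None or not self.verify(*creds):
            start_response("401 Unauthorized",
                           [("WWW-Authenticate", 'Basic realm="internal"'),
                            ("Content-Length", "0")])
            return [b""]
        environ["REMOTE_USER"] = creds[0]
        return self.app(environ, start_response)

    @staticmethod
    def _basic_credentials(header):
        """Parse 'Basic <base64(user:password)>'; None if malformed."""
        scheme, _, blob = header.partition(" ")
        if scheme.lower() != "basic":
            return None
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            return None
        user, sep, password = decoded.partition(":")
        return (user, password) if sep and user else None
```
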
Question information
- Language: English
- Status: Answered
- Assignee: No assignee