)]}'
{"doc/source/admin/external-authentication.rst":[{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"165fbc2be5183c269c3bec2e4378c808be4f74db","unresolved":false,"context_lines":[{"line_number":73,"context_line":"To use this method, Keystone should be running on HTTPD."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"X.509 example"},{"line_number":76,"context_line":"-------------"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"The following snippet for the Apache conf will authenticate the user based on"},{"line_number":79,"context_line":"a valid X.509 certificate from a known CA::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_1649885e","side":"PARENT","line":76,"updated":"2019-07-18 16:55:11.000000000","message":"Is there another safer example we could use, like kerberos? We\u0027re still allowing external auth so it would still be best to document it as long as we\u0027re also including a disclaimer.","commit_id":"e9ee189b4392bbd9ff4324cb194ee9e1e0818586"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"f5359f4d81036242e9eff53845011573d4b0556f","unresolved":false,"context_lines":[{"line_number":73,"context_line":"To use this method, Keystone should be running on HTTPD."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"X.509 example"},{"line_number":76,"context_line":"-------------"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"The following snippet for the Apache conf will authenticate the user based on"},{"line_number":79,"context_line":"a valid X.509 certificate from a known CA::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_9d5b50f4","side":"PARENT","line":76,"in_reply_to":"7faddb67_1649885e","updated":"2019-07-19 04:39:11.000000000","message":"let me setup kerberos on my dev 
environment to get an accurate example","commit_id":"e9ee189b4392bbd9ff4324cb194ee9e1e0818586"},{"author":{"_account_id":15054,"name":"wangxiyuan","email":"wangxiyuan1007@gmail.com","username":"wangxiyuan"},"change_message_id":"f203f1b7921aae21830dade22ef99fe762b98fd7","unresolved":false,"context_lines":[{"line_number":73,"context_line":"To use this method, Keystone should be running on HTTPD."},{"line_number":74,"context_line":""},{"line_number":75,"context_line":"X.509 example"},{"line_number":76,"context_line":"-------------"},{"line_number":77,"context_line":""},{"line_number":78,"context_line":"The following snippet for the Apache conf will authenticate the user based on"},{"line_number":79,"context_line":"a valid X.509 certificate from a known CA::"}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_93cd7fb8","side":"PARENT","line":76,"in_reply_to":"7faddb67_9d5b50f4","updated":"2019-07-19 09:10:43.000000000","message":"The `CAUTION` is good.\n+1 for Colleen, this example part can be kept.","commit_id":"e9ee189b4392bbd9ff4324cb194ee9e1e0818586"},{"author":{"_account_id":27621,"name":"Vishakha Agarwal","email":"agarwalvishakha18@gmail.com","username":"Vishakha"},"change_message_id":"4b3ec6b7a40386ac76056158e68550c433efcd36","unresolved":false,"context_lines":[{"line_number":4,"context_line":""},{"line_number":5,"context_line":"When Keystone is executed in a web server like Apache HTTPD,"},{"line_number":6,"context_line":"it is possible to have the web server also handle authentication."},{"line_number":7,"context_line":"This enables support for additional methods of authentication that "},{"line_number":8,"context_line":"are not provided by the identity store backend and"},{"line_number":9,"context_line":"the authentication plugins that Keystone 
supports."},{"line_number":10,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_b3d8d1ee","line":7,"range":{"start_line":7,"start_character":66,"end_line":7,"end_character":67},"updated":"2019-07-18 07:41:37.000000000","message":"trailing space","commit_id":"5fcab40996667510c7d7e0ee9ad4b79e7de3cfb4"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"45a83edce689dcd4a4cfc628ee3473ee6e42f8fd","unresolved":false,"context_lines":[{"line_number":4,"context_line":""},{"line_number":5,"context_line":"When Keystone is executed in a web server like Apache HTTPD,"},{"line_number":6,"context_line":"it is possible to have the web server also handle authentication."},{"line_number":7,"context_line":"This enables support for additional methods of authentication that "},{"line_number":8,"context_line":"are not provided by the identity store backend and"},{"line_number":9,"context_line":"the authentication plugins that Keystone supports."},{"line_number":10,"context_line":""}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_16973a4a","line":7,"range":{"start_line":7,"start_character":66,"end_line":7,"end_character":67},"in_reply_to":"7faddb67_b3d8d1ee","updated":"2019-07-19 13:48:41.000000000","message":"++","commit_id":"5fcab40996667510c7d7e0ee9ad4b79e7de3cfb4"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"45a83edce689dcd4a4cfc628ee3473ee6e42f8fd","unresolved":false,"context_lines":[{"line_number":78,"context_line":"    is not recommended as `external` method is limited to a single domain."},{"line_number":79,"context_line":"    Furthermore, there\u0027s no way to effectively distinguish SSL certificates"},{"line_number":80,"context_line":"    used for secure communication from SSL certificates used for user"},{"line_number":81,"context_line":"    authentication. 
X.509 SSL client certificate authentication should be use"},{"line_number":82,"context_line":"    with federation instead."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_7629ce34","line":81,"range":{"start_line":81,"start_character":74,"end_line":81,"end_character":77},"updated":"2019-07-19 13:48:41.000000000","message":"\"used\"","commit_id":"5fcab40996667510c7d7e0ee9ad4b79e7de3cfb4"},{"author":{"_account_id":21420,"name":"Gage Hugo","email":"gagehugo@gmail.com","username":"ghugo"},"change_message_id":"45a83edce689dcd4a4cfc628ee3473ee6e42f8fd","unresolved":false,"context_lines":[{"line_number":79,"context_line":"    Furthermore, there\u0027s no way to effectively distinguish SSL certificates"},{"line_number":80,"context_line":"    used for secure communication from SSL certificates used for user"},{"line_number":81,"context_line":"    authentication. X.509 SSL client certificate authentication should be use"},{"line_number":82,"context_line":"    with federation instead."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_76ac6e9e","line":82,"range":{"start_line":82,"start_character":4,"end_line":82,"end_character":28},"updated":"2019-07-19 13:48:41.000000000","message":"Do we want to recommend that x509 \"only\" be used with federation?","commit_id":"5fcab40996667510c7d7e0ee9ad4b79e7de3cfb4"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"4a4dc602f87465acaedf52d24c9add79e1375392","unresolved":false,"context_lines":[{"line_number":79,"context_line":"    Furthermore, there\u0027s no way to effectively distinguish SSL certificates"},{"line_number":80,"context_line":"    used for secure communication from SSL certificates used for user"},{"line_number":81,"context_line":"    authentication. 
X.509 SSL client certificate authentication should be use"},{"line_number":82,"context_line":"    with federation instead."}],"source_content_type":"text/x-rst","patch_set":1,"id":"7faddb67_6a0a3d20","line":82,"range":{"start_line":82,"start_character":4,"end_line":82,"end_character":28},"in_reply_to":"7faddb67_76ac6e9e","updated":"2019-07-19 16:44:14.000000000","message":"Yes. X.509 should be for federation only. External auth is only useful in a situation where all the identities are managed by a single IDP and in a single monolithic domain. And it cannot be used in conjunction with federation either. X.509, on the other hand, has a lot more attributes than just the username mapping and it shouldn\u0027t be limited by external auth.","commit_id":"5fcab40996667510c7d7e0ee9ad4b79e7de3cfb4"},{"author":{"_account_id":8482,"name":"Colleen Murphy","email":"colleen@gazlene.net","username":"krinkle"},"change_message_id":"c395a55efb849ed5bf997a9666fae1047858204c","unresolved":false,"context_lines":[{"line_number":104,"context_line":"        KrbLocalUserMapping   On"},{"line_number":105,"context_line":"        KrbAuthoritative      On"},{"line_number":106,"context_line":"        Require               valid-user"},{"line_number":107,"context_line":"        SetEnv REMOTE_DOMAIN  FOO"},{"line_number":108,"context_line":"    \u003c/Location\u003e"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_ec6f2d25","line":107,"range":{"start_line":107,"start_character":8,"end_line":107,"end_character":33},"updated":"2019-09-30 18:37:19.000000000","message":"This is the main issue, right? Any external auth can\u0027t be used with more than a single domain and that domain is hardcoded with SetEnv? 
If so, kerberos isn\u0027t really a better example than X.509, and we might as well keep the old example but deprecate external auth altogether.","commit_id":"b916f9632bb86f47396be50013cbadc99a05fc31"},{"author":{"_account_id":1916,"name":"Guang Yee","email":"gyee@suse.com","username":"guang-yee"},"change_message_id":"0d2d12ce23b8ec9b8489d96b5354e93e4a2da06b","unresolved":false,"context_lines":[{"line_number":104,"context_line":"        KrbLocalUserMapping   On"},{"line_number":105,"context_line":"        KrbAuthoritative      On"},{"line_number":106,"context_line":"        Require               valid-user"},{"line_number":107,"context_line":"        SetEnv REMOTE_DOMAIN  FOO"},{"line_number":108,"context_line":"    \u003c/Location\u003e"}],"source_content_type":"text/x-rst","patch_set":2,"id":"3fa7e38b_6f4ecc97","line":107,"range":{"start_line":107,"start_character":8,"end_line":107,"end_character":33},"in_reply_to":"3fa7e38b_ec6f2d25","updated":"2019-09-30 23:50:42.000000000","message":"Right, there are a number of issues with Kerberos.\n\n1. Single domain\n2. Require separate auth URL (i.e. /krb/identity/v3/auth/tokens)\n3. Limited number of attributes about the identity, just name and domain.\n4. It\u0027s not compatible with other external auth mechanisms. i.e. can\u0027t enable them at the same time.\n\nGiven that external auth only conveys a single attribute (REMOTE_USER), I am not sure how useful it is in a large-scale production environment. I am fine with deprecating it.","commit_id":"b916f9632bb86f47396be50013cbadc99a05fc31"}]}
