Skip to main content

OpenStack Identity plugin for Rackspace Technologies

Project description

Keystone-RXT Authentication Plugin

This repo is a simple authentication plugin for Rackspace Global Auth that will allow an OpenStack environment to use Rackspace Global Auth as an IDP.

When the plugin is installed the password authentication method is required, and the plugin value needs to be be set to rxt. Once activated, the plugin will run normally allowing both local users and remote users to authenticate to the cloud. The RXT authentication plugin presents a federated token and conforms to the mapping authentication driver.

Why?

The answer is quite simple, Rackspace Public Cloud Identity provides a powerful set of tools which can allow folks to make use of their existing users within an OpenStack environment; additionally, this setup allows us to use OpenStack natively.

How?

To bridge the authentication gap between Keystone and Rackspace Identity the keystone-rxt authentication driver effectively acts as a reverse proxy to Rackspace Identity and then presents the returned data as a federated token.

Capstone Diagram

History

This plugin was inspired by the Capstone project. Process wise, Capstone and Keystone-RXT perform similar actions using Rackspace Identity as an IDP compatible with OpenStack. While Keystone-RXT was inspired by Capstone, the two projects serve different purposes.

Mapping

Within this repository is an example mapping file mapping.json which will create different users based on the roles a user has within Rackspace Identity. This file is just an example and can be customized to meet the demands of the OpenStack environment following the typical mapping setup. See more about Keystone Mapping and Federation here.


Deploying the keystone-rxt plugin.

Before we can do anything you need to install the plugin within your keystone environment, for development purposes the example here is using pip.

pip install --force --upgrade git+https://github.com/rackerlabs/keystone-rxt

This plugin is not yet on PyPi, but that will change with time.

Setup your environment

Once the authentication plugin is installed, update your keystone.conf to use the new password plugin named rxt.

The configuration file entry will look something like this

[auth]
methods = password,token,application_credential
password = rxt

Take note that the password method is defined and that the password plugin is set to use rxt.

If you have multifactor auth enabled, and want to support users that are running work loads with it the plugin also supports TOTP. To enable TOPT make sure totp is in your allowed authentication methods and that the totp plugin is using the rxt plugin.

[auth]
methods = password,token,application_credential,totp
password = rxt
totp = rxt

Yes, just a couple of lines is all that's required in config. After the configuration edit, be sure to restart keystone.

Rackspace Configurations

The [rackspace] section can also be used in your keystone.conf to allow you to configure how to anchor on roles.

key value
role_attribute A string option used as an anchor to discover roles attributed to a given user
role_attribute_enforcement When set true will limit a users project to only the discovered GUID for the defined role_attribute

Identity mapping, project, and domain setup

Once the plugin is setup and running, everything will be operating normally. The plugin is passive until the Keystone is informed about the identity provider and we have the rackspace_cloud_domain created.

Craete the domain
openstack domain create rackspace_cloud_domain
Create the identity provider
openstack identity provider create --remote-id rackspace --domain rackspace_cloud_domain rackspace
Create the mapping for our identity provider
openstack mapping create --rules files/mapping.json --schema-version 2.0 rackspace_mapping
Create the federation protocol
openstack federation protocol create rackspace --mapping rackspace_mapping --identity-provider rackspace

Using The RXT Authentication Plugin

Using the plugin is no different that a typical day in the cloud. Simply authenticate using your favorite method, just make sure you include the rackspace_cloud_domain domain.

Authentication using openstacksdk

This setup requires a federated token to work. The clouds yaml will not pull a token by default.

clouds:
  local:
    auth:
      auth_url: http://localhost:5000/v3
      project_name: 67890_Development
      project_domain_name: rackspace_cloud_domain
      username: test
      password: secrete
      user_domain_name: rackspace_cloud_domain
    region_name: RegionOne
    interface: internal
    identity_api_version: "3"

If you're running the CLI tools with a TOTP enabled user and you don't want to use your API key, setup your clouds.yaml with the following options so that it knows to run with password and totp.

clouds:
  rxt-local-mfa:
    auth_type: "v3multifactor"
    auth_methods:
      - v3password
      - v3totp
    auth:
      auth_url: http://localhost:5000/v3
      project_name: 67890_Development
      project_domain_name: rackspace_cloud_domain
      username: test
      password: secrete
      user_domain_name: rackspace_cloud_domain
    region_name: RegionOne
    interface: internal
    identity_api_version: "3"

Enabling TOTP will require you to use your one time token to run commands, this token can be defined on the CLI with the --os-passcode flag; for example the simple image list would look like so openstack --os-cloud local --os-passcode 123456 image list

Once you have the clouds CLI setup, run commands normally.

openstack --os-cloud local image list
+--------------------------------------+-------------------------------------------------+--------+
| ID                                   | Name                                            | Status |
+--------------------------------------+-------------------------------------------------+--------+
| 6af793ec-d5d2-4a70-a284-cbbb223365f3 | debian-10-openstack-amd64.qcow2                 | active |
| 4ee2c1b4-1055-40b8-ad6b-eb3c9eb7b4d7 | debian-11-genericcloud-amd64.qcow2              | active |
| f16a1332-a5fb-46d5-b2ae-caa136cf9432 | jammy-server-cloudimg-amd64-disk-kvm.img        | active |
| 9e2c968c-c5b3-4a1b-9355-261fa9907e16 | ubuntu-bionic-server-cloudimg-amd64.img         | active |
| 0ee7d71b-2043-49a0-b107-56ebbbcd6b95 | ubuntu-focal-server-cloudimg-amd64-disk-kvm.img | active |
| 804cc228-251c-4081-97df-f609c0e568e7 | ubuntu-jammy-server-cloudimg-amd64-disk-kvm.img | active |
| da9923a8-ac4b-4036-ac14-46264247eb27 | ubuntu-xenial-server-cloudimg-amd64-disk1.img   | active |
+--------------------------------------+-------------------------------------------------+--------+
Authentication using cURL

You can also use cURL to great effect.

Example POST json files can be found in the files directory.

curl -sS -D - -H "Content-Type: application/json" --data-binary "@get-scoped-token" "http://172.16.27.211:5000/v3/auth/tokens" -o /dev/null
HTTP/1.1 201 CREATED
Content-Type: application/json
Content-Length: 5594
X-Subject-Token: OS_TOKEN
Vary: X-Auth-Token
x-openstack-request-id: req-5a0eb098-eecc-41e1-a10d-d872dc867561
Connection: close

With the about command we can pull out the value of X-Subject-Token and store it as OS_TOKEN so that we can authenticate to the various APIs supported by our service catalog.

curl -H "Accept: application/json" -H "X-Auth-Token: $OS_TOKEN" http://localhost:9292/v2/images

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

keystone_rxt-0.0.4.tar.gz (49.9 kB view details)

Uploaded Source

Built Distribution

keystone_rxt-0.0.4-py3-none-any.whl (12.0 kB view details)

Uploaded Python 3

File details

Details for the file keystone_rxt-0.0.4.tar.gz.

File metadata

  • Download URL: keystone_rxt-0.0.4.tar.gz
  • Upload date:
  • Size: 49.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.0 CPython/3.12.4

File hashes

Hashes for keystone_rxt-0.0.4.tar.gz
Algorithm Hash digest
SHA256 ee9cdc7b00b8d2b9b4ae7320a594e122a0aeeb1a970fe82d507f43c07675101d
MD5 d04e020ae974f6a9dfc8eed32271247e
BLAKE2b-256 d4175adecf5c56ab7884827feea8a67e2a974f7cc43dd70456958e491b31665c

See more details on using hashes here.

File details

Details for the file keystone_rxt-0.0.4-py3-none-any.whl.

File metadata

  • Download URL: keystone_rxt-0.0.4-py3-none-any.whl
  • Upload date:
  • Size: 12.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/5.1.0 CPython/3.12.4

File hashes

Hashes for keystone_rxt-0.0.4-py3-none-any.whl
Algorithm Hash digest
SHA256 0ab80e4b7edb9253467e5c4ce0894da7fdf3a2d3e449d5bef87f60d59f68a556
MD5 44a1f1158c7b5cf0a98cc74dbf9936db
BLAKE2b-256 634c86a76554b31153868c4f1b9a2a5aa79ae1c0ebd32ab213b2cf336e34591e

See more details on using hashes here.

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page