This repo is a simple authentication plugin for Rackspace Global Auth that will allow an OpenStack environment to use Rackspace Global Auth as an IDP.
When the plugin is installed the password
authentication method is required, and the plugin value needs to be be set
to rxt
. Once activated, the plugin will run normally allowing both local users and remote users to authenticate to
the cloud. The RXT authentication plugin presents a federated token and conforms to the mapping authentication driver.
The answer is quite simple, Rackspace Public Cloud Identity provides a powerful set of tools which can allow folks to make use of their existing users within an OpenStack environment; additionally, this setup allows us to use OpenStack natively.
To bridge the authentication gap between Keystone and Rackspace Identity the keystone-rxt authentication driver effectively acts as a reverse proxy to Rackspace Identity and then presents the returned data as a federated token.
This plugin was inspired by the Capstone project. Process wise, Capstone and Keystone-RXT perform similar actions using Rackspace Identity as an IDP compatible with OpenStack. While Keystone-RXT was inspired by Capstone, the two projects serve different purposes.
Within this repository is an example mapping file mapping.json
which will create different users based on the roles
a user has within Rackspace Identity. This file is just an example and can be customized to meet the demands of the
OpenStack environment following the typical mapping setup. See more about Keystone Mapping and Federation
here.
Before we can do anything you need to install the plugin within your keystone environment, for development purposes
the example here is using pip
.
pip install --force --upgrade git+https://github.com/rackerlabs/keystone-rxt
This plugin is not yet on PyPi, but that will change with time.
Once the authentication plugin is installed, update your keystone.conf
to use the new password plugin named rxt
.
The configuration file entry will look something like this
[auth]
methods = password,token,application_credential
password = rxt
Take note that the
password
method is defined and that the password plugin is set to userxt
.
If you have multifactor auth enabled, and want to support users that are running work loads with it
the plugin also supports TOTP. To enable TOPT make sure totp
is in your allowed authentication
methods and that the totp
plugin is using the rxt
plugin.
[auth]
methods = password,token,application_credential,totp
password = rxt
totp = rxt
Yes, just a couple of lines is all that's required in config. After the configuration edit, be sure to restart keystone.
The [rackspace]
section can also be used in your keystone.conf
to allow you to configure how to anchor on
roles.
key | value |
---|---|
role_attribute |
A string option used as an anchor to discover roles attributed to a given user |
role_attribute_enforcement |
When set true will limit a users project to only the discovered GUID for the defined role_attribute |
Once the plugin is setup and running, everything will be operating normally. The plugin is passive until
the Keystone is informed about the identity provider and we have the rackspace_cloud_domain
created.
openstack domain create rackspace_cloud_domain
openstack identity provider create --remote-id rackspace --domain rackspace_cloud_domain rackspace
openstack mapping create --rules files/mapping.json --schema-version 2.0 rackspace_mapping
openstack federation protocol create rackspace --mapping rackspace_mapping --identity-provider rackspace
Using the plugin is no different that a typical day in the cloud. Simply authenticate using your favorite method,
just make sure you include the rackspace_cloud_domain
domain.
This setup requires a federated token to work. The clouds yaml will not pull a token by default.
clouds:
local:
auth:
auth_url: http://localhost:5000/v3
project_name: 67890_Development
project_domain_name: rackspace_cloud_domain
username: test
password: secrete
user_domain_name: rackspace_cloud_domain
region_name: RegionOne
interface: internal
identity_api_version: "3"
If you're running the CLI tools with a TOTP enabled user and you don't want to use your API key,
setup your clouds.yaml
with the following options so that it knows to run with password
and
totp
.
clouds:
rxt-local-mfa:
auth_type: "v3multifactor"
auth_methods:
- v3password
- v3totp
auth:
auth_url: http://localhost:5000/v3
project_name: 67890_Development
project_domain_name: rackspace_cloud_domain
username: test
password: secrete
user_domain_name: rackspace_cloud_domain
region_name: RegionOne
interface: internal
identity_api_version: "3"
Enabling TOTP will require you to use your one time token to run commands, this token can be defined on the CLI with the
--os-passcode
flag; for example the simple image list would look like soopenstack --os-cloud local --os-passcode 123456 image list
Once you have the clouds CLI setup, run commands normally.
openstack --os-cloud local image list
+--------------------------------------+-------------------------------------------------+--------+
| ID | Name | Status |
+--------------------------------------+-------------------------------------------------+--------+
| 6af793ec-d5d2-4a70-a284-cbbb223365f3 | debian-10-openstack-amd64.qcow2 | active |
| 4ee2c1b4-1055-40b8-ad6b-eb3c9eb7b4d7 | debian-11-genericcloud-amd64.qcow2 | active |
| f16a1332-a5fb-46d5-b2ae-caa136cf9432 | jammy-server-cloudimg-amd64-disk-kvm.img | active |
| 9e2c968c-c5b3-4a1b-9355-261fa9907e16 | ubuntu-bionic-server-cloudimg-amd64.img | active |
| 0ee7d71b-2043-49a0-b107-56ebbbcd6b95 | ubuntu-focal-server-cloudimg-amd64-disk-kvm.img | active |
| 804cc228-251c-4081-97df-f609c0e568e7 | ubuntu-jammy-server-cloudimg-amd64-disk-kvm.img | active |
| da9923a8-ac4b-4036-ac14-46264247eb27 | ubuntu-xenial-server-cloudimg-amd64-disk1.img | active |
+--------------------------------------+-------------------------------------------------+--------+
You can also use cURL
to great effect.
Example POST json files can be found in the files directory.
curl -sS -D - -H "Content-Type: application/json" --data-binary "@get-scoped-token" "http://172.16.27.211:5000/v3/auth/tokens" -o /dev/null
HTTP/1.1 201 CREATED
Content-Type: application/json
Content-Length: 5594
X-Subject-Token: OS_TOKEN
Vary: X-Auth-Token
x-openstack-request-id: req-5a0eb098-eecc-41e1-a10d-d872dc867561
Connection: close
With the about command we can pull out the value of X-Subject-Token
and store it as OS_TOKEN
so that we can
authenticate to the various APIs supported by our service catalog.
curl -H "Accept: application/json" -H "X-Auth-Token: $OS_TOKEN" http://localhost:9292/v2/images