Skip to content

Federated Keystone RXT tokens using Rackspace Global Auth

Notifications You must be signed in to change notification settings

rackerlabs/keystone-rxt

Repository files navigation

Keystone-RXT Authentication Plugin

This repo is a simple authentication plugin for Rackspace Global Auth that will allow an OpenStack environment to use Rackspace Global Auth as an IDP.

When the plugin is installed the password authentication method is required, and the plugin value needs to be be set to rxt. Once activated, the plugin will run normally allowing both local users and remote users to authenticate to the cloud. The RXT authentication plugin presents a federated token and conforms to the mapping authentication driver.

Why?

The answer is quite simple, Rackspace Public Cloud Identity provides a powerful set of tools which can allow folks to make use of their existing users within an OpenStack environment; additionally, this setup allows us to use OpenStack natively.

How?

To bridge the authentication gap between Keystone and Rackspace Identity the keystone-rxt authentication driver effectively acts as a reverse proxy to Rackspace Identity and then presents the returned data as a federated token.

Capstone Diagram

History

This plugin was inspired by the Capstone project. Process wise, Capstone and Keystone-RXT perform similar actions using Rackspace Identity as an IDP compatible with OpenStack. While Keystone-RXT was inspired by Capstone, the two projects serve different purposes.

Mapping

Within this repository is an example mapping file mapping.json which will create different users based on the roles a user has within Rackspace Identity. This file is just an example and can be customized to meet the demands of the OpenStack environment following the typical mapping setup. See more about Keystone Mapping and Federation here.


Deploying the keystone-rxt plugin.

Before we can do anything you need to install the plugin within your keystone environment, for development purposes the example here is using pip.

pip install --force --upgrade git+https://github.com/rackerlabs/keystone-rxt

This plugin is not yet on PyPi, but that will change with time.

Setup your environment

Once the authentication plugin is installed, update your keystone.conf to use the new password plugin named rxt.

The configuration file entry will look something like this

[auth]
methods = password,token,application_credential
password = rxt

Take note that the password method is defined and that the password plugin is set to use rxt.

If you have multifactor auth enabled, and want to support users that are running work loads with it the plugin also supports TOTP. To enable TOPT make sure totp is in your allowed authentication methods and that the totp plugin is using the rxt plugin.

[auth]
methods = password,token,application_credential,totp
password = rxt
totp = rxt

Yes, just a couple of lines is all that's required in config. After the configuration edit, be sure to restart keystone.

Rackspace Configurations

The [rackspace] section can also be used in your keystone.conf to allow you to configure how to anchor on roles.

key value
role_attribute A string option used as an anchor to discover roles attributed to a given user
role_attribute_enforcement When set true will limit a users project to only the discovered GUID for the defined role_attribute

Identity mapping, project, and domain setup

Once the plugin is setup and running, everything will be operating normally. The plugin is passive until the Keystone is informed about the identity provider and we have the rackspace_cloud_domain created.

Craete the domain
openstack domain create rackspace_cloud_domain
Create the identity provider
openstack identity provider create --remote-id rackspace --domain rackspace_cloud_domain rackspace
Create the mapping for our identity provider
openstack mapping create --rules files/mapping.json --schema-version 2.0 rackspace_mapping
Create the federation protocol
openstack federation protocol create rackspace --mapping rackspace_mapping --identity-provider rackspace

Using The RXT Authentication Plugin

Using the plugin is no different that a typical day in the cloud. Simply authenticate using your favorite method, just make sure you include the rackspace_cloud_domain domain.

Authentication using openstacksdk

This setup requires a federated token to work. The clouds yaml will not pull a token by default.

clouds:
  local:
    auth:
      auth_url: http://localhost:5000/v3
      project_name: 67890_Development
      project_domain_name: rackspace_cloud_domain
      username: test
      password: secrete
      user_domain_name: rackspace_cloud_domain
    region_name: RegionOne
    interface: internal
    identity_api_version: "3"

If you're running the CLI tools with a TOTP enabled user and you don't want to use your API key, setup your clouds.yaml with the following options so that it knows to run with password and totp.

clouds:
  rxt-local-mfa:
    auth_type: "v3multifactor"
    auth_methods:
      - v3password
      - v3totp
    auth:
      auth_url: http://localhost:5000/v3
      project_name: 67890_Development
      project_domain_name: rackspace_cloud_domain
      username: test
      password: secrete
      user_domain_name: rackspace_cloud_domain
    region_name: RegionOne
    interface: internal
    identity_api_version: "3"

Enabling TOTP will require you to use your one time token to run commands, this token can be defined on the CLI with the --os-passcode flag; for example the simple image list would look like so openstack --os-cloud local --os-passcode 123456 image list

Once you have the clouds CLI setup, run commands normally.

openstack --os-cloud local image list
+--------------------------------------+-------------------------------------------------+--------+
| ID                                   | Name                                            | Status |
+--------------------------------------+-------------------------------------------------+--------+
| 6af793ec-d5d2-4a70-a284-cbbb223365f3 | debian-10-openstack-amd64.qcow2                 | active |
| 4ee2c1b4-1055-40b8-ad6b-eb3c9eb7b4d7 | debian-11-genericcloud-amd64.qcow2              | active |
| f16a1332-a5fb-46d5-b2ae-caa136cf9432 | jammy-server-cloudimg-amd64-disk-kvm.img        | active |
| 9e2c968c-c5b3-4a1b-9355-261fa9907e16 | ubuntu-bionic-server-cloudimg-amd64.img         | active |
| 0ee7d71b-2043-49a0-b107-56ebbbcd6b95 | ubuntu-focal-server-cloudimg-amd64-disk-kvm.img | active |
| 804cc228-251c-4081-97df-f609c0e568e7 | ubuntu-jammy-server-cloudimg-amd64-disk-kvm.img | active |
| da9923a8-ac4b-4036-ac14-46264247eb27 | ubuntu-xenial-server-cloudimg-amd64-disk1.img   | active |
+--------------------------------------+-------------------------------------------------+--------+
Authentication using cURL

You can also use cURL to great effect.

Example POST json files can be found in the files directory.

curl -sS -D - -H "Content-Type: application/json" --data-binary "@get-scoped-token" "http://172.16.27.211:5000/v3/auth/tokens" -o /dev/null
HTTP/1.1 201 CREATED
Content-Type: application/json
Content-Length: 5594
X-Subject-Token: OS_TOKEN
Vary: X-Auth-Token
x-openstack-request-id: req-5a0eb098-eecc-41e1-a10d-d872dc867561
Connection: close

With the about command we can pull out the value of X-Subject-Token and store it as OS_TOKEN so that we can authenticate to the various APIs supported by our service catalog.

curl -H "Accept: application/json" -H "X-Auth-Token: $OS_TOKEN" http://localhost:9292/v2/images