Our tools noticed that keystone links to https://docs.openstack.org/keystone/latest/admin/identity-domain-specific-config.html which does not exist anymore. The page was removed but the link to it was not changed. Replace this and similar links with internal links that will work even if files are moved - and can be verified, thus sphinx will error in case of broken targets. These changes include a few other fixes for broken keystone links, e.g. to renamed anchors. For the include files in admin/configuration.rst and admin/federation/configure_federation.rst: Rename them to *inc. The files were published twice (as separate files and on this page) and thus referencing failed. Renaming avoids this. Also, put doctree outside of html tree so that it does not get published. Change-Id: I3d07637b0046cc88a66bcb51a0a4fe7c146c1549
3.9 KiB
Authentication Plugins
Note
This feature is only supported by keystone for the Identity API v3 clients.
Keystone supports authentication plugins and they are specified in
the [auth]
section of the configuration file. However, an
authentication plugin may also have its own section in the configuration
file. It is up to the plugin to register its own configuration
options.
methods
- comma-delimited list of authentication plugin names<plugin name>
- specify the class which handles to authentication method, in the same manner as one would specify a backend driver.
Keystone provides three authentication methods by default.
password
handles password authentication and
token
handles token authentication. external
is used in conjunction with authentication performed by a container web
server that sets the REMOTE_USER
environment variable. For
more details, refer to External Authentication
<../admin/external-authentication>
.
How to Implement an Authentication Plugin
All authentication plugins must extend the keystone.auth.plugins.base.AuthMethodHandler
class
and implement the authenticate()
method. The
authenticate()
method expects the following parameters.
context
- keystone's request contextauth_payload
- the content of the authentication for a given methodauth_context
- user authentication context, a dictionary shared by all plugins. It containsmethod_names
andbind
by default.method_names
is a list andbind
is a dictionary.
If successful, the authenticate()
method must provide a
valid user_id
in auth_context
and return
None
. method_name
is used to convey any
additional authentication methods in case authentication is for
re-scoping. For example, if the authentication is for re-scoping, a
plugin must append the previous method names into
method_names
.
If authentication requires multiple steps, the
authenticate()
method must return the payload in the form
of a dictionary for the next authentication step.
If authentication is unsuccessful, the authenticate()
method must raise a keystone.exception.Unauthorized
exception.
Simply add the new plugin name to the methods
list along
with your plugin class configuration in the [auth]
sections
of the configuration file to deploy it.
If the plugin requires additional configurations, it may register its own section in the configuration file.
Plugins are invoked in the order in which they are specified in the
methods
attribute of the authentication
request body. If multiple plugins are invoked, all plugins must succeed
in order to for the entire authentication to be successful. Furthermore,
all the plugins invoked must agree on the user_id
in the
auth_context
.
The REMOTE_USER
environment variable is only set from a
containing webserver. However, to ensure that a user must go through
other authentication mechanisms, even if this variable is set, remove
external
from the list of plugins specified in
methods
. This effectively disables external authentication.
For more details, refer to External Authentication
<../admin/external-authentication>
.