2b198a8009
This commit introduces OpenID Connect (OIDC) authentication
support to the DCManager API, allowing requests to be authenticated
using either Keystone tokens or OIDC tokens.
Behavior overview:
- The REST API will authenticate using Keystone when the
`X-Auth-Token` header is provided (existing behavior).
- When the `OIDC-Token` header is provided, OIDC authentication
is performed instead.
- If both tokens are present, default to Keystone authentication.
For OIDC authentication:
- The REST API retrieves OIDC IDP configuration parameters from
`system service-parameters` under `kube-apiserver`:
- `oidc-issuer-url`
- `oidc-client-id`
- `oidc-username-claim`
- `oidc-groups-claim`
- If OIDC parameters are not configured, authentication fails
with an unauthenticated response.
- If configured, the REST API validates the OIDC token with the
IDP issuer and extracts claims.
- OIDC arguments and claims are cached.
- External users and groups are mapped to internal
Project+Role tuples based on StarlingX rolebindings.
Test Plan:
PASS: Authenticate REST API requests with Keystone (`X-Auth-Token`).
PASS: Authenticate REST API requests with OIDC (`OIDC-Token`).
PASS: Verify Keystone is used when both tokens are present.
PASS: Verify unauthenticated response when OIDC parameters are
missing.
PASS: Validate token claims and role mappings are applied correctly.
PASS: Confirm cached tokens continue to authorize during temporary
IDP connectivity loss.
PASS: Force to OIDC token validation to return claims as None and verify
the api returns a NotAuthorized exception.
Depends-On: https://review.opendev.org/c/starlingx/integ/+/970455
Story: 2011646
Task: 53594
Change-Id: I830084fcad9b6413477e703514325030c7dc58a2
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
47 lines
1.5 KiB
Plaintext
47 lines
1.5 KiB
Plaintext
# The order of packages is significant, because pip processes them in the order
|
|
# of appearance. Changing the order has an impact on the overall integration
|
|
# process, which may cause wedges in the gate later.
|
|
|
|
babel!=2.4.0,>=2.3.4 # BSD
|
|
eventlet # MIT
|
|
keyring # MIT
|
|
keystonemiddleware>=4.12.0 # Apache-2.0
|
|
kubernetes # Apache-2.0
|
|
netaddr!=0.7.16,>=0.7.13 # BSD
|
|
oslo.concurrency>=3.29.1 # Apache-2.0
|
|
oslo.config>=4.0.0 # Apache-2.0
|
|
oslo.context>=2.14.0 # Apache-2.0
|
|
oslo.db>=4.21.1 # Apache-2.0
|
|
oslo.i18n!=3.15.2,>=2.1.0 # Apache-2.0
|
|
oslo.log>=3.22.0 # Apache-2.0
|
|
oslo.messaging!=5.25.0,>=5.24.2 # Apache-2.0
|
|
oslo.middleware>=3.27.0 # Apache-2.0
|
|
oslo.policy>=1.17.0 # Apache-2.0
|
|
oslo.rootwrap>=5.0.0 # Apache-2.0
|
|
oslo.serialization>=1.10.0 # Apache-2.0
|
|
oslo.service>=1.10.0 # Apache-2.0
|
|
oslo.utils>=3.20.0 # Apache-2.0
|
|
oslo.versionedobjects>=1.17.0 # Apache-2.0
|
|
paste # MIT
|
|
pbr!=2.1.0,>=2.0.0 # Apache-2.0
|
|
pecan!=1.0.2,!=1.0.3,!=1.0.4,!=1.2,>=1.0.0 # BSD
|
|
psutil # BSD
|
|
pycrypto>=2.6 # Public Domain
|
|
python-openstackclient!=3.10.0,>=3.3.0 # Apache-2.0
|
|
python-barbicanclient>=4.5.2
|
|
python-neutronclient>=6.3.0 # Apache-2.0
|
|
python-cinderclient>=2.1.0 # Apache-2.0
|
|
python-novaclient>=7.1.0 # Apache-2.0
|
|
python-keystoneclient>=3.8.0 # Apache-2.0
|
|
redfish # BSD
|
|
requests!=2.12.2,!=2.13.0,>=2.10.0 # Apache-2.0
|
|
requests_toolbelt # Apache-2.0
|
|
retrying!=1.3.0,>=1.2.3 # Apache-2.0
|
|
routes>=2.3.1 # MIT
|
|
sh # MIT
|
|
sqlalchemy!=1.1.5,!=1.1.6,!=1.1.7,!=1.1.8,>=1.0.10 # MIT
|
|
sqlalchemy-migrate>=0.11.0 # Apache-2.0
|
|
webob>=1.7.1 # MIT
|
|
oic
|
|
pyjwkest
|