
I would like to implement tokenless authorization as described in the following:
My goal is to obtain Fernet tokens with an x509 certificate. After the configuration, according to the first link, the functionality can be tested with the following:
curl -v -k -s -X GET --cert /<PATH>/x509client.crt \
--key /<PATH>/x509client.key \
--cacert /<PATH>/ca.crt \
-H "X-Project-Name: <PROJECT-NAME>" \
-H "X-Project-Domain-Id: <PROJECT-DOMAIN-ID>" \
-H "X-Subject-Token: <TOKEN>" \
https://<HOST>:<PORT>/v3/auth/tokens
It seems that the authentication runs correctly, although there is a problem retrieving the token. On the other hand, in the example HTTP request a token is sent for validation. In this case, is it possible to obtain the token using an x509 certificate without having a token beforehand?
I am attaching two logs (keystone.log). The first one reports You are not authorized to perform the requested action: identity:validate_token. In fact, the user has member permissions in the corresponding project.
2023-12-20 09:54:27.416 696 DEBUG keystone.common.tokenless_auth [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] The IdP Id 5f4d72545fd6571e186bcd2b5b595525bfdb1c213346f295d3f64967fd5ba195 and protocol Id x509 are used to look up the mapping. get_mapped_user /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/tokenless_auth.py:110
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}], 'remote': [{'type': 'SSL_CLIENT_S_DN_CN'}]}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:540
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] updating a direct mapping: ['testtls'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:867
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'id': '83dbbc36a16d4f57b1258da8ea74e20c'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] identity_values: [{'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:560
2023-12-20 09:54:27.431 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:562
2023-12-20 09:54:27.433 696 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: auth_context: {'user_id': 'e2eaa51c5f7f442aac677755f9147e7f', 'is_delegated_auth': False, 'project_id': '2690ddb518954770a88ac2c082967d61', 'roles': ['member', 'reader']} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:27
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:28
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] PATH_INFO: `/v3/auth/tokens` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:29
2023-12-20 09:54:27.435 696 DEBUG keystone.common.rbac_enforcer.enforcer [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorizing `identity:validate_token()` enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:449
2023-12-20 09:54:27.437 696 WARNING keystone.server.flask.application [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] You are not authorized to perform the requested action: identity:validate_token.: keystone.exception.ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.
The second log was generated after adding administrator rights to the user; it then gets further, and No token in the request is reported.
2023-12-20 14:13:55.582 698 DEBUG keystone.common.tokenless_auth [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] The IdP Id 5f4d72545fd6571e186bcd2b5b595525bfdb1c213346f295d3f64967fd5ba195 and protocol Id x509 are used to look up the mapping. get_mapped_user /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/tokenless_auth.py:110
2023-12-20 14:13:55.587 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}], 'remote': [{'type': 'SSL_CLIENT_S_DN_CN'}]}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:540
2023-12-20 14:13:55.587 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] updating a direct mapping: ['testtls'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:867
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'id': '83dbbc36a16d4f57b1258da8ea74e20c'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] identity_values: [{'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:560
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:562
2023-12-20 14:13:55.631 698 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: auth_context: {'user_id': 'e2eaa51c5f7f442aac677755f9147e7f', 'is_delegated_auth': False, 'project_id': '2690ddb518954770a88ac2c082967d61', 'roles': ['reader', 'admin', 'member']} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:27
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:28
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] PATH_INFO: `/v3/auth/tokens` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:29
2023-12-20 14:13:55.633 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorizing `identity:validate_token()` enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:449
2023-12-20 14:13:55.634 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorization granted enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:457
2023-12-20 14:13:55.636 698 WARNING keystone.server.flask.application [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] No token in the request: keystone.exception.TokenNotFound: No token in the request
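The mapping step that both logs show (rules, direct_maps, identity_values, mapped_properties) is what decides which local Keystone user a presented client certificate becomes, so it is the part of tokenless authorization most worth checking. The following is an added, simplified re-implementation written for this page; it is neither Keystone's own mapping engine nor code from the question. It reproduces the single rule from the log (remote SSL_CLIENT_S_DN_CN substituted into {0}, domain id copied from the log) and, as an assumption not in the post, a stricter variant that pins the issuer DN and blacklists certain CNs. The mod_ssl attribute values are constructed. Note that the entries carrying any_one_of / not_any_of act only as filters and do not feed {n}, which is why the CN appears twice in the strict rule. The logs themselves show why the second run ends in TokenNotFound: once mapping and RBAC succeed, GET /v3/auth/tokens is the validate-token call, and it reads the token to validate from the X-Subject-Token header.

```python
"""Simplified Keystone-style federation mapping evaluator (added example).

Covers only the subset of the mapping syntax used on this page:
a 'remote' list of attribute types, optional any_one_of / not_any_of
(with optional regex), and '{n}' substitution into the 'local' section.
Remote attribute values are constructed to look like the mod_ssl
environment (SSLOptions +StdEnvVars) that Keystone reads for x509.
"""
import copy
import re

DOMAIN_ID = "83dbbc36a16d4f57b1258da8ea74e20c"  # copied from the log

LOCAL_USER = {"user": {"name": "{0}", "domain": {"id": DOMAIN_ID}, "type": "local"}}

# The rule exactly as it appears in keystone.log above.
RULES = [
    {"local": [LOCAL_USER], "remote": [{"type": "SSL_CLIENT_S_DN_CN"}]},
]

# Assumed stricter variant (not from the post): the CN is still the direct map,
# but only certificates from one issuer and with a non-privileged CN qualify.
STRICT_RULES = [
    {
        "local": [LOCAL_USER],
        "remote": [
            {"type": "SSL_CLIENT_S_DN_CN"},                                   # feeds {0}
            {"type": "SSL_CLIENT_S_DN_CN", "not_any_of": ["admin", "service"]},  # filter only
            {"type": "SSL_CLIENT_I_DN", "any_one_of": ["CN=Internal Client CA,O=Example"]},
        ],
    },
]

# Constructed mod_ssl attributes for three client certificates (invented values).
ENV_OK = {"SSL_CLIENT_S_DN_CN": "testtls", "SSL_CLIENT_I_DN": "CN=Internal Client CA,O=Example"}
ENV_OTHER_CA = {"SSL_CLIENT_S_DN_CN": "testtls", "SSL_CLIENT_I_DN": "CN=Some Other CA,O=Example"}
ENV_ADMIN_CN = {"SSL_CLIENT_S_DN_CN": "admin", "SSL_CLIENT_I_DN": "CN=Internal Client CA,O=Example"}


def _matches(req, value):
    """Evaluate one 'remote' requirement against the attribute value."""
    if value is None:
        return False
    use_regex = bool(req.get("regex"))
    if "any_one_of" in req:
        pats = req["any_one_of"]
        return any(re.search(p, value) for p in pats) if use_regex else value in pats
    if "not_any_of" in req:
        pats = req["not_any_of"]
        return not (any(re.search(p, value) for p in pats) if use_regex else value in pats)
    return True  # plain requirement: attribute only has to be present


def _substitute(obj, direct_maps):
    """Replace '{n}' placeholders in the local section with direct-map values."""
    if isinstance(obj, dict):
        return {k: _substitute(v, direct_maps) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_substitute(v, direct_maps) for v in obj]
    if isinstance(obj, str):
        return obj.format(*direct_maps)  # IndexError if a rule references a missing {n}
    return obj


def map_properties(rules, env):
    """Return a mapped_properties dict as Keystone logs it, or None if no rule matched."""
    identity_values = []
    for rule in rules:
        direct_maps, ok = [], True
        for req in rule["remote"]:
            value = env.get(req["type"])
            if not _matches(req, value):
                ok = False
                break
            if "any_one_of" not in req and "not_any_of" not in req:
                direct_maps.append(value)  # only unfiltered requirements feed {n}
        if ok:
            for local in rule["local"]:
                identity_values.append(_substitute(copy.deepcopy(local), direct_maps))
    if not identity_values:
        return None
    mapped = {"user": {}, "group_ids": [], "group_names": [], "projects": []}
    for item in identity_values:
        mapped["user"].update(item.get("user", {}))
        mapped["group_ids"].extend(item.get("group_ids", []))
        mapped["projects"].extend(item.get("projects", []))
    return mapped


if __name__ == "__main__":
    for name, env in [("ok", ENV_OK), ("other_ca", ENV_OTHER_CA), ("admin_cn", ENV_ADMIN_CN)]:
        print(name, "loose:", map_properties(RULES, env), "strict:", map_properties(STRICT_RULES, env))
```

With the loose rule every certificate the CA chain accepts maps to a local user named after its CN, including one with CN=admin; the strict variant rejects that and any certificate from another issuer before RBAC is ever consulted, which is the check to add when the mapping is created with openstack mapping create.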