OpenStack x509 tokenless authentication

I would like to implement tokenless authorization according to:

My goal is to obtain the Fernet token using the x509 certificate. After configuration, according to the first link, you can test the functionality with:

curl -v -k -s -X GET --cert /<PATH>/x509client.crt \
     --key /<PATH>/x509client.key \
     --cacert /<PATH>/ca.crt \
     -H "X-Project-Name: <PROJECT-NAME>" \
     -H "X-Project-Domain-Id: <PROJECT-DOMAIN-ID>" \
     -H "X-Subject-Token: <TOKEN>" \
     https://<HOST>:<PORT>/v3/auth/tokens

It seems that authentication succeeds, while there is a problem acquiring the token. On the other hand, in the example HTTP request, a token is sent for validation. In this case, is it possible to acquire the token using the x509 certificate, without having any token beforehand?

I am sending two logs (keystone.log). The first reports "You are not authorized to perform the requested action: identity:validate_token." In fact, the user has member permissions in the corresponding project.

2023-12-20 09:54:27.416 696 DEBUG keystone.common.tokenless_auth [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] The IdP Id 5f4d72545fd6571e186bcd2b5b595525bfdb1c213346f295d3f64967fd5ba195 and protocol Id x509 are used to look up the mapping. get_mapped_user /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/tokenless_auth.py:110
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}], 'remote': [{'type': 'SSL_CLIENT_S_DN_CN'}]}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:540
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] updating a direct mapping: ['testtls'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:867
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'id': '83dbbc36a16d4f57b1258da8ea74e20c'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] identity_values: [{'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:560
2023-12-20 09:54:27.431 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:562
2023-12-20 09:54:27.433 696 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: auth_context: {'user_id': 'e2eaa51c5f7f442aac677755f9147e7f', 'is_delegated_auth': False, 'project_id': '2690ddb518954770a88ac2c082967d61', 'roles': ['member', 'reader']} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:27
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:28
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] PATH_INFO: `/v3/auth/tokens` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:29
2023-12-20 09:54:27.435 696 DEBUG keystone.common.rbac_enforcer.enforcer [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorizing `identity:validate_token()` enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:449
2023-12-20 09:54:27.437 696 WARNING keystone.server.flask.application [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] You are not authorized to perform the requested action: identity:validate_token.: keystone.exception.ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.

The second log was generated after adding admin privileges to the user; the request then gets further and "No token in the request" is reported.

2023-12-20 14:13:55.582 698 DEBUG keystone.common.tokenless_auth [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] The IdP Id 5f4d72545fd6571e186bcd2b5b595525bfdb1c213346f295d3f64967fd5ba195 and protocol Id x509 are used to look up the mapping. get_mapped_user /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/tokenless_auth.py:110
2023-12-20 14:13:55.587 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}], 'remote': [{'type': 'SSL_CLIENT_S_DN_CN'}]}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:540
2023-12-20 14:13:55.587 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] updating a direct mapping: ['testtls'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:867
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'id': '83dbbc36a16d4f57b1258da8ea74e20c'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] identity_values: [{'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:560
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:562
2023-12-20 14:13:55.631 698 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: auth_context: {'user_id': 'e2eaa51c5f7f442aac677755f9147e7f', 'is_delegated_auth': False, 'project_id': '2690ddb518954770a88ac2c082967d61', 'roles': ['reader', 'admin', 'member']} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:27
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:28
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] PATH_INFO: `/v3/auth/tokens` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:29
2023-12-20 14:13:55.633 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorizing `identity:validate_token()` enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:449
2023-12-20 14:13:55.634 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorization granted enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:457
2023-12-20 14:13:55.636 698 WARNING keystone.server.flask.application [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] No token in the request: keystone.exception.TokenNotFound: No token in the request
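
Added example, not part of the original post: a small Python triage script that condenses keystone.log DEBUG lines like the two excerpts above into one summary per request id (mapped user, roles, HTTP method and path, policy rule checked, outcome). The embedded log is a constructed, abbreviated copy of the quoted lines with shortened ids; `summarize` and `SAMPLE_LOG` are names chosen for this example.

```python
import re

# Constructed sample: the two requests from the post, abbreviated (short request,
# user, project and domain ids; repeated mapping lines and source paths dropped).
SAMPLE_LOG = """\
2023-12-20 09:54:27.431 696 DEBUG keystone.federation.utils [req-1 - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': 'd1'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []}
2023-12-20 09:54:27.433 696 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-1 u1 p1 - - -] RBAC: auth_context: {'user_id': 'u1', 'is_delegated_auth': False, 'project_id': 'p1', 'roles': ['member', 'reader']}
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-1 u1 p1 - - -] REQUEST_METHOD: `GET`
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-1 u1 p1 - - -] PATH_INFO: `/v3/auth/tokens`
2023-12-20 09:54:27.435 696 DEBUG keystone.common.rbac_enforcer.enforcer [req-1 u1 p1 - - -] RBAC: Authorizing `identity:validate_token()`
2023-12-20 09:54:27.437 696 WARNING keystone.server.flask.application [req-1 u1 p1 - - -] You are not authorized to perform the requested action: identity:validate_token.: keystone.exception.ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-2 - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': 'd1'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []}
2023-12-20 14:13:55.631 698 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-2 u1 p1 - - -] RBAC: auth_context: {'user_id': 'u1', 'is_delegated_auth': False, 'project_id': 'p1', 'roles': ['reader', 'admin', 'member']}
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-2 u1 p1 - - -] REQUEST_METHOD: `GET`
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-2 u1 p1 - - -] PATH_INFO: `/v3/auth/tokens`
2023-12-20 14:13:55.633 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-2 u1 p1 - - -] RBAC: Authorizing `identity:validate_token()`
2023-12-20 14:13:55.634 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-2 u1 p1 - - -] RBAC: Authorization granted
2023-12-20 14:13:55.636 698 WARNING keystone.server.flask.application [req-2 u1 p1 - - -] No token in the request: keystone.exception.TokenNotFound: No token in the request
"""

LINE = re.compile(r"^\S+ \S+ \d+ (?P<level>\w+) \S+ \[(?P<req>req-\S+)[^\]]*\] (?P<msg>.*)$")
FIELDS = {  # summary key -> pattern applied to the message part of a log line
    "user": re.compile(r"mapped_properties: \{'user': \{'name': '([^']+)'"),
    "roles": re.compile(r"'roles': \[([^\]]*)\]"),
    "method": re.compile(r"REQUEST_METHOD: `(\w+)`"),
    "path": re.compile(r"PATH_INFO: `([^`]*)`"),
    "policy": re.compile(r"RBAC: Authorizing `([\w:]+)\(\)`"),
    "error": re.compile(r"keystone\.exception\.(\w+):"),
}

def summarize(log_text):
    """Return {request_id: summary dict} for every request found in the log text."""
    requests = {}
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        summary = requests.setdefault(m["req"], {"granted": False})
        if "RBAC: Authorization granted" in m["msg"]:
            summary["granted"] = True
        for name, pattern in FIELDS.items():
            hit = pattern.search(m["msg"])
            if hit:
                value = hit.group(1)
                summary[name] = sorted(re.findall(r"'(\w+)'", value)) if name == "roles" else value
    return requests

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Both summaries show the same mapped user reaching the `identity:validate_token` policy check on `GET /v3/auth/tokens`; the first stops at `ForbiddenAction`, the second is granted and then ends in `TokenNotFound`.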
