OpenStack tokenless x509 authentication


I want to implement tokenless authentication according to the following.

My goal is to obtain a fernet token using an x509 certificate. After configuration, following the first link, I can test the functionality with:

curl -v -k -s -X GET --cert /<PATH>/x509client.crt \
     --key /<PATH>/x509client.key \
     --cacert /<PATH>/ca.crt \
     -H "X-Project-Name: <PROJECT-NAME>" \
     -H "X-Project-Domain-Id: <PROJECT-DOMAIN-ID>" \
     -H "X-Subject-Token: <TOKEN>" \
     https://<HOST>:<PORT>/v3/auth/tokens

Authentication seems to proceed correctly, but there seems to be a problem with obtaining the token. On the other hand, in the example HTTP request a token is sent for validation. In this case, is it possible to obtain a token using an x509 certificate without already having a token?

I am attaching two logs (keystone.log). The first reports You are not authorized to perform the requested action: identity:validate_token. In fact, he does have the member role on that project.

2023-12-20 09:54:27.416 696 DEBUG keystone.common.tokenless_auth [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] The IdP Id 5f4d72545fd6571e186bcd2b5b595525bfdb1c213346f295d3f64967fd5ba195 and protocol Id x509 are used to look up the mapping. get_mapped_user /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/tokenless_auth.py:110
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}], 'remote': [{'type': 'SSL_CLIENT_S_DN_CN'}]}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:540
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] updating a direct mapping: ['testtls'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:867
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'id': '83dbbc36a16d4f57b1258da8ea74e20c'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] identity_values: [{'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:560
2023-12-20 09:54:27.431 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:562
2023-12-20 09:54:27.433 696 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: auth_context: {'user_id': 'e2eaa51c5f7f442aac677755f9147e7f', 'is_delegated_auth': False, 'project_id': '2690ddb518954770a88ac2c082967d61', 'roles': ['member', 'reader']} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:27
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:28
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] PATH_INFO: `/v3/auth/tokens` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:29
2023-12-20 09:54:27.435 696 DEBUG keystone.common.rbac_enforcer.enforcer [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorizing `identity:validate_token()` enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:449
2023-12-20 09:54:27.437 696 WARNING keystone.server.flask.application [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] You are not authorized to perform the requested action: identity:validate_token.: keystone.exception.ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.

The second log was generated after adding the admin role to the user, and it still reports No token in the request.

2023-12-20 14:13:55.582 698 DEBUG keystone.common.tokenless_auth [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] The IdP Id 5f4d72545fd6571e186bcd2b5b595525bfdb1c213346f295d3f64967fd5ba195 and protocol Id x509 are used to look up the mapping. get_mapped_user /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/tokenless_auth.py:110
2023-12-20 14:13:55.587 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}], 'remote': [{'type': 'SSL_CLIENT_S_DN_CN'}]}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:540
2023-12-20 14:13:55.587 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] updating a direct mapping: ['testtls'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:867
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'id': '83dbbc36a16d4f57b1258da8ea74e20c'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] identity_values: [{'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:560
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:562
2023-12-20 14:13:55.631 698 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: auth_context: {'user_id': 'e2eaa51c5f7f442aac677755f9147e7f', 'is_delegated_auth': False, 'project_id': '2690ddb518954770a88ac2c082967d61', 'roles': ['reader', 'admin', 'member']} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:27
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:28
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] PATH_INFO: `/v3/auth/tokens` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:29
2023-12-20 14:13:55.633 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorizing `identity:validate_token()` enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:449
2023-12-20 14:13:55.634 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorization granted enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:457
2023-12-20 14:13:55.636 698 WARNING keystone.server.flask.application [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] No token in the request: keystone.exception.TokenNotFound: No token in the request
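The debug lines above trace keystone's federation mapping step for the tokenless request: the mapping rule (rules: ...) is evaluated against the TLS attributes the front end exported, SSL_CLIENT_S_DN_CN becomes the direct map ['testtls'], the '{0}' placeholder in the local part is filled, and the result is printed as mapped_properties. The 64-character IdP Id on the first line is the SHA-256 hex digest of the issuer attribute ([tokenless_auth] issuer_attribute, SSL_CLIENT_I_DN by default), which is what the identity provider's remote-id must match. The following Python is an added illustration of exactly that step; it is not keystone's own code and not part of the original post. The rule set is copied from the posted log, while the request environment (the CN and issuer DN values) is constructed for the example, and only the 'user' local type is handled, so group_ids, group_names and projects stay empty just as they do in the log.

```python
import hashlib
from typing import Any, Dict, List, Optional

# Mapping rule copied verbatim from the 'rules:' debug line in the posted keystone.log.
RULES = [
    {
        "local": [
            {"user": {"name": "{0}",
                      "domain": {"id": "83dbbc36a16d4f57b1258da8ea74e20c"},
                      "type": "local"}}
        ],
        "remote": [{"type": "SSL_CLIENT_S_DN_CN"}],
    }
]

# Constructed request environment standing in for the variables a TLS-terminating
# front end (e.g. mod_ssl) exports to keystone. The issuer DN here is invented.
SAMPLE_ENV = {
    "SSL_CLIENT_S_DN_CN": "testtls",
    "SSL_CLIENT_I_DN": "CN=example-ca,O=example",
}


def idp_id_from_env(env: Dict[str, str], issuer_attribute: str = "SSL_CLIENT_I_DN") -> Optional[str]:
    """IdP Id as keystone derives it for tokenless auth: SHA-256 hex digest of the
    issuer attribute. The identity provider's remote-id has to equal this value."""
    issuer = env.get(issuer_attribute)
    if issuer is None:
        return None
    return hashlib.sha256(issuer.encode("utf-8")).hexdigest()


def assertion_from_env(env: Dict[str, str]) -> Dict[str, List[str]]:
    """Each environment value is treated as a ';'-separated list of values."""
    return {k: v.split(";") for k, v in env.items()}


class DirectMaps:
    """'{n}' expands to the lone value when the n-th remote attribute carried exactly
    one value, otherwise to the whole list (the log shows direct_maps: [['testtls']])."""

    def __init__(self) -> None:
        self._maps: List[List[str]] = []

    def add(self, values: List[str]) -> None:
        self._maps.append(values)

    def __len__(self) -> int:
        return len(self._maps)

    def __getitem__(self, idx: int) -> Any:
        v = self._maps[idx]
        return v[0] if len(v) == 1 else v


def verify_requirements(remote_reqs: List[dict], assertion: Dict[str, List[str]]) -> Optional[DirectMaps]:
    """Every 'remote' entry must be satisfied. A plain entry (no any_one_of / not_any_of)
    becomes a positional direct map; None means the rule does not apply."""
    direct = DirectMaps()
    for req in remote_reqs:
        values = assertion.get(req["type"])
        if values is None:
            return None  # required attribute absent from the TLS environment
        if "any_one_of" in req:
            if not any(v in req["any_one_of"] for v in values):
                return None
        elif "not_any_of" in req:
            if any(v in req["not_any_of"] for v in values):
                return None
        else:
            direct.add(values)
    return direct


def update_local(local: Any, direct: DirectMaps) -> Any:
    """Recursively substitute '{n}' placeholders in the local part of a rule."""
    if isinstance(local, dict):
        return {k: update_local(v, direct) for k, v in local.items()}
    if isinstance(local, list):
        return [update_local(v, direct) for v in local]
    if isinstance(local, str):
        return local.format(*[direct[i] for i in range(len(direct))])
    return local


def process_mapping(rules: List[dict], env: Dict[str, str]) -> Optional[dict]:
    """Return mapped_properties as the log prints them, or None when no rule matched
    (keystone then rejects the request rather than mapping a user)."""
    assertion = assertion_from_env(env)
    identity_values = []
    for rule in rules:
        direct = verify_requirements(rule["remote"], assertion)
        if direct is None:
            continue
        identity_values.extend(update_local(item, direct) for item in rule["local"])
    if not identity_values:
        return None
    mapped = {"user": {}, "group_ids": [], "group_names": [], "projects": []}
    for item in identity_values:
        if "user" in item:
            mapped["user"] = item["user"]  # groups/projects intentionally not handled here
    return mapped


if __name__ == "__main__":
    print("IdP Id:", idp_id_from_env(SAMPLE_ENV))
    print("mapped_properties:", process_mapping(RULES, SAMPLE_ENV))
    print("no CN:", process_mapping(RULES, {"SSL_CLIENT_I_DN": "CN=example-ca,O=example"}))
```

Running it prints the same user dict that the 'mapped_properties:' line shows, and a None for a certificate whose CN is missing, which is the case where keystone refuses to map a user at all. Note that the mapping only yields a user; the auth_context line in the log shows the roles being resolved afterwards from the X-Project-Name / X-Project-Domain-Id headers, and the PATH_INFO / enforcer lines show that GET /v3/auth/tokens is authorized under the identity:validate_token policy.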
