Openstack 无令牌 x509 身份验证

I would like to implement tokenless authorization as described in the following:

My goal is to obtain a Fernet token using an X.509 certificate. Once everything is configured, according to the first link, the functionality can be tested with the following command:

curl -v -k -s -X GET --cert /<PATH>/x509client.crt \
     --key /<PATH>/x509client.key \
     --cacert /<PATH>/ca.crt \
     -H "X-Project-Name: <PROJECT-NAME>" \
     -H "X-Project-Domain-Id: <PROJECT-DOMAIN-ID>" \
     -H "X-Subject-Token: <TOKEN>" \
     https://<HOST>:<PORT>/v3/auth/tokens

Authentication appears to proceed correctly, but there is a problem when obtaining the token. On the other hand, in the sample HTTP request a token is sent for validation. In this case, is it possible to obtain a token using an X.509 certificate without already having any token?

I am posting two logs (keystone.log). The first reports "You are not authorized to perform the requested action: identity:validate_token", even though the user actually has the member role on the corresponding project.

2023-12-20 09:54:27.416 696 DEBUG keystone.common.tokenless_auth [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] The IdP Id 5f4d72545fd6571e186bcd2b5b595525bfdb1c213346f295d3f64967fd5ba195 and protocol Id x509 are used to look up the mapping. get_mapped_user /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/tokenless_auth.py:110
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}], 'remote': [{'type': 'SSL_CLIENT_S_DN_CN'}]}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:540
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] updating a direct mapping: ['testtls'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:867
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.429 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] local: {'id': '83dbbc36a16d4f57b1258da8ea74e20c'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 09:54:27.430 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] identity_values: [{'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:560
2023-12-20 09:54:27.431 696 DEBUG keystone.federation.utils [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:562
2023-12-20 09:54:27.433 696 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: auth_context: {'user_id': 'e2eaa51c5f7f442aac677755f9147e7f', 'is_delegated_auth': False, 'project_id': '2690ddb518954770a88ac2c082967d61', 'roles': ['member', 'reader']} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:27
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:28
2023-12-20 09:54:27.434 696 DEBUG keystone.server.flask.request_processing.req_logging [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] PATH_INFO: `/v3/auth/tokens` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:29
2023-12-20 09:54:27.435 696 DEBUG keystone.common.rbac_enforcer.enforcer [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorizing `identity:validate_token()` enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:449
2023-12-20 09:54:27.437 696 WARNING keystone.server.flask.application [req-7bd8dc4a-360a-412e-8bf1-4dbdfa07a53c e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] You are not authorized to perform the requested action: identity:validate_token.: keystone.exception.ForbiddenAction: You are not authorized to perform the requested action: identity:validate_token.

The second log was produced after adding the admin role to the user; the request then gets further and "No token in the request" is reported.

2023-12-20 14:13:55.582 698 DEBUG keystone.common.tokenless_auth [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] The IdP Id 5f4d72545fd6571e186bcd2b5b595525bfdb1c213346f295d3f64967fd5ba195 and protocol Id x509 are used to look up the mapping. get_mapped_user /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/tokenless_auth.py:110
2023-12-20 14:13:55.587 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] rules: [{'local': [{'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}], 'remote': [{'type': 'SSL_CLIENT_S_DN_CN'}]}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:540
2023-12-20 14:13:55.587 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] updating a direct mapping: ['testtls'] _verify_all_requirements /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:867
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'user': {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.588 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'name': '{0}', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] direct_maps: [['testtls']] _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:743
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] local: {'id': '83dbbc36a16d4f57b1258da8ea74e20c'} _update_local_mapping /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:744
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] identity_values: [{'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}}] process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:560
2023-12-20 14:13:55.589 698 DEBUG keystone.federation.utils [req-34dee54a-90bc-4c7f-b49f-667e3219b92b - - - - -] mapped_properties: {'user': {'name': 'testtls', 'domain': {'id': '83dbbc36a16d4f57b1258da8ea74e20c'}, 'type': 'local'}, 'group_ids': [], 'group_names': [], 'projects': []} process /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/federation/utils.py:562
2023-12-20 14:13:55.631 698 DEBUG keystone.server.flask.request_processing.middleware.auth_context [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: auth_context: {'user_id': 'e2eaa51c5f7f442aac677755f9147e7f', 'is_delegated_auth': False, 'project_id': '2690ddb518954770a88ac2c082967d61', 'roles': ['reader', 'admin', 'member']} fill_context /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/middleware/auth_context.py:478
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] REQUEST_METHOD: `GET` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:27
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] SCRIPT_NAME: `` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:28
2023-12-20 14:13:55.632 698 DEBUG keystone.server.flask.request_processing.req_logging [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] PATH_INFO: `/v3/auth/tokens` log_request_info /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/server/flask/request_processing/req_logging.py:29
2023-12-20 14:13:55.633 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorizing `identity:validate_token()` enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:449
2023-12-20 14:13:55.634 698 DEBUG keystone.common.rbac_enforcer.enforcer [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] RBAC: Authorization granted enforce_call /var/lib/kolla/venv/lib/python3.8/site-packages/keystone/common/rbac_enforcer/enforcer.py:457
2023-12-20 14:13:55.636 698 WARNING keystone.server.flask.application [req-34dee54a-90bc-4c7f-b49f-667e3219b92b e2eaa51c5f7f442aac677755f9147e7f 2690ddb518954770a88ac2c082967d61 - - -] No token in the request: keystone.exception.TokenNotFound: No token in the request
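The following is an added example, not code from the original post and not Keystone's own implementation. It re-creates in plain Python the two steps that the posted log shows succeeding before the failure: the IdP id lookup (the 64-character hex id is the SHA-256 of the client certificate's issuer DN, as keystone.common.tokenless_auth derives it) and the evaluation of the x509 mapping rule that turns SSL_CLIENT_S_DN_CN into the local user "testtls". The mod_ssl environment, the trusted-issuer list and the rule set are constructed for the example (the real log's id 5f4d7254... was computed from a different issuer DN, so the hash here will not match it), and the rule evaluator is deliberately reduced to direct maps plus any_one_of / not_any_of; Keystone's real mapping engine also supports regex, blacklist and whitelist options that are omitted here.

```python
"""Tokenless x509 steps from the posted keystone.log, re-created for illustration
(example code, not Keystone): IdP id derivation and mapping-rule evaluation."""
import hashlib
from typing import Any, Optional

# Constructed WSGI environment as mod_ssl populates it after a successful
# client-certificate handshake (SSLOptions +StdEnvVars). All values are made up.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_I_DN": "CN=example-ca,O=Example,C=US",   # issuer DN (hashed into the IdP id)
    "SSL_CLIENT_S_DN": "CN=testtls,O=Example,C=US",      # subject DN
    "SSL_CLIENT_S_DN_CN": "testtls",                     # subject CN used by the mapping
}

# Rules in the shape of the 'rules:' debug line of the log: the subject CN is a
# direct map that fills '{0}' in the local user definition.
SAMPLE_RULES = [{
    "local": [{"user": {"name": "{0}",
                        "domain": {"id": "83dbbc36a16d4f57b1258da8ea74e20c"},
                        "type": "local"}}],
    "remote": [{"type": "SSL_CLIENT_S_DN_CN"}],
}]

# Stand-in for [tokenless_auth] trusted_issuer in keystone.conf (assumed value).
TRUSTED_ISSUERS = ["CN=example-ca,O=Example,C=US"]


def idp_id_from_env(env: dict, issuer_attribute: str = "SSL_CLIENT_I_DN") -> str:
    """IdP id the way keystone.common.tokenless_auth builds it: sha256 hex of the issuer DN."""
    issuer = env.get(issuer_attribute)
    if issuer is None:
        raise KeyError(f"{issuer_attribute} not in environment; check SSLOptions +StdEnvVars")
    return hashlib.sha256(issuer.encode("utf-8")).hexdigest()


def issuer_is_trusted(env: dict, trusted: list) -> bool:
    """The certificate must verify and its issuer DN must be in the trusted_issuer list."""
    return env.get("SSL_CLIENT_VERIFY") == "SUCCESS" and env.get("SSL_CLIENT_I_DN") in trusted


def _fill(obj: Any, direct_maps: list) -> Any:
    """Substitute '{0}', '{1}', ... placeholders throughout a 'local' rule fragment."""
    if isinstance(obj, str):
        return obj.format(*direct_maps)
    if isinstance(obj, dict):
        return {k: _fill(v, direct_maps) for k, v in obj.items()}
    if isinstance(obj, list):
        return [_fill(v, direct_maps) for v in obj]
    return obj


def map_user(env: dict, rules: list) -> Optional[dict]:
    """First rule whose 'remote' requirements all match yields mapped_properties."""
    for rule in rules:
        direct_maps = []
        for remote in rule["remote"]:
            value = env.get(remote["type"])
            if value is None:
                break                                   # attribute absent: rule does not match
            if "any_one_of" in remote:
                if value not in remote["any_one_of"]:
                    break
            elif "not_any_of" in remote:
                if value in remote["not_any_of"]:
                    break
            else:
                direct_maps.append(value)               # plain entry: positional direct map
        else:
            mapped = {"user": None, "group_ids": [], "group_names": [], "projects": []}
            for local in rule["local"]:
                local = _fill(local, direct_maps)
                if "user" in local:
                    mapped["user"] = local["user"]
                if "group" in local:
                    mapped["group_names"].append(local["group"])
            if mapped["user"] is not None:
                return mapped
    return None


def tokenless_context(env: dict, rules: list, trusted: list) -> dict:
    """What tokenless auth establishes for *this* request: an identity, not a token."""
    if not issuer_is_trusted(env, trusted):
        raise PermissionError("client certificate issuer is not a trusted issuer")
    mapped = map_user(env, rules)
    if mapped is None:
        raise PermissionError("no mapping rule matched the certificate attributes")
    return {"idp_id": idp_id_from_env(env), "protocol_id": "x509", "user": mapped["user"]}


if __name__ == "__main__":
    ctx = tokenless_context(SAMPLE_ENV, SAMPLE_RULES, TRUSTED_ISSUERS)
    print(ctx["idp_id"], ctx["protocol_id"], ctx["user"]["name"])
```

Two practical checks follow from this. First, the identity provider registered in Keystone must have exactly the id that `idp_id_from_env` produces for the DN string mod_ssl exports (the DN format, RFC 2253 versus the legacy slash-separated style, changes the hash), so compare the id in the "used to look up the mapping" log line with the one computed from your CA's issuer DN. Second, what this flow yields is the auth_context visible in the log, not a token: the request in both logs went to GET /v3/auth/tokens, which is Keystone's validate-token endpoint and expects the token to check in X-Subject-Token, hence the identity:validate_token policy check and, once that check passes, TokenNotFound.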
