Add warning about using `external` with federation

Using both the `external` authentication method and a federation method (such as saml2, etc) can result in conflicts [1] [1] http://docs.openstack.org/developer/keystone/external-auth.html#configuration Change-Id: Ifb95d779d48c14a4fa24a26d016151edf409d760 Related-Bug: #1657978
2017-01-20 16:00:17 -08:00 · 2017-01-20 16:00:17 -08:00 · a551b94dd7
parent 0a4ca273ae
commit a551b94dd7
1 changed files with 5 additions and 1 deletions
--- a/keystone/conf/auth.py
+++ b/keystone/conf/auth.py
@ -20,7 +20,11 @@ methods = cfg.ListOpt(
    'methods',
    default=constants._DEFAULT_AUTH_METHODS,
    help=utils.fmt("""
-Allowed authentication methods.
+Allowed authentication methods. Note: You should disable the `external` auth
+method if you are currently using federation. External auth and federation
+both use the REMOTE_USER variable. Since both the mapped and external plugin
+are being invoked to validate attributes in the request environment, it can
+cause conflicts.
 """))

 password = cfg.StrOpt(  # nosec : This is the name of the plugin, not