Doc update on enabled external auth and federation

By default the external auth is enabled and can cause user_id conflict when REMOTE_USER is set due to the fact that federation uses REMOTE_USER as well. Therefore, the docs were updated to advise users against using both external auth and federation on the same sequence. Closes-Bug: #1563454 Change-Id: I193f78ae0ad0232471b725d5700870c349703310
2016-07-07 17:54:49 +00:00 · 2016-07-07 17:54:49 +00:00 · 82c7b8bedc
parent 46b76a3d8e
commit 82c7b8bedc
1 changed files with 21 additions and 0 deletions
--- a/doc/source/external-auth.rst
+++ b/doc/source/external-auth.rst
@ -37,6 +37,27 @@ provided by Keystone:
  the domain for the user. If this variable is not present, the configured
  default domain will be used. The ``REMOTE_USER`` variable is the username.

+.. CAUTION::
+
+    You should disable the external auth method if you are currently using
+    federation. External auth and federation both use the ``REMOTE_USER``
+    variable. Since both the mapped and external plugin are being invoked to
+    validate attributes in the request environment, it can cause conflicts.
+
+    For example, imagine there are two distinct users with the same username
+    `foo`, one in the `Default` domain while the other is in the `BAR` domain.
+    The external Federation modules (i.e. mod_shib) sets the ``REMOTE_USER``
+    attribute to `foo`. The external auth module also tries to set the
+    ``REMOTE_USER`` attribute to `foo` for the `Default` domain. The
+    federated mapping engine maps the incoming identity to `foo` in the `BAR`
+    domain. This results in user_id conflict since both are using different
+    user_ids to set `foo` in the `Default` domain and the `BAR` domain.
+
+    To disable this, simply remove `external` from the `methods` option in
+    `keystone.conf`::
+
+       methods = external,password,token,oauth1
+
 Using HTTPD authentication
 ==========================