# Converged Cloud Keystone Extensions

Repository: https://github.com/sapcc/keystone-extensions (owner sapcc, "SAP Converged Cloud Keystone Extensions"; Python; Apache-2.0 license; topics: keystone, ldap, rate-limiting; last pushed 2025-04-22).

Provides a custom identity driver, auth plugins, the lifesaver middleware and a keystone-manage-extension CLI for keystone.

The identity driver supports:

- Microsoft Active Directory as identity provider
- optional authentication fallback against an Outlook Exchange Web Service (EWS)
- optional mirroring of the EWS-validated password into AD when AD authentication fails
- merging of several user account status flags (IDM/HR, CAM) into one keystone user.enabled attribute

The keystone-manage-extension CLI provides:

- an extended bootstrap command that takes care of giving the bootstrap user domain admin permissions
- a repair_assignments command for emergency role assignment cleanup after AD objects have been deleted that still have role assignments referencing them

The auth plugins provide:

- Radius / SecurID authentication
- password authentication with optional password validation against EWS and mirroring of the externally validated password to LDAP

The lifesaver middleware protects against abusive requests and rejects requests from users that have depleted their credit.

## Installation

Install the python package into the keystone (virtual) environment:

    pip install git+https://github.com/sapcc/keystone-extensions.git

### Identity Driver

Enable keystone's [domain specific drivers](http://docs.openstack.org/developer/keystone/configuration.html#domain-specific-drivers)
and configure one or more domains to use the **cc_ldap** driver (instead of the usual sql or ldap).

The driver extends the standard keystone LDAP driver, so all [configuration
options of the LDAP driver](http://docs.openstack.org/developer/keystone/configuration.html#configuring-the-ldap-identity-provider) also apply to it.

### The cc_password, cc_radius and cc_x509 auth plugins

The Converged Cloud specific authentication logic is implemented as keystone authentication plugins.

To replace the default keystone password, external and totp auth plugins with the cc versions, override the plugin implementation in keystone.conf:

    [auth]
    password = cc_password
    totp = cc_radius
    external = cc_x509

    methods = password,token,totp

The cc_password plugin implements the cc specific password mirroring logic from GLOBAL AD via a password verification hack against the Outlook Exchange Web Service (EWS).
If password validation against AD fails, it tries to verify the same password against EWS.
If that succeeds, it is assumed that a GLOBAL password update has taken place, and the user's cc AD password is updated with the new password.

The plugin offers the following configuration settings:

    [cc_password]
    url = <your outlook exchange external web service url>
    secure = <a boolean that indicates if the certificate of above URL should be verified>

Keep `secure` enabled in production: the user's password is presented to this URL for verification, so disabling certificate verification lets an on-path attacker impersonate EWS and capture credentials.

To use the SecurID plugin, the Radius server details need to be configured in keystone.conf as well:

    [cc_radius]
    host = <your radius host>
    port = <the port number of the radius service on the host>
    secret = <the shared secret>

Single sign-on for Converged Cloud keystone consumers via an SSO client certificate is provided by the cc_x509 authentication plugin.
It authenticates by evaluating the x509 client certificate headers (HTTP_SSL_CLIENT_VERIFY and HTTP_SSL_CLIENT_CERT) of a request and validating their content.
The request should also carry an additional HTTP_X_USER_DOMAIN_ID or HTTP_X_USER_DOMAIN_NAME header to indicate which OpenStack domain should be used for the user validation.
Because these are plain request headers, the TLS-terminating proxy in front of keystone must set them itself and overwrite any values sent by the client; otherwise a client can claim a verified certificate it never presented.
To use the cc_x509 plugin, configure it in keystone.conf:

    [cc_x509]
    user_domain_id_header = HTTP_X_USER_DOMAIN_ID
    user_domain_name_header = HTTP_X_USER_DOMAIN_NAME
    trusted_issuer = CN=some common name,O=any corporate,C=CountryCode

### The lifesaver middleware

Introduces a concept of user punishment for requests that caused an error.

The cost of each error type (identified by a response status >= 400) can be configured.

A user starts with a configurable initial credit that is refilled by a configurable amount at a configurable interval.

Once a user has consumed all their credit and causes another error, their requests are blocked (rejected with a 429) until the credit has been refilled.

The middleware is configured in keystone.conf:

    [lifesaver]
    enabled = true
    # the memcached host to use
    memcached = localhost
    # a csv list of allowlisted domains
    domain_allowlist = Default, tempest
    # a csv list of allowlisted users
    user_allowlist = admin, keystone, nova, neutron, cinder, glance, designate, barbican, dashboard, manila, swift
    # a csv list of blocklisted users
    #user_blocklist =
    # initial user credit
    initial_credit = 100
    # how often do we refill credit
    refill_seconds = 60
    # and with what amount
    refill_amount = 5
    # cost of each status
    status_cost = default:1,401:10,403:5,404:0,429:0

Allowlisted users and domains are exempt from the accounting; the sample allowlist holds the service users (nova, neutron, cinder, ...) whose automated calls must never be throttled. In the sample `status_cost`, 404 and 429 responses cost 0, so a user's own rejections do not extend the block, while failed authentications (401) are the most expensive error.

The middleware is enabled by adding it to paste.ini:

    [filter:lifesaver]
    use = egg:keystone-extensions#lifesaver

    [pipeline:api_v3]
    # The last item in this pipeline must be service_v3 or an equivalent
    # application. It cannot be a filter.
    pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id lifesaver build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3

or via flask [ugly hardcoding](https://github.com/sapcc/keystone/blob/0cedc509def82d28737f9f7dfd105ec528060f18/keystone/server/flask/core.py#L76-L80).