Ask Your Question

What's the best way to have IP address ACLs with keystone?

asked 2014-11-26 05:54:57 -0600

Will Angenent gravatar image


I'd like to be able to use ACLs on IP addresses, ranges and subnets, so that customers can decide from where they are able to login from. It should be sufficient for keystone to check this at authentication time. It might be necessary to use an HTTP header such as X-Forwarded-For that may be injected by a proxy server.

Ideally it would be nice to do this without modifying keystone or having to write an authentication plugin. But I can't think of a way to do this in an efficient way without modifying keystone.

Any ideas how to make this happen?

Thanks, Will

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2014-12-02 16:54:17 -0600

mpetason gravatar image

I would recommend verifying that this isn't already a blueprint for Keystone:

If it isn't then I would recommend creating one with exactly what you are trying to accomplish. If others like the idea then it may be developed.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2014-11-26 05:54:57 -0600

Seen: 56 times

Last updated: Dec 02 '14