Nova/AuthManagerSpec

  • Launchpad Entry: NovaSpec:finalize-nova-auth
  • Created: May 12, 2011
  • Contributors: Brian Lamar, Brian Waldon

Summary

OpenStack needs an authentication service that allows authentication credentials to be centralized. Currently we are investigating Keystone for such a system.

User stories

As a deployer of Nova, I want to use Keystone to store authentication credentials.

As a deployer of Nova, I want to use the existing OpenStack authentication credentials.

As a deployer of Nova, I want it to be painless to transition an existing deployment from the existing database into Keystone.

Implementation

All references to OpenStack API refer, more specifically, to the OpenStack Nova API.

Phase 1

[Figure: Phase 1 architecture diagram (auth_phase1.png): http://wiki.openstack.org/Nova/AuthManagerSpec?action=AttachFile&do=get&target=auth_phase1.png]

Description of Phase 1 Items

  • Keystone OpenStack API Authentication Middleware: This middleware fields incoming OpenStack API (OSAPI) requests, validates the token each request carries, and passes the request on to the OpenStack API service. It cannot generate new tokens; it only authenticates existing ones, so a user must obtain a token directly from Keystone before making such a request.
  • Keystone EC2 API Authentication Middleware: This middleware fields incoming EC2 API requests, validates their signatures, and passes the request on to the OpenStack EC2 service.
  • Authentication Migration Middleware: This middleware fields pre-authenticated requests from a Keystone-compatible service and ensures that the authenticated user exists in the OpenStack Nova authentication database. If the user does not exist, it is created, allowing for a smooth transition period.

Steps to Complete Phase 1

  1. Creation/completion of "OpenStack API Authentication Middleware" (potentially also called "Token Authentication Middleware") in Keystone.
  2. Creation/completion of "EC2 API Authentication Middleware" in Keystone.
  3. Creation of "Authentication Migration Middleware" in OpenStack Nova.
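The following is an added illustration of how the two Phase 1 middleware items above fit together in a WSGI pipeline; it is not Keystone's or Nova's own code. The token store, user table, header name and environ keys are constructed stand-ins, not real Keystone or Nova interfaces.

```python
from typing import Callable, Dict, Optional

# Constructed stand-in for Keystone's token store (token -> user); the middleware
# only reads it and never mints tokens, matching the Phase 1 description.
KEYSTONE_TOKENS: Dict[str, str] = {"tok-alice": "alice"}
# Constructed stand-in for Nova's own user table (user -> record).
NOVA_USERS: Dict[str, dict] = {}

def token_auth_middleware(app: Callable, tokens: Dict[str, str]) -> Callable:
    """Keystone-side middleware: validate an existing X-Auth-Token, else 401."""
    def wsgi(environ, start_response):
        user = tokens.get(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if user is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"missing or invalid token"]
        environ["keystone.user"] = user  # marks the request as pre-authenticated
        return app(environ, start_response)
    return wsgi

def auth_migration_middleware(app: Callable, users: Dict[str, dict]) -> Callable:
    """Nova-side migration shim: create the local user record if it is missing."""
    def wsgi(environ, start_response):
        user = environ.get("keystone.user")
        if user is None:  # fail closed: never create users for unauthenticated calls
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"request was not pre-authenticated"]
        users.setdefault(user, {"name": user, "migrated": True})
        return app(environ, start_response)
    return wsgi

def nova_api(environ, start_response):
    """Stand-in for the OpenStack Nova API service behind the pipeline."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [f"hello {environ['keystone.user']}".encode()]

def call(app: Callable, token: Optional[str]) -> tuple:
    """Drive a WSGI app with one constructed request; returns (status, body)."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/servers"}
    if token is not None:
        environ["HTTP_X_AUTH_TOKEN"] = token
    status = []
    body = app(environ, lambda s, h: status.append(s))
    return status[0], b"".join(body).decode()

# Pipeline in paste order: Keystone token check, then Nova migration shim, then the API.
PIPELINE = token_auth_middleware(auth_migration_middleware(nova_api, NOVA_USERS), KEYSTONE_TOKENS)
```

A request with an unknown token is rejected before the migration shim ever runs, so no local user record is created for it.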

Phase 2

The first phase centered on a sound migration plan for moving authentication to Keystone. Phase 2 deals with migrating the Nova code itself: much of the current authentication code in OpenStack Nova can be removed, with Keystone library calls replacing it.

  1. Replace the internals of nova.auth:AuthManager with Keystone library calls for authentication.
  2. Remove the existing Nova authentication middleware and replace it with references to Keystone's authentication middleware in Nova's paste deployment file.