Difference between revisions of "Nova/AuthManagerSpec"
< Nova
m (Text replace - "NovaSpec" to "NovaSpec") |
|||
| (15 intermediate revisions by 3 users not shown) | |||
| Line 1: | Line 1: | ||
| − | + | ||
| − | * '''Launchpad Entry''': | + | * '''Launchpad Entry''': NovaSpec:finalize-nova-auth |
* '''Created''': May 12, 2011 | * '''Created''': May 12, 2011 | ||
| − | * '''Contributors''': Brian | + | * '''Contributors''': Brian Lamar, Brian Waldon |
== Summary == | == Summary == | ||
| − | [[OpenStack]] needs an authentication | + | [[OpenStack]] needs an authentication service which will allow for centralization of authentication credentials. Currently we are investigating Keystone for such a system: |
| − | + | * '''Author(s):''' John Eo, Khaled Hussein, Ziad Sawalha, and more... | |
| − | + | * '''Version Control:''' https://github.com/rackspace/keystone | |
== User stories == | == User stories == | ||
| − | As a deployer of Nova, I want to use Keystone | + | As a deployer of Nova, I want to use Keystone to store authentication credentials. |
| − | As a deployer of Nova, I want to use the existing | + | As a deployer of Nova, I want to use the existing [[OpenStack]] authentication credentials. |
As a deployer of Nova, I want it to be painless to transition an existing deployment from the existing database into Keystone. | As a deployer of Nova, I want it to be painless to transition an existing deployment from the existing database into Keystone. | ||
== Implementation == | == Implementation == | ||
| + | |||
| + | '''All references to [[OpenStack]] API refer, more specifically, to the [[OpenStack]] Nova API.''' | ||
=== Phase 1 === | === Phase 1 === | ||
| − | [[ | + | {{http://wiki.openstack.org/Nova/AuthManagerSpec?action=[[AttachFile]]&do=get&target=auth_phase1.png}} |
| + | |||
| + | ==== Description of Phase 1 Items ==== | ||
| + | |||
| + | * '''Keystone [[OpenStack]] API Authentication Middleware''': This middleware will field incoming OSAPI API requests, validate their token, and pass the request on to the [[OpenStack]] API service. This middleware does not have the ability to generate new tokens, only to authenticate existing tokens. A user must retrieve a token directly from Keystone before making this request. | ||
| + | * '''Keystone EC2 API Authentication Middleware''': This middleware will field incoming EC2 API requests, validate their signature, and pass the request on to the [[OpenStack]] EC2 service. | ||
| + | * '''Authentication Migration Middleware''': This middleware will field pre-authenticated requests from a Keystone-compatible service and ensure that the authenticated user exists in the [[OpenStack]] Nova authentication database. If the user does not exist, it will be created to allow for a smooth transition period. | ||
| + | |||
| + | === Steps to Complete Phase 1 === | ||
| + | |||
| + | # Creation/completion of "[[OpenStack]] API Authentication Middlware" (potentially alternatively called "Token Authentication Middleware" in Keystone. | ||
| + | # Creation/completion of "EC2 API Authentication Middleware" in Keystone. | ||
| + | # Creation of "Authentication Migration Middleware" in [[OpenStack]] Nova. | ||
| − | === | + | === Phase 2 === |
| − | + | The first phase was more centered around creating a good migration plan for moving authentication to Keystone. Phase 2 deals with the nova code migration. Much of the current authentication code in [[OpenStack]] Nova will be able to be removed and Keystone library calls will replace the existing authentication code. | |
| − | + | # Replace nova.auth:[[AuthManager]] internals with keystone library calls for authentication. | |
| − | [[ | + | # Remove existing Nova authentication middleware and replace it with references to keystone's authentication middleware in Nova's paste deployment file. |
Latest revision as of 23:31, 17 February 2013
- Launchpad Entry: NovaSpec:finalize-nova-auth
- Created: May 12, 2011
- Contributors: Brian Lamar, Brian Waldon
Contents
Summary
OpenStack needs an authentication service which will allow for centralization of authentication credentials. Currently we are investigating Keystone for such a system:
- Author(s): John Eo, Khaled Hussein, Ziad Sawalha, and more...
- Version Control: https://github.com/rackspace/keystone
User stories
As a deployer of Nova, I want to use Keystone to store authentication credentials.
As a deployer of Nova, I want to use the existing OpenStack authentication credentials.
As a deployer of Nova, I want it to be painless to transition an existing deployment from the existing database into Keystone.
Implementation
All references to OpenStack API refer, more specifically, to the OpenStack Nova API.
Phase 1
{{http://wiki.openstack.org/Nova/AuthManagerSpec?action=AttachFile&do=get&target=auth_phase1.png}}
Description of Phase 1 Items
- Keystone OpenStack API Authentication Middleware: This middleware will field incoming OSAPI API requests, validate their token, and pass the request on to the OpenStack API service. This middleware does not have the ability to generate new tokens, only to authenticate existing tokens. A user must retrieve a token directly from Keystone before making this request.
- Keystone EC2 API Authentication Middleware: This middleware will field incoming EC2 API requests, validate their signature, and pass the request on to the OpenStack EC2 service.
- Authentication Migration Middleware: This middleware will field pre-authenticated requests from a Keystone-compatible service and ensure that the authenticated user exists in the OpenStack Nova authentication database. If the user does not exist, it will be created to allow for a smooth transition period.
Steps to Complete Phase 1
- Creation/completion of "OpenStack API Authentication Middlware" (potentially alternatively called "Token Authentication Middleware" in Keystone.
- Creation/completion of "EC2 API Authentication Middleware" in Keystone.
- Creation of "Authentication Migration Middleware" in OpenStack Nova.
Phase 2
The first phase was more centered around creating a good migration plan for moving authentication to Keystone. Phase 2 deals with the nova code migration. Much of the current authentication code in OpenStack Nova will be able to be removed and Keystone library calls will replace the existing authentication code.
- Replace nova.auth:AuthManager internals with keystone library calls for authentication.
- Remove existing Nova authentication middleware and replace it with references to keystone's authentication middleware in Nova's paste deployment file.
