Jump to: navigation, search

Nova/AuthManagerSpec

< Nova
Revision as of 19:19, 13 May 2011 by Brian (talk)
  • Launchpad Entry: NovaSpec:finalize-nova-auth
  • Created: May 12, 2011
  • Contributors: Brian Waldon, Brian Lamar

Summary

OpenStack needs an authentication service which will allow for centralization of authentication credentials. Currently we are investigating Keystone for such a system:

User stories

As a deployer of Nova, I want to use Keystone as my authn/authz backend.

As a deployer of Nova, I want to use the existing authn/authz backend.

As a deployer of Nova, I want it to be painless to transition an existing deployment from the existing database into Keystone.

Implementation

Phase 1

{{http://wiki.openstack.org/Nova/AuthManagerSpec?action=AttachFile&do=get&target=auth_phase1.png}}

Steps to Complete Phase 1

  1. Creation/completion of "OpenStack API Authentication Middlware" (potentially alternatively called "Token Authentication Middleware" in Keystone.
  2. Creation/completion of "EC2 API Authentication Middleware" in Keystone.
  3. Creation of "Authentication Migration Middleware" in OpenStack Nova.

Phase 2

Looking ahead to Phase 2, much of the current authentication code in OpenStack will be able to be removed and keystone library calls will replace the existing authentication code. We will ensure Keystone is using compatible/standard methods for it's WSGI/API interface. Currently it is utilizing `bottle` for many WSGI tasks. Updating Keystone to use `webob`, `routes`, and other OpenStack standard WSGI libraries will greatly increase the chances of success for the project.

Retrieved from "https://wiki.openstack.org/w/index.php?title=Nova/AuthManagerSpec&oldid=4339"