Nova/AuthManagerSpec

Revision as of 19:28, 13 May 2011 by Brian (talk)
  • Launchpad Entry: NovaSpec:finalize-nova-auth
  • Created: May 12, 2011
  • Contributors: Brian Waldon, Brian Lamar

Summary

OpenStack needs an authentication service which will allow for centralization of authentication credentials. Currently we are investigating Keystone for such a system:

User stories

As a deployer of Nova, I want to use Keystone to store authentication credentials.

As a deployer of Nova, I want to use the existing OpenStack authentication credentials.

As a deployer of Nova, I want it to be painless to transition an existing deployment from the existing database into Keystone.

Implementation

All references to OpenStack API refer, more specifically, to the OpenStack Nova API.

Phase 1

{{http://wiki.openstack.org/Nova/AuthManagerSpec?action=AttachFile&do=get&target=auth_phase1.png}}

Description of Phase 1 Items

  • Keystone OpenStack API Authentication Middleware: This middleware will field incoming OpenStack API requests, validate their tokens, and pass the requests on to the OpenStack API service. This middleware cannot generate new tokens; it can only authenticate existing ones.
  • Keystone EC2 API Authentication Middleware: This middleware will field incoming EC2 API requests, validate their signature, and pass the request on to the OpenStack EC2 service.
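
The token-validating middleware described above, as an added Python WSGI example that is not Keystone or Nova code. The class name, the `validate_token` callable, the `HTTP_X_AUTHENTICATED_USER` environ key and the token table are assumptions made for illustration, as is the use of the `X-Auth-Token` header to carry the token.

```python
# Added illustration; every name below is hypothetical, not Keystone's API.
TOKEN_HEADER = "HTTP_X_AUTH_TOKEN"          # WSGI key for the X-Auth-Token header
IDENTITY_KEY = "HTTP_X_AUTHENTICATED_USER"  # assumed key for the validated identity


class TokenAuthMiddleware:
    """Validate an existing token, then pass the request to the wrapped app."""

    def __init__(self, app, validate_token):
        self.app = app
        # validate_token(token) -> user id or None; stands in for the
        # lookup against the central credential store.
        self.validate_token = validate_token

    def __call__(self, environ, start_response):
        # Drop any identity the client asserted itself, so the downstream
        # API only ever sees a value set by this middleware.
        environ.pop(IDENTITY_KEY, None)
        token = environ.get(TOKEN_HEADER, "").strip()
        user = self.validate_token(token) if token else None
        if user is None:
            # Validation only: no token is issued here; the caller must
            # obtain one from the authentication service.
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"Unauthorized"]
        environ[IDENTITY_KEY] = user
        return self.app(environ, start_response)


def osapi_app(environ, start_response):
    """Constructed stand-in for the OpenStack API service."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("hello " + environ[IDENTITY_KEY]).encode()]


CONSTRUCTED_TOKENS = {"tok-123": "alice"}  # constructed sample data


def call(environ):
    """Drive the middleware once; return (status, body) for inspection."""
    seen = {}

    def start_response(status, headers):
        seen["status"] = status

    app = TokenAuthMiddleware(osapi_app, CONSTRUCTED_TOKENS.get)
    body = b"".join(app(dict(environ), start_response))
    return seen["status"], body
```

Stripping the identity key before validation matters because the API service behind the middleware trusts that value without re-checking the token.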

Steps to Complete Phase 1

  1. Creation/completion of "OpenStack API Authentication Middleware" (potentially alternatively called "Token Authentication Middleware") in Keystone.
  2. Creation/completion of "EC2 API Authentication Middleware" in Keystone.
  3. Creation of "Authentication Migration Middleware" in OpenStack Nova.
  4. Ensure Keystone is using OpenStack-compatible libraries for its WSGI/API interface.

Phase 2

Looking ahead to Phase 2, much of the current authentication code in OpenStack can be removed, with Keystone library calls replacing it.