Addressing Somik's comment.
authorSalvatore Orlando <salvatore.orlando@eu.citrix.com>
Wed, 24 Aug 2011 19:57:08 +0000 (20:57 +0100)
committerSalvatore Orlando <salvatore.orlando@eu.citrix.com>
Wed, 24 Aug 2011 19:57:08 +0000 (20:57 +0100)
README
etc/quantum.conf
etc/quantum.conf.keystone [deleted file]
quantum/common/authentication.py

diff --git a/README b/README
index be695302aef41c5548b3ff05c76bab892094ad1d..83d293be0790469df534897d58de406d0bd9182b 100644 (file)
--- a/README
+++ b/README
@@ -89,6 +89,32 @@ Created a new Virtual Network with ID:e754e7c0-a8eb-40e5-861a-b182d30c3441
 Requests to Quantum API are authenticated with the Keystone identity service
 using a token-based authentication protocol. 
 
+1) Enabling Authentication and Authorization
+The Keystone identity service is a requirement. It must be installed, although
+not necessarily on the same machine where Quantum is running; both Keystone's
+admin API and service API should be running
+
+Authentication and Authorization middleware should be enabled in the Quantum
+pipeline. To this aim, uncomment the following line in /etc/quantum.conf:
+
+pipeline = authN authZ extensions quantumapiapp
+
+The final step concerns configuring access to Keystone. The following attributes
+must be specified in the [filter:authN] section of quantum.conf:
+
+auth_host                      IP address or host name of the server where Keystone is running
+auth_port                      Port where the Keystone Admin API is listening
+auth_protocol          Protocol used for communicating with Keystone (http/https)
+auth_version           Keystone API version (default: 2.0)
+auth_admin_token       Keystone token for administrative access
+auth_admin_user                Keystone user with administrative rights
+auth_admin_password Password for the user specified with auth_admin_user
+
+NOTE: aut_admin_token and auth_admin_user/password are exclusive. 
+If both are specified, auth_admin_token has priority.
+
+2) Authenticating and Authorizing request for Quantum API 
+
 A user should first authenticate with Keystone, supplying user credentials;
 the Keystone service will return an authentication token, together with
 informations concerning token expirations and endpoint where that token can
index ab63496390f0c10331e76b98a1bd66fa2d7d5dff..05856094e574d4c3417487672dfe42b91d0a4eb5 100644 (file)
@@ -20,10 +20,10 @@ use = egg:Paste#urlmap
 /v0.1: quantumapi
 
 [pipeline:quantumapi]
-# To disable keystone integration comment the following line and
-# uncomment the next one
-pipeline = authN authZ extensions quantumapiapp
-#pipeline = extensions quantumapiapp
+# To enable keystone integration uncomment the following line and
+# comment the next one
+#pipeline = authN authZ extensions quantumapiapp
+pipeline = extensions quantumapiapp
 
 
 [filter:authN]
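Review bot: The new default `pipeline = extensions quantumapiapp` leaves both authN and authZ out of the pipeline, so an install that keeps this file unchanged answers Quantum API requests without any Keystone check. The comment above it only explains how to enable the integration and does not say what the default implies. I'd add something like `# WARNING: with the pipeline below the API accepts unauthenticated requests; enable authN authZ before exposing it to untrusted networks`. If this default is meant for development setups only, saying so in the file would help operators who copy it into a deployment.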
@@ -32,10 +32,9 @@ auth_host = 127.0.0.1
 auth_port = 5001
 auth_protocol = http
 auth_version = 2.0
-# Not sure the admin token thing is right...
-#admin_token = 9a82c95a-99e9-4c3a-b5ee-199f6ba7ff04
-admin_user = admin
-admin_password = secrete
+#auth_admin_token = 9a82c95a-99e9-4c3a-b5ee-199f6ba7ff04
+auth_admin_user = admin
+auth_admin_password = secrete
 
 [filter:authZ]
 paste.filter_factory = quantum.common.authorization:filter_factory
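Review bot: `auth_admin_password = secrete` and the commented `auth_admin_token` line keep concrete-looking credentials in the sample config, and with `auth_protocol = http` the admin credentials would presumably travel to Keystone unencrypted if the defaults are kept. Whether these values match any real deployment is not visible here, but obvious placeholders would be safer, e.g. `auth_admin_password = <keystone-admin-password>`. A comment recommending `https` whenever Keystone is not on the same host would also help. Since the file holds an administrative password, it is worth noting that it should be readable only by the Quantum service user.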
diff --git a/etc/quantum.conf.keystone b/etc/quantum.conf.keystone
deleted file mode 100644 (file)
index 8b5dca0..0000000
+++ /dev/null
@@ -1,46 +0,0 @@
-[DEFAULT]
-# Show more verbose log output (sets INFO log level output)
-verbose = True
-
-# Show debugging output in logs (sets DEBUG log level output)
-debug = True
-
-# Address to bind the API server
-bind_host = 0.0.0.0
-
-# Port the bind the API server to
-bind_port = 9696
-
-# Path to the extensions
-api_extensions_path = extensions
-
-[composite:quantum]
-use = egg:Paste#urlmap
-/: quantumversions
-/v0.1: quantumapi
-
-[pipeline:quantumapi]
-pipeline = authN authZ extensions quantumapiapp
-
-[filter:authN]
-paste.filter_factory = quantum.common.authentication:filter_factory
-auth_host = 127.0.0.1
-auth_port = 5001
-auth_protocol = http
-auth_version = 2.0
-# Not sure the admin token thing is right...
-#admin_token = 9a82c95a-99e9-4c3a-b5ee-199f6ba7ff04
-admin_user = admin
-admin_password = secrete
-
-[filter:authZ]
-paste.filter_factory = quantum.common.authorization:filter_factory
-
-[filter:extensions]
-paste.filter_factory = quantum.common.extensions:plugin_aware_extension_middleware_factory
-
-[app:quantumversions]
-paste.app_factory = quantum.api.versions:Versions.factory
-
-[app:quantumapiapp]
-paste.app_factory = quantum.api:APIRouterV01.factory
index 6f849249bb4e5d2d99107f11e9eafec1bbd0726d..280db361137966091ccd0f076364eeedb4938ef8 100755 (executable)
@@ -110,9 +110,9 @@ class AuthProtocol(object):
         LOG.debug("AUTH SERVICE LOCATION:%s", self.auth_location)
         # Credentials used to verify this component with the Auth service since
         # validating tokens is a priviledged call
-        self.admin_user = conf.get('admin_user')
-        self.admin_password = conf.get('admin_password')
-        self.admin_token = conf.get('admin_token')
+        self.admin_user = conf.get('auth_admin_user')
+        self.admin_password = conf.get('auth_admin_password')
+        self.admin_token = conf.get('auth_admin_token')
 
     def _build_token_uri(self, claims=None):
         uri = "/v" + self.auth_api_version + "/tokens" + \
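Review bot: The three `conf.get('auth_admin_*')` lookups have no fallback to the old `admin_user`/`admin_password`/`admin_token` keys, so a config written before this rename would leave all three attributes `None`, and nothing in the visible lines reports it. Either accept the old names for a transition, e.g. `self.admin_user = conf.get('auth_admin_user', conf.get('admin_user'))`, or fail at start-up when neither a token nor a user/password pair is configured. The README states that the token takes priority over user/password; that precedence is not visible in this hunk, so a short comment here stating it would help. The constructor begins above the hunk and `_build_token_uri` continues below it.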