From 95a76422984a7fe57b0b25ae82a584736d8c8ad4 Mon Sep 17 00:00:00 2001
From: Salvatore Orlando
Date: Wed, 24 Aug 2011 20:57:08 +0100
Subject: [PATCH] Addressing Somik's comment.
---
 README | 26 ++++++++++++++++++
 etc/quantum.conf | 15 +++++------
 etc/quantum.conf.keystone | 46 --------------------------------
 quantum/common/authentication.py | 6 ++---
 4 files changed, 36 insertions(+), 57 deletions(-)
 delete mode 100644 etc/quantum.conf.keystone
diff --git a/README b/README
index be695302a..83d293be0 100644
--- a/README
+++ b/README
@@ -89,6 +89,32 @@ Created a new Virtual Network with ID:e754e7c0-a8eb-40e5-861a-b182d30c3441 Requests to Quantum API are authenticated with the Keystone identity service using a token-based authentication protocol. +1) Enabling Authentication and Authorization +The Keystone identity service is a requirement. It must be installed, although +not necessarily on the same machine where Quantum is running; both Keystone's +admin API and service API should be running + +Authentication and Authorization middleware should be enabled in the Quantum +pipeline. To this aim, uncomment the following line in /etc/quantum.conf: + +pipeline = authN authZ extensions quantumapiapp + +The final step concerns configuring access to Keystone. The following attributes +must be specified in the [filter:authN] section of quantum.conf: + +auth_host IP address or host name of the server where Keystone is running +auth_port Port where the Keystone Admin API is listening +auth_protocol Protocol used for communicating with Keystone (http/https) +auth_version Keystone API version (default: 2.0) +auth_admin_token Keystone token for administrative access +auth_admin_user Keystone user with administrative rights +auth_admin_password Password for the user specified with auth_admin_user + +NOTE: aut_admin_token and auth_admin_user/password are exclusive. +If both are specified, auth_admin_token has priority. + +2) Authenticating and Authorizing request for Quantum API + A user should first authenticate with Keystone, supplying user credentials; the Keystone service will return an authentication token, together with informations concerning token expirations and endpoint where that token can diff --git a/etc/quantum.conf b/etc/quantum.conf index ab6349639..05856094e 100644 --- a/etc/quantum.conf +++ b/etc/quantum.conf 
@@ -20,10 +20,10 @@ use = egg:Paste#urlmap
 /v0.1: quantumapi
 [pipeline:quantumapi]
-# To disable keystone integration comment the following line and
-# uncomment the next one
-pipeline = authN authZ extensions quantumapiapp
-#pipeline = extensions quantumapiapp
+# To enable keystone integration uncomment the following line and
+# comment the next one
+#pipeline = authN authZ extensions quantumapiapp
+pipeline = extensions quantumapiapp
 [filter:authN]
@@ -32,10 +32,9 @@ auth_host = 127.0.0.1
 auth_port = 5001
 auth_protocol = http
 auth_version = 2.0
-# Not sure the admin token thing is right...
-#admin_token = 9a82c95a-99e9-4c3a-b5ee-199f6ba7ff04
-admin_user = admin
-admin_password = secrete
+#auth_admin_token = 9a82c95a-99e9-4c3a-b5ee-199f6ba7ff04
+auth_admin_user = admin
+auth_admin_password = secrete
 [filter:authZ]
 paste.filter_factory = quantum.common.authorization:filter_factory
diff --git a/etc/quantum.conf.keystone b/etc/quantum.conf.keystone
deleted file mode 100644
index 8b5dca0d9..000000000
--- a/etc/quantum.conf.keystone
+++ /dev/null
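Review bot: The shipped default in `[pipeline:quantumapi]` is now `pipeline = extensions quantumapiapp`, so the authN and authZ filters are not in the pipeline unless an operator edits the file. A default that leaves the API unauthenticated deserves a more explicit comment than "To enable keystone integration ..."; suggest adding `# WARNING: this pipeline does not authenticate or authorize API requests; enable the authN/authZ line before exposing the service beyond a trusted network`. This same patch deletes etc/quantum.conf.keystone, which was the only ready-made configuration with the filters enabled, so the README steps become the sole path to a secured setup.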
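Review bot: In `[filter:authN]`, `auth_admin_password = secrete` and the commented-out `#auth_admin_token` value stay in the default file as live-looking credentials, next to `auth_protocol = http`. An operator who only uncomments the pipeline line would end up using a well-known admin password and, presumably, sending it to Keystone unencrypted, which matters because the README text added in this patch allows Keystone to run on a different machine. Suggest a comment above these keys such as `# Example values only: replace before enabling authN, and set auth_protocol = https when Keystone is not local`.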
@@ -1,46 +0,0 @@
-[DEFAULT]
-# Show more verbose log output (sets INFO log level output)
-verbose = True
-
-# Show debugging output in logs (sets DEBUG log level output)
-debug = True
-
-# Address to bind the API server
-bind_host = 0.0.0.0
-
-# Port the bind the API server to
-bind_port = 9696
-
-# Path to the extensions
-api_extensions_path = extensions
-
-[composite:quantum]
-use = egg:Paste#urlmap
-/: quantumversions
-/v0.1: quantumapi
-
-[pipeline:quantumapi]
-pipeline = authN authZ extensions quantumapiapp
-
-[filter:authN]
-paste.filter_factory = quantum.common.authentication:filter_factory
-auth_host = 127.0.0.1
-auth_port = 5001
-auth_protocol = http
-auth_version = 2.0
-# Not sure the admin token thing is right...
-#admin_token = 9a82c95a-99e9-4c3a-b5ee-199f6ba7ff04
-admin_user = admin
-admin_password = secrete
-
-[filter:authZ]
-paste.filter_factory = quantum.common.authorization:filter_factory
-
-[filter:extensions]
-paste.filter_factory = quantum.common.extensions:plugin_aware_extension_middleware_factory
-
-[app:quantumversions]
-paste.app_factory = quantum.api.versions:Versions.factory
-
-[app:quantumapiapp]
-paste.app_factory = quantum.api:APIRouterV01.factory
diff --git a/quantum/common/authentication.py b/quantum/common/authentication.py
index 6f849249b..280db3611 100755
--- a/quantum/common/authentication.py
+++ b/quantum/common/authentication.py
@@ -110,9 +110,9 @@ class AuthProtocol(object):
 LOG.debug("AUTH SERVICE LOCATION:%s", self.auth_location)
 # Credentials used to verify this component with the Auth service since
 # validating tokens is a priviledged call
- self.admin_user = conf.get('admin_user')
- self.admin_password = conf.get('admin_password')
- self.admin_token = conf.get('admin_token')
+ self.admin_user = conf.get('auth_admin_user')
+ self.admin_password = conf.get('auth_admin_password')
+ self.admin_token = conf.get('auth_admin_token')
 def _build_token_uri(self, claims=None):
 uri = "/v" + self.auth_api_version + "/tokens" + \
--
2.45.2
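Review bot: The three `conf.get(...)` lookups now read only the `auth_`-prefixed keys, so a deployment whose config still uses `admin_user`, `admin_password` or `admin_token` gets `None` for all three with no error or log line. The comment above says these credentials back a privileged token-validation call, so a silent `None` is better replaced by a fallback such as `self.admin_user = conf.get('auth_admin_user', conf.get('admin_user'))`, or by a startup check that raises when neither the token nor the user/password pair is set. The enclosing method starts before this hunk, so whether these values are validated elsewhere is not visible here.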