Authentication strategy

asked 2013-03-08 20:13:06 -0500

weslley-bueno gravatar image


I'm using the Essex release and I have a question about the 'auth_strategy' option in 'nova.conf'. I need to disable the authentication process through Keystone (I will use another authentication system), so when I set the option to 'noauth' or 'deprecated', I'm unable to run any service from nova (list, image-list etc). Sometimes I get 'Malformed request url (HTTP 400)'[1] some others I get 'Unable to authorize user'[2]. Running through some topics here, I found some similar issues (1 and 2), but I could not solve my problem with the suggestions, since they were not in my problem's context.

I am assuming that disabling the authentication process by Keystone, I will be able to use the nova services without any credentials (with Glance I was able to do that, without provide any credentials). Is there really any way I could do that on Nova?

Thanks! Weslley

edit retag flag offensive close merge delete

3 answers

Sort by ยป oldest newest most voted

answered 2013-03-16 10:17:22 -0500

keith-tobin gravatar image

If it dose not get called, you can just edit the past.ini and force it in the place of the authmiddleware.

edit flag offensive delete link more

answered 2013-03-10 13:32:03 -0500

keith-tobin gravatar image

Openstack is mead up of many components, nova is just one. If you set the auth_strategy in nova you are just affecting nova. At this point nova wil not authenticate but the other components will. I am near sure that setting auth_strategy to no auth will just cause nova to select between no auth and keystone sections of the api_past.ini file

[composite:openstack_compute_api_v2] use = call:nova.api.auth:pipeline_factory noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2 keystone = faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2 keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2

The problem is this is only one place where authention comes into play, most all services calling other services calling API,s will authenticate with keystone and the call the service like glance, cinder, quantum, swift, etc, where that service will verify with keystone that the authentication is valid, this is what the above past.ini file is configuring the wsgi to load and use keystone or not. Other services also have past.ini files to configure the validation of a user incoming token that the caller has passed.

To replace or turn off keystone has to happen in all components.

If you have any further questions, the are welcome.

edit flag offensive delete link more

answered 2013-03-10 14:38:52 -0500

weslley-bueno gravatar image

Thanks for the attention. I will keep searching for these other components. Running through the source code I found where occurs the call for the authentication module, but I could not successfuly modify it to far. Anyway, thanks for the answer. Any further answers will be appreciated.

Another question, here in the api-paste.ini it says that nova should call the NoAuthMiddleware module (if auth_strategy=noauth), am I right?

[filter:noauth] paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory

The thing is that it does not call it at all. It keeps calling the AuthMiddleware. Anyone knows why?

As soon as I find a solution, I'll post it here. If I do not, I'll let you know and close the topic.

Thanks again.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2013-03-08 20:13:06 -0500

Seen: 168 times

Last updated: Mar 16 '13