Ask Your Question

Authentication and Authorization for Quantum

asked 2012-11-26 01:57:13 -0600

We know that for the latest Quantum Folsom version, the Keystone is enabled by default as the Authentication and Authorization service for Quantum. I am right now investigating other alternatives for Authentication and Authorization if we do not use Keystone.

We also know that we can use both the Quantum CLI tool and HTTP REST API to do the same things with Quantum(Quantum CLI tool in fact a wrapper to call HTTP REST API). Therefore, if I disable the Keystone from the Quantum configuration file but still want to equip Quantum with user Authentication and Authorization, I know that I can act as the ADMIN role with Quantum CLI tool to use Quantum on behalf of all other users with some existing authentication alternatives such as PAM. By using PAM, we can control the access of the ADMIN user with use of Quantum CLI tool. However, if we want to use the HTTP REST API directly, I have no idea right now of how to do the Authentication for each user from the REST call.

For Authorization, I have not gotten the chance to have an investigation of what other alternatives can be used for Quantum, either using Quantum CLI tool or using HTTP REST API directly, if we will not use Keystone.

Hope i can get some insights for the topic above here. Thank you in advance.

edit retag flag offensive close merge delete

1 answer

Sort by ยป oldest newest most voted

answered 2012-11-26 03:26:19 -0600

gongysh gravatar image

for API: authn, you can replace composite:quantumapi_v2_0 in api-paste.ini [composite:quantumapi_v2_0] use = call:quantum.auth:pipeline_factory noauth = extensions quantumapiapp_v2_0 keystone = authtoken keystonecontext extensions quantumapiapp_v2_0 authz: if your authn can return roles right, it will pass the policy check.

for CLI, u can provide --os-auth-strategy <auth-strategy> Authentication strategy (Env: OS_AUTH_STRATEGY, default keystone). For now, any other value will disable the authentication --os-auth-url <auth-url> Authentication URL (Env: OS_AUTH_URL) as long as it can provide service catalog right.

edit flag offensive delete link more

Get to know Ask OpenStack

Resources for moderators

Question Tools

1 follower


Asked: 2012-11-26 01:57:13 -0600

Seen: 49 times

Last updated: Nov 26 '12