Keystone authentication to public/admin port and scoped/unscoped token

asked 2014-12-14 10:31:05 -0500 by Sliter

updated 2014-12-15 21:31:39 -0500

New to OpenStack, after setting up a simple environment (controller + compute node), I am trying to learn how those components work.

My attempt (using curl) was to get a token and then get a list of tenants with that token.


To get a token, I had tried the following ways:

curl -i -X POST http://controller:PORT/v2.0/tokens -H "Content-type: application/json" -d INFO

Replacing the PORT and INFO in the above command with:

  1. PORT 5000, INFO: username, password => token 1
  2. PORT 35357, INFO: username, password => token 2
  3. PORT 5000, INFO: username, password, tenant name => token 3
  4. PORT 35357, INFO: username, password, tenant name => token 4

Note: The username is the admin user


To get a list of tenants, I had tried the following:

curl -i -X GET http://controller:PORT/v2.0/tenants -H "X-Auth-Token: TOKEN"

Replacing the PORT and TOKEN in the above command with:

  1. token 1, port 5000: only see the admin tenant
  2. token 1, port 35357: 401, requires authentication
  3. token 2, port 5000: only see the admin tenant
  4. token 2, port 35357: 401, requires authentication
  5. token 3, port 5000: only see the admin tenant
  6. token 3, port 35357: see the admin, demo and service tenants
  7. token 4, port 5000: only see the admin tenant
  8. token 4, port 35357: see the admin, demo and service tenants

My questions are:

  1. Is there any difference between the tokens returned by port 5000 and port 35357? If there is no difference, should I care which port I talk to when authentication is required?

  2. With the unscoped tokens (token 1 and token 2), why is authentication required when I try to talk to port 35357? Remember I provided the admin user credentials to get those two tokens.

  3. With the scoped tokens (token 3 and token 4), why could I only see the admin tenant when talking to port 5000, while I could see all the tenants when talking to port 35357?



Update:

Thanks @Haneef Ali for the response.

Q: 3) It should not be the case. Are you sure you are using the same token, and that the username, password and tenant are the same in both cases?

A: Yes, I used the same token and the same username, password and tenant in both cases.

My guess is that providing scoped token to port 5000 and to port 35357 maps to different rules in keystone policy.json.

[screenshot of /etc/keystone/policy.json]

Notice that there is a list_projects rule as well as a list_user_projects rule.

So when you talk to port 5000 providing any unscoped or scoped token, keystone refers to the list_user_projects rule, which accepts the operation from both admin and owner. That explains items 1, 3, 5 and 7 in the above "To get a list of tenants" section.

However, when talking to port 35357, keystone refers to the list_projects rule, which requires admin privileges. That's why in items 2 & 4 we received the 'requires authentication' message, while in items 6 & 8 it ...


1 answer


answered 2014-12-15 11:17:04 -0500 by Haneef Ali

updated 2014-12-15 23:31:26 -0500

1) No, there is no difference. Only certain operations are exposed at 5000, and all of them except one are exposed at 35357. In most cases you will be fine if you just use 35357.

2) You should be authorized to invoke any identity operation. Authorization is defined by the roles that the token has. An unscoped token doesn't have any role, so using an unscoped token you cannot invoke any operation.

3) It should not be the case. Are you sure you are using the same token, and that the username, password and tenant are the same in both cases?

Update 1:

I didn't even notice this so far. I believe it is a wrong design.

5000:/v2.0/tenants -- Maps to "get_projects_for_token". This doesn't even care about the scope of the token.

35357:/v2.0/tenants -- Maps to "get_all_tenants", which requires a scoped token.

BTW, the policy file is used only for the v3 APIs. These are v2.0 APIs, and most of the v2.0 APIs just use one line from the policy file, the "admin" definition.

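The following is an added example, not code from the question, the answer or the Keystone project. It models offline what the thread describes: the v2.0 token request body with and without tenantName, the shape of the token response (a scoped token carries a tenant block and the user's roles, an unscoped token carries neither), and the two GET /v2.0/tenants behaviours the answer names for port 5000 and port 35357. The functions issue_token, list_tenants and admin_required are hypothetical stand-ins whose behaviour is an assumption drawn from the answer, not Keystone's own handlers; USERS, TENANTS and USER_ROLES are a constructed directory in which the admin user holds the admin role only in the admin tenant, matching the asker's environment. Running it reproduces the eight outcomes in the asker's table.

```python
import secrets

# The two Keystone v2.0 ports from the question: public API and admin API.
PUBLIC_PORT = 5000
ADMIN_PORT = 35357

# Constructed directory for the offline simulation (not real Keystone data):
# the three tenants from the question, one user, and user -> tenant -> roles.
USERS = {"admin": "constructed-password"}
TENANTS = ["admin", "demo", "service"]
USER_ROLES = {"admin": {"admin": ["admin"]}}


class Unauthorized(Exception):
    """Stands in for Keystone's HTTP 401 response."""


def build_token_request(username, password, tenant_name=None):
    """Body for POST /v2.0/tokens; passing tenant_name asks for a scoped token."""
    auth = {"passwordCredentials": {"username": username, "password": password}}
    if tenant_name is not None:
        auth["tenantName"] = tenant_name
    return {"auth": auth}


def issue_token(port, request):
    """Hypothetical stand-in for POST /v2.0/tokens returning a v2.0-shaped
    response. Assumptions taken from the answer: the port does not change the
    token, an unscoped token carries no roles, and a scoped token carries the
    user's roles in the requested tenant."""
    if port not in (PUBLIC_PORT, ADMIN_PORT):
        raise ValueError("unknown Keystone port %r" % port)
    creds = request["auth"]["passwordCredentials"]
    user, password = creds["username"], creds["password"]
    if USERS.get(user) != password:
        raise Unauthorized("bad credentials")
    token = {"id": secrets.token_hex(8)}
    roles = []
    tenant = request["auth"].get("tenantName")
    if tenant is not None:
        roles = USER_ROLES.get(user, {}).get(tenant, [])
        if not roles:
            raise Unauthorized("user has no role in tenant %s" % tenant)
        token["tenant"] = {"id": "tenant-" + tenant, "name": tenant}
    user_block = {"name": user, "roles": [{"name": r} for r in roles]}
    return {"access": {"token": token, "user": user_block}}


def token_info(token_response):
    """(tenant name or None, sorted role names) from a v2.0 token response:
    the client-side check for whether a token is scoped and what it can do."""
    access = token_response["access"]
    tenant = access["token"].get("tenant")
    roles = sorted(r["name"] for r in access["user"].get("roles", []))
    return (tenant["name"] if tenant else None), roles


def admin_required(token_response):
    """The single policy.json rule the answer says v2.0 consults (role:admin);
    an unscoped token can never satisfy it because it has no roles."""
    tenant, roles = token_info(token_response)
    return tenant is not None and "admin" in roles


def list_tenants(port, token_response):
    """Emulates the two GET /v2.0/tenants handlers named in the answer."""
    if port == PUBLIC_PORT:
        # get_projects_for_token: tenants the token's user holds a role in;
        # the token's scope is ignored, so unscoped and scoped behave alike.
        user = token_response["access"]["user"]["name"]
        return sorted(USER_ROLES.get(user, {}))
    if port == ADMIN_PORT:
        # get_all_tenants: only a scoped token with the admin role passes.
        if not admin_required(token_response):
            raise Unauthorized("requires authentication")
        return list(TENANTS)
    raise ValueError("unknown Keystone port %r" % port)


def reproduce_question_table():
    """Runs the asker's four tokens against both ports; a 401 becomes '401'."""
    pw = USERS["admin"]
    tokens = {
        1: issue_token(PUBLIC_PORT, build_token_request("admin", pw)),
        2: issue_token(ADMIN_PORT, build_token_request("admin", pw)),
        3: issue_token(PUBLIC_PORT, build_token_request("admin", pw, "admin")),
        4: issue_token(ADMIN_PORT, build_token_request("admin", pw, "admin")),
    }
    results = {}
    for n, tok in tokens.items():
        for port in (PUBLIC_PORT, ADMIN_PORT):
            try:
                results[(n, port)] = list_tenants(port, tok)
            except Unauthorized:
                results[(n, port)] = "401"
    return results


if __name__ == "__main__":
    for (n, port), outcome in sorted(reproduce_question_table().items()):
        print("token %d, port %d: %s" % (n, port, outcome))
```

The point the simulation makes visible is the one the answer gives: the port a token was requested from is irrelevant, what matters is whether the token is scoped and therefore carries roles. Port 5000 answers from the user's role assignments without consulting the token's scope, so every token shows only the admin tenant, while port 35357 checks the admin rule and rejects tokens 1 and 2 outright.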