Thanks Jason for the idea.

I am not sure how good an idea it is to run two endpoints for quantum
- one with 'noauth' and one with 'keystone'.
If you have seen any such use case with other services please let me know.

Nova defines two pipelines: 'noauth' and 'keystone' and it chooses
between them using the 'auth_strategy' flag
in nova.conf.
So a similar approach in our case could be to change the
"composite:quantum" and route the requests made from 'do_request' to a
different url. Currently the call looks something like:
" Quantum Client Request: POST /v1.1/tenants/default/networks.json "

So the calls made from client.py could be changed to something like
" Quantum Client Request: POST /nova-manage/v1.1/tenants/default/networks.json"
and in "composite:quantum" the requests to "/nova-manage/" could be
routed to an app with "noauth" in the front.

This is not perfect but I think this will get the ball rolling and
enable authN so that we can proceed with authZ until we
figure out the Nova + Quantum issue.

Please share your views.


Thanks,
Deepak


On Mon, Mar 19, 2012 at 11:47 PM, Jason Kölker <jkoel...@rackspace.com> wrote:
> On Mon, 2012-03-19 at 22:41 +0530, Deepak Garg wrote:
>> Hi All,
>>
>> Basic AuthZ + AuthN was implemented at
>> https://review.openstack.org/#change,1322 but was lost in the Keystone
>> redux baseline.
>> However most of the work is included in the generic auth_token.py in
>> the keystone tree which is used by all projects for token
>> verification.
>> Enabling AuthN in Quantum needs simple changes in the conf file.
>> But when $ nova-manage network cmds are used, it fails because of
>> authorization error: http://paste.openstack.org/show/10961/
>> It's because nova-manage doesn't accept tokens, probably because it's
>> only meant to be on the server side and not client side.
>> One solution to this is to write a middleware to be included before authN.
>>
>> Glance doesn't run into this issue because there are no image related
>> nova-manage cmds.
>> Please post any other solution/suggestions.
>
> Yea this is all going to have to change soon. Right now the only option
> is to run another quantum endpoint for nova to hit that is running
> without keystone in front of it. Essentially in "noauth" mode.
>
> At the summit I think we are going to talk about the integration pieces
> of Nova + Quantum + (Melange being merged with quantum).
>
> Happy Hacking!
>
> 7-11
>
>
> --
> Mailing list: https://launchpad.net/~netstack
> Post to     : netstack@lists.launchpad.net
> Unsubscribe : https://launchpad.net/~netstack
> More help   : https://help.launchpad.net/ListHelp



-- 

Deepak Garg,
Data Center and Cloud Div.
Citrix R&D, India
Skype-id: deepakgarg.iit
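
Added example, not part of the original message and not Quantum, Nova or Keystone code: a minimal WSGI sketch of the routing proposed at the top of this message, where a "/nova-manage" prefix goes to the API with no auth in front and everything else passes a token check. It assumes the composite dispatches by URL prefix the way Paste's urlmap does; the app, the middleware, the token value and the requests are constructed stand-ins.

```python
VALID_TOKENS = {"constructed-token-123"}  # constructed sample value

def quantum_api(environ, start_response):
    """Hypothetical stand-in for the API app: echoes the path it served."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("served " + environ["PATH_INFO"]).encode()]

def token_auth(app):
    """Hypothetical stand-in for a token filter: no known X-Auth-Token, no access."""
    def middleware(environ, start_response):
        if environ.get("HTTP_X_AUTH_TOKEN") not in VALID_TOKENS:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required"]
        return app(environ, start_response)
    return middleware

def prefix_router(routes):
    """Longest-prefix dispatch, the way a urlmap-style composite picks an app."""
    ordered = sorted(routes.items(), key=lambda kv: len(kv[0]), reverse=True)
    def router(environ, start_response):
        path = environ.get("PATH_INFO", "")
        for prefix, app in ordered:
            p = prefix.rstrip("/")
            if path == p or path.startswith(p + "/"):
                # The matched prefix moves to SCRIPT_NAME, so the app sees
                # the same /v1.1/... path on both routes.
                child = dict(environ, PATH_INFO=path[len(p):],
                             SCRIPT_NAME=environ.get("SCRIPT_NAME", "") + p)
                return app(child, start_response)
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"not found"]
    return router

composite = prefix_router({
    "/nova-manage": quantum_api,   # "noauth" in front
    "/": token_auth(quantum_api),  # token check in front
})

def request(path, token=None):
    """Drive the composite with a constructed request; return (status, body)."""
    environ = {"REQUEST_METHOD": "POST", "PATH_INFO": path, "SCRIPT_NAME": ""}
    if token:
        environ["HTTP_X_AUTH_TOKEN"] = token
    seen = {}
    def start_response(status, headers):
        seen["status"] = status
    body = b"".join(composite(environ, start_response))
    return seen["status"], body.decode()
```

In this sketch the prefixed route returns 200 with no token for any client that can reach the listener, so the "/nova-manage" route is only as restricted as the network path to it.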
