123 lines
4.8 KiB
ReStructuredText
123 lines
4.8 KiB
ReStructuredText
..
|
|
Copyright 2010 OpenStack Foundation
|
|
All Rights Reserved.
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
not use this file except in compliance with the License. You may obtain
|
|
a copy of the License at
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
|
|
License for the specific language governing permissions and limitations
|
|
under the License.
|
|
|
|
.. _authentication:
|
|
|
|
Authentication With Keystone
|
|
============================
|
|
|
|
Glance may optionally be integrated with Keystone. Setting this up is
|
|
relatively straightforward, as the Keystone distribution includes the
|
|
necessary middleware. Once you have installed Keystone
|
|
and edited your configuration files, newly created images will have
|
|
their `owner` attribute set to the tenant of the authenticated users,
|
|
and the `is_public` attribute will cause access to those images for
|
|
which it is `false` to be restricted to only the owner, users with
|
|
admin context, or tenants/users with whom the image has been shared.
|
|
|
|
|
|
Configuring the Glance servers to use Keystone
|
|
----------------------------------------------
|
|
|
|
Keystone is integrated with Glance through the use of middleware. The
|
|
default configuration files for both the Glance API and the Glance
|
|
Registry use a single piece of middleware called ``unauthenticated-context``,
|
|
which generates a request context containing blank authentication
|
|
information. In order to configure Glance to use Keystone, the
|
|
``authtoken`` and ``context`` middlewares must be deployed in place of the
|
|
``unauthenticated-context`` middleware. The ``authtoken`` middleware performs
|
|
the authentication token validation and retrieves actual user authentication
|
|
information. It can be found in the Keystone distribution.
|
|
|
|
.. include:: ../deprecate-registry.inc
|
|
|
|
|
|
Configuring Glance API to use Keystone
|
|
--------------------------------------
|
|
|
|
Configuring Glance API to use Keystone is relatively straight
|
|
forward. The first step is to ensure that declarations for the two
|
|
pieces of middleware exist in the ``glance-api-paste.ini``. Here is
|
|
an example for ``authtoken``::
|
|
|
|
[filter:authtoken]
|
|
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
|
|
auth_url = http://localhost:5000
|
|
project_domain_id = default
|
|
project_name = service_admins
|
|
user_domain_id = default
|
|
username = glance_admin
|
|
password = password1234
|
|
|
|
The actual values for these variables will need to be set depending on
|
|
your situation. For more information, please refer to the Keystone
|
|
`documentation`_ on the ``auth_token`` middleware.
|
|
|
|
.. _`documentation`: https://docs.openstack.org/keystonemiddleware/latest/middlewarearchitecture.html#configuration
|
|
|
|
In short:
|
|
|
|
* The ``auth_url`` variable points to the Keystone service.
|
|
This information is used by the middleware to actually query Keystone about
|
|
the validity of the authentication tokens.
|
|
* The auth credentials (``project_name``, ``project_domain_id``,
|
|
``user_domain_id``, ``username``, and ``password``) will be used to
|
|
retrieve a service token. That token will be used to authorize user
|
|
tokens behind the scenes.
|
|
|
|
Finally, to actually enable using Keystone authentication, the
|
|
application pipeline must be modified. By default, it looks like::
|
|
|
|
[pipeline:glance-api]
|
|
pipeline = versionnegotiation unauthenticated-context apiv1app
|
|
|
|
Your particular pipeline may vary depending on other options, such as
|
|
the image cache. This must be changed by replacing ``unauthenticated-context``
|
|
with ``authtoken`` and ``context``::
|
|
|
|
[pipeline:glance-api]
|
|
pipeline = versionnegotiation authtoken context apiv1app
|
|
|
|
|
|
Configuring Glance Registry to use Keystone
|
|
-------------------------------------------
|
|
|
|
.. include:: ../deprecate-registry.inc
|
|
|
|
Configuring Glance Registry to use Keystone is also relatively
|
|
straight forward. The same middleware needs to be added
|
|
to ``glance-registry-paste.ini`` as was needed by Glance API;
|
|
see above for an example of the ``authtoken`` configuration.
|
|
|
|
Again, to enable using Keystone authentication, the appropriate
|
|
application pipeline must be selected. By default, it looks like::
|
|
|
|
[pipeline:glance-registry-keystone]
|
|
pipeline = authtoken context registryapp
|
|
|
|
To enable the above application pipeline, in your main ``glance-registry.conf``
|
|
configuration file, select the appropriate deployment flavor by adding a
|
|
``flavor`` attribute in the ``paste_deploy`` group::
|
|
|
|
[paste_deploy]
|
|
flavor = keystone
|
|
|
|
.. note::
|
|
If your authentication service uses a role other than ``admin`` to identify
|
|
which users should be granted admin-level privileges, you must define it
|
|
in the ``admin_role`` config attribute in both ``glance-registry.conf`` and
|
|
``glance-api.conf``.
|