Authentication strategy

Asked by Weslley Morellato Bueno on 2013-03-08


I'm using the Essex release and I have a question about the 'auth_strategy' option in 'nova.conf'. I need to disable the authentication process through Keystone (I will use another authentication system), but when I set the option to 'noauth' or 'deprecated', I'm unable to run any service from nova (list, image-list etc). Sometimes I get 'Malformed request url (HTTP 400)'[1], at other times I get 'Unable to authorize user'[2]. Running through some topics here, I found some similar issues (1 and 2), but I could not solve my problem with the suggestions, since they were not in my problem's context.

I am assuming that by disabling the authentication process by Keystone, I will be able to use the nova services without any credentials (with Glance I was able to do that, without providing any credentials). Is there really any way I could do that on Nova?


Keith Tobin (keith-tobin) said : #1

OpenStack is made up of many components, nova is just one. If you set the auth_strategy in nova you are just affecting nova. At this point nova will not authenticate but the other components will. I am near sure that setting auth_strategy to no auth will just cause nova to select between the no auth and keystone sections of the api-paste.ini file

use = call:nova.api.auth:pipeline_factory
noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
keystone = faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2

The problem is that this is only one place where authentication comes into play. Almost all services calling other services' APIs will authenticate with keystone and then call the service (glance, cinder, quantum, swift, etc.), where that service will verify with keystone that the authentication is valid. This is what the above paste.ini file is configuring: whether the wsgi loads and uses keystone or not. Other services also have paste.ini files to configure the validation of the incoming user token that the caller has passed.

To replace or turn off keystone has to happen in all components.

If you have any further questions, they are welcome.

Thanks for the attention. I will keep searching for these other components. Running through the source code I found where the call for the authentication module occurs, but I could not successfully modify it so far. Anyway, thanks for the answer. Any further answers will be appreciated.

Another question, here in the api-paste.ini it says that nova should call the NoAuthMiddleware module (if auth_strategy=noauth), am I right?

paste.filter_factory = nova.api.openstack.auth:NoAuthMiddleware.factory

The thing is that it does not call it at all. It keeps calling the AuthMiddleware. Does anyone know why?

As soon as I find a solution, I'll post it here. If I do not, I'll let you know and close the topic.

Thanks again.

Keith Tobin (keith-tobin) said : #3

If it does not get called, you can just edit the paste.ini and force it in the place of the authmiddleware.
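
The pipeline selection described in answer #1, as an added example that is not part of the thread or of nova's code: it parses the composite lines quoted there and reports which filters a given auth_strategy value puts in front of the compute API, and whether the Keystone authtoken filter is among them. The section name, the function names and the handling of the `_nolimit` key (used when rate limiting is off) are assumptions.

```python
import configparser

# Constructed sample: the composite lines quoted in answer #1.
# The section name is an assumption; the thread does not show it.
SECTION = "composite:compute_api"
SAMPLE_PASTE_INI = """
[composite:compute_api]
use = call:nova.api.auth:pipeline_factory
noauth = faultwrap sizelimit noauth ratelimit osapi_compute_app_v2
keystone = faultwrap sizelimit authtoken keystonecontext ratelimit osapi_compute_app_v2
keystone_nolimit = faultwrap sizelimit authtoken keystonecontext osapi_compute_app_v2
"""


def select_pipeline(ini_text, section, auth_strategy, rate_limit=True):
    """Return (filters, app) for the pipeline keyed by auth_strategy."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(ini_text)
    conf = parser[section]
    if auth_strategy not in conf:
        # e.g. 'deprecated' has no key in the lines quoted in the thread
        raise KeyError(f"no pipeline named {auth_strategy!r} in [{section}]")
    key = auth_strategy
    # Assumption: '<strategy>_nolimit' is used when rate limiting is off.
    if not rate_limit and f"{auth_strategy}_nolimit" in conf:
        key = f"{auth_strategy}_nolimit"
    names = conf[key].split()
    return names[:-1], names[-1]  # filters wrap the app, which comes last


def audit(ini_text, section, auth_strategy, rate_limit=True):
    """Report what sits in front of the API for one auth_strategy value."""
    filters, app = select_pipeline(ini_text, section, auth_strategy, rate_limit)
    return {
        "app": app,
        "filters": filters,
        "keystone_token_check": "authtoken" in filters,
    }


if __name__ == "__main__":
    for strategy in ("noauth", "keystone"):
        print(strategy, audit(SAMPLE_PASTE_INI, SECTION, strategy))
```

Running the same check against each service's own paste file shows which components still validate tokens after nova has been switched to noauth.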
