Glance Pluggable Auth Layer

Registered by Glen Campbell

We don't really want Glance to ONLY support Keystone authentication. In many installations, it will be sufficient to have no auth at all for Glance. Therefore, we'd like to add an auth plugin layer to Glance so that it could support no auth (the default) or Keystone (optional) or other forms of authentication if desired by the implementor.

Team Ozone expects to develop this layer and the associated Keystone plugin.

Blueprint information

Vish Ishaya
Glen Campbell
Rick Harris
Series goal:
Accepted for diablo
Milestone target:
milestone icon 2011.3
Started by
Jay Pipes
Completed by
Jay Pipes

Related branches



I wouldn't exactly point to nova as a compelling implementation, but it *does* implement a somewhat pluggable auth system that could be used as reference

Since we are pulling out AuthManager from nova, I would definitely avoid using it. The model we are using is to have all auth information in nova.context and have a middleware that creates the context as needed. This means a new auth is adding a new middleware that creates a different context. You could very easily have a null auth driver that just adds an admin context to every request instead of talking to keystone or some other service.

Vek: I need to point out that this is for putting support for authentication *in the client*, i.e., in this instance, the glance client. The design is meant to be flexible, so that we could also use the same keystone plugin in, say, novaclient.

Gerrit topic:,topic:bp/pluggable-auth,n,z

Addressed by:
    Adding Keystone support for Glance client.

Re-targeting to Diablo since Nova is pushing this in...

Addressed by:
    Adding Keystone support for Glance client.


Work Items

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information 
Everyone can see this information.