Glance Pluggable Auth Layer
We don't really want Glance to ONLY support Keystone authentication. In many installations, it will be sufficient to have no auth at all for Glance. Therefore, we'd like to add an auth plugin layer to Glance so that it could support no auth (the default) or Keystone (optional) or other forms of authentication if desired by the implementor.
Team Ozone expects to develop this layer and the associated Keystone plugin.
Blueprint information
- Status:
- Complete
- Approver:
- Vish Ishaya
- Priority:
- Medium
- Drafter:
- Glen Campbell
- Direction:
- Approved
- Assignee:
- Rick Harris
- Definition:
- Approved
- Series goal:
- Accepted for diablo
- Implementation:
-
Implemented
- Milestone target:
-
2011.3
- Started by
- Jay Pipes
- Completed by
- Jay Pipes
Related branches
Related bugs
Sprints
Whiteboard
I wouldn't exactly point to nova as a compelling implementation, but it *does* implement a somewhat pluggable auth system that could be used as reference
Since we are pulling out AuthManager from nova, I would definitely avoid using it. The model we are using is to have all auth information in nova.context and have a middleware that creates the context as needed. This means a new auth is adding a new middleware that creates a different context. You could very easily have a null auth driver that just adds an admin context to every request instead of talking to keystone or some other service.
Vek: I need to point out that this is for putting support for authentication *in the client*, i.e., in this instance, the glance client. The design is meant to be flexible, so that we could also use the same keystone plugin in, say, novaclient.
Gerrit topic: https:/
Addressed by: https:/
Adding Keystone support for Glance client.
Re-targeting to Diablo since Nova is pushing this in...
Addressed by: https:/
Adding Keystone support for Glance client.
Work Items
Dependency tree
* Blueprints in grey have been implemented.
