Authentication for Analytics REST API

Registered by Ashish Ranjan on 2015-10-08

Authentication for Analytics REST API. Initially it will be supported only via keystone.

Blueprint information

Status:
Complete
Approver:
Ashish Ranjan
Priority:
Medium
Drafter:
Ashish Ranjan
Direction:
Needs approval
Assignee:
Raj Reddy
Definition:
Approved
Series goal:
Accepted for r3.1
Implementation:
Implemented
Milestone target:
milestone icon r3.1.0.0-fcs
Started by
Ashish Ranjan on 2016-08-02
Completed by
Ashish Ranjan on 2016-08-02

Related branches

Sprints

Whiteboard

Contrail Analytics API RBAC

Currently any user can access the Contrail Analytics API to get historical information via queries and get state information via UVEs. It is desired that RBAC similar to the Contrail Config API be implemented. The architecture for RBAC is based on Openstack Keystone Middleware architecture - http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html. We will phase the implementation as follows:

Phase 1 for 3.1:
Contrail Analytics API access for cloud-admin user only

Phase 2 for later releases:
Contrail Analytics API RBAC based on the permissions of the objects being queried or accessed to get state information

Implementation details for Phase 1
1. External user makes a REST API call to contrail-analytics-api passing a token representing the user with the HTTP header X-Auth-Token
2. It is desired that the RBAC logic is centralized in one process/role and hence contrail-analytics-api will in turn make a REST API call using vnc_api library to contrail-api to figure out the domain, tenant, project, role associated with the auth token. For contrail-analytics-api to make a REST API call to contrail-api, it will use vnc_api library and provide the admin user credentials obtained from a configuration file - /etc/contrail/contrail-keystone-auth.conf
3. Based on the user role, contrail-analytics-api will only allow access for cloud-admin user and reject the request (HTTPUnauthorized) for other users.
4. contrail-analytics-api will provide access without auth token for local analytics node users like contrail-logs, contrail-stats, and contrail-flows scripts
5. contrail-svc-monitor, contrail-topology, and contrail-webui will need to be modified to access contrail-analytics-api using an auth token corresponding to cloud-admin role

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.