Authentication for Analytics REST API

Contrail Analytics API RBAC

Currently any user can access the Contrail Analytics API to get historical information via queries and get state information via UVEs. It is desired that RBAC similar to the Contrail Config API be implemented. The architecture for RBAC is based on Openstack Keystone Middleware architecture - http://docs.openstack.org/developer/keystonemiddleware/middlewarearchitecture.html. We will phase the implementation as follows:

Phase 1 for 3.1:
Contrail Analytics API access for cloud-admin user only

Phase 2 for later releases:
Contrail Analytics API RBAC based on the permissions of the objects being queried or accessed to get state information

Implementation details for Phase 1
1. External user makes a REST API call to contrail-analytics-api passing a token representing the user with the HTTP header X-Auth-Token
2. It is desired that the RBAC logic is centralized in one process/role and hence contrail-analytics-api will in turn make a REST API call using vnc_api library to contrail-api to figure out the domain, tenant, project, role associated with the auth token. For contrail-analytics-api to make a REST API call to contrail-api, it will use vnc_api library and provide the admin user credentials obtained from a configuration file - /etc/contrail/contrail-keystone-auth.conf
3. Based on the user role, contrail-analytics-api will only allow access for cloud-admin user and reject the request (HTTPUnauthorized) for other users.
4. contrail-analytics-api will provide access without auth token for local analytics node users like contrail-logs, contrail-stats, and contrail-flows scripts
5. contrail-svc-monitor, contrail-topology, and contrail-webui will need to be modified to access contrail-analytics-api using an auth token corresponding to cloud-admin role