Create OpenStack Identity Service

Registered by Ziad Sawalha

Create an identity service for use with OpenStack. Initially using token-based authentication and necessary middleware to support integration with OpenStack core services; Nova, Glance, and Swift.

Do not build an identity system! Instead, use existing systems for heavy lifting. Local storage can be used for reference implementation or PoC

Architecturally, therefore, implement a generalized claims-based architecture:
Ex: base class that can: Request -> GetClaims -> ValidateClaims -> Returns claim-based authentication.
1.) Receive Claim
2.) Validate Claim
3.) Decorate request
4.) Forward request

Requirement from Nova:
Lightweight Delegation - As a User who is associated with a Tenant ID, I should have the ability to delegate Tenant IDs to other users
and access those Tenants via a call in the new Keystone Service.

Draft Acceptance Criteria:
1.) User is able to grant additional Tenants
2.) Each Tenant has a unique token
3.) The User is able to login with Username & Password/API key
...or... 4.) The User is able to login with Username & Password/API key AND Tenant ID (optional)
5.) A TenantID must always have at least one user.
6.) A user must be associated with a TenantID which may be a default tenant initially.
7.) The Admin User can pass a TenantID token and use a new call to list_all_tenants (Admin only)
8.) The non-Admin User can pass a TenantID token and use a new call to list_all_tenants available to THAT USER ONLY.
9.) The user can pass a TenantID token and use a new call to list_all_users (by TenantID)

Requirement from Swift:
Support existing Auth functionality (Rackspace Auth, DevAuth, SWAUTH)

Requirement from Glance:
Integrate with Glance
Keystone work:
1.) Install Glance
2.) Standardize the interfaces
3.) Prove ability to write to service
Glance work:
1.) Add middleware with tenant key
2.) Functional Tests over that communication to ensure they are attached properly (image:tenant)
3.) Modify Logging to include the middleware context.

Include documentation

Acceptance Criteria:
1.) Must Include "How to start Service"
2.) Must include Presentation
3.) Dev Guide must be updated to include all new features
4.) Create Admin Guide and Install Guide
5.) Update Guide(s) to follow "Open Stack" look and feel

Blueprint information

Ziad Sawalha
Rackspace Integration
Series goal:
Accepted for diablo
Milestone target:
milestone icon diablo-2
Started by
Ziad Sawalha
Completed by
Ziad Sawalha

Related branches



1. Code will look the same for separate engines (model on Burrow "plugability")
2. That standardization should not touch the logic part of the code; place that in a separate layer.
3. No dependencies on new libraries if possible (remove bottlepy which is in alpha code)
4. Use WSGI router (similar to how used in Glance and Burrow)
- start up daemon
- install maps
- use wrapper on exceptions
5. Include daemonization and shell


Work Items

Dependency tree

* Blueprints in grey have been implemented.

This blueprint contains Public information 
Everyone can see this information.