OpenStack Compute (nova)

Initial Keystone Integration

Registered by Khaled Hussein

Keystone provides a common auth framework for all of the services. This blueprint is for the initial integration of the keystone service (described below) with nova. The first version will be a very non-invasive approach with a couple of middlewares.

The purpose of this blueprint is to define a standard for authentication in OpenStack that enables services to support multiple authentication protocols in a pluggable manner. By providing support for authentication via pluggable authentication components, this standard allows OpenStack services to be integrated easily into existing deployment environments. It also provides a path by which to implement support for emerging authentication standards such as OpenID. The standard is not an authentication system onto itself, but rather a protocol by which authentication systems may be integrated with OpenStack services.

Blueprint information

Status:
Complete
Approver:
Rick Clark
Priority:
Essential
Drafter:
Khaled Hussein
Direction:
Approved
Assignee:
Jesse Andrews
Definition:
Approved
Series goal:
Accepted for diablo
Implementation:
Implemented
Milestone target:
milestone icon 2011.3
Started by
Thierry Carrez
Completed by
Vish Ishaya

Related branches

Sprints

Whiteboard

First appeared in diablo-2

Going to mark this complete for the moment. The initial middleware works fine with the openstack api. EC2 compatibility and removal of user code from nova will have to go in a separate blueprint. --vish

Since we now have the separate keystone project, this will be the blueprint for integrating nova with the keystone service --vish
First round complete. There is an auto-create middleware in keystone that will automatically create users and projects in nova.
Still to do:
  switch to tenants instead of projects in nova
  add ec2 compatibility middleware

jorgew: I've updated the spec to address some concerns from the swift team:
             1) Delegated Mode: The decision to reject an unauthenticated request can now be made by the underlying implementation.
             2) Default Component: Details of the default component are moved out of this spec, we'll be submitting the details in a separate blueprint.

             Expect a merge request for swift soon.

(?)

Work Items

Dependency tree

* Blueprints in grey have been implemented.

Nearby