User authentication for incoming requests
Calls into Solum will be authenticated before performing the requested operation.
Rely on existing OpenStack services for user registration. (i.e. do not create "Add user" functionality in Solum).
An OpenStack admin/operator would be able to associate selected OpenStack users with the Solum service (i.e. create user-to-service mapping). Use the same mechanism that exists in OpenStack to associate a user with an OpenStack service. OpenStack already has 2 mechanisms to associate a service with a user:
1. use a global default configuration on the service (=solum) so that every new user automatically gets associated with the service;
2. make an auth api call (keystone) to associate an existing user with the service.
Solum will use keystone as its identity system. Additional auth systems can be integrated with keystone so that a service provider using, say, LDAP/AD would be able to plug in their auth system.
NoAuth: Solum will support a NoAuth configuration (useful for dev setups).
A single authentication service will be used for all Solum services.
Users can have roles (configurable); the definition of roles and privileges is outside the scope of this blueprint (we will implement roles with v1.0 in the roadmap - https:/
Blueprint information
- Status: Complete
- Approver: Adrian Otto
- Priority: High
- Drafter: Roshan Agrawal
- Direction: Approved
- Assignee: Georgy Okrokvertskhov
- Definition: Approved
- Series goal: Accepted for icehouse
- Implementation: Implemented
- Milestone target: 2014.1.1
- Started by: Adrian Otto
- Completed by: Georgy Okrokvertskhov
Whiteboard
Detailed proposal needed.
Gerrit topic: https:/
Addressed by: https:/
This patch adds user authentication of incoming requests. Currently two authentication strategies are supported: noauth (no authentication) and keystone.
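The two strategies named above, as an added example that is not part of the blueprint or of Solum's code: a WSGI wrapper that rejects unauthenticated calls under keystone and only enables noauth on explicit opt-in. AuthGate, allow_noauth, demo_app, call and DEV_USER_ID are hypothetical names; the sketch assumes keystonemiddleware's auth_token filter runs earlier in the pipeline and sets the X-Identity-Status and X-User-Id headers.

```python
# Added illustration: names here are hypothetical, not Solum's own code.
AUTH_STRATEGIES = ("keystone", "noauth")
DEV_USER_ID = "dev-user"  # constructed placeholder identity for noauth


class AuthGate:
    """WSGI wrapper. Assumes that under "keystone" keystonemiddleware's
    auth_token filter ran earlier in the pipeline and set X-Identity-Status
    and X-User-Id in the environ."""

    def __init__(self, app, strategy, allow_noauth=False):
        if strategy not in AUTH_STRATEGIES:
            raise ValueError("unknown auth strategy: %r" % (strategy,))
        # noauth is meant for dev setups, so it needs an explicit opt-in.
        if strategy == "noauth" and not allow_noauth:
            raise ValueError("noauth requires allow_noauth=True")
        self.app = app
        self.strategy = strategy

    def __call__(self, environ, start_response):
        if self.strategy == "noauth":
            # Overwrite identity values; never inherit them from the client.
            environ["HTTP_X_IDENTITY_STATUS"] = "Confirmed"
            environ["HTTP_X_USER_ID"] = DEV_USER_ID
            return self.app(environ, start_response)
        confirmed = environ.get("HTTP_X_IDENTITY_STATUS") == "Confirmed"
        if not (confirmed and environ.get("HTTP_X_USER_ID")):
            body = b"Authentication required"
            start_response("401 Unauthorized",
                           [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
            return [body]
        return self.app(environ, start_response)


def demo_app(environ, start_response):
    """Stand-in for the API: echoes the authenticated user id."""
    body = ("hello " + environ["HTTP_X_USER_ID"]).encode()
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [body]


def call(app, environ):
    """Drive a WSGI app once and return (status line, body bytes)."""
    seen = {}
    sr = lambda status, headers, exc=None: seen.update(status=status)
    body = b"".join(app(dict(environ), sr))
    return seen["status"], body
```

The gate only re-checks headers set by the upstream token filter, so it is a second layer and not a replacement for that filter.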