User authentication for incoming requests

Registered by Roshan Agrawal on 2013-10-09

Calls into Solum will be authenticated before performing the requested operation.

Rely on existing OpenStack services for user registration (i.e. do not create "Add user" functionality in Solum).

An OpenStack admin/operator would be able to associate selected OpenStack users with the Solum service (i.e. create a user-to-service mapping). Use the same mechanism that exists in OpenStack to associate a user with an OpenStack service. OpenStack already has 2 mechanisms to associate a service with a user:
1. use a global default configuration on the service (=solum) so that every new user automatically gets associated with the service;
2. make an auth API call (keystone) to associate an existing user with the service.

Solum will use keystone as its identity system. Additional auth systems can be integrated with keystone so that a service provider using, say, LDAP/AD would be able to plug in their auth system.

NoAuth: Solum will support a NoAuth configuration (useful for dev setups).

A single authentication service will be used for all Solum services.

Users can have roles (configurable); the definition of roles and privileges is outside the scope of this blueprint (we will implement roles with v1.0 in the roadmap - https://wiki.openstack.org/wiki/Solum/HighLevelRoadmap ).
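The keystone/NoAuth choice described above, sketched as a WSGI pipeline in an added example (not Solum's code and not the referenced patch). All names are hypothetical, and a constructed in-memory token table stands in for Keystone token validation.

```python
# Added illustration; every name here is hypothetical, not Solum's code.
IDENTITY_HEADERS = ("HTTP_X_USER_ID", "HTTP_X_ROLES")
# Constructed token table standing in for Keystone token validation.
CONSTRUCTED_TOKENS = {"tok-alice": {"HTTP_X_USER_ID": "alice", "HTTP_X_ROLES": "member"}}


def api_app(environ, start_response):
    """Protected operation: reports the identity the request runs under."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [environ.get("HTTP_X_USER_ID", "noauth").encode()]


class TokenAuth:
    """Authenticate before the operation: unknown or missing token gets 401."""

    def __init__(self, app, tokens):
        self.app, self.tokens = app, tokens

    def __call__(self, environ, start_response):
        # Discard identity headers sent by the client; only this layer sets them.
        for name in IDENTITY_HEADERS:
            environ.pop(name, None)
        identity = self.tokens.get(environ.get("HTTP_X_AUTH_TOKEN", ""))
        if identity is None:
            start_response("401 Unauthorized", [("Content-Type", "text/plain")])
            return [b"authentication required"]
        environ.update(identity)
        return self.app(environ, start_response)


def build_app(auth_strategy):
    """Select the strategy; anything other than the two known values fails closed."""
    if auth_strategy == "keystone":
        return TokenAuth(api_app, CONSTRUCTED_TOKENS)
    if auth_strategy == "noauth":  # dev setups only: every caller is accepted
        return api_app
    raise ValueError("unknown auth strategy: %r" % (auth_strategy,))


def call(app, **headers):
    """Drive a WSGI app with the given CGI-style headers; return (status, body)."""
    seen = []
    body = b"".join(app(dict(headers), lambda status, hdrs: seen.append(status)))
    return seen[0], body.decode()
```

A misspelled strategy value raises at startup instead of silently falling back to the unauthenticated path, and identity headers supplied by the caller never reach the protected operation in keystone mode.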

Blueprint information

Status: Complete
Approver: Adrian Otto
Priority: High
Drafter: Roshan Agrawal
Direction: Approved
Assignee: Georgy Okrokvertskhov
Definition: Approved
Series goal: Accepted for icehouse
Implementation: Implemented
Milestone target: 2014.1.1
Started by: Adrian Otto on 2013-12-03
Completed by: Georgy Okrokvertskhov on 2014-01-08

Whiteboard

Detailed proposal needed.

Gerrit topic: https://review.openstack.org/#q,topic:bp/user-authentication,n,z

Addressed by: https://review.openstack.org/58811
    This patch adds user authentication of incoming requests. Currently two authentication strategies are supported: noauth (no authentication) and keystone.
