OpenStack Compute (nova)

Merge lp://qastaging/~anso/nova/authn_and_authz into lp://qastaging/~hudson-openstack/nova/trunk

  1. authn_and_authz
  2. Merge into trunk
Proposed by termie
Status: Work in progress
Proposed branch: lp://qastaging/~anso/nova/authn_and_authz
Merge into: lp://qastaging/~hudson-openstack/nova/trunk
Diff against target: 1525 lines (+880/-95)
15 files modified
bin/nova-authn (+71/-0)
bin/nova-authz (+54/-0)
bin/nova-direct-api (+2/-1)
bin/stack (+28/-5)
etc/nova-api.conf (+6/-3)
nova/api/authn.py (+208/-0)
nova/api/authz.py (+223/-0)
nova/api/direct.py (+6/-0)
nova/api/ec2/__init__.py (+144/-51)
nova/api/openstack/auth.py (+33/-19)
nova/api/openstack/servers.py (+51/-14)
nova/compute/api.py (+49/-0)
nova/context.py (+3/-1)
nova/flags.py (+1/-0)
nova/tests/test_access.py (+1/-1)
To merge this branch: bzr merge lp://qastaging/~anso/nova/authn_and_authz
Reviewer Review Type Date Requested Status
Jay Pipes (community) Needs Information
Review via email: mp+52119@code.qastaging.launchpad.net

Description of the change

A prototype / demo authn and authz system. Further discussion of the concepts here are in http://plansthis.com/auth

To post a comment you must log in.
Revision history for this message
termie (termie) wrote :

This hasn't been rebased onto trunk yet, so there may be some spurious conflicts in the diff, we wanted the branch to remain intact while we work on it, we will resolve conflicts again before actually proposing for review. For the moment this is just to get launchpad to generate a bit of a diff so that people can look over the code more easily.

Reply
Revision history for this message
Jay Pipes (jaypipes) wrote :
Download full text (4.2 KiB)

Hi guys!

I'm not sure how much specifics I should get into here, since you say it's mostly for discussion, so please excuse me if I have gone into too much of a discussion of the implementation details!

1) Any reason bin/nova-authn and bin/nova-authz don't use paste.config like the other bin/ servers?

2) It seems that bin/nova-authz was not completed? Am I missing something? I don't think that this code:

129 +if __name__ == '__main__':
130 + utils.default_flagfile()
131 + flags.FLAGS(sys.argv)
132 + logging.setup()
133 + service.serve()
134 + service.wait()

will work...

3) In bin/stack:

165 +gflags.DEFINE_string('password', 'user1', 'Direct API password')

We've run into some problems in the unit tests where the user and key were both "user1" :) Could we avoid problems by making the password "pass1" or something like that?

194 + if not token and authenticate_before:
195 + token = do_authenticate()

do_authenticate() returns token, but it returns it like so:

182 + rv = do_request('authn', 'authenticate', params,
183 + host=FLAGS.authn_host,
184 + port=FLAGS.authn_port,
185 + authenticate_before=False)
186 + return rv['auth']['token']['id']

This will raise KeyError if the authentication doesn't work, correct? Probably best to trap for this in do_request(). That said, I believe a better solution would be to have the do_request() call in do_authenticate() trap for the 401 that *should* be returned if a user does not authenticate, no?

4)

Have you guys taken a look at this blueprint: http://wiki.openstack.org/openstack-authn? Jorge and Khaled suggest using the X-Authorization header and mandating that the authentication service set the X-Identity-Status header. What were your thoughts on this?

5) In etc/nova-api.conf

226 +pipeline = logrequest authenticate authn adminrequest authorizer ec2executor

and:

245 +pipeline = faultwrap auth authn ratelimit osapiapp

Seems to be a be confusing having (authenticate and authn) or (auth and authn) in same pipeline...

6) About nova/api/authn.py

This file and its contents are difficult for me to understand. I have the following issues/questions about it:

287 +flags.DEFINE_string('authn_topic', 'authn', 'topic to listen for authn on')

Why are we adding more AMQP communication for authentication? Perhaps I'm just not understanding the various service/manager/driver/adapter abstractions going on here, but it seems odd to be delegating authentication requests to the message queue that another service is listening on?

304 +class AuthnManager(manager.Manager):
305 + """Manages token based authentication."""
306 + def __init__(self, auth_manager=None, *args, **kwargs):
307 + if not auth_manager:
308 + auth_manager = manager_auth.AuthManager()
309 + self.auth_manager = auth_manager
310 + super(AuthnManager, self).__init__(*args, **kwargs)

So, we have an AuthnManager that inherits from manager.Manager and yet has a self.auth_manager member that is a manager_auth.AuthManager? Yikes, that just got really confusing. Could we document this relationship in code comments? I'm having a really tough time understanding how all the managers relate to each other.

290 +_url = "http://127.0.0.1:9001"
291 +_cat...

Read more...

review: Needs Information
Reply

Unmerged revisions

770. By Vish Ishaya

make authn work with os api

769. By Vish Ishaya

make ec2 api use authn

768. By Vish Ishaya

simplify deepmerge

767. By Vish Ishaya

move where 'account:' is added to owner

766. By Vish Ishaya

Change NotFound exceptions into NotAuthorized

765. By Vish Ishaya

Changed account to owner in authz because it is clearer. Added docstrings. Added get_acl method

764. By Vish Ishaya

add docstrings and fix wrappers to check against owner

763. By Vish Ishaya

pass roles as roles and avoid exception in wrapper

762. By Vish Ishaya

add decorator and decorate compute methods

761. By Vish Ishaya

Add docstrings and and allow set_acl

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
The diff is not available at this time. You can reload the page or download it.