[openstack-dev] [quantum] RPC communication agent to quantum server

Dan Wendlandt dan at nicira.com
Tue Feb 5 02:52:52 UTC 2013


On Mon, Feb 4, 2013 at 8:02 AM, Ravi Chunduru <ravivsn at gmail.com> wrote:

> Thanks Gary.
>
> I feel RPC should use keystone authentication else it is a security
> concern.
>

My understanding is that depending on your config, certain of the message
bus services used by openstack projects for RPC support basic auth, but I
was not aware of any that used keystone.   Keystone is generally used for
authenticating access to the openstack rest APIs, either by tenants,
admins, or others services (e.g., nova calling quantum).

 Dan


>
> On Mon, Feb 4, 2013 at 4:06 AM, Gary Kotton <gkotton at redhat.com> wrote:
>
>>  On 02/03/2013 07:43 PM, Ravi Chunduru wrote:
>>
>> Gary,
>>   Thanks for the pointers on L3 agent.
>> Will there be a keystone authentication for l2 agents in Grizzly?
>>
>>
>> No, for the agents using the RPC communication there is no keystone
>> authentication. This is another channel  of communication. It is similar to
>> that in nova. Each of the modules is able to send one another messages.
>>
>>
>>  Thanks,
>> -Ravi
>>
>>
>> On Sun, Feb 3, 2013 at 7:19 AM, Gary Kotton <gkotton at redhat.com> wrote:
>>
>>>  On 02/02/2013 07:52 PM, Ravi Chunduru wrote:
>>>
>>> L3 agent uses Qclient to communicate with Quantum server while Plugin
>>> agents used RPC.
>>> I understand there is a BP for L3 agent to use RPC in coming days.
>>>
>>>
>>>  Hi Ravi,
>>> In Grizzly the L3 agent makes use of the RPC to interface with the
>>> Quantum plugin. In Folsom the L3 agent makes use of the Quantum client API
>>> to retrieve the l3 data.
>>> Yes, there is keystone authentication. Can you please look at:
>>>
>>> https://github.com/openstack/quantum/blob/stable/folsom/quantum/agent/l3_agent.py#L120
>>> This is via the parameters in the INI file:
>>>
>>> https://github.com/openstack/quantum/blob/stable/folsom/etc/l3_agent.ini#L13
>>>
>>>
>>>
>>>  I was going through OVS agent code, found that it does not
>>> authenticate with keystone, which I feel is a  security concern.
>>>
>>>
>>>  The code that you are referring to is most probably for the l2 agent
>>> interface.
>>>
>>>   self.rpc_context = context.RequestContext('quantum', 'quantum',
>>>                                                   is_admin=False)
>>>
>>>  auth token is not sent while creating context.
>>>
>>>  Any considerations to do that way?
>>>
>>>  Thanks,
>>>
>>>  --
>>> Ravi
>>>
>>>
>>>  _______________________________________________
>>> OpenStack-dev mailing listOpenStack-dev at lists.openstack.orghttp://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>>
>>>
>>>
>>
>>
>>  --
>> Ravi
>>
>>
>>
>
>
> --
> Ravi
>
> _______________________________________________
> OpenStack-dev mailing list
> OpenStack-dev at lists.openstack.org
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>
>


-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~
Dan Wendlandt
Nicira, Inc: www.nicira.com
twitter: danwendlandt
~~~~~~~~~~~~~~~~~~~~~~~~~~~
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20130204/01efc936/attachment.html>


More information about the OpenStack-dev mailing list