[openstack-dev] [nova][keystone] auth for new metadata plugins
rcritten at redhat.com
Mon Aug 15 21:10:54 UTC 2016
Review https://review.openstack.org/#/c/317739/ added a new dynamic
metadata handler to nova. The basic gist is that rather than serving
metadata statically, it can be done dynamically, so that certain values
aren't provided until they are needed, mostly for security purposes
(like credentials to enroll in an AD domain). The metadata is configured
as URLs to a REST service.
Very little is passed into the REST call, mostly UUIDs of the instance,
image, etc. to ensure a stable API. What this means though is that the
REST service may need to make calls into nova or glance to get
information, like looking up the image metadata in glance.
Currently the dynamic metadata handler _can_ generate auth headers if an
authenticated request is made to it, but consider that a common use case
is fetching metadata from within an instance using something like:
% curl http://169.254.169.254/openstack/2016-10-06/vendor_data2.json
This will come into the nova metadata service unauthenticated.
So a few questions:
1. Is it possible to configure paste (I'm a relative newbie) so that both
authenticated and unauthenticated requests are accepted such that IF an
authenticated request comes in, those credentials can be used, otherwise
fall back to something else?
2. If an unauthenticated request comes in, how best to obtain a token to
use? Is it best to create a service user for the REST services (perhaps
several), use a shared user, something else?
I guess if config_drive is True then this isn't really a problem as the
metadata will be there in the instance already.
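One way the REST side of this could be arranged, as an added example that is not code from the post or from nova: the handler reuses the caller's token only when the auth middleware has marked the request Confirmed, and otherwise falls back to the service's own credentials. The JSON field names "instance-id" and "image-id", the `service_token` callback and the `get_image_meta` glance stand-in are assumptions.

```python
import json
from typing import Callable, Dict

# Headers that keystonemiddleware.auth_token sets on a request it has checked.
# With delay_auth_decision=True, unauthenticated requests still reach the app,
# but carry X-Identity-Status: Invalid, so a bare X-Auth-Token must not be trusted.
IDENTITY_STATUS = "X-Identity-Status"
AUTH_TOKEN = "X-Auth-Token"


def choose_token(headers: Dict[str, str], service_token: Callable[[], str]) -> Dict[str, str]:
    """Return {"token": ..., "source": "caller" | "service"}.

    Only a token the middleware marked Confirmed is reused; anything else
    (including a client-supplied X-Auth-Token with no Confirmed status) is
    ignored in favour of the service's own credentials.
    """
    if headers.get(IDENTITY_STATUS) == "Confirmed" and headers.get(AUTH_TOKEN):
        return {"token": headers[AUTH_TOKEN], "source": "caller"}
    return {"token": service_token(), "source": "service"}


def handle_vendordata(headers: Dict[str, str], body: bytes,
                      service_token: Callable[[], str],
                      get_image_meta: Callable[[str, str], dict]) -> dict:
    """Build the vendor_data2.json fragment for one instance.

    `body` is the JSON nova POSTs to the dynamic vendordata URL; the field
    names "instance-id" and "image-id" are assumed. `get_image_meta(token,
    image_id)` stands in for the glance lookup the post describes.
    """
    req = json.loads(body)
    auth = choose_token(headers, service_token)
    image_meta = get_image_meta(auth["token"], req["image-id"])
    return {
        "instance-id": req["instance-id"],
        "auth-source": auth["source"],
        "image-os": image_meta.get("os_distro", "unknown"),
    }


# Constructed sample inputs so the example runs stand-alone (placeholders only).
def _fake_service_token() -> str:
    return "SERVICE-TOKEN-PLACEHOLDER"


def _fake_glance(token: str, image_id: str) -> dict:
    return {"os_distro": "fedora", "looked_up_with": token, "id": image_id}


SAMPLE_BODY = json.dumps({"instance-id": "INSTANCE-UUID-PLACEHOLDER",
                          "image-id": "IMAGE-UUID-PLACEHOLDER"}).encode()

if __name__ == "__main__":
    # Mirrors the unauthenticated curl from inside the instance.
    print(handle_vendordata({IDENTITY_STATUS: "Invalid"}, SAMPLE_BODY,
                            _fake_service_token, _fake_glance))
```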