<br><div class="gmail_quote">On Mon, Feb 4, 2013 at 8:02 AM, Ravi Chunduru <span dir="ltr">&lt;<a href="mailto:ravivsn@gmail.com" target="_blank">ravivsn@gmail.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">


<div dir="ltr">Thanks Gary.<div><br></div><div>I feel RPC should use keystone authentication else it is a security concern.</div></div></blockquote><div><br></div><div>My understanding is that, depending on your config, certain of the message bus services used by OpenStack projects for RPC support basic auth, but I was not aware of any that used keystone. Keystone is generally used for authenticating access to the OpenStack REST APIs, either by tenants, admins, or other services (e.g., nova calling quantum).  </div>


<div><br></div><div> Dan</div><div><br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="gmail_extra"><div><div><br><br><div class="gmail_quote">
On Mon, Feb 4, 2013 at 4:06 AM, Gary Kotton <span dir="ltr">&lt;<a href="mailto:gkotton@redhat.com" target="_blank">gkotton@redhat.com</a>&gt;</span> wrote:<br>

<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
  
    
  
  <div bgcolor="#FFFFFF" text="#000000"><div>
    On 02/03/2013 07:43 PM, Ravi Chunduru wrote:
    <blockquote type="cite">
      <div dir="ltr">Gary,
        <div>  Thanks for the pointers on L3 agent.</div>
        <div>Will there be a keystone authentication for l2
          agents in Grizzly?</div>
      </div>
    </blockquote>
    <br></div>
    No, for the agents using the RPC communication there is no keystone
    authentication. This is another channel  of communication. It is
    similar to that in nova. Each of the modules is able to send one
    another messages. <br><div><div>
    <br>
    <blockquote type="cite">
      <div dir="ltr">
        <div><br>
        </div>
        <div>Thanks,</div>
        <div>-Ravi</div>
      </div>
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Sun, Feb 3, 2013 at 7:19 AM, Gary
          Kotton <span dir="ltr">&lt;<a href="mailto:gkotton@redhat.com" target="_blank">gkotton@redhat.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div bgcolor="#FFFFFF" text="#000000">
              <div> On 02/02/2013 07:52 PM, Ravi Chunduru
                wrote:
                <blockquote type="cite">
                  <div dir="ltr">L3 agent uses Qclient to communicate
                    with Quantum server while Plugin agents used RPC.
                    <div>I understand there is a BP for L3 agent to use
                      RPC in coming days.</div>
                  </div>
                </blockquote>
                <br>
              </div>
              Hi Ravi,<br>
              In Grizzly the L3 agent makes use of the RPC to interface
              with the Quantum plugin. In Folsom the L3 agent makes use
              of the Quantum client API to retrieve the l3 data.<br>
              Yes, there is keystone authentication. Can you please look
              at:<br>
              <a href="https://github.com/openstack/quantum/blob/stable/folsom/quantum/agent/l3_agent.py#L120" target="_blank">https://github.com/openstack/quantum/blob/stable/folsom/quantum/agent/l3_agent.py#L120</a><br>





              This is via the parameters in the INI file:<br>
              <a href="https://github.com/openstack/quantum/blob/stable/folsom/etc/l3_agent.ini#L13" target="_blank">https://github.com/openstack/quantum/blob/stable/folsom/etc/l3_agent.ini#L13</a>
              <div><br>
                <br>
                <blockquote type="cite">
                  <div dir="ltr">
                    <div><br>
                    </div>
                    <div>I was going through OVS agent code, found that
                      it does not authenticate with keystone, which I
                      feel is a  security concern.</div>
                    <div><br>
                    </div>
                  </div>
                </blockquote>
                <br>
              </div>
              The code that you are referring to is most probably for
              the l2 agent interface.<br>
              <br>
              <blockquote type="cite">
                <div>
                  <div dir="ltr">
                    <div>
                      <div>self.rpc_context =
                        context.RequestContext('quantum', 'quantum',</div>
                      <div>                                             
                            is_admin=False)</div>
                    </div>
                    <div><br>
                    </div>
                    <div>auth token is not sent while creating context.</div>
                    <div><br>
                    </div>
                    <div>Any considerations to do that way?</div>
                    <div><br>
                    </div>
                    <div>Thanks,</div>
                    <div>
                      <div><br>
                      </div>
                      -- <br>
                      Ravi<br>
                    </div>
                  </div>
                  <br>
                  <fieldset></fieldset>
                  <br>
                </div>
                <pre>_______________________________________________
OpenStack-dev mailing list
<a href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a>
<a href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
              </blockquote>
              <br>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        Ravi<br>
      </div>
    </blockquote>
    <br>
  </div></div></div>

</blockquote></div><br><br clear="all"><div><br></div></div></div><span><font color="#888888">-- <br>Ravi<br>
</font></span></div>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br>~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>Dan Wendlandt <div>Nicira, Inc: <a href="http://www.nicira.com" target="_blank">www.nicira.com</a><br><div>twitter: danwendlandt<br>


~~~~~~~~~~~~~~~~~~~~~~~~~~~<br></div></div>