<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
On 02/05/2013 04:52 AM, Dan Wendlandt wrote:
<blockquote
cite="mid:CA+0XJm-6Ls1WKZrJSN7tm-DLU4-K_ZypgYavDiccM157cGJJLQ@mail.gmail.com"
type="cite"><br>
<div class="gmail_quote">On Mon, Feb 4, 2013 at 8:02 AM, Ravi
Chunduru <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:ravivsn@gmail.com" target="_blank">ravivsn@gmail.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">Thanks Gary.
<div><br>
</div>
<div>I feel RPC should use keystone authentication else it
is a security concern.</div>
</div>
</blockquote>
<div><br>
</div>
<div>My understanding is that depending on your config, certain
of the message bus services used by openstack projects for RPC
support basic auth, but I was not aware of any that used
keystone. Keystone is generally used for authenticating
access to the openstack rest APIs, either by tenants, admins,
or other services (e.g., nova calling quantum). <br>
</div>
</div>
</blockquote>
<br>
Dan, you are correct. Keystone is not used with the RPC.<br>
<br>
If the RPC is a concern then there is a configuration option to set
this as encrypted. I have never tried it...<br>
<blockquote
cite="mid:CA+0XJm-6Ls1WKZrJSN7tm-DLU4-K_ZypgYavDiccM157cGJJLQ@mail.gmail.com"
type="cite">
<div class="gmail_quote">
<div><br>
</div>
<div> Dan</div>
<div><br>
</div>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div class="gmail_extra">
<div>
<div><br>
<br>
<div class="gmail_quote">
On Mon, Feb 4, 2013 at 4:06 AM, Gary Kotton <span
dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:gkotton@redhat.com" target="_blank">gkotton@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 02/03/2013 07:43 PM, Ravi Chunduru wrote:
<blockquote type="cite">
<div dir="ltr">Gary,
<div> Thanks for the pointers on L3 agent.</div>
<div>Will there be a keystone authentication
for l2 agents in Grizzly?</div>
</div>
</blockquote>
<br>
</div>
No, for the agents using the RPC communication
there is no keystone authentication. This is
another channel of communication. It is similar
to that in nova. Each of the modules is able to
send one another messages. <br>
<div>
<div> <br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>Thanks,</div>
<div>-Ravi</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sun, Feb 3,
2013 at 7:19 AM, Gary Kotton <span
dir="ltr">&lt;<a
moz-do-not-send="true"
href="mailto:gkotton@redhat.com"
target="_blank">gkotton@redhat.com</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote"
style="margin:0 0 0
.8ex;border-left:1px #ccc
solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div> On 02/02/2013 07:52 PM, Ravi
Chunduru wrote:
<blockquote type="cite">
<div dir="ltr">L3 agent uses
Qclient to communicate with
Quantum server while Plugin
agents used RPC.
<div>I understand there is a
BP for L3 agent to use RPC
in coming days.</div>
</div>
</blockquote>
<br>
</div>
Hi Ravi,<br>
In Grizzly the L3 agent makes use of
the RPC to interface with the
Quantum plugin. In Folsom the L3
agent makes use of the Quantum
client API to retrieve the l3 data.<br>
Yes, there is keystone
authentication. Can you please look
at:<br>
<a moz-do-not-send="true"
href="https://github.com/openstack/quantum/blob/stable/folsom/quantum/agent/l3_agent.py#L120"
target="_blank">https://github.com/openstack/quantum/blob/stable/folsom/quantum/agent/l3_agent.py#L120</a><br>
This is via the parameters in the
INI file:<br>
<a moz-do-not-send="true"
href="https://github.com/openstack/quantum/blob/stable/folsom/etc/l3_agent.ini#L13"
target="_blank">https://github.com/openstack/quantum/blob/stable/folsom/etc/l3_agent.ini#L13</a>
<div><br>
<br>
<blockquote type="cite">
<div dir="ltr">
<div><br>
</div>
<div>I was going through OVS
agent code, found that it
does not authenticate with
keystone, which I feel is a
security concern.</div>
<div><br>
</div>
</div>
</blockquote>
<br>
</div>
The code that you are referring to
is most probably for the l2 agent
interface.<br>
<br>
<blockquote type="cite">
<div>
<div dir="ltr">
<div>
<div>self.rpc_context =
context.RequestContext('quantum',
'quantum',</div>
<div>
is_admin=False)</div>
</div>
<div><br>
</div>
<div>auth token is not sent
while creating context.</div>
<div><br>
</div>
<div>Any considerations to do
that way?</div>
<div><br>
</div>
<div>Thanks,</div>
<div>
<div><br>
</div>
-- <br>
Ravi<br>
</div>
</div>
<br>
<fieldset></fieldset>
<br>
</div>
<pre>_______________________________________________
OpenStack-dev mailing list
<a moz-do-not-send="true" href="mailto:OpenStack-dev@lists.openstack.org" target="_blank">OpenStack-dev@lists.openstack.org</a>
<a moz-do-not-send="true" href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a>
</pre>
</blockquote>
<br>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Ravi<br>
</div>
</blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
</div>
</div>
<span><font color="#888888">-- <br>
Ravi<br>
</font></span></div>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
Dan Wendlandt
<div>Nicira, Inc: <a moz-do-not-send="true"
href="http://www.nicira.com" target="_blank">www.nicira.com</a><br>
<div>twitter: danwendlandt<br>
~~~~~~~~~~~~~~~~~~~~~~~~~~~<br>
</div>
</div>
</blockquote>
<br>
</body>
</html>