<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">On 08/30/2016 05:36 PM, Michael Still
      wrote:<br>
    </div>
    <blockquote
cite="mid:CAEd1pt67BAOXb-Nxsyb72Fyfa-V5edSy=dow8rQaAN4ygY_bkw@mail.gmail.com"
      type="cite">
      <div dir="ltr">Sorry for being slow on this one, I've been pulled
        into some internal things at work.
        <div><br>
        </div>
        <div>So... Talking to Matt Riedemann just now, it seems like we
          should continue to pass through the user authentication
          details when we have them to the plugin. The problem is what
          to do in the case where we do not (which is mostly going to be
          when the instance itself makes a metadata request).</div>
        <div><br>
        </div>
        <div>I think what you're saying though is that the middleware
          won't let any requests through if they have no auth details? Is
          that correct?</div>
        <div><br>
        </div>
      </div>
    </blockquote>
    Yes, that is correct.<br>
    <br>
    <blockquote
cite="mid:CAEd1pt67BAOXb-Nxsyb72Fyfa-V5edSy=dow8rQaAN4ygY_bkw@mail.gmail.com"
      type="cite">
      <div dir="ltr">
        <div>Michael</div>
        <div><br>
        </div>
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Fri, Aug 26, 2016 at 12:46 PM, Adam
          Young <span dir="ltr"><<a moz-do-not-send="true"
              href="mailto:ayoung@redhat.com" target="_blank">ayoung@redhat.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div class="HOEnZb">
              <div class="h5">On 08/22/2016 11:11 AM, Rob Crittenden
                wrote:<br>
                <blockquote class="gmail_quote" style="margin:0 0 0
                  .8ex;border-left:1px #ccc solid;padding-left:1ex">
                  Adam Young wrote:<br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    On 08/15/2016 05:10 PM, Rob Crittenden wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      Review <a moz-do-not-send="true"
                        href="https://review.openstack.org/#/c/317739/"
                        rel="noreferrer" target="_blank">https://review.openstack.org/#/c/317739/</a>
                      added a new dynamic<br>
                      metadata handler to nova. The basic gist is that
                      rather than serving<br>
                      metadata statically, it can be done dynamically, so
                      that certain values<br>
                      aren't provided until they are needed, mostly for
                      security purposes<br>
                      (like credentials to enroll in an AD domain). The
                      metadata is<br>
                      configured as URLs to a REST service.<br>
                      <br>
                      Very little is passed into the REST call, mostly
                      UUIDs of the<br>
                      instance, image, etc. to ensure a stable API. What
                      this means though<br>
                      is that the REST service may need to make calls
                      into nova or glance to<br>
                      get information, like looking up the image
                      metadata in glance.<br>
                      <br>
                      Currently the dynamic metadata handler _can_
                      generate auth headers if<br>
                      an authenticated request is made to it, but
                      consider that a common use<br>
                      case is fetching metadata from within an instance
                      using something like:<br>
                      <br>
                      % curl <a moz-do-not-send="true"
                        href="http://169.254.169.254/openstack/2016-10-06/vendor_data2.json"
                        rel="noreferrer" target="_blank">http://169.254.169.254/openstack/2016-10-06/vendor_data2.json</a><br>
                      <br>
                      This will come into the nova metadata service
                      unauthenticated.<br>
                      <br>
                      So a few questions:<br>
                      <br>
                      1. Is it possible to configure paste (I'm a
                      relative newbie) so that both<br>
                      authenticated and unauthenticated requests are
                      accepted such that IF<br>
                      an authenticated request comes in, those
                      credentials can be used,<br>
                      otherwise fall back to something else?<br>
                    </blockquote>
                    <br>
                    <br>
                    Only if they are on different URLs, I think.  It's
                    auth_token middleware<br>
                    for all services but Keystone.  Keystone, the roles
                    are similar, but the<br>
                    implementation is a little different.<br>
                  </blockquote>
                  <br>
                  Ok. I'm fine with the unauthenticated path if we can
                  just create a separate service user for it.<br>
                  <br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      2. If an unauthenticated request comes in, how
                      best to obtain a token<br>
                      to use? Is it best to create a service user for
                      the REST services<br>
                      (perhaps several), use a shared user, something
                      else?<br>
                    </blockquote>
                    <br>
                    <br>
                    No unauthenticated requests, please.  If the call is
                    to Keystone, we<br>
                    could use the X509 Tokenless approach, but if the
                    call comes from the<br>
                    new server, you won't have a cert by the time you
                    need to make the call,<br>
                    will you?<br>
                  </blockquote>
                  <br>
                  Not sure which cert you're referring to but yeah, the
                  metadata service is unauthenticated. The requests can
                  come in from the instance which has no credentials
                  (via <a moz-do-not-send="true"
                    href="http://169.254.169.254/" rel="noreferrer"
                    target="_blank">http://169.254.169.254/</a>).<br>
                  <br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    Shared service users are probably your best bet.  We
                    can limit the roles<br>
                    that they get.  What are these calls you need to
                    make?<br>
                  </blockquote>
                  <br>
                  To glance for image metadata, Keystone for project
                  information and nova for instance information. The
                  REST call passes in various UUIDs for these so they
                  need to be dereferenced. There is no guarantee that
                  these would be called in all cases but it is a
                  possibility.<br>
                  <br>
                  rob<br>
                  <br>
                  <blockquote class="gmail_quote" style="margin:0 0 0
                    .8ex;border-left:1px #ccc solid;padding-left:1ex">
                    <blockquote class="gmail_quote" style="margin:0 0 0
                      .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <br>
                      I guess if config_drive is True then this isn't
                      really a problem as<br>
                      the metadata will be there in the instance
                      already.<br>
                      <br>
                      thanks<br>
                      <br>
                      rob<br>
                      <br>
                      __________________________________________________________________________
                      <br>
                      <br>
                      OpenStack Development Mailing List (not for usage
                      questions)<br>
                      Unsubscribe:<br>
                      <a moz-do-not-send="true"
href="http://OpenStack-dev-request@lists.openstack.org?subject:unsubscribe"
                        rel="noreferrer" target="_blank">OpenStack-dev-request@lists.openstack.org?subject:unsubscribe</a><br>
                      <a moz-do-not-send="true"
                        href="http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev"
                        rel="noreferrer" target="_blank">http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev</a><br>
                    </blockquote>
                    <br>
                  </blockquote>
                  <br>
                </blockquote>
                <br>
              </div>
            </div>
            Sounded like you had this sorted.  True?
            <div class="HOEnZb">
              <div class="h5"><br>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <div class="gmail_signature" data-smartmail="gmail_signature">Rackspace
          Australia</div>
      </div>
      <br>
    </blockquote>
    <p><br>
    </p>
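    <p>The behaviour the thread converges on (pass the user's credentials through to the vendordata REST backend when they exist, otherwise have the backend use a dedicated, role-limited service user, and never let it call glance or Keystone unauthenticated) sketched as an added Python example. This is editor-supplied code, not nova's, keystonemiddleware's or any project's. Assumptions: nova POSTs a JSON body with "instance-id", "image-id" and "project-id" keys; a validated user request carries X-Auth-Token plus the X-Identity-Status: Confirmed header that auth_token middleware sets; FakeKeystone and FakeGlance are constructed stand-ins for the real services so the example runs offline; the image properties "ad_enroll" and "ad_domain" are hypothetical.</p>

```python
"""Dynamic-vendordata backend: choose how its own outbound calls authenticate.

Added example, not nova's or any project's code. Assumed request shape:
nova POSTs JSON with "instance-id", "image-id", "project-id"; when a user
token was validated upstream, X-Auth-Token and X-Identity-Status: Confirmed
are forwarded. FakeKeystone / FakeGlance are constructed stand-ins.
"""
import json
import secrets


class FakeKeystone:
    """Constructed stand-in: password auth for service users, token validation."""

    def __init__(self, users):
        self._users = users          # {username: password}
        self.tokens = {}             # {token: username}

    def authenticate(self, user, password):
        if self._users.get(user) != password:
            raise PermissionError("401: bad service credentials")
        token = secrets.token_hex(16)
        self.tokens[token] = user
        return token

    def validate(self, token):
        return token in self.tokens


class FakeGlance:
    """Constructed stand-in: image metadata lookup that rejects bad tokens."""

    def __init__(self, keystone, images):
        self._ks = keystone
        self._images = images        # {image_id: {"properties": {...}}}

    def get_image(self, token, image_id):
        if not self._ks.validate(token):
            raise PermissionError("401: unauthenticated call to glance")
        return self._images[image_id]


class ServiceUserAuth:
    """Lazily obtains and caches a token for the dedicated service user."""

    def __init__(self, keystone, user, password):
        self._ks, self._user, self._password = keystone, user, password
        self._token = None

    def get_token(self):
        if self._token is None or not self._ks.validate(self._token):
            self._token = self._ks.authenticate(self._user, self._password)
        return self._token


def pick_token(headers, service_auth):
    """Reuse the caller's token only when auth_token middleware confirmed it.

    Requests arriving via 169.254.169.254 carry no credentials; for those,
    and for anything not marked Confirmed, fall back to the service user
    instead of calling glance/keystone unauthenticated.
    """
    if headers.get("X-Identity-Status") == "Confirmed" and headers.get("X-Auth-Token"):
        return headers["X-Auth-Token"], "caller"
    return service_auth.get_token(), "service-user"


def handle_vendordata_request(headers, body, service_auth, glance):
    """Build the vendor_data2.json fragment for one instance.

    Returns (vendordata, token_source). The token itself never reaches the
    response; only data derived from it does.
    """
    req = json.loads(body)
    for key in ("instance-id", "image-id", "project-id"):
        if key not in req:
            raise ValueError("missing %s in vendordata request" % key)
    token, source = pick_token(headers, service_auth)
    props = glance.get_image(token, req["image-id"]).get("properties", {})
    data = {"instance-id": req["instance-id"], "project-id": req["project-id"]}
    # Hand out enrolment material only to images flagged for it (hypothetical
    # properties "ad_enroll" / "ad_domain"); the OTP is minted per request.
    if props.get("ad_enroll") == "true":
        data["ad_join"] = {"domain": props["ad_domain"],
                           "otp": secrets.token_urlsafe(16)}
    return data, source


# Constructed sample deployment and request.
KEYSTONE = FakeKeystone({"vendordata-svc": "s3cret"})
GLANCE = FakeGlance(KEYSTONE, {
    "img-ad": {"properties": {"ad_enroll": "true", "ad_domain": "corp.example"}},
    "img-plain": {"properties": {}},
})
SERVICE_AUTH = ServiceUserAuth(KEYSTONE, "vendordata-svc", "s3cret")
INSTANCE_REQUEST = json.dumps({"instance-id": "i-1", "image-id": "img-ad",
                               "project-id": "p-1"})


def demo():
    """Unauthenticated (from-instance) path, then the confirmed-user path."""
    from_instance = handle_vendordata_request({}, INSTANCE_REQUEST, SERVICE_AUTH, GLANCE)
    user_token = KEYSTONE.authenticate("vendordata-svc", "s3cret")  # stands in for a user token
    with_user = handle_vendordata_request(
        {"X-Auth-Token": user_token, "X-Identity-Status": "Confirmed"},
        INSTANCE_REQUEST, SERVICE_AUTH, GLANCE)
    return from_instance, with_user


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

    <p>The check on X-Identity-Status matters: with delay_auth_decision enabled, auth_token middleware lets a request through but marks it Invalid rather than Confirmed, and an X-Auth-Token header on such a request must not be trusted. The service user should hold only the roles needed for the image, project and instance lookups the thread lists, so a compromised vendordata backend cannot do more than read that metadata.</p>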
  </body>
</html>