[openstack-dev] [quantum] RPC communication agent to quantum server
Gary Kotton
gkotton at redhat.com
Tue Feb 5 11:19:01 UTC 2013
On 02/05/2013 04:52 AM, Dan Wendlandt wrote:
>
> On Mon, Feb 4, 2013 at 8:02 AM, Ravi Chunduru <ravivsn at gmail.com> wrote:
>
> Thanks Gary.
>
> I feel RPC should use keystone authentication else it is a
> security concern.
>
>
> My understanding is that depending on your config, certain of the
> message bus services used by openstack projects for RPC support basic
> auth, but I was not aware of any that used keystone. Keystone is
> generally used for authenticating access to the openstack rest APIs,
> either by tenants, admins, or other services (e.g., nova calling
> quantum).
Dan, you are correct. Keystone is not used with the RPC.
If the RPC is a concern then there is a configuration option to set
this as encrypted. I have never tried it...
>
> Dan
>
>
>
> On Mon, Feb 4, 2013 at 4:06 AM, Gary Kotton <gkotton at redhat.com> wrote:
>
> On 02/03/2013 07:43 PM, Ravi Chunduru wrote:
>> Gary,
>> Thanks for the pointers on L3 agent.
>> Will there be a keystone authentication for l2 agents in Grizzly?
>
> No, for the agents using the RPC communication there is no
> keystone authentication. This is another channel of
> communication. It is similar to that in nova. Each of the
> modules is able to send one another messages.
>
>>
>> Thanks,
>> -Ravi
>>
>>
>> On Sun, Feb 3, 2013 at 7:19 AM, Gary Kotton <gkotton at redhat.com> wrote:
>>
>> On 02/02/2013 07:52 PM, Ravi Chunduru wrote:
>>> L3 agent uses Qclient to communicate with Quantum server
>>> while Plugin agents used RPC.
>>> I understand there is a BP for L3 agent to use RPC in
>>> coming days.
>>
>> Hi Ravi,
>> In Grizzly the L3 agent makes use of the RPC to interface
>> with the Quantum plugin. In Folsom the L3 agent makes use
>> of the Quantum client API to retrieve the l3 data.
>> Yes, there is keystone authentication. Can you please
>> look at:
>> https://github.com/openstack/quantum/blob/stable/folsom/quantum/agent/l3_agent.py#L120
>> This is via the parameters in the INI file:
>> https://github.com/openstack/quantum/blob/stable/folsom/etc/l3_agent.ini#L13
>>
>>
>>
>>>
>>> I was going through OVS agent code, found that it does
>>> not authenticate with keystone, which I feel is a
>>> security concern.
>>>
>>
>> The code that you are referring to is most probably for
>> the l2 agent interface.
>>
>>> self.rpc_context = context.RequestContext('quantum', 'quantum',
>>>                                            is_admin=False)
>>>
>>> auth token is not sent while creating context.
>>>
>>> Any considerations to do that way?
>>>
>>> Thanks,
>>>
>>> --
>>> Ravi
>>>
>>>
>>> _______________________________________________
>>> OpenStack-dev mailing list
>>> OpenStack-dev at lists.openstack.org <mailto:OpenStack-dev at lists.openstack.org>
>>> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
>>
>>
>>
>>
>> --
>> Ravi
>
>
>
>
> --
> Ravi
>
>
>
>
>
> --
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Dan Wendlandt
> Nicira, Inc: www.nicira.com <http://www.nicira.com>
> twitter: danwendlandt
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~
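
An added example, not part of the original thread or of the Quantum code base: since the agents' RPC channel is protected only by what the message bus offers (broker credentials, and optionally encryption), the sketch below audits a `quantum.conf`-style file for those settings. It assumes the RabbitMQ/kombu RPC driver and its option names `rabbit_userid`, `rabbit_password`, `rabbit_use_ssl` and `kombu_ssl_ca_certs`, which the thread does not name; the sample configurations and finding labels are constructed.

```python
import configparser

# Constructed sample: broker defaults left in place, no encryption.
SAMPLE_CONF = """
[DEFAULT]
rabbit_host = 192.0.2.10
rabbit_userid = guest
rabbit_password = guest
rabbit_use_ssl = False
"""

# Constructed sample: dedicated broker account, TLS with a CA bundle.
HARDENED_CONF = """
[DEFAULT]
rabbit_host = 192.0.2.10
rabbit_userid = quantum_rpc
rabbit_password = constructed-long-random-secret
rabbit_use_ssl = True
kombu_ssl_ca_certs = /etc/quantum/ssl/ca.pem
"""


def audit_rpc_transport(conf_text):
    """Return a list of findings for the message-bus options in [DEFAULT]."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    opts = parser["DEFAULT"]
    findings = []
    # Assumption: an unset user/password falls back to the broker's guest/guest.
    user = opts.get("rabbit_userid", "guest")
    password = opts.get("rabbit_password", "guest")
    if user == "guest" or password == "guest":
        findings.append("default-broker-credentials")
    # Assumption: encryption is off unless rabbit_use_ssl is set to true.
    if not opts.getboolean("rabbit_use_ssl", fallback=False):
        findings.append("rpc-not-encrypted")
    elif not opts.get("kombu_ssl_ca_certs"):
        # Assumption: without a CA bundle the broker certificate is not verified.
        findings.append("tls-without-ca-verification")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_rpc_transport(text))
```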