[openstack-dev] [nova][keystone] auth for new metadata plugins

Rob Crittenden rcritten at redhat.com
Mon Aug 15 21:10:54 UTC 2016


Review https://review.openstack.org/#/c/317739/ added a new dynamic 
metadata handler to nova. The basic jist is that rather than serving 
metadata statically, it can be done dyamically, so that certain values 
aren't provided until they are needed, mostly for security purposes 
(like credentials to enroll in an AD domain). The metadata is configured 
as URLs to a REST service.

Very little is passed into the REST call, mostly UUIDs of the instance, 
image, etc. to ensure a stable API. What this means though is that the 
REST service may need to make calls into nova or glance to get 
information, like looking up the image metadata in glance.

Currently the dynamic metadata handler _can_ generate auth headers if an 
authenticated request is made to it, but consider that a common use case 
is fetching metadata from within an instance using something like:

% curl http://169.254.169.254/openstack/2016-10-06/vendor_data2.json

This will come into the nova metadata service unauthenticated.

So a few questions:

1. Is it possible to configure paste (I'm a relative newbie) both 
authenticated and unauthenticated requests are accepted such that IF an 
authenticated request comes it, those credentials can be used, otherwise 
fall back to something else?

2. If an unauthenticated request comes in, how best to obtain a token to 
use? Is it best to create a service user for the REST services (perhaps 
several), use a shared user, something else?

I guess if config_drive is True then this isn't really a problem as the 
metadata will be there in the instance already.

thanks

rob



More information about the OpenStack-dev mailing list