[openstack-dev] [nova][keystone] auth for new metadata plugins
Michael Still
mikal at stillhq.com
Fri Sep 2 00:48:58 UTC 2016
On Thu, Sep 1, 2016 at 11:58 AM, Adam Young <ayoung at redhat.com> wrote:
> On 08/31/2016 07:56 AM, Michael Still wrote:
>
> There is a quick sketch of what a service account might look like at
> https://review.openstack.org/#/c/363606/ -- I need to do some more
> fiddling to get the new option group working, but I could do that if we
> wanted to try and get this into Newton.
>
> So, I don't think we need it. I think that doing an identity for the new
> node *in order* to register it with an IdP is backwards: register it, and
> use the identity from the IdP via Federation.
>
> Anything authenticated should be done from the metadata server or from
> Nova itself, based on the token used to launch the workflow.
>
I'm not sure we're on the same page here. The flows would be something like
this:
- Instance boot request
  - Initiating user token is available, and is passed through to the vendordata REST service
  - Metadata _might_ be generated, if the instance is using config drive
- Metadata request from within the instance (any use case not using config drive)
  - No user token, this is just cloud-init running on the instance, although it could be other client software too
  - We don't have a token to pass to the vendordata REST service, so we currently pass nothing, keystone middleware denies request
So, it's those post-boot requests from inside the instance that have me
concerned.
Michael
--
Rackspace Australia
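The two flows Michael lists, modelled as an added example that is not code from Nova, keystonemiddleware or the linked review. It is a constructed Python simulation: a toy token table stands in for keystone, `keystone_middleware` mimics the X-Auth-Token check that keystonemiddleware's auth_token filter performs, and the optional `service_token` argument stands in for the service-account option sketched in the review (the names `Request`, `fetch_vendordata`, `VALID_TOKENS` and `REQUIRED_SERVICE_ROLE` are assumptions for this example). It shows why the post-boot request is denied today, and what the vendordata service still has to check if a service account is used instead of the user's token.

```python
"""Constructed model of the boot-time and post-boot vendordata flows.

Not Nova or keystonemiddleware code; the token table and role names are
sample data made up for this example.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Sample tokens a toy keystone would validate (constructed).
VALID_TOKENS: Dict[str, dict] = {
    "user-tok-123": {"kind": "user", "project": "proj-a", "roles": ["member"]},
    "svc-tok-nova": {"kind": "service", "project": "service", "roles": ["service"]},
    "svc-tok-weak": {"kind": "service", "project": "service", "roles": ["member"]},
}

# Role a service token must carry before the vendordata service will act on it
# (least privilege: a leaked ordinary user token must not unlock this path).
REQUIRED_SERVICE_ROLE = "service"


@dataclass
class Request:
    """A metadata request as seen by the metadata server / nova."""
    source: str                    # "boot": nova has the initiating user's token
                                   # "instance": cloud-init inside the guest, no token
    instance_project: str          # project nova knows the instance belongs to
    user_token: Optional[str] = None


def keystone_middleware(headers: Dict[str, str]) -> Tuple[Optional[dict], int]:
    """Mimic keystonemiddleware.auth_token: 401 unless X-Auth-Token validates."""
    token = headers.get("X-Auth-Token")
    if token is None:
        return None, 401           # the current post-boot case: nothing to validate
    info = VALID_TOKENS.get(token)
    if info is None:
        return None, 401
    return info, 200


def build_vendordata_headers(req: Request, service_token: Optional[str]) -> Dict[str, str]:
    """What the metadata server forwards to the vendordata REST service."""
    headers: Dict[str, str] = {}
    if req.user_token is not None:
        headers["X-Auth-Token"] = req.user_token      # boot flow: pass user token through
    elif service_token is not None:
        headers["X-Auth-Token"] = service_token       # service-account option (review sketch)
    # instance flow without a service account: no token at all
    return headers


def fetch_vendordata(req: Request, service_token: Optional[str] = None) -> dict:
    """Run one request through the middleware and the vendordata service."""
    headers = build_vendordata_headers(req, service_token)
    info, status = keystone_middleware(headers)
    if status != 200:
        return {"status": status, "body": None}

    if info["kind"] == "service":
        # The token identifies nova, not the tenant, so the tenant comes from
        # nova's own instance record; the token must also carry the service role.
        if REQUIRED_SERVICE_ROLE not in info["roles"]:
            return {"status": 403, "body": None}
        project = req.instance_project
    else:
        project = info["project"]

    return {"status": 200, "body": {"auth_kind": info["kind"], "project": project}}


if __name__ == "__main__":
    boot = Request(source="boot", instance_project="proj-a", user_token="user-tok-123")
    post_boot = Request(source="instance", instance_project="proj-a")
    print("boot:", fetch_vendordata(boot))
    print("post-boot, no service account:", fetch_vendordata(post_boot))
    print("post-boot, service account:", fetch_vendordata(post_boot, "svc-tok-nova"))
```

Running it prints a 200 for the boot flow, a 401 for the post-boot flow as it stands today, and a 200 with `auth_kind: service` once a service token is supplied; a service token that lacks the service role is refused with 403 rather than being treated as a tenant identity.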