Auth_token is the middleware piece in OpenStack responsible for validating tokens and passing authentication and authorization information down to the services. It has been a long time complaint of those wishing to move to the V3 identity API that auth_token only supported the v2 API for authentication.
Then auth_token middleware adopted authentication plugins and the people rejoiced!
Or it went by almost completely unnoticed. Auth is not an area people like to mess with once it’s working and people are still coming to terms with configuring via plugins.
The benefit of authentication plugins is that it allows you to use any plugin you like for authentication - including the v3 plugins. A downside is that being able to load any plugin means that there isn’t the same set of default options present in the sample config files that would indicate the new options available for setting. Particularly as we have to keep the old options around for compatibility.
The most common configuration I expect for v3 authentication with auth_token middleware is:
1 2 3 4 5 6 7 8 9 10 11 |
|
The password
plugin will query the auth_url
for supported API versions and then use either v2 or v3 auth depending on what parameters you’ve specified.
If you want to save a round trip (once on startup) you can use the v3password
plugin which takes the same parameters but requires a V3 URL to be specified in auth_url
.
An unfortunate thing we’ve noticed from this is that there is going to be some confusion as most plugins present an auth_url
parameter (used by the plugin to know where to authenticate the service user) along with the existing auth_uri
parameter (reported in the headers of 403 responses to tell users where to authenticate).
This is a known issue we need to address and will likely result in changing the name of the auth_uri
parameter as the concept of an auth_url
is used by all existing clients and plugins.
For further proof that this works as expected checkout devstack which has been operating this way for a couple of weeks.
NOTE: Support for authentication plugins was released in keystonemiddleware 1.3.0 released 2014-12-18.