Available authentication services in MidoNet

The MidoNet Cluster package includes two authentication providers: Keystone authentication and mock authentication. You can select the current authentication provider by modifying the value of the cluster.auth.provider_class key using mn-conf to one of the following values:

 

Table 2.1. Authentication Provider Classes

ClassDescription

org.midonet.cluster.auth.keystone.KeystoneService

Uses external Keystone identity service, version 2 or version 3.

org.midonet.cluster.auth.MockAuthService

Disables authentication.


This section describes the Keystone authentication service, the mock authentication and some additional configurations options specific to each provider.

 Keystone authentication

In order to use the OpenStack Keystone authentication service with MidoNet, you must configure the KeystoneService provider class:

echo "cluster.auth.provider_class : org.midonet.cluster.auth.keystone.KeystoneService" | mn-conf set -t default
[Note]Note

MidoNet version 5.0.2 introduced support for Keystone version 3, and a new authentication provider class org.midonet.cluster.auth.keystone.KeystoneService, which replaces the previous org.midonet.cluster.auth.keystone.v2_0.KeystoneService. However, the legacy provider is kept for compatibility reasons and provides the same capabilities as the new Keystone authentication provider, supporting both Keystone version 2 and 3.

[Important]Important

Since MidoNet version 5.0.2, the default Keystone authentication is Keystone version 3. If you are upgrading from a previous MidoNet version, you must modify the Keystone configuration in order to continue using Keystone version 2. See the section called “Enabling Keystone authentication”.

[Important]Important

You must restart all MidoNet Cluster instances after changing the authentication provider.

To enable Keystone authentication, you must configure the MidoNet cluster with the credentials of an administrative user. The cluster uses this credentials to authenticate third-party requests to the MidoNet API. MidoNet supports two Keystone authentication methods:

  • Password authentication, where you configure the user name and password credentials of an administrative user.
  • Token authentication, where you configure the administrative token used by Keystone.
[Important]Important

The token authentication takes precedence over the password authentication.

For additional Keystone configuration options, see the section called “Enabling Keystone authentication”

 Mock authentication

Mock authentication disables the authentication system by returning fake tokens to authenticating clients, and ignoring the sent tokens during authorization. To enable the mock authentication configure the MockAuthService provider class.

echo "cluster.auth.provider_class : org.midonet.cluster.auth.MockAuthService" | mn-conf set -t default
[Warning]Warning

Mock authentication is the default authentication provider for the MidoNet Cluster. However, this mode is used for testing purposes but should not be used in production.

Questions? Discuss on Mailing Lists or Chat.
Found an error? Report a bug.


loading table of contents...