Using the Keystone authentication service

This section explains how to use the Keystone authentication service with MidoNet.

 Enabling Keystone authentication

In order to use the OpenStack Keystone authentication service with MidoNet, you must configure the following keys in the MidoNet configuration.

 cluster.auth.provider_class

The fully qualified path of the Java class that provides the Keystone authentication service.

org.midonet.cluster.auth.keystone.KeystoneService
[Note]Note

Since MidoNet version 5.0.2, the legacy authentication provider org.midonet.cluster.auth.keystone.v2_0.KeystoneService is available for compatibility reasons, but it provides the same capabilities as the new provider, supporting both Keystone version 2 and 3. The default Keystone version is 3.

 cluster.auth.admin_role

Identifies the name of the admin role in MidoNet. The admin has read and write access to all the resources. We recommend re-using the OpenStack admin role. Optionally you can create a separate admin role for MidoNet.

 cluster.auth.keystone.version

The version of the Keystone API. The following values are allowed:

 

Table 2.2. Keystone Version

VersionDescription

2

Uses the Keystone version 2 API.

3

Uses the Keystone version 3 API (default).


 cluster.auth.keystone.protocol

Identifies the protocol used for the Keystone service. The following values are allowed:

 

Table 2.3. Keystone Protocol

ClassDescription

http

Uses plain text HTTP to communicate with the Keystone service (default).

https

Uses encrypted HTTPS to communicate with the Keystone service (recommended).


 cluster.auth.keystone.host

Identifies the host of the Keystone service (default is localhost).

 cluster.auth.keystone.port

Identifies the port number of the Keystone service (default is 35357).

 cluster.auth.keystone.user_name

The user name to authenticate with Keystone when using password authentication.

 cluster.auth.keystone.user_password

The password to authenticate with Keystone when using password authentication.

 cluster.auth.keystone.admin_token

The administrative token to authenticate with Keystone when using token authentication.

 cluster.auth.keystone.tenant_name

Specifies the name of the tenant that is used when logging into Keystone. The log-in authentication to Keystone requires the username, password, and tenant name of the user. By specifying the tenant name here, you can avoid the need for applications to supply the tenant name when logging into Keystone through the MidoNet API.

 cluster.auth.keystone.domain_name

For Keystone version 3, specifies the name of the domain that is used when logging in to Keystone.

 Disabling Keystone authentication

MidoNet lets you disable authentication by using a mock authentication service.

Using this service has the effect that no outside authentication service is used. Instead, MidoNet will return fake tokens to the authenticating clients. Likewise, the provider will ignore any tokens sent by the client when authorizing an API request.

To use the mock authentication service, you must configure the following keys in the MidoNet configuration.

 cluster.auth.provider_class

The fully qualified path of the Java class that provides the mock authentication service.

org.midonet.cluster.auth.MockAuthService
Questions? Discuss on Mailing Lists or Chat.
Found an error? Report a bug.


loading table of contents...