{ "info": { "author": "Gorka Eguileor", "author_email": "gorka@eguileor.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 2 - Pre-Alpha", "Intended Audience :: Developers", "License :: OSI Approved :: Apache Software License", "Natural Language :: English", "Programming Language :: Python :: 2", "Programming Language :: Python :: 2.6", "Programming Language :: Python :: 2.7", "Programming Language :: Python :: 3", "Programming Language :: Python :: 3.3", "Programming Language :: Python :: 3.4", "Programming Language :: Python :: 3.5" ], "description": "Cinder Authentications\n===============================\n\n\n\n.. image:: https://img.shields.io/pypi/v/cinder_auths.svg\n :target: https://pypi.python.org/pypi/cinder_auths\n\n.. image:: https://img.shields.io/travis/akrog/cinder_auths.svg\n :target: https://travis-ci.org/akrog/cinder_auths\n\n.. image:: https://readthedocs.org/projects/cinder-auths/badge/?version=latest\n :target: https://cinder-auths.readthedocs.io/en/latest/?badge=latest\n :alt: Documentation Status\n\n.. image:: https://img.shields.io/pypi/pyversions/cinder_auths.svg\n :target: https://pypi.python.org/pypi/cinder_auths\n\n.. image:: https://pyup.io/repos/github/akrog/cinder_auths/shield.svg\n :target: https://pyup.io/repos/github/akrog/cinder_auths/\n :alt: Updates\n\n.. image:: https://img.shields.io/:license-apache-blue.svg\n :target: http://www.apache.org/licenses/LICENSE-2.0\n\n\nCinder Authentication Examples\n\n* Free software: Apache Software License 2.0\n* Documentation: https://cinder-auths.readthedocs.io.\n\nThis repository is just meant as an example of the basic mechanism of Cinder\nAuthentication, how we can create custom plugins, and what are the current\nlimitations in Cinder in this regard and how to work around them.\n\nIn this repository there are 2 examples implemented:\n\n* Plain Passwords: Authenticate using plain passwords.\n* OTP: Authenticate usingone time passwords.\n\nCinder, and most if not all OpenStack projects, use Paste Deployment (a system\nfor finding and configuring WSGI applications and servers) as well as WebOb\n(WSGI request and response objects) on the API services, that is where the\nauthentication and authorization occurs.\n\nThis means that to create a custom Authentication mechanism we'll need to make\nthe API service receive the authentication parameters -user, project,\ntoken/password- from the client and do the authentication. Due to the nature\nof the Cinder architecture all internal communications between Cinder services\nare considered secure and will not perform any additional validations and the\nuser and project present in the request's context will be considered truthful.\n\nThe steps to create a custom authenticator is:\n\n1- Create a filter factory (library)\n2- Install the authentication library\n3- Add the pipelines to Cinder's api-paste configuration\n4- Configure cinder to use this newly created authentication\n5- Restart the Cinder-API services\n\n\nCreating a filter factory\n-------------------------\n\nThis repository creates 2 simple filter factories:\n\n- cinder_auths.plain_pwd_factory: Also accessible as\n cinder_auths.cinder_auths.BaseAuthFilter.factory\n- cinder_auths.otp_factory: Also accessible as\n cinder_auths.cinder_auths.OTPAuthFilter.factory\n\nTo illustrate the different mechanisms that can be used to configure these\nplugins, and not because it makes sense from an engineering perspective, we\nhave added 2 configuration parameters and one of them can be configure in 2\ndifferent ways.\n\nThe 2 ways we can use to pass configuration parameters are via api-paste\nconfiguration file (/etc/cinder/api-paste.ini) and via cinder configuration\nfile (/etc/cinder/cinder.conf).\n\nOf the two configuration parameters we have added the first and mandatory one\nis the list of authorized users which are defined in the api-paste.ini file\nunder the name `passwords` in the filter.\n\nThis parameters is a list of space separated tuples in the form of\nUser:Project:Password.\n\nThe second configuration parameter is optional and allows us to define the\npassword of an admin user, since all other users will be non-admin.\n\nThis configuration option can be configured in the api-paste file using the\n`admin_password` parameter or the cinder conf using the same name under the\n`[DEFAULT]` section. If both of them are defined the one in the api-paste file\ntakes precedence.\n\nIf this configuration option is defined, and it's not empty, the code will\nautomatically add an admin user in the admin project.\n\nThe clients will use the `X-Auth-Token` header to provide the user, project,\nand password using the `:` separator: `user:project:password`.\n\n\n\nInstalling the library\n----------------------\n\nWe can install this directly using `sudo pip install cinder_auths`.\n\n\n\nAdding api-paste pipelines\n--------------------------\n\nWe have to edit the file /etc/cinder/api-paste.ini file to add the filter we\nwant to use together with its configuration as well as creating a pipeline for\nthis authenticator on each of the different API versions we currently have.\n\nThis means that we have to add to `[composite:openstack_volume_api_v1]` one\nline with `plain_pwd = cors http_proxy_to_wsgi request_id faultwrap sizelimit\nosprofiler plain_pwd apiv1`, to `[composite:openstack_volume_api_v2]` the line\n`plain_pwd = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler\nplain_pwd apiv2`, and to `[composite:openstack_volume_api_v3]` the line\n`plain_pwd = cors http_proxy_to_wsgi request_id faultwrap sizelimit osprofiler\nplain_pwd apiv3`. All these are a copy of the respective `noauth` pipelines\nreplacing noauth with `plain_pwd`.\n\nThen we add the `plain_pwd` filter with the desired configuration::\n\n [filter:plain_pwd]\n paste.filter_factory = cinder_auths:plain_pwd_factory\n passwords = user1:project1:password1 user2:project2:password2\n admin_password = geguileo\n\n\n\nCinder configuration\n--------------------\n\nHere we need to configure the `auth_strategy` we want Cinder to use under the\n`[DEFAULT]` group. This configuration option defaults to `keystone`, so we'll\nhave to set it to `plain_pwd` which is the pipeline name we have added, the\nname of the filter is irrelevant even if in this case we have used the same\nname.\n\nWe can also add the `admin_password` option under `[DEFAULT]` if we didn't do\nit in the api-paste configuration file.\n\nAnd here's were we find a problem with the existing Cinder code, because right\nnow it only accepts 2 names `keystone` and `noauth`, so we can't really set\n`auth_strategy = palin_pwd` without changing the code.\n\nSo the solutions we have right now, until we change Cinder, are:\n\n- Replace the `noauth` filter with our `plain_pwd` configuration and configure\n cinder with `auth_strategy = noauth`.\n- Manually change the cinder code in `/usr/lib/python2.7/site-packages/cinder/\n common/config.py` and replace `choices=['noauth', 'keystone'],` with\n `choices=['noauth', 'keystone', 'plain_pwd', 'otp'],`.\n\n\n\nTesting it\n----------\n\nOnce we have restarted the Cinder-API service we can just list volumes with::\n\n $ curl -i http://192.168.121.165:8776/v3/admin/volumes/detail -H \"Accept: application/json\" -H \"X-Auth-Token: admin:admin:geguileo\"\n\nThe URL may be different depending on which version of openstack you are using.\n\n\n=======\nHistory\n=======\n\n0.1.0 (2017-10-06)\n------------------\n\n* First release on PyPI.\n", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/akrog/cinder_auths", "keywords": "cinder_auths", "license": "Apache Software License 2.0", "maintainer": "", "maintainer_email": "", "name": "cinder_auths", "package_url": "https://pypi.org/project/cinder_auths/", "platform": "", "project_url": "https://pypi.org/project/cinder_auths/", "project_urls": { "Homepage": "https://github.com/akrog/cinder_auths" }, "release_url": "https://pypi.org/project/cinder_auths/0.1.1/", "requires_dist": null, "requires_python": "", "summary": "Cinder Authentication Examples", "version": "0.1.1" }, "last_serial": 3230811, "releases": { "0.1.0": [ { "comment_text": "", "digests": { "md5": "ec489099c3e507f886d8916292f535b5", "sha256": "7339030759d28a329aecc77a08d9a253b6808750403b820bc7709beabb40c2ad" }, "downloads": -1, "filename": "cinder_auths-0.1.0.tar.gz", "has_sig": false, "md5_digest": "ec489099c3e507f886d8916292f535b5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16519, "upload_time": "2017-10-06T15:15:04", "url": "https://files.pythonhosted.org/packages/a2/08/13d2716f576f60b28cda9651f35b4837765a8638a757371d43ec77548a11/cinder_auths-0.1.0.tar.gz" } ], "0.1.1": [ { "comment_text": "", "digests": { "md5": "42928a7cd7996abe885dd61785363d81", "sha256": "e5b47cb39598c2ca7e59994a92db1287e5551a7e4835340e39a5f54cccbcd55a" }, "downloads": -1, "filename": "cinder_auths-0.1.1-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "42928a7cd7996abe885dd61785363d81", "packagetype": "bdist_wheel", "python_version": "2.7", "requires_python": null, "size": 9326, "upload_time": "2017-10-06T15:29:29", "url": "https://files.pythonhosted.org/packages/7d/28/b35645a483c7d15a34d9cd92ed0a890b99420f5bbc62fcb2d8fcb50f1db2/cinder_auths-0.1.1-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "9654752be18457b2c02a210cec2361e1", "sha256": "5245496b15bb95345fcb38df7db3baaea5879196cd149f95193408b575e7d98a" }, "downloads": -1, "filename": "cinder_auths-0.1.1.tar.gz", "has_sig": false, "md5_digest": "9654752be18457b2c02a210cec2361e1", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16384, "upload_time": "2017-10-06T15:29:26", "url": "https://files.pythonhosted.org/packages/e9/e3/22cca25e59c0f00d83b7e0f1c3279d300e6e0e0fd490650c76ead1348e0a/cinder_auths-0.1.1.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "42928a7cd7996abe885dd61785363d81", "sha256": "e5b47cb39598c2ca7e59994a92db1287e5551a7e4835340e39a5f54cccbcd55a" }, "downloads": -1, "filename": "cinder_auths-0.1.1-py2.py3-none-any.whl", "has_sig": false, "md5_digest": "42928a7cd7996abe885dd61785363d81", "packagetype": "bdist_wheel", "python_version": "2.7", "requires_python": null, "size": 9326, "upload_time": "2017-10-06T15:29:29", "url": "https://files.pythonhosted.org/packages/7d/28/b35645a483c7d15a34d9cd92ed0a890b99420f5bbc62fcb2d8fcb50f1db2/cinder_auths-0.1.1-py2.py3-none-any.whl" }, { "comment_text": "", "digests": { "md5": "9654752be18457b2c02a210cec2361e1", "sha256": "5245496b15bb95345fcb38df7db3baaea5879196cd149f95193408b575e7d98a" }, "downloads": -1, "filename": "cinder_auths-0.1.1.tar.gz", "has_sig": false, "md5_digest": "9654752be18457b2c02a210cec2361e1", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 16384, "upload_time": "2017-10-06T15:29:26", "url": "https://files.pythonhosted.org/packages/e9/e3/22cca25e59c0f00d83b7e0f1c3279d300e6e0e0fd490650c76ead1348e0a/cinder_auths-0.1.1.tar.gz" } ] }