ironic/releasenotes/notes/http-basic-auth-f8c0536eba989918.yaml
Steve Baker c6112b01c3 Enable Basic HTTP authentication middleware
When the config option ``auth_strategy`` is set to ``http_basic`` then
non-public API calls require a valid HTTP Basic authentication header
to be set. The config option ``http_basic_auth_user_file`` defaults to
``/etc/ironic/htpasswd`` and points to a file which supports the
Apache htpasswd syntax[1]. This file is read for every request, so no
service restart is required when changes are made.

The only password digest supported is bcrypt, and the ``bcrypt``
python library is used for password checks since it supports ``$2y$``
prefixed bcrypt passwords as generated by the Apache htpasswd utility.

To try HTTP basic authentication, the following can be done:

* Set ``/etc/ironic/ironic.conf`` ``DEFAULT`` ``auth_strategy`` to ``http_basic``
* Populate the htpasswd file with entries, for example:
  ``htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd``
* Make basic authenticated HTTP requests, for example:
  ``curl --user myName:myPassword http://localhost:6385/v1/drivers``

[1] https://httpd.apache.org/docs/current/misc/password_encryptions.html

Change-Id: I7b89155d8bbd2f48e186c12adea9d6932cd0bfe2
Story: 2007656
Task: 39825
Depends-On: https://review.opendev.org/729070
2020-06-05 01:15:08 +12:00

---
features:
  - |
    Enable Basic HTTP authentication middleware.

    Having noauth as the only option for standalone ironic causes constraints
    on how the API is exposed on the network. Having some kind of
    authentication layer behind a TLS deployment eases these constraints.

    When the config option ``auth_strategy`` is set to ``http_basic`` then
    non-public API calls require a valid HTTP Basic authentication header to
    be set. The config option ``http_basic_auth_user_file`` defaults to
    ``/etc/ironic/htpasswd`` and points to a file which supports the Apache
    htpasswd syntax[1]. This file is read for every request, so no service
    restart is required when changes are made.

    Like the ``noauth`` auth strategy, the ``http_basic`` auth strategy is
    intended for standalone deployments of ironic, and integration with other
    OpenStack services cannot depend on a service catalog.

    The only password digest supported is bcrypt, and the ``bcrypt`` python
    library is used for password checks since it supports ``$2y$`` prefixed
    bcrypt passwords as generated by the Apache htpasswd utility.

    To try HTTP basic authentication, the following can be done:

    * Set ``/etc/ironic/ironic.conf`` ``DEFAULT`` ``auth_strategy`` to
      ``http_basic``
    * Populate the htpasswd file with entries, for example:
      ``htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd``
    * Make basic authenticated HTTP requests, for example:
      ``curl --user myName:myPassword http://localhost:6385/v1/drivers``

    [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
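The check the release note describes, as an added example in Python: parse the ``Authorization: Basic`` header, look the user up in a file in Apache htpasswd syntax, accept only bcrypt entries (including the ``$2y$`` prefix that ``htpasswd -B`` writes) and verify them with the ``bcrypt`` library. This is not ironic's middleware; the function names (``parse_htpasswd``, ``parse_basic_header``, ``check_request``) and the sample file contents are assumed, and the ``bcrypt`` package is needed only for the final verification step.

```python
# Added example, not ironic's own code. Assumed helper names throughout.
import base64
import binascii

# Prefixes the bcrypt library accepts; $2y$ is what Apache htpasswd -B produces.
BCRYPT_PREFIXES = ("$2a$", "$2b$", "$2y$")


def parse_htpasswd(text):
    """Parse Apache htpasswd syntax: one 'user:hash' per line, '#' comments allowed."""
    users = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, sep, hashed = line.partition(":")
        if sep and user:
            users[user] = hashed
    return users


def load_users(path):
    """Re-read the file on every call, which is why no restart is needed after edits."""
    with open(path, encoding="utf-8") as fh:
        return parse_htpasswd(fh.read())


def parse_basic_header(value):
    """Return (user, password) from an 'Authorization: Basic ...' value, or None."""
    if not value:
        return None
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")  # password may itself contain ':'
    if not sep:
        return None
    return user, password


def verify_bcrypt(password, hashed):
    """bcrypt.checkpw does a constant-time compare and understands $2y$ hashes."""
    import bcrypt  # lazy import: only the verification step needs the library
    try:
        return bcrypt.checkpw(password.encode("utf-8"), hashed.encode("utf-8"))
    except ValueError:  # bcrypt prefix present but the stored string is not a valid hash
        return False


def check_request(auth_header, users):
    """Return 'ok', or a reason string describing why the request is denied."""
    creds = parse_basic_header(auth_header)
    if creds is None:
        return "missing or malformed Authorization header"
    user, password = creds
    hashed = users.get(user)
    if hashed is None:
        return "unknown user"
    if not hashed.startswith(BCRYPT_PREFIXES):
        # Only bcrypt is supported: $apr1$ (MD5), {SHA} and crypt() entries are refused.
        return "unsupported password digest"
    if not verify_bcrypt(password, hashed):
        return "bad password"
    return "ok"


def basic_header(user, password):
    """Build the header value that 'curl --user user:password' sends."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    import bcrypt
    # Equivalent of: htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd
    entry = "myName:" + bcrypt.hashpw(b"myPassword", bcrypt.gensalt()).decode("ascii")
    # Constructed sample file: one bcrypt user plus a legacy MD5 ($apr1$) entry.
    users = parse_htpasswd(entry + "\nlegacy:$apr1$saltsalt$constructedplaceholder\n")
    print(check_request(basic_header("myName", "myPassword"), users))
    print(check_request(basic_header("myName", "wrong"), users))
    print(check_request(basic_header("legacy", "x"), users))
    print(check_request(None, users))
```

The digest check runs before any bcrypt work, so a non-bcrypt entry is refused rather than silently failing; the reason strings are for logging on the server side and should not be echoed verbatim to the client, which would otherwise learn which user names exist.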