c6112b01c3
When the config option ``auth_strategy`` is set to ``http_basic`` then non-public API calls require a valid HTTP Basic authentication header to be set. The config option ``http_basic_auth_user_file`` defaults to ``/etc/ironic/htpasswd`` and points to a file which supports the Apache htpasswd syntax[1]. This file is read for every request, so no service restart is required when changes are made.

The only password digest supported is bcrypt, and the ``bcrypt`` python library is used for password checks since it supports ``$2y$`` prefixed bcrypt passwords as generated by the Apache htpasswd utility.

To try HTTP basic authentication, the following can be done:

* Set ``/etc/ironic/ironic.conf`` ``DEFAULT`` ``auth_strategy`` to ``http_basic``
* Populate the htpasswd file with entries, for example: ``htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd``
* Make basic authenticated HTTP requests, for example: ``curl --user myName:myPassword http://localhost:6385/v1/drivers``

[1] https://httpd.apache.org/docs/current/misc/password_encryptions.html

Change-Id: I7b89155d8bbd2f48e186c12adea9d6932cd0bfe2
Story: 2007656
Task: 39825
Depends-On: https://review.opendev.org/729070
33 lines
1.6 KiB
YAML
---
features:
  - |
    Enable Basic HTTP authentication middleware.

    Having noauth as the only option for standalone ironic causes constraints
    on how the API is exposed on the network. Having some kind of
    authentication layer behind a TLS deployment eases these constraints.

    When the config option ``auth_strategy`` is set to ``http_basic`` then
    non-public API calls require a valid HTTP Basic authentication header to
    be set. The config option ``http_basic_auth_user_file`` defaults to
    ``/etc/ironic/htpasswd`` and points to a file which supports the Apache
    htpasswd syntax[1]. This file is read for every request, so no service
    restart is required when changes are made.

    Like the ``noauth`` auth strategy, the ``http_basic`` auth strategy is
    intended for standalone deployments of ironic, and integration with other
    OpenStack services cannot depend on a service catalog.

    The only password digest supported is bcrypt, and the ``bcrypt`` python
    library is used for password checks since it supports ``$2y$`` prefixed
    bcrypt passwords as generated by the Apache htpasswd utility.

    To try HTTP basic authentication, the following can be done:

    * Set ``/etc/ironic/ironic.conf`` ``DEFAULT`` ``auth_strategy`` to
      ``http_basic``
    * Populate the htpasswd file with entries, for example:
      ``htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd``
    * Make basic authenticated HTTP requests, for example:
      ``curl --user myName:myPassword http://localhost:6385/v1/drivers``

    [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
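The check the release note describes, sketched as an added example (not ironic's own middleware code): parse the Basic header, re-read the htpasswd file on each call, refuse any digest that is not bcrypt, and only then call the ``bcrypt`` library. The names `parse_basic_header`, `lookup_digest`, `authenticate` and `BCRYPT_PREFIXES` are hypothetical, and accepting `$2a$`/`$2b$` alongside `$2y$` is an assumption.

```python
import base64

# Assumption: bcrypt variants to accept; the release note names only $2y$.
BCRYPT_PREFIXES = ("$2y$", "$2a$", "$2b$")

def parse_basic_header(header):
    """Return (user, password) from an Authorization header value, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and undecodable bytes
        return None
    # Split on the first colon only: passwords may themselves contain ':'.
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None

def lookup_digest(htpasswd_text, user):
    """Return the stored digest for user from htpasswd-format text, or None."""
    for line in htpasswd_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        name, digest = line.split(":", 1)
        if name == user:
            return digest
    return None

def _bcrypt_check(password, digest):
    import bcrypt  # third-party library named in the release note
    return bcrypt.checkpw(password.encode("utf-8"), digest.encode("utf-8"))

def authenticate(header, htpasswd_path, check=_bcrypt_check):
    """True only for a well-formed header matching a bcrypt entry in the file."""
    creds = parse_basic_header(header)
    if creds is None:
        return False
    # Opened on every call, so edits to the file apply without a restart.
    with open(htpasswd_path, encoding="utf-8") as f:
        digest = lookup_digest(f.read(), creds[0])
    # Unknown user, or a non-bcrypt digest such as $apr1$ or {SHA}: reject.
    if digest is None or not digest.startswith(BCRYPT_PREFIXES):
        return False
    try:
        return bool(check(creds[1], digest))
    except ValueError:  # malformed bcrypt string in the file
        return False
```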