openstack/ironic
Code Issues Proposed changes
ironic/doc/source/admin/user-image-basic-auth.rst
Adam Rozman 3ea4bb234c implement basic-auth support for user image download process 
This feature was proposed in https://bugs.launchpad.net/ironic-python-agent/+bug/2021947

Change-Id: I70733fbf6b06c4e99888c6c38212e578c65ef92f
Signed-off-by: Adam Rozman <adam.rozman@est.tech>
2023-11-13 15:37:27 +02:00

2.2 KiB
Raw Blame History

HTTP(s) Authentication strategy for user image servers

How to enable the feature via global configuration options

There are 3 variables that could be used to manage image server authentication strategy. The 3 variables are structured such a way that 1 of them image_server_auth_strategy (string) provides the option to specify the desired authentication strategy. Currently the only supported authentication strategy is http_basic that represents the HTTP(S) Basic Authentication also known as the RFC 7616 internet standard.

The other two variables image_server_password and image_server_user provide username and password credentials for any authentication strategy that requires username and credentials to enable the authentication during image download processes. image_server_auth_strategy not just enables the feature but enforces checks on the values of the 2 related credentials. Currently only the http_basic strategy is utilizing the image_server_password and image_server_user variables.

When a authentication strategy is selected against the user image server an exception will be raised in case any of the credentials are None or an empty string. The variables belong to the deploy configuration group and could be configured via the global Ironic configuration file.

The authentication strategy configuration affects the download process for disk images, live ISO images and the deploy images.

Example

Example of activating the http-basic strategy via /etc/ironic/ironic.conf:

[deploy]
...
image_server_auth_strategy = http_basic
image_server_user = username
image_server_password = password
...

Known limitations

This implementation of the authentication strategy for user image handling is implemented via the global Ironic configuration process thus it doesn't provide node specific customization options.

When image_server_auth_strategy is set to any valid value all image sources will be treated with the same authentication strategy and Ironic will use the same credentials against all sources.