15079e3c9c
Change-Id: I14ac07661b8741684dcf77ced9e782b57c947d79
35 lines
1.6 KiB
YAML
---
features:
  - |
    Enable Basic HTTP authentication middleware.

    Having ``noauth`` as the only option for standalone ironic causes constraints
    on how the API is exposed on the network. Having some kind of
    authentication layer behind a TLS deployment eases these constraints.

    When the config option ``auth_strategy`` is set to ``http_basic`` then
    non-public API calls require a valid HTTP Basic authentication header to
    be set. The config option ``http_basic_auth_user_file`` defaults to
    ``/etc/ironic/htpasswd`` and points to a file which supports the Apache
    htpasswd syntax[1]. This file is read for every request, so no service
    restart is required when changes are made.

    Like the ``noauth`` auth strategy, the ``http_basic`` auth strategy is
    intended for standalone deployments of ironic, and integration with other
    OpenStack services cannot depend on a service catalog.

    The only password digest supported is bcrypt, and the ``bcrypt`` Python
    library is used for password checks since it supports ``$2y$`` prefixed
    bcrypt passwords as generated by the Apache htpasswd utility.

    To try HTTP basic authentication, the following can be done:

    * Set ``/etc/ironic/ironic.conf`` ``DEFAULT`` ``auth_strategy`` to
      ``http_basic``
    * Populate the htpasswd file with entries, for example:
      ``htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd``
    * Make basic authenticated HTTP requests, for example:
      ``curl --user myName:myPassword http://localhost:6385/v1/drivers``

    [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
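Added example, not part of the ironic release note or code base: a standard-library Python check an operator could run over the htpasswd file before setting ``auth_strategy`` to ``http_basic``, flagging entries that are not bcrypt, since bcrypt is the only digest the note says is supported. The ``audit_htpasswd`` name, the acceptance of ``$2a$``/``$2b$`` alongside ``$2y$``, the cost floor of 10 and the sample entries are assumptions constructed for illustration.

```python
import re

# bcrypt digest: $2a$/$2b$/$2y$ prefix, two-digit cost, 53 chars of salt+hash.
# Accepting $2a$ and $2b$ as well as $2y$ is an assumption of this example.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")
MIN_COST = 10  # assumed local policy floor, not an ironic setting


def audit_htpasswd(text, min_cost=MIN_COST):
    """Return (line_no, user, problem) tuples for entries needing attention."""
    findings, seen = [], set()
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user:
            findings.append((line_no, user, "malformed, expected user:digest"))
            continue
        if user in seen:
            findings.append((line_no, user, "duplicate user"))
        seen.add(user)
        match = BCRYPT_RE.match(digest)
        if match is None:
            kind = ("apr1 MD5" if digest.startswith("$apr1$")
                    else "SHA-1" if digest.startswith("{SHA}")
                    else "crypt or plain text")
            findings.append((line_no, user, f"not bcrypt ({kind})"))
        elif int(match.group(1)) < min_cost:
            cost = int(match.group(1))
            findings.append((line_no, user, f"bcrypt cost {cost} below {min_cost}"))
    return findings


FILLER = "x" * 53  # constructed filler, not a real salt+hash
SAMPLE = "\n".join([  # constructed htpasswd content
    "alice:$2y$12$" + FILLER,
    "bob:$apr1$constructed$notarealdigest",
    "carol:{SHA}constructedNotARealDigest=",
    "dave:$2y$05$" + FILLER,
    "alice:$2y$12$" + FILLER,
    "no-separator-line",
])

if __name__ == "__main__":
    for line_no, user, problem in audit_htpasswd(SAMPLE):
        print(f"line {line_no}: {user}: {problem}")
```

The ``dave`` entry is included because ``htpasswd -B`` uses a bcrypt cost of 5 unless ``-C`` is given, so entries created with the command in the release note will trip a floor of 10.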