ironic/releasenotes/notes/http-basic-auth-f8c0536eba9...


---
features:
  - |
    Enable Basic HTTP authentication middleware.

    Having noauth as the only option for standalone ironic causes constraints
    on how the API is exposed on the network. Having some kind of
    authentication layer behind a TLS deployment eases these constraints.

    When the config option ``auth_strategy`` is set to ``http_basic`` then
    non-public API calls require a valid HTTP Basic authentication header to
    be set. The config option ``http_basic_auth_user_file`` defaults to
    ``/etc/ironic/htpasswd`` and points to a file which supports the Apache
    htpasswd syntax[1]. This file is read for every request, so no service
    restart is required when changes are made.

    Like the ``noauth`` auth strategy, the ``http_basic`` auth strategy is
    intended for standalone deployments of ironic, and integration with other
    OpenStack services cannot depend on a service catalog.

    The only password digest supported is bcrypt, and the ``bcrypt`` python
    library is used for password checks since it supports ``$2y$`` prefixed
    bcrypt passwords as generated by the Apache htpasswd utility.

    To try HTTP basic authentication, the following can be done:

    * Set ``/etc/ironic/ironic.conf`` ``DEFAULT`` ``auth_strategy`` to
      ``http_basic``
    * Populate the htpasswd file with entries, for example:
      ``htpasswd -nbB myName myPassword >> /etc/ironic/htpasswd``
    * Make basic authenticated HTTP requests, for example:
      ``curl --user myName:myPassword http://localhost:6385/v1/drivers``

    [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html
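
An added example, not part of the ironic release note or code base: a standard-library Python audit that flags htpasswd entries whose digest is not bcrypt, which the note says is the only supported digest, and entries hashed with a low bcrypt cost. The function name, the constructed sample entries, the accepted ``$2a$``/``$2b$`` prefixes and the ``min_cost`` threshold are assumptions for illustration, not ironic behaviour.

```python
import re

# bcrypt modular-crypt layout: $2y$<2-digit cost>$<22-char salt><31-char hash>.
# Assumption: $2a$ and $2b$ are accepted alongside the $2y$ prefix the note names.
BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def audit_htpasswd(text, min_cost=10):
    """Return (line_no, user, problem) for each entry that needs attention.

    min_cost is an assumed local policy value. htpasswd -B uses cost 5
    unless -C is given, so entries made with the default are reported.
    """
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Apache skips blank lines and '#' comments in htpasswd files.
        if not line or line.startswith("#"):
            continue
        user, sep, digest = line.partition(":")
        if not sep or not user:
            findings.append((line_no, user, "malformed entry, expected user:digest"))
            continue
        match = BCRYPT_RE.match(digest)
        if match is None:
            findings.append((line_no, user, "digest is not bcrypt"))
        elif int(match.group(1)) < min_cost:
            findings.append((line_no, user, "bcrypt cost below %d" % min_cost))
    return findings


# Constructed sample file: the digests are filler characters, not real hashes.
SAMPLE = "\n".join([
    "alice:$2y$12$" + "a" * 53,             # bcrypt, cost 12
    "bob:$apr1$" + "b" * 8 + "$" + "c" * 22,  # Apache MD5 (apr1)
    "carol:{SHA}" + "d" * 28,               # SHA-1
    "dave:$2y$05$" + "e" * 53,              # bcrypt at the htpasswd -B default cost
    "no-colon-here",                        # malformed line
])

if __name__ == "__main__":
    for line_no, user, problem in audit_htpasswd(SAMPLE):
        print("line %d (%s): %s" % (line_no, user or "?", problem))
```

Because the user file is read on every request, a check like this can run against the file each time it is edited, before the change reaches the API.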