openstack-manuals/doc/admin-guide-cloud/source/orchestration-auth-model.rst
Joseph Robinson 8e9507bf9a Moving .rst format files to main admin-guide-cloud folder
This change moves the .rst files into the main adming-guide-cloud
folder now conversion is complete. changes to the project config
and to the openstack manuals to stop sync of .xml files
are also needed.

Change-Id: I498e8d6ac3cb80da413e23b14a0959abd58e7d79
Implements: blueprint reorganise-user-guides
2015-08-21 09:37:08 +02:00

142 lines
5.1 KiB
ReStructuredText

.. highlight: ini
:linenothreshold: 3
.. _orchestration-auth-model:
=================================
Orchestration authorization model
=================================
Orchestration authorization model defines the process of authorization
that orchestration module uses to authorize requests during so called
deferred operations. The typical example of such operation is
autoscaling group update when Orchestration requests other components
(OpenStack Compute, Openstack Networking or others) to extend (reduce)
capacity of autoscaling group.
Currently, Orchestration provides two kinds of authorization models:
* Password authorization,
* Authorization with OpenStack Identity trusts.
Password authorization
~~~~~~~~~~~~~~~~~~~~~~
Password authorization is the initial authorization model that was
supported by Orchestration module. This kind of authorization requires
from a user to pass a password to Orchestration. Orchestration stores
the encrypted password in the database and uses it for deferred
operations.
The following steps are executed for password authorization:
#. User requests a stack creation, providing a token and
username/password (python-heatclient or OpenStack dashboard
normally requests the token for you).
#. If the stack contains any resources marked as requiring deferred
operations, orchestration engine will fail validation checks if no
username/password is provided.
#. The username/password are encrypted and stored in the Orchestration
DB.
#. Stack creation is completed.
#. At some later stage, Orchestration retrieves the credentials and
requests another token on behalf of the user. The token is not
limited in scope and provides access to all the roles of the stack
owner.
Keystone trusts authorization
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
OpenStack Identity trusts is a new authorization method available
since the Icehouse release.
A trust is an OpenStack Identity extension that provides a method
to enable delegation, and optionally impersonation via OpenStack
Identity. The key terminology is *trustor* (the user delegating) and
*trustee* (the user being delegated to).
To create a trust, the *trustor* (in this case, the user creating the
stack in Orchestration module) provides OpenStack Identity with the
following information:
* The ID of the *trustee* (who you want to delegate to, in this case,
the Orchestration module user).
* The roles to be delegated (configurable via the ``heat.conf``, but
it needs to contain whatever roles are required to perform the
deferred operations on the users behalf, for example, launching an
OpenStack Compute instance in response to an AutoScaling event).
* Whether to enable impersonation.
OpenStack Identity then provides a trust_id, which can be consumed by
*only* the trustee to obtain a *trust scoped token*. This token is
limited in scope such that the trustee has limited access to those
roles delegated, along with effective impersonation of the trustor
user if it was selected when creating the trust. More information is
available in the :ref:`Identity management <identity_management>`
section.
The following steps are executed for trusts authorization:
#. User creates a stack via an API request (only the token is
required).
#. Orchestration uses the token to create a trust between the stack
owner (trustor) and the Orchestration module user (trustee),
delegating a special role (or roles) as defined in the
*trusts_delegated_roles* list in the Orchestration configuration
file. By default, Orchestration module sets all the roles from
trustor available for trustee. Deployers may modify this list to
reflect local RBAC policy, for example, to ensure the heat process
can only access those services expected while impersonating a
stack owner.
#. Orchestration stores the encrypted *trust id* in the Orchestration
DB.
#. When a deferred operation is required, Orchestration retrieves the
*trust id* and requests a trust scoped token which enables the
service user to impersonate the stack owner for the duration of
the deferred operation, for example, to launch some OpenStack
Compute instances on behalf of the stack owner in response to an
AutoScaling event.
Authorization model configuration
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Password authorization model had been the default authorization model
enabled for the Orchestration module before the Kilo release. Since
the Kilo release, the trusts authorization model has been enabled by
default.
To enable the password authorization model, the following change
should be made in ``heat.conf``:
.. code-block:: ini
deferred_auth_method=password
To enable the trusts authorization model, the following change should
be made in ``heat.conf``:
.. code-block:: ini
deferred_auth_method=trusts
To specify the trustor roles that it delegates to trustee during
authorization, the ``trusts_delegated_roles`` parameter should be
specified in ``heat.conf``. If ``trusts_delegated_roles`` is not
defined, then all the trustor roles are delegated to trustee.
.. note::
The trustor delegated roles should be pre-configured in the
OpenStack Identity before using it in the Orchestration module.