starlingx/distcloud
Code Issues Proposed changes
Files
2b198a80098fddd2b5a8cd8eea2ade98674142c7
distcloud/distributedcloud/dcmanager/api
History
Hugo Brito 2b198a8009 Add OIDC authentication support to DCManager API 
This commit introduces OpenID Connect (OIDC) authentication
support to the DCManager API, allowing requests to be authenticated
using either Keystone tokens or OIDC tokens.

Behavior overview:
- The REST API will authenticate using Keystone when the
  `X-Auth-Token` header is provided (existing behavior).
- When the `OIDC-Token` header is provided, OIDC authentication
  is performed instead.
- If both tokens are present, default to Keystone authentication.

For OIDC authentication:
- The REST API retrieves OIDC IDP configuration parameters from
  `system service-parameters` under `kube-apiserver`:
  - `oidc-issuer-url`
  - `oidc-client-id`
  - `oidc-username-claim`
  - `oidc-groups-claim`
- If OIDC parameters are not configured, authentication fails
  with an unauthenticated response.
- If configured, the REST API validates the OIDC token with the
  IDP issuer and extracts claims.
- OIDC arguments and claims are cached.
- External users and groups are mapped to internal
  Project+Role tuples based on StarlingX rolebindings.

Test Plan:
PASS: Authenticate REST API requests with Keystone (`X-Auth-Token`).
PASS: Authenticate REST API requests with OIDC (`OIDC-Token`).
PASS: Verify Keystone is used when both tokens are present.
PASS: Verify unauthenticated response when OIDC parameters are
      missing.
PASS: Validate token claims and role mappings are applied correctly.
PASS: Confirm cached tokens continue to authorize during temporary
      IDP connectivity loss.
PASS: Force to OIDC token validation to return claims as None and verify
      the api returns a NotAuthorized exception.

Depends-On: https://review.opendev.org/c/starlingx/integ/+/970455

Story: 2011646
Task: 53594

Change-Id: I830084fcad9b6413477e703514325030c7dc58a2
Signed-off-by: Hugo Brito <hugo.brito@windriver.com>
2026-01-12 17:55:41 -03:00
..
controllers
Add OIDC authentication support to DCManager API
2026-01-12 17:55:41 -03:00
policies
Implement configurator role RBAC for dc related processes
2025-05-05 16:44:05 +00:00
__init__.py
Move content to subdir to support relocated packaging
2019-11-04 13:57:02 -05:00
api_config.py
Apply black formatter to dcmanager/api
2024-07-03 15:52:22 -03:00
app.py
Add OIDC authentication support to DCManager API
2026-01-12 17:55:41 -03:00
policy.py
Apply black formatter to dcmanager/api
2024-07-03 15:52:22 -03:00
README.rst
Move content to subdir to support relocated packaging
2019-11-04 13:57:02 -05:00

README.rst

api

DC Manager API is Web Server Gateway Interface (WSGI) application to receive and process API calls, including keystonemiddleware to do the authentication, parameter check and validation, convert API calls to job rpc message, and then send the job to DC Manager Manager through the queue. If the job will be processed by DC Manager Manager in synchronous way, the DC Manager API will wait for the response from the DC Manager Manager. Otherwise, the DC Manager API will send response to the API caller first, and then send the job to DC Manager Manager in asynchronous way.

Multiple DC Manager API could run in parallel, and also can work in multi-worker mode.

Multiple DC Manager API will be designed and run in stateless mode, persistent data will be accessed (read and write) from the DC Manager Database through the DAL module.

Setup and encapsulate the API WSGI app

app.py:

Setup and encapsulate the API WSGI app, including integrate the keystonemiddleware app

api_config.py:

API configuration loading and init

enforcer.py

Enforces policies on the version2 APIs

View Git Blame Copy Permalink