Authentication With Keystone

Glance may optionally be integrated with Keystone. Setting this up is relatively straightforward, as the Keystone distribution includes the necessary middleware. Once you have installed Keystone and edited your configuration files, newly created images will have their owner attribute set to the tenant of the authenticated users, and the is_public attribute will cause access to those images for which it is false to be restricted to only the owner, users with admin context, or tenants/users with whom the image has been shared.

Configuring the Glance servers to use Keystone

Keystone is integrated with Glance through the use of middleware. The default configuration files for both the Glance API and the Glance Registry use a single piece of middleware called unauthenticated-context, which generates a request context containing blank authentication information. In order to configure Glance to use Keystone, the authtoken and context middlewares must be deployed in place of the unauthenticated-context middleware. The authtoken middleware performs the authentication token validation and retrieves actual user authentication information. It can be found in the Keystone distribution.

Note

The Glance Registry Service and its APIs have been DEPRECATED in the Queens release and are subject to removal at the beginning of the ‘S’ development cycle, following the OpenStack standard deprecation policy.

For more information, see the Glance specification document Actually Deprecate the Glance Registry.

Configuring Glance API to use Keystone

Configuring Glance API to use Keystone is relatively straight forward. The first step is to ensure that declarations for the two pieces of middleware exist in the glance-api-paste.ini. Here is an example for authtoken:

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_url = http://localhost:5000
project_domain_id = default
project_name = service_admins
user_domain_id = default
username = glance_admin
password = password1234

The actual values for these variables will need to be set depending on your situation. For more information, please refer to the Keystone documentation on the auth_token middleware.

In short:

  • The auth_url variable points to the Keystone service. This information is used by the middleware to actually query Keystone about the validity of the authentication tokens.

  • The auth credentials (project_name, project_domain_id, user_domain_id, username, and password) will be used to retrieve a service token. That token will be used to authorize user tokens behind the scenes.

Finally, to actually enable using Keystone authentication, the application pipeline must be modified. By default, it looks like:

[pipeline:glance-api]
pipeline = versionnegotiation unauthenticated-context apiv1app

Your particular pipeline may vary depending on other options, such as the image cache. This must be changed by replacing unauthenticated-context with authtoken and context:

[pipeline:glance-api]
pipeline = versionnegotiation authtoken context apiv1app

Configuring Glance Registry to use Keystone

Note

The Glance Registry Service and its APIs have been DEPRECATED in the Queens release and are subject to removal at the beginning of the ‘S’ development cycle, following the OpenStack standard deprecation policy.

For more information, see the Glance specification document Actually Deprecate the Glance Registry.

Configuring Glance Registry to use Keystone is also relatively straight forward. The same middleware needs to be added to glance-registry-paste.ini as was needed by Glance API; see above for an example of the authtoken configuration.

Again, to enable using Keystone authentication, the appropriate application pipeline must be selected. By default, it looks like:

[pipeline:glance-registry-keystone]
pipeline = authtoken context registryapp

To enable the above application pipeline, in your main glance-registry.conf configuration file, select the appropriate deployment flavor by adding a flavor attribute in the paste_deploy group:

[paste_deploy]
flavor = keystone

Note

If your authentication service uses a role other than admin to identify which users should be granted admin-level privileges, you must define it in the admin_role config attribute in both glance-registry.conf and glance-api.conf.