Skip to content

Instantly share code, notes, and snippets.

@zenhack

zenhack/Auth-Blueprint.md

Created December 10, 2015 15:15
Show Gist options
  • Star 0 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save zenhack/74b231d76b4364d0be12 to your computer and use it in GitHub Desktop.
Save zenhack/74b231d76b4364d0be12 to your computer and use it in GitHub Desktop.
Download ZIP
Raw
Auth-Blueprint.md

This document is a blueprint for the to-be-implemented authentication and authorization support in HaaS. Pull request #491 is tracking the implementation effort.

Conceptual Model

Authorization

  • Two kinds of authorization exist:
    • Admin authorization, which allows access to admin-only API calls (e.g. switch_register...)
    • Project authorization, which allows managing the resources of a particular project.

The details of exactly which operations require what authorization will be described in docs/rest_api.md in the HaaS source tree.

Authentication

Authentication is entirely backend-dependent. Individual extensions define what requirements the request must meet in order to perform authentication.

Implementation

Each authentication backend is a standard HaaS python extension, and must implement the interface described in (the newly written) haas.auth.

The main request handler will invoke the extensions authenticate() method before dispatching to the particular API call. The API call can use require_admin() and require_project_access() as needed to implement specific policy.

Initial backends

Initially, there will be two backends:

  • A null backend, which simply authorizes everything (and requires no specific authentication).
  • A backend based on usernames and passwords stored in the DB.
    • Use HTTP Basic Auth for the autheticate() step.
    • Users can be members of projects, which determines project access
    • The users table has a column is_admin, which is checked for admin access.

A Keystone backend will likely be soon to follow.

API namespace

The username/password/database backend uses custom api calls (for creating users, adding/removing them to/from projects, etc). Since this is the first time we've had an API call defined from an extension, we need to pause and consider the implications. The main thing I see is that we should have some way of namespacing API calls defined in extensions. Proposal:

  • All API calls defined by extensions go somewhere under /ext
  • Auth related API calls go under /ext/auth.

Bootstrapping

With the username/password backend, there must be a way to populate the database with an initial admin user. Proposal: write a script which prompts for a username and password, and adds the initial user to the database.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment