This document is a blueprint for the to-be-implemented authentication and authorization support in HaaS. Pull request #491 is tracking the implementation effort.
- Two kinds of authorization exist:
- Admin authorization, which allows access to admin-only API calls (e.g. switch_register...)
- Project authorization, which allows managing the resources of a particular project.
The details of exactly which operations require what authorization will
be described in docs/rest_api.md
in the HaaS source tree.
Authentication is entirely backend-dependent. Individual extensions define what requirements the request must meet in order to perform authentication.
Each authentication backend is a standard HaaS python extension, and must implement the interface described in (the newly written) haas.auth.
The main request handler will invoke the extensions authenticate()
method before dispatching to the particular API call. The API call can
use require_admin()
and require_project_access()
as needed to
implement specific policy.
Initially, there will be two backends:
- A
null
backend, which simply authorizes everything (and requires no specific authentication). - A backend based on usernames and passwords stored in the DB.
- Use HTTP Basic Auth for the
autheticate()
step. - Users can be members of projects, which determines project access
- The users table has a column
is_admin
, which is checked for admin access.
- Use HTTP Basic Auth for the
A Keystone backend will likely be soon to follow.
The username/password/database backend uses custom api calls (for creating users, adding/removing them to/from projects, etc). Since this is the first time we've had an API call defined from an extension, we need to pause and consider the implications. The main thing I see is that we should have some way of namespacing API calls defined in extensions. Proposal:
- All API calls defined by extensions go somewhere under
/ext
- Auth related API calls go under
/ext/auth
.
With the username/password backend, there must be a way to populate the database with an initial admin user. Proposal: write a script which prompts for a username and password, and adds the initial user to the database.