The Orchestration authorization model defines how the Orchestration module authorizes the requests it makes during so-called deferred operations, that is, operations performed on behalf of a user some time after the original API request, when the user's own token may no longer be available. The typical example is an autoscaling group update, where Orchestration asks other components (OpenStack Compute, OpenStack Networking, or others) to extend or reduce the capacity of the autoscaling group.
Currently, Orchestration provides two authorization models: password authorization and OpenStack Identity trusts.
Password authorization is the original authorization model supported by the Orchestration module. It requires the user to pass a password to Orchestration. Orchestration stores the password encrypted in its database and uses it to authenticate as that user for deferred operations. Because the stored password carries the full privileges of the user rather than a delegated subset, this model should be used only where trusts are not available.
The following steps are executed for password authorization:
OpenStack Identity trusts are an authorization method available since the Icehouse release.
A trust is an OpenStack Identity extension that provides a method of delegation, and optionally impersonation, through OpenStack Identity. The key terminology is trustor (the user delegating) and trustee (the user being delegated to).
To create a trust, the trustor (in this case, the user creating the stack in Orchestration module) provides OpenStack Identity with the following information:
OpenStack Identity then returns a trust_id, which only the trustee can consume to obtain a trust-scoped token. This token is limited in scope: the trustee receives only the roles that were delegated, and, if impersonation was selected when the trust was created, acts as the trustor user. More information is available in the Identity management section.
The following steps are executed for trusts authorization:
The password authorization model was the default for the Orchestration module before the Kilo release. Since the Kilo release, the trusts authorization model is enabled by default.
To enable the password authorization model, set the following option in heat.conf:
deferred_auth_method=password
To enable the trusts authorization model, set the following option in heat.conf:
deferred_auth_method=trusts
To restrict which of the trustor's roles are delegated to the trustee when the trust is created, set the trusts_delegated_roles parameter in heat.conf. If trusts_delegated_roles is not defined, all of the trustor's roles are delegated to the trustee, so the deployer should configure this list to match the local RBAC policy rather than rely on the default.
Note
The roles listed in trusts_delegated_roles must already exist in OpenStack Identity, and the trustor must hold them, before they are used in the Orchestration module; Identity refuses to create a trust that delegates a role the trustor does not have.
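The following is an added example, not code from the Heat project or this guide. It shows the two Identity v3 messages behind the trust exchange described above (the trustor's trust-creation request and the trustee's later trust-scoped token request), applies the trusts_delegated_roles rule from the previous paragraph, and checks that a returned token is scoped to the expected trust and carries no undelegated role. The endpoint, user IDs, project ID, role names and the sample token response are constructed placeholders; post_json() is the only part that talks to a real Identity service and is not needed to run the checks.

```python
"""Added example (not Heat's own code): the Identity v3 trust exchange behind
the trusts authorization model, plus the trusts_delegated_roles rule.
Endpoint, IDs and role names below are assumed placeholders."""
import json
from urllib import request as urlrequest  # used only by post_json()

KEYSTONE = "http://keystone.example.org:5000"  # assumed Identity endpoint


def delegated_roles(trustor_roles, trusts_delegated_roles=None):
    """Roles Orchestration asks Identity to delegate to the trustee.

    Documented rule: with trusts_delegated_roles unset, every role the trustor
    holds is delegated; otherwise only the configured roles, which the trustor
    must already hold (Identity rejects a trust delegating a role the trustor
    does not have, so we fail early with the same condition).
    """
    if not trusts_delegated_roles:
        return sorted(set(trustor_roles))
    missing = sorted(set(trusts_delegated_roles) - set(trustor_roles))
    if missing:
        raise ValueError("trustor lacks configured delegated roles: " + ", ".join(missing))
    return sorted(set(trusts_delegated_roles))


def trust_create_body(trustor_user_id, trustee_user_id, project_id, role_names,
                      impersonation=True):
    """Body for POST /v3/OS-TRUST/trusts, sent by the trustor (the stack owner)."""
    return {"trust": {
        "trustor_user_id": trustor_user_id,
        "trustee_user_id": trustee_user_id,
        "project_id": project_id,
        "impersonation": impersonation,
        "roles": [{"name": name} for name in role_names],
    }}


def trust_scoped_token_body(trustee_user_id, trustee_password, trust_id):
    """Body for POST /v3/auth/tokens, sent later by the trustee (the Orchestration
    service user) to obtain a token scoped to the trust for a deferred operation."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"id": trustee_user_id,
                                           "password": trustee_password}}},
        "scope": {"OS-TRUST:trust": {"id": trust_id}},
    }}


def check_trust_scoped_token(token_body, expected_trust_id, allowed_roles):
    """Verify a token response is scoped to the expected trust and carries no
    role beyond those delegated; returns the sorted role names."""
    token = token_body["token"]
    trust = token.get("OS-TRUST:trust")
    if not trust or trust.get("id") != expected_trust_id:
        raise ValueError("token is not scoped to trust " + expected_trust_id)
    roles = sorted(r["name"] for r in token.get("roles", []))
    extra = sorted(set(roles) - set(allowed_roles))
    if extra:
        raise ValueError("token carries undelegated roles: " + ", ".join(extra))
    return roles


def post_json(path, body, token=None):
    """Send one of the bodies above to Identity (network; not used offline).
    Returns the X-Subject-Token header (set for token requests) and the JSON body."""
    req = urlrequest.Request(KEYSTONE + path, data=json.dumps(body).encode(),
                             method="POST", headers={"Content-Type": "application/json"})
    if token:
        req.add_header("X-Auth-Token", token)
    with urlrequest.urlopen(req) as resp:
        return resp.headers.get("X-Subject-Token"), json.loads(resp.read() or b"{}")


# Constructed sample response, shaped like a real v3 trust-scoped token:
# with impersonation the token's user is the trustor, not the trustee.
SAMPLE_TOKEN_RESPONSE = {"token": {
    "methods": ["password"],
    "roles": [{"id": "r1", "name": "heat_stack_owner"}],
    "OS-TRUST:trust": {"id": "trust-123", "impersonation": True,
                       "trustor_user": {"id": "u-trustor"},
                       "trustee_user": {"id": "u-heat"}},
    "user": {"id": "u-trustor"},
    "project": {"id": "p-1"},
}}

if __name__ == "__main__":
    roles = delegated_roles(["member", "heat_stack_owner"], ["heat_stack_owner"])
    print(json.dumps(trust_create_body("u-trustor", "u-heat", "p-1", roles), indent=2))
    print(json.dumps(trust_scoped_token_body("u-heat", "secret", "trust-123"), indent=2))
    print(check_trust_scoped_token(SAMPLE_TOKEN_RESPONSE, "trust-123", roles))
```

The trust-creation request is authenticated with the trustor's own token, and the trust-scoped token request is authenticated with the trustee's credentials; in a deployment Orchestration stores only the trust_id, so compromise of its database yields a delegation usable solely by the service user rather than a reusable user password.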
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License http://creativecommons.org/licenses/by/3.0/legalcode.