The Orchestration authorization model defines the authorization process for requests during deferred operations. A common example is an auto-scaling group update. During the auto-scaling update operation, the Orchestration service requests resources of other components (such as servers from Compute or networks from Networking) to extend or reduce the capacity of an auto-scaling group.
The Orchestration service provides two authorization models: password authorization and OpenStack Identity trusts authorization.
Password authorization requires that a user pass a username and password to the Orchestration service. The password is stored encrypted in the Orchestration database and is used later for deferred operations.
Password authorization involves the following steps:
A trust is an OpenStack Identity extension that enables delegation and, optionally, impersonation through the OpenStack Identity service. The key terms are trustor (the user delegating) and trustee (the user being delegated to).
To create a trust, the trustor (in this case, the user creating the stack in the Orchestration service) provides the OpenStack Identity service with the following information:
The roles to delegate, which are configured through the trusts_delegated_roles parameter in the heat.conf file. Ensure the configuration contains whatever roles are required to perform the deferred operations on the user's behalf, for example, launching an OpenStack Compute instance in response to an auto-scaling event.
The OpenStack Identity service returns a trust ID, which only the trustee can consume to obtain a trust-scoped token. This token is limited in scope, so the trustee has access only to the delegated roles. In addition, the trustee can effectively impersonate the trustor if impersonation was selected when the trust was created. For more information, see Identity management trusts.
Trusts authorization involves the following steps:
Initially, the password authorization model was the default. Since the Kilo release, the Identity trusts authorization model is enabled by default for the Orchestration service.
To enable the password authorization model, set the following parameter in the heat.conf file:
deferred_auth_method=password
To enable the trusts authorization model, set the following two parameters in the heat.conf file.
Specify the authentication method for deferred Orchestration actions. This parameter triggers creation of a trust ID, which is stored in the Orchestration database:
deferred_auth_method=trusts
Allow reauthentication for long-running tasks with a trust-scoped token obtained from the stored trust ID:
reauthentication_auth_method=trusts
To specify which trustor roles are delegated to the trustee during authorization, set the trusts_delegated_roles parameter in the heat.conf file. If trusts_delegated_roles is not defined, all of the trustor's roles are delegated to the trustee.
Note
The roles listed in trusts_delegated_roles must already exist in the OpenStack Identity service, and be held by the trustor, before the Orchestration service uses them.
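The following is an added example, not code from the Heat project, that models the trusts flow described above: reading the three deferred-auth options from a heat.conf fragment, choosing the roles to delegate (an explicit trusts_delegated_roles list, otherwise every role the trustor holds), building the Identity v3 trust-creation and trust-scoped-token request bodies, and checking that the resulting token is scoped to the expected trust and carries no role outside the delegated set. The heat.conf text, user/project/trust IDs and the token response are constructed sample data; the request body shapes follow the Identity v3 OS-TRUST API.

```python
"""Model of the deferred-auth trust flow (added example, not Heat or Keystone code)."""
import configparser

# Constructed heat.conf fragment: trusts model with an explicit delegated-role list.
SAMPLE_HEAT_CONF = """
[DEFAULT]
deferred_auth_method = trusts
reauthentication_auth_method = trusts
trusts_delegated_roles = heat_stack_owner, member
"""

# Constructed Identity response to a trust-scoped token request (IDs are made up).
SAMPLE_TRUST_TOKEN = {
    "methods": ["token"],
    "roles": [{"id": "r1", "name": "heat_stack_owner"}, {"id": "r2", "name": "member"}],
    "project": {"id": "proj-1234", "name": "demo"},
    "user": {"id": "trustor-0001", "name": "demo-user"},
    "OS-TRUST:trust": {
        "id": "trust-abcd",
        "impersonation": True,
        "trustee_user": {"id": "heat-svc-0002"},
        "trustor_user": {"id": "trustor-0001"},
    },
}


def parse_heat_conf(text):
    """Read the deferred-auth options from the [DEFAULT] section of heat.conf.

    trusts_delegated_roles is comma separated; an absent or empty value means
    "delegate every role the trustor holds", as the text above documents.
    """
    cp = configparser.ConfigParser()
    cp.read_string(text)
    d = cp["DEFAULT"]
    raw = d.get("trusts_delegated_roles", "")
    return {
        "deferred_auth_method": d.get("deferred_auth_method", "trusts"),
        "reauthentication_auth_method": d.get("reauthentication_auth_method", ""),
        "trusts_delegated_roles": [r.strip() for r in raw.split(",") if r.strip()],
    }


def select_delegated_roles(configured_roles, trustor_roles):
    """Roles the trust request asks Identity to delegate.

    An explicit trusts_delegated_roles list wins; otherwise all trustor roles.
    Identity refuses a trust that names a role the trustor does not hold, so
    fail early with the same outcome instead of at stack-create time.
    """
    if not configured_roles:
        return list(trustor_roles)
    missing = sorted(set(configured_roles) - set(trustor_roles))
    if missing:
        raise PermissionError("trustor lacks delegated role(s): " + ", ".join(missing))
    return list(configured_roles)


def build_trust_request(trustor_id, trustee_id, project_id, roles, impersonation=True):
    """Body for POST /v3/OS-TRUST/trusts, sent with the trustor's own token."""
    return {"trust": {
        "trustor_user_id": trustor_id,
        "trustee_user_id": trustee_id,
        "project_id": project_id,
        "impersonation": impersonation,
        "roles": [{"name": r} for r in roles],
    }}


def build_trust_scoped_token_request(trustee_token, trust_id):
    """Body for POST /v3/auth/tokens: the trustee redeems the stored trust ID.

    Only the trustee's own token is accepted here, which is why the trust ID
    alone is safe to keep in the Orchestration database.
    """
    return {"auth": {
        "identity": {"methods": ["token"], "token": {"id": trustee_token}},
        "scope": {"OS-TRUST:trust": {"id": trust_id}},
    }}


def check_trust_scoped_token(token, trust_id, trustee_id, trustor_id, delegated_roles):
    """Validate the 'token' object Identity returns for a trust-scoped request.

    Returns the sorted granted role names, or raises ValueError if the token is
    not scoped to the expected trust, names the wrong parties, or carries a role
    outside the delegated set (i.e. broader access than intended).
    """
    trust = token.get("OS-TRUST:trust")
    if trust is None or trust.get("id") != trust_id:
        raise ValueError("token is not scoped to trust %s" % trust_id)
    if trust.get("trustee_user", {}).get("id") != trustee_id:
        raise ValueError("token was not issued to the trustee")
    if trust.get("trustor_user", {}).get("id") != trustor_id:
        raise ValueError("token does not act for the trustor")
    granted = sorted(r["name"] for r in token.get("roles", []))
    extra = sorted(set(granted) - set(delegated_roles))
    if extra:
        raise ValueError("token carries undelegated roles: " + ", ".join(extra))
    return granted


if __name__ == "__main__":
    cfg = parse_heat_conf(SAMPLE_HEAT_CONF)
    roles = select_delegated_roles(cfg["trusts_delegated_roles"],
                                   ["heat_stack_owner", "member", "admin"])
    print(build_trust_request("trustor-0001", "heat-svc-0002", "proj-1234", roles))
    print(build_trust_scoped_token_request("<trustee token>", "trust-abcd"))
    print(check_trust_scoped_token(SAMPLE_TRUST_TOKEN, "trust-abcd",
                                   "heat-svc-0002", "trustor-0001", roles))
```

The last check is the one worth keeping in mind operationally: with trusts_delegated_roles unset, the trust delegates every role the stack owner had at creation time, so a token that comes back with a role not in the configured list is a sign the configuration and the stored trust have drifted apart.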
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.