Authentication With Keystone

Glance may optionally be integrated with Keystone. Setting this up is
relatively straightforward, as the Keystone distribution includes the
necessary middleware. Once you have installed Keystone and edited your
configuration files, newly created images will have their owner attribute set to the tenant of the
authenticated users, and the is_public
attribute will cause access to those images for which it is false to be restricted to only the owner, users
with admin context, or tenants/users with whom the image has been
shared.

Configuring the
Glance servers to use Keystone

Keystone is integrated with Glance through the use of middleware. The
default configuration file for the Glance API uses a single piece of
middleware called unauthenticated-context, which generates
a request context containing blank authentication information. In order
to configure Glance to use Keystone, the authtoken and
context middlewares must be deployed in place of the
unauthenticated-context middleware. The
authtoken middleware performs the authentication token
validation and retrieves actual user authentication information. It can
be found in the Keystone distribution.

Configuring Glance API
to use Keystone

Configuring Glance API to use Keystone is relatively straight
forward. The first step is to ensure that declarations for the two
pieces of middleware exist in the glance-api-paste.ini.
Here is an example for authtoken:

[filter:authtoken]
paste.filter_factory = keystonemiddleware.auth_token:filter_factory
auth_url = http://localhost:5000
project_domain_id = default
project_name = service_admins
user_domain_id = default
username = glance_admin
password = password1234

The actual values for these variables will need to be set depending
on your situation. For more information, please refer to the Keystone documentation
on the auth_token middleware.

In short:

• The auth_url variable points to the Keystone service.
  This information is used by the middleware to actually query Keystone
  about the validity of the authentication tokens.
• The auth credentials (project_name,
  project_domain_id, user_domain_id,
  username, and password) will be used to
  retrieve a service token. That token will be used to authorize user
  tokens behind the scenes.

Finally, to actually enable using Keystone authentication, the
application pipeline must be modified. By default, it looks like:

[pipeline:glance-api]
pipeline = versionnegotiation unauthenticated-context apiv1app

Your particular pipeline may vary depending on other options, such as
the image cache. This must be changed by replacing
unauthenticated-context with authtoken and
context:

[pipeline:glance-api]
pipeline = versionnegotiation authtoken context apiv1app