Authentication and authorization

Authentication and authorization

All requests to the API may only be performed by an authenticated agent.

The preferred authentication system is the OpenStack Identity service, code-named keystone.

Identity service authentication

To authenticate, an agent issues an authentication request to an Identity service endpoint. In response to valid credentials, Identity service responds with an authentication token and a service catalog that contains a list of all services and endpoints available for the given token.

Multiple endpoints may be returned for Message service according to physical locations and performance/availability characteristics of different deployments.

Normally, Identity service middleware provides the X-Project-Id header based on the authentication token submitted by the Message service client.

For this to work, clients must specify a valid authentication token in the X-Auth-Token header for each request to the Message service API. The API validates authentication tokens against Identity service before servicing each request.

No authentication

If authentication is not enabled, clients must provide the X-Project-Id header themselves.


Configure the authentication and authorization strategy through these options:

Description of authentication configuration options
Configuration option = Default value Description
auth_strategy = (String) Backend to use for authentication. For no auth, keep it empty. Existing strategies: keystone. See also the keystone_authtoken section below
Description of trustee configuration options
Configuration option = Default value Description
auth_section = None (Unknown) Config Section from which to load plugin specific options
auth_type = None (Unknown) Authentication type to load
auth_url = None (Unknown) Authentication URL
default_domain_id = None (Unknown) Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
default_domain_name = None (Unknown) Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
domain_id = None (Unknown) Domain ID to scope to
domain_name = None (Unknown) Domain name to scope to
password = None (Unknown) User’s password
project_domain_id = None (Unknown) Domain ID containing project
project_domain_name = None (Unknown) Domain name containing project
project_id = None (Unknown) Project ID to scope to
project_name = None (Unknown) Project name to scope to
trust_id = None (Unknown) Trust ID
user_domain_id = None (Unknown) User’s domain id
user_domain_name = None (Unknown) User’s domain name
user_id = None (Unknown) User id
username = None (Unknown) Username
Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.