Scyld Cloud Auth

Scyld Cloud Auth is the component providing a common means for authenticating and authorizing services within an SCM domain. A user must establish an account before making use of any services, generally by registering through the Cloud Portal. If LDAP is configured as the authentication backend, user accounts are created using the configured LDAP attributes. See the LDAP section of this guide for more information.

Users can make use of SCM components via their web-based APIs by first acquiring an authentication token from Scyld Cloud Auth’s API. Other SCM components use Scyld Cloud Auth to then authenticate the user by validating this token and further to determine what level of access the user may have on particular resources.

Scyld Cloud Auth defines roles that encapsulate a set of privileges and assigns users to these roles. It is up to the SCM resource service to match a user request with a role or permission by querying the Scyld Cloud Auth and either grant or deny access.

About OAuth

OAuth is an open standard for authorization designed specifically for web services. It enables a resource owner to authorize third-party access to its resources without directly sharing an end user’s credentials. Scyld Cloud Auth makes use of the OAuth protocol solely to authenticate a user; a successful request results in the distribution of a token. Subsequent requests to SCM components use this token, rather than OAuth. The OAuth protocol requires some manipulation of the SCM headers, and clients generally make use of client libraries to handle the complexity.

SCM Roles

The following user roles are supported in SCM:

The admin user account is created during installation and assigned to this role. This account has visibility into all users and resources in the portal.
This administrative role is assigned to the user account used by the Cloud Controller.
This administrative role is assigned to the user account used by the Cloud Accountant.
This role permits a regular user to manage additional users on their account. From the Scyld Cloud Portal, an account_owner would have visibility into his/her users, managing access to resources, quotas, and additional permissions.

Scyld Cloud Auth Setup

Configuration settings for Scyld Cloud Auth can be found in the cloudauth.ini file. Important configuration settings are listed below:

Space-separated list of hosts that are permitted to authenticate users via password and allow a user’s first login. This should be restricted to the portal only.
Space-separated list of hosts that are permitted to authenticate users via password. This should be restricted to SCW hosts. IPs and standard CIDR notation is supported.
Boolean, default is False. When True, Single Sign-On (SSO) logins through Scyld Cloud Portal are allowed. Additional configuration for Scyld Cloud Portal is required.

LDAP Settings

If SCM is using LDAP for user authentication, then the LDAP settings from the cloudportal.ini file need to be in the cloudauth.ini file.

Changing User Passwords

To reset a password for the user account userid, including that of the admin user, follow these steps:

# source /var/www/wsgi/cloudauth/env/bin/activate
# scmpasswd /var/www/wsgi/cloudauth/scyld-cloud-auth/scyld-cloud-auth/cloudauth.ini userid