Support Keystoneless Undercloud (basic auth or noauth)

The goal of this proposal is to introduce the community to the idea of removing Keystone from TripleO undercloud and run the remaining OpenStack services either with basic authentication or noauth (i.e. Standalone mode).

Problem Description

With the goal of having a thin undercloud we’ve been simplifying the undercloud architecture since a few cycles and have removed a number of OpenStack services. After moving to use network_data_v2 and ephemeral_heat by default, we are left only with neutron, ironic and ironic-inspector services.

Keystone authentication and authorization does not add lot of value to the undercloud. We use admin and admin project for everything. There are also few service users (one per service) for communication between services. Most of the overcloud deployment and configuration is done as the os user. Also, for large deployments we increase token expiration time to a large value which is orthogonal to keystone security.

Proposed Change


At present, we have keystone running in the undercloud providing catalog, authentication/authorization services to the remaining deployed services neutron, ironic and ironic-inspector. Ephemeral heat uses a fake keystone client which does not talk to keystone.

All these remaining services are capabale of running standalone using either http_basic or noauth auth_strategy and clients using openstacksdk and keystoneauth can use HTTPBasicAuth or NoAuth identity plugins with the standalone services.

The proposal is to deploy these OpenStack services either with basic auth or noauth and remove keystone from the undercloud by default.

  • Deploy ironic/ironic-inspector/neutron with http_basic (default) or noauth

This would also allow us to remove some additional services like memcached from the undercloud mainly used for authtoken caching.


  • Keep keystone in the undercloud as before.

Security Impact

There should not be any significant security implications by disabling keystone on the undercloud as there are no multi-tenancy and RABC requirements for undercloud users/operators. Deploying baremetal and networking services with http_basic authentication would protect against any possible intrusion as before.

Upgrade Impact

There will be no upgrade impact; this change will be transparent to the end-user.

Other End User Impact


Performance Impact

Disabling authentication and authorization would make the API calls faster and the overall resource requirements of undercloud would reduce.

Other Deployer Impact


Developer Impact



  • Add THT support for configuring auth_strategy for ironic and neutron services and manage htpasswd files used for basic authentication by the ironic services.

IronicAuthStrategy: http_basic
NeutronAuthStrategy: http_basic
  • Normally, Identity service middleware provides a X-Project-Id header based on the authentication token submitted by the service client. However when keystone is not available neutron expects project_id in the POST requests (i.e create API). Also, metalsmith communicates with neutron to create ctlplane ports for instances.

    Add a middleware for neutron API http_basic pipeline to inject a fake project_id in the context.

  • Add basic authentication middleware to oslo.middleware and use it for undercloud neutron.

  • Create/Update clouds.yaml to use auth_type: http_basic and use endpoint overrides for the public endpoints with <service_name>_endpoint_override entries. We would leverage the EndpointMap and change extraconfig/post_deploy to create and update clouds.yaml.

      password: piJsuvz3lKUtCInsiaQd4GZ1w
      username: admin
    auth_type: http_basic
    baremetal_api_version: '1'
    network_api_version: '2'


Primary assignee:


Other contributors:

Work Items


Ephemeral heat and network-data-v2 are used as defaults.

Documentation Impact

Update the undercloud installation and upgrade guides.