The Networking API v2.0 uses the Keystone Identity Service as the default authentication service. When Keystone is enabled, users that submit requests to the OpenStack Networking service must provide an authentication token in the X-Auth-Token request header. You obtain the token by authenticating to the Keystone endpoint. For more information about Keystone, see the OpenStack Identity Service API v2.0 Reference.
When Keystone is enabled, the tenant_id attribute is not required in create requests because the tenant ID is derived from the authentication token.
The default authorization settings allow only administrative users to create resources on behalf of a different tenant.
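The following Python sketch is an added example, not code from the OpenStack project. It builds a create-network request that carries the token in X-Auth-Token and omits tenant_id, then models the default rule described above. The endpoint URL, the token value and the shape of token_ctx are assumptions made for illustration.

```python
import json
import urllib.request

# Assumed placeholder endpoint; substitute the Networking endpoint of your deployment.
NETWORK_ENDPOINT = "http://networking.example.invalid:9696/v2.0/networks"


def build_create_network(token, name, tenant_id=None):
    """Build (but do not send) a create-network request carrying the Keystone token."""
    network = {"name": name}
    if tenant_id is not None:  # normally omitted: the service derives it from the token
        network["tenant_id"] = tenant_id
    return urllib.request.Request(
        NETWORK_ENDPOINT,
        data=json.dumps({"network": network}).encode(),
        headers={"X-Auth-Token": token, "Content-Type": "application/json"},
        method="POST",
    )


def effective_tenant(token_ctx, body):
    """Model of the default rule: decide which tenant owns the new resource.

    token_ctx is a hypothetical dict holding what the service learned from
    Keystone for this token: {"tenant_id": ..., "is_admin": ...}.
    """
    requested = body["network"].get("tenant_id")
    if requested is None or requested == token_ctx["tenant_id"]:
        return token_ctx["tenant_id"]  # tenant ID derived from the token
    if token_ctx["is_admin"]:
        return requested  # administrators may act on behalf of another tenant
    raise PermissionError("only administrative users may create resources for another tenant")


if __name__ == "__main__":
    # Constructed sample values, not real tokens or tenant IDs.
    user = {"tenant_id": "tenant-a", "is_admin": False}
    admin = {"tenant_id": "tenant-a", "is_admin": True}
    own = json.loads(build_create_network("token-constructed", "net1").data)
    other = json.loads(build_create_network("token-constructed", "net2", "tenant-b").data)
    print(effective_tenant(user, own))     # owner comes from the token
    print(effective_tenant(admin, other))  # admin creating for tenant-b
    try:
        effective_tenant(user, other)
    except PermissionError as exc:
        print("rejected:", exc)
```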
OpenStack Networking uses information received from Keystone to authorize user requests. OpenStack Networking handles the following types of authorization policies:
Operation-based policies
Specify access criteria for specific operations, possibly with fine-grained control over specific attributes.
Resource-based policies
Control access to a specific resource. Permissions might or might not be granted depending on the permissions configured for the resource. Currently available only for the network resource.
The actual authorization policies enforced in OpenStack Networking might vary from deployment to deployment.