
Overview

All Xloud platform services expose REST APIs secured by Xloud Identity (Keystone). Authentication is token-based with configurable expiry, and authorization is enforced through a role-based access control (RBAC) policy engine. This page covers the full API security stack: authentication flows, application credentials for automated access, rate limiting, audit logging, CORS configuration, and service-to-service mutual TLS.
Prerequisites
  • An active Xloud account with the member or admin role
  • CLI tools installed: openstack CLI (setup guide)
  • For application credentials: access to Project → Identity → Application Credentials

Token-Based Authentication

All API requests require a valid token issued by Xloud Identity. Tokens are scoped to a project and carry the user’s role assignments for that project.

Token Scopes

Scope          | Description                           | Use Case
Project-scoped | Bound to a specific project           | Standard user operations
Domain-scoped  | Bound to a domain                     | Domain administrator operations
System-scoped  | Platform-wide administrative scope    | Infrastructure management
Unscoped       | No project, domain or system binding  | Token exchange only (rescoping to a project, domain or system)
Authenticate and get a token
source admin-openrc.sh

# Request a token for the sourced credentials and print its id, expiry and scope
openstack token issue
Expected output
+------------+----------------------------------------------------------+
| Field      | Value                                                    |
+------------+----------------------------------------------------------+
| expires    | 2025-03-18T11:00:00+0000                                 |
| id         | gAAAAABm...                                              |
| project_id | a1b2c3d4...                                              |
| user_id    | e5f6g7h8...                                              |
+------------+----------------------------------------------------------+
Authenticate via API directly
# The token is returned in the X-Subject-Token response header, not in the JSON body;
# -i prints the headers so grep can pick it out.
curl -si -X POST https://<vip>:5000/v3/auth/tokens \
  -H "Content-Type: application/json" \
  -d '{
    "auth": {
      "identity": {
        "methods": ["password"],
        "password": {
          "user": {
            "name": "admin",
            "domain": {"name": "Default"},
            "password": "<password>"
          }
        }
      },
      "scope": {
        "project": {"name": "admin", "domain": {"name": "Default"}}
      }
    }
  }' | grep -i x-subject-token
A password placed on the command line is visible in the process table and in shell history. In scripts, read it from an environment variable or a file with restrictive permissions, or better, use an application credential (next section).
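The same exchange in Python, as an added example that is not part of the Xloud documentation: it builds the request bodies for password authentication (unscoped when no project is given), for the token-exchange rescope that the Unscoped row of the scope table refers to (project, domain or system scope), and reduces a returned token body to its scope and roles. It assumes a Keystone v3 endpoint in OS_AUTH_URL (with or without a trailing /v3) and the usual OS_* variables; only issue_token touches the network.

```python
"""Keystone v3 token flows: unscoped password auth, rescope by token exchange,
and a summary of what a token grants. Added example, not Xloud project code."""
import json
import os
import urllib.request


def password_auth_body(user, password, user_domain="Default",
                       project=None, project_domain="Default"):
    """Password auth. Without `project` the token is unscoped (usable only for rescoping)."""
    body = {"auth": {"identity": {
        "methods": ["password"],
        "password": {"user": {"name": user, "domain": {"name": user_domain},
                              "password": password}}}}}
    if project is not None:
        body["auth"]["scope"] = {"project": {"name": project,
                                             "domain": {"name": project_domain}}}
    return body


def rescope_body(token, project_id=None, domain_id=None, system=False):
    """Token exchange: trade a token (typically unscoped) for a project-, domain-
    or system-scoped one. Exactly one scope is set; none keeps it unscoped."""
    body = {"auth": {"identity": {"methods": ["token"], "token": {"id": token}}}}
    if system:
        body["auth"]["scope"] = {"system": {"all": True}}
    elif project_id:
        body["auth"]["scope"] = {"project": {"id": project_id}}
    elif domain_id:
        body["auth"]["scope"] = {"domain": {"id": domain_id}}
    return body


def issue_token(auth_url, body):
    """POST /v3/auth/tokens. The token is the X-Subject-Token header; the JSON
    body carries expiry, scope and role assignments."""
    base = auth_url.rstrip("/")
    if base.endswith("/v3"):          # OS_AUTH_URL often already includes /v3
        base = base[:-3]
    req = urllib.request.Request(
        base + "/v3/auth/tokens",
        data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)["token"]


def token_summary(token_json):
    """Reduce a token body to what policy enforcement looks at: scope kind and id,
    role names, expiry. Unscoped tokens carry no roles."""
    if "system" in token_json:
        scope = ("system", "all")
    elif "project" in token_json:
        scope = ("project", token_json["project"]["id"])
    elif "domain" in token_json:
        scope = ("domain", token_json["domain"]["id"])
    else:
        scope = ("unscoped", None)
    return {"scope": scope,
            "roles": sorted(r["name"] for r in token_json.get("roles", [])),
            "expires_at": token_json.get("expires_at")}


if __name__ == "__main__":
    # Credentials come from the environment (e.g. a sourced RC file), never argv.
    auth_url = os.environ["OS_AUTH_URL"]
    unscoped, _ = issue_token(auth_url, password_auth_body(
        os.environ["OS_USERNAME"], os.environ["OS_PASSWORD"],
        os.environ.get("OS_USER_DOMAIN_NAME", "Default")))
    scoped, body = issue_token(
        auth_url, rescope_body(unscoped, project_id=os.environ["OS_PROJECT_ID"]))
    print(token_summary(body))
```

Rescoping is why an unscoped token is still sensitive: whoever holds it can exchange it for a token in any project the user has roles in, up to the token's expiry.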

Application Credentials

Application credentials allow automation scripts and CI/CD pipelines to authenticate without embedding a username and password. They are scoped to a project, have configurable expiry, and can be restricted to specific API operations using access rules.
Never store your account password in scripts or configuration files. Use application credentials instead. Application credentials can be revoked individually without changing the account password.

Navigate to Application Credentials

Navigate to Project → Identity → Application Credentials and click Create Application Credential.

Configure the credential

Field           | Recommended Value          | Notes
Name            | ci-deployment-prod         | Descriptive name identifying the use case
Secret          | Auto-generated             | Store the secret securely; it is shown only once
Expiration Date | Set an expiry              | Required for compliance environments
Roles           | Select only required roles | Follow least privilege; the credential can never hold more roles than the creating user has on the project
Unrestricted    | No                         | Leave unchecked so the credential cannot create or delete other application credentials or trusts
The secret is displayed only once after creation. Store it immediately in a secrets manager or CI/CD vault. It cannot be retrieved again.

Download the RC file

Click Download openrc file. Source this file in your automation environment to authenticate using the application credential.
The downloaded RC file sets OS_AUTH_TYPE=v3applicationcredential and carries the credential ID and secret instead of your account password. Treat the file as a secret in its own right: the secret inside it is plaintext and grants every role you assigned to the credential, so keep it out of version control and revoke the credential if the file is exposed.
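Access rules are the part of this procedure that actually narrows what the credential can do, so here is an added example (not Xloud code) of writing and dry-running a rule set before creating the credential. The rule document is the JSON that `openstack application credential create --access-rules` accepts; the matcher is a simplified local model of how a service compares a request against the rules (assumed semantics: `*` matches exactly one path segment, `**` matches any number, the query string is ignored). The rule set and the requests checked against it are constructed for the example.

```python
"""Least-privilege access rules for a CI deployer credential: check what a rule
set allows and denies before creating the credential. Added example, not Xloud
code; the matcher is a simplified model of service-side rule matching."""
import json
import re

# Constructed rule set: list and boot servers, read one server, read images.
# Paths are matched as the service sees them, API version prefix included.
CI_ACCESS_RULES = [
    {"service": "compute", "method": "GET",  "path": "/v2.1/servers"},
    {"service": "compute", "method": "POST", "path": "/v2.1/servers"},
    {"service": "compute", "method": "GET",  "path": "/v2.1/servers/*"},
    {"service": "image",   "method": "GET",  "path": "/v2/images/**"},
]


def _compile_path(pattern):
    """Turn a rule path into a regex: `*` is one segment, `**` is zero or more."""
    regex = ""
    for seg in pattern.strip("/").split("/"):
        if seg == "**":
            regex += "(?:/[^/]+)*"
        elif seg == "*":
            regex += "/[^/]+"
        else:
            regex += "/" + re.escape(seg)
    return re.compile("^" + regex + "/?$")


def is_allowed(rules, service, method, path):
    """True if at least one rule matches service, method and path (query ignored)."""
    path = path.split("?", 1)[0]
    return any(rule["service"] == service
               and rule["method"] == method.upper()
               and _compile_path(rule["path"]).match(path)
               for rule in rules)


def explain(rules, requests):
    """Dry-run a list of (service, method, path) tuples against the rules."""
    return {f"{m} {s} {p}": is_allowed(rules, s, m, p) for s, m, p in requests}


def cli_argument(rules):
    """The value for --access-rules (a JSON string, or write it to a file and pass the path)."""
    return json.dumps(rules, separators=(",", ":"))


if __name__ == "__main__":
    checks = [  # constructed requests a deployer might make
        ("compute", "POST",   "/v2.1/servers"),
        ("compute", "GET",    "/v2.1/servers?name=web"),
        ("compute", "GET",    "/v2.1/servers/9f1c"),
        ("compute", "DELETE", "/v2.1/servers/9f1c"),
        ("compute", "POST",   "/v2.1/servers/9f1c/action"),   # reboot, resize, ...
        ("image",   "GET",    "/v2/images/3a7d/file"),
        ("image",   "POST",   "/v2/images"),
    ]
    for req, ok in explain(CI_ACCESS_RULES, checks).items():
        print(f"{'allow' if ok else 'deny '}  {req}")
    print("openstack application credential create --role member "
          f"--access-rules '{cli_argument(CI_ACCESS_RULES)}' ci-deployment-prod")
```

Note the single-segment `*` on the server-detail rule: it lets the credential read /v2.1/servers/<id> but not the sub-resources (/action, /diagnostics, ...) that a `**` would have opened up, and the absence of a DELETE rule means the credential can boot but never delete.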

RBAC Policy Enforcement

Xloud enforces access control using oslo.policy rules. Every API operation checks the caller’s token against the service’s policy file before executing.

Default Role Hierarchy

Role                | Scope             | Permissions
admin               | System or project | Full access to all operations within the scope of the token (a project-scoped admin token does not grant system-scoped operations)
member              | Project           | Standard create/read/update/delete within the project
reader              | Project           | Read-only access to project resources
heat_stack_owner    | Project           | Manage orchestration stacks
load-balancer_admin | Project           | Manage load balancers

Custom Policy Overrides

View current compute policy
docker exec nova_api cat /etc/nova/policy.yaml 2>/dev/null || \
  docker exec nova_api cat /etc/nova/policy.json
Example: restrict live migration to system-admin only
# /etc/xavs/nova-api/policy.yaml
"os_compute_api:os-migrate-server:migrate_live": "role:admin and system_scope:all"
Xloud uses the standard OpenStack RBAC model. Place custom policy overrides in the service-specific policy files and deploy them through the XAVS config overlay mechanism. Do not edit policy files directly inside containers; those changes are lost when the container restarts. Note what the override above means in practice: a caller with the admin role on a project-scoped token is still refused, because "system_scope:all" only holds for system-scoped tokens.
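To see how a token's roles and scope decide such a rule, here is an added example (not oslo.policy and not Xloud code): a deliberately small evaluator for oslo.policy-style check strings that handles the check kinds the override above uses (role:, system_scope:, rule: references, the generic "attr:%(target)s" comparison, and "and"/"or"/"not" without parentheses). The rule names other than the migrate_live override, and the three token bodies it is run against, are constructed for the example.

```python
"""Simplified evaluator for oslo.policy check strings, used to show why a
project-scoped admin token fails "role:admin and system_scope:all".
Added example: a local model of enforcement, not oslo.policy itself."""
import re

# Policy rules as they would appear in policy.yaml. The migrate_live line is the
# override from this page; the other names are assumed for the example.
RULES = {
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
    "os_compute_api:os-migrate-server:migrate_live": "role:admin and system_scope:all",
    "os_compute_api:servers:show": "rule:admin_or_owner",
}


def creds_from_token(token_json):
    """Policy credentials from a Keystone token body, the way oslo.context derives them."""
    return {
        "roles": [r["name"] for r in token_json.get("roles", [])],
        "project_id": token_json.get("project", {}).get("id"),
        "system_scope": "all" if token_json.get("system", {}).get("all") else None,
    }


def _atom(check, creds, target, rules, depth):
    negate = check.startswith("not ")
    if negate:
        check = check[4:].strip()
    kind, _, value = check.partition(":")
    if kind == "rule":                       # reference to another named rule
        result = evaluate(rules[value], creds, target, rules, depth + 1)
    elif kind == "role":
        result = value in creds["roles"]
    elif value.startswith("%(") and value.endswith(")s"):
        # Generic check: credential attribute must equal a target attribute.
        wanted = target.get(value[2:-2])
        result = wanted is not None and creds.get(kind) == wanted
    else:                                    # literal, e.g. system_scope:all
        result = str(creds.get(kind)) == value
    return not result if negate else result


def evaluate(check, creds, target, rules, depth=0):
    if depth > 10:
        raise RecursionError("rule reference loop in policy")
    # "and" binds tighter than "or", as in oslo.policy.
    return any(all(_atom(c.strip(), creds, target, rules, depth)
                   for c in re.split(r"\s+and\s+", disjunct))
               for disjunct in re.split(r"\s+or\s+", check.strip()))


def enforce(action, creds, target, rules=RULES):
    """True if the caller may perform `action` on `target`."""
    return evaluate(rules[action], creds, target, rules)


# Constructed token bodies (the shape Keystone returns under "token").
PROJECT_ADMIN = {"project": {"id": "a1b2c3d4"},
                 "roles": [{"name": "admin"}, {"name": "member"}]}
SYSTEM_ADMIN = {"system": {"all": True}, "roles": [{"name": "admin"}]}
MEMBER = {"project": {"id": "a1b2c3d4"}, "roles": [{"name": "member"}]}

if __name__ == "__main__":
    action = "os_compute_api:os-migrate-server:migrate_live"
    for name, tok in (("project admin", PROJECT_ADMIN), ("system admin", SYSTEM_ADMIN)):
        print(f"{action}: {name} -> {enforce(action, creds_from_token(tok), {})}")
    print("servers:show, member on own project ->",
          enforce("os_compute_api:servers:show", creds_from_token(MEMBER),
                  {"project_id": "a1b2c3d4"}))
```

The generic check "project_id:%(project_id)s" is what keeps a member inside their own project: the target's project_id comes from the resource being acted on, not from the caller.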

API Rate Limiting

Rate limiting protects the platform from abuse and ensures fair resource allocation between projects. Limits are enforced at the HAProxy layer and within individual services.
Limit Type                | Default               | Configurable
Compute API (per user)    | 50 POST / minute      | Yes
Compute API (per project) | 200 requests / minute | Yes
Identity token issuance   | 100 / minute          | Yes
Image upload              | 10 / hour             | Yes
Configure compute rate limits
# /etc/xavs/globals.d/_60_rate_limits.yml
nova_api_rate_limits: |
  (POST, "*", .*, 50, MINUTE);
  (GET, "*", .*, 300, MINUTE)

CORS Configuration

Cross-Origin Resource Sharing (CORS) controls which origins can make browser-based API requests. Configure allowed origins to match your Dashboard and any custom web applications.
Restrict CORS origins
# /etc/xavs/globals.d/_60_cors.yml
keystone_cors_allowed_origin: "https://connect.<your-domain>"
nova_cors_allowed_origin: "https://connect.<your-domain>"
neutron_cors_allowed_origin: "https://connect.<your-domain>"
Do not set the allowed origin to "*" in production. Xloud APIs authenticate with a token header rather than a session cookie, so a wildcard does not by itself let a third-party site act with a user's Dashboard session; what it does is allow JavaScript from any origin to read API responses for any token it can obtain, removing the browser's same-origin protection for the API. Restrict the allowed origins to the Dashboard and your own web applications.

Service-to-Service Authentication (Mutual TLS)

Platform services authenticate to each other using service user accounts. When internal TLS is enabled, these connections also use mutual TLS certificate validation. Service accounts are created during deployment with minimal permissions scoped to inter-service operations only. These accounts should not be used for manual operations.
List service users
openstack user list --domain service

Audit Logging for API Calls

All API calls are recorded in the audit log with the caller identity, token scope, target resource, and operation result. See the Compliance and Auditing page for log format, retention, and aggregation configuration.
View recent API audit events
docker exec keystone grep "req-" /var/log/kolla/keystone/keystone.log | tail -20

Next Steps

Compliance and Auditing

Audit log format, retention, and compliance framework mapping

Identity and Access

Users, projects, domains, and federation configuration

Infrastructure Security

TLS configuration and certificate management

Application Credentials

Detailed application credential management guide