---
features:
  - |
    Enable Basic HTTP authentication middleware.

    Having noauth as the only option for standalone ironic causes constraints
    on how the API is exposed on the network. Having some kind of
    authentication layer behind a TLS deployment eases these constraints.

    When the config option ``auth_strategy`` is set to ``http_basic`` then
    non-public API calls require a valid HTTP Basic authentication header to
    be set. The config option ``http_basic_auth_user_file`` defaults to
    ``/etc/ironic/htpasswd`` and points to a file which supports the Apache
    htpasswd syntax[1]. This file is read for every request, so no service
    restart is required when changes are made.

    Like the ``noauth`` auth strategy, the ``http_basic`` auth strategy is
    intended for standalone deployments of ironic, and integration with other
    OpenStack services cannot depend on a service catalog.

    The only password digest supported is bcrypt, and the ``bcrypt`` python
    library is used for password checks since it supports ``$2y$`` prefixed
    bcrypt passwords as generated by the Apache htpasswd utility.

    To try HTTP basic authentication, the following can be done:

    * Set ``/etc/ironic/ironic.conf`` ``DEFAULT`` ``auth_strategy`` to
      ``http_basic``
    * Populate the htpasswd file with entries, for example:
      ``htpasswd -nbB myName myPassword >> /etc/ironic/htpassw``
    * Make basic authenticated HTTP requests, for example:
      ``curl --user myName:myPassword http://localhost:6385/v1/drivers``

    [1] https://httpd.apache.org/docs/current/misc/password_encryptions.html