Plugin Options¶
Usage¶
Using plugins via CLI¶
Plugins can be configured via CLI options, using argparse’s ArgumentParser. This is commonly used to produce client tooling that communicates with OpenStack APIs and therefore needs to allow authentication. For example, openstackclient allows configuration using CLI options.
When using auth plugins via CLI you can specify parameters via CLI options or via environment configuration, with CLI options superseding environment configuration. CLI options are specified with the pattern --os- and the parameter name. For example, to use the password plugin via CLI options you can specify:
openstack --os-auth-type password \
          --os-auth-url http://keystone.example.com:5000/ \
          --os-username myuser \
          --os-password mypassword \
          --os-project-name myproject \
          --os-default-domain-name mydomain \
          operation
Environment variables are specified using the pattern OS_ followed by the uppercase parameter name replacing - with _. Using the password example again:
export OS_AUTH_TYPE=password
export OS_AUTH_URL=http://keystone.example.com:5000/
export OS_USERNAME=myuser
export OS_PASSWORD=mypassword
export OS_PROJECT_NAME=myproject
export OS_DEFAULT_DOMAIN_NAME=mydomain
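The naming and precedence rules above, worked through as an added example (not keystoneauth's own loader code): it uses only the standard library's argparse, covers a subset of the password plugin's options listed on this page, and reports which secret options arrived as command-line arguments, where they are visible in the process list and shell history. The function names and sample values are constructed for illustration.

```python
import argparse

# Subset of the password plugin's options as listed on this page: each
# parameter name maps to the names it is accepted under (aliases last).
PASSWORD_OPTIONS = {
    "auth-url": ["auth-url"],
    "username": ["username", "user-name"],
    "password": ["password"],
    "project-name": ["project-name", "tenant-name"],
    "default-domain-name": ["default-domain-name"],
}
SECRET_OPTIONS = {"password"}


def cli_flag(name):
    """CLI pattern: --os- followed by the parameter name."""
    return "--os-" + name


def env_var(name):
    """Environment pattern: OS_ plus the uppercase name with - replaced by _."""
    return "OS_" + name.upper().replace("-", "_")


def resolve(argv, environ):
    """Return {parameter: (value, source)}; a CLI option supersedes the environment."""
    parser = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    for param, names in PASSWORD_OPTIONS.items():
        parser.add_argument(*(cli_flag(n) for n in names), dest=param, default=None)
    # Options not modelled here (and the trailing operation) land in the extras.
    known, _extras = parser.parse_known_args(argv)
    resolved = {}
    for param, names in PASSWORD_OPTIONS.items():
        value = vars(known)[param]
        if value is not None:
            resolved[param] = (value, "cli")
            continue
        for name in names:
            if env_var(name) in environ:
                resolved[param] = (environ[env_var(name)], "env:" + env_var(name))
                break
    return resolved


def secrets_on_command_line(resolved):
    """Names of secret parameters whose value was taken from argv."""
    return sorted(p for p, (_value, source) in resolved.items()
                  if p in SECRET_OPTIONS and source == "cli")


# Constructed sample input: the username is set in both places, the password
# and project only in the environment (the project through its tenant alias).
SAMPLE_ARGV = ["--os-auth-url", "http://keystone.example.com:5000/",
               "--os-username", "myuser", "operation"]
SAMPLE_ENV = {"OS_USERNAME": "envuser", "OS_PASSWORD": "mypassword",
              "OS_TENANT_NAME": "myproject"}

if __name__ == "__main__":
    for param, (value, source) in resolve(SAMPLE_ARGV, SAMPLE_ENV).items():
        shown = "***" if param in SECRET_OPTIONS else value
        print(f"{param:20} {shown:40} {source}")
```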
Using plugins via clouds.yaml¶
Plugins can be configured via clouds.yaml files, which are supported by openstacksdk. When using a clouds.yaml, you specify the plugin name as auth_type within the cloud entry and then specify all plugin options within the auth key of the cloud entry. For example, to use the password plugin for a cloud entry mycloud in a clouds.yaml file you can specify:
clouds:
  mycloud:
    auth_type: password
    auth:
      auth_url: http://keystone.example.com:5000/
      username: myuser
      password: mypassword
      project_name: myproject
      default_domain_name: mydomain
Using plugins via config file¶
Plugins can be configured using an INI-style configuration file, using oslo.config. This is commonly used to allow OpenStack services to talk to each other, though it can be used for any service that wishes to authenticate against Keystone and uses oslo.config. For example, this configuration style is used to allow the Compute service (Nova) to talk to the Networking service (Neutron), Block Storage service (Cinder), and others.
When using the plugins via config file you define the plugin name as auth_type. The options of the plugin are then specified while replacing - with _ to be valid in configuration.
For example, to use the password plugin in a config file you would specify:
[section]
auth_type = password
auth_url = http://keystone.example.com:5000/
username = myuser
password = mypassword
project_name = myproject
default_domain_name = mydomain
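A check a service operator can run over such a file, as an added example that is not part of keystoneauth or oslo.config: it reports options this page marks as mandatory that are missing for the configured auth_type, an auth_url that uses plain HTTP, and credential options stored in a file readable by group or others. It assumes the file parses with the standard library's configparser; the section names, sample values and the audit_config function are constructed for illustration.

```python
import configparser
import stat

# Options this page marks "(mandatory)" for three of its plugins, written
# with - replaced by _ as required in a config file.
MANDATORY = {
    "password": ["auth_url"],
    "v3applicationcredential": ["auth_url", "application_credential_secret"],
    "v3oauth1": ["access_key", "access_secret", "auth_url",
                 "consumer_key", "consumer_secret"],
}
# Options from this page whose value is a credential (subset).
SECRETS = {"password", "token", "application_credential_secret",
           "access_secret", "consumer_secret", "oauth2_client_secret",
           "client_secret"}


def audit_config(text, file_mode):
    """Return (section, option, finding) tuples for one INI-style config.

    text is the file content and file_mode its permission bits
    (for a real file: os.stat(path).st_mode).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    readable_by_others = bool(file_mode & (stat.S_IRGRP | stat.S_IROTH))
    findings = []
    for section in parser.sections():
        opts = parser[section]
        auth_type = opts.get("auth_type")
        if auth_type is None:
            continue  # this section does not configure an auth plugin
        for name in MANDATORY.get(auth_type, []):
            if not opts.get(name):
                findings.append((section, name, "mandatory option missing"))
        if opts.get("auth_url", "").lower().startswith("http://"):
            findings.append((section, "auth_url", "plain HTTP endpoint"))
        if readable_by_others:
            for name in sorted(SECRETS & set(opts)):
                findings.append((section, name,
                                 "secret in a file readable by group or others"))
    return findings


# Constructed sample: the first section repeats this page's password example,
# the second is an application credential entry with its secret left out.
SAMPLE_CONFIG = """
[neutron]
auth_type = password
auth_url = http://keystone.example.com:5000/
username = myuser
password = mypassword
project_name = myproject
default_domain_name = mydomain

[cinder]
auth_type = v3applicationcredential
auth_url = https://keystone.example.com:5000/
application_credential_id = constructed-id
"""

if __name__ == "__main__":
    for section, option, finding in audit_config(SAMPLE_CONFIG, 0o644):
        print(f"[{section}] {option}: {finding}")
```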
Using plugins via other mechanisms¶
Beyond the three configuration mechanisms described here, different services may implement loaders in their own way and you should consult their relevant documentation. However, the same auth options will always be available.
Built-in Plugins¶
This is a listing of all included plugins and the options that they accept. Plugins are listed alphabetically and not in any order of priority.
admin_token¶
Authenticate with an existing token and a known endpoint.
This plugin is primarily useful for development or for use with identity service ADMIN tokens. Because this token is used directly, there is no fetching a service catalog or determining scope information, and so it cannot be used by clients that expect to use this scope information.
Because there is no service catalog, the endpoint that is supplied with initialization is used for all operations performed with this plugin, so it must be the full base URL to an actual service.
- endpoint:
The endpoint that will always be used
- CLI options:
--os-endpoint, --os-url
- Environment variables:
OS_ENDPOINT, OS_URL
- token:
The token that will always be used
- CLI options:
--os-token
- Environment variables:
OS_TOKEN
http_basic¶
Use HTTP Basic authentication to perform requests.
This can be used to instantiate clients for services deployed in standalone mode.
There is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect to use this scope information.
- endpoint:
The endpoint that will always be used
- CLI options:
--os-endpoint
- Environment variables:
OS_ENDPOINT
- password:
User’s password
- CLI options:
--os-password
- Environment variables:
OS_PASSWORD
- username:
Username
- CLI options:
--os-username, --os-user-name
- Environment variables:
OS_USERNAME, OS_USER_NAME
none¶
Use no tokens to perform requests.
This can be used to instantiate clients for services deployed in noauth/standalone mode.
There is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect to use this scope information.
- endpoint:
The endpoint that will always be used
- CLI options:
--os-endpoint
- Environment variables:
OS_ENDPOINT
password¶
Authenticate with a username and password.
Authenticate to the identity service using the provided username and password. This is the standard and most common form of authentication.
As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be provided an unversioned URL to operate against.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- default-domain-id:
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- CLI options:
--os-default-domain-id
- Environment variables:
OS_DEFAULT_DOMAIN_ID
- default-domain-name:
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- CLI options:
--os-default-domain-name
- Environment variables:
OS_DEFAULT_DOMAIN_NAME
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- password:
User’s password
- CLI options:
--os-password
- Environment variables:
OS_PASSWORD
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id, --os-tenant-id
- Environment variables:
OS_PROJECT_ID, OS_TENANT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name, --os-tenant-name
- Environment variables:
OS_PROJECT_NAME, OS_TENANT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
- user-domain-id:
User’s domain id
- CLI options:
--os-user-domain-id
- Environment variables:
OS_USER_DOMAIN_ID
- user-domain-name:
User’s domain name
- CLI options:
--os-user-domain-name
- Environment variables:
OS_USER_DOMAIN_NAME
- user-id:
User id
- CLI options:
--os-user-id
- Environment variables:
OS_USER_ID
- username:
Username
- CLI options:
--os-username, --os-user-name
- Environment variables:
OS_USERNAME, OS_USER_NAME
token¶
Given an existing token rescope it to another target.
Use the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information it is often easier to fetch a new token based on an existing one than validate and reuse the one you already have.
As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be provided an unversioned URL to operate against.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- default-domain-id:
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- CLI options:
--os-default-domain-id
- Environment variables:
OS_DEFAULT_DOMAIN_ID
- default-domain-name:
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- CLI options:
--os-default-domain-name
- Environment variables:
OS_DEFAULT_DOMAIN_NAME
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id, --os-tenant-id
- Environment variables:
OS_PROJECT_ID, OS_TENANT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name, --os-tenant-name
- Environment variables:
OS_PROJECT_NAME, OS_TENANT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- token:
Token to authenticate with
- CLI options:
--os-token
- Environment variables:
OS_TOKEN
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v2password¶
Authenticate with a username and password.
Authenticate to the identity service using the provided username and password. This is the standard and most common form of authentication.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- password:
Password to use
- CLI options:
--os-password
- Environment variables:
OS_PASSWORD
- tenant-id:
Tenant ID
- CLI options:
--os-tenant-id
- Environment variables:
OS_TENANT_ID
- tenant-name:
Tenant Name
- CLI options:
--os-tenant-name
- Environment variables:
OS_TENANT_NAME
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
- user-id:
User ID to login with
- CLI options:
--os-user-id
- Environment variables:
OS_USER_ID
- username:
Username to login with
- CLI options:
--os-username, --os-user-name
- Environment variables:
OS_USERNAME, OS_USER_NAME
v2token¶
Given an existing token rescope it to another target.
Use the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information it is often easier to fetch a new token based on an existing one than validate and reuse the one you already have.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- tenant-id:
Tenant ID
- CLI options:
--os-tenant-id
- Environment variables:
OS_TENANT_ID
- tenant-name:
Tenant Name
- CLI options:
--os-tenant-name
- Environment variables:
OS_TENANT_NAME
- token:
Token
- CLI options:
--os-token
- Environment variables:
OS_TOKEN
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3adfspassword¶
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- identity-provider:
Identity Provider’s name (mandatory)
- CLI options:
--os-identity-provider
- Environment variables:
OS_IDENTITY_PROVIDER
- identity-provider-url:
An Identity Provider URL, where the SAML authentication request will be sent. (mandatory)
- CLI options:
--os-identity-provider-url
- Environment variables:
OS_IDENTITY_PROVIDER_URL
- password:
Password (mandatory)
- CLI options:
--os-password
- Environment variables:
OS_PASSWORD
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- protocol:
Protocol for federated plugin (mandatory)
- CLI options:
--os-protocol
- Environment variables:
OS_PROTOCOL
- service-provider-endpoint:
Service Provider’s Endpoint (mandatory)
- CLI options:
--os-service-provider-endpoint
- Environment variables:
OS_SERVICE_PROVIDER_ENDPOINT
- service-provider-entity-id:
Service Provider’s SAML Entity ID (mandatory)
- CLI options:
--os-service-provider-entity-id
- Environment variables:
OS_SERVICE_PROVIDER_ENTITY_ID
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
- username:
Username (mandatory)
- CLI options:
--os-username
- Environment variables:
OS_USERNAME
v3applicationcredential¶
Authenticate with an application credential.
Authenticate to the identity service using the provided application credential secret and ID or name. If a name is used, you must also provide a username and user domain to assist in lookup.
- application_credential_id:
Application credential ID
- CLI options:
--os-application_credential_id
- Environment variables:
OS_APPLICATION_CREDENTIAL_ID
- application_credential_name:
Application credential name
- CLI options:
--os-application_credential_name
- Environment variables:
OS_APPLICATION_CREDENTIAL_NAME
- application_credential_secret:
Application credential auth secret (mandatory)
- CLI options:
--os-application_credential_secret
- Environment variables:
OS_APPLICATION_CREDENTIAL_SECRET
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
- user-domain-id:
User’s domain ID
- CLI options:
--os-user-domain-id
- Environment variables:
OS_USER_DOMAIN_ID
- user-domain-name:
User’s domain name
- CLI options:
--os-user-domain-name
- Environment variables:
OS_USER_DOMAIN_NAME
- user-id:
User’s user ID
- CLI options:
--os-user-id
- Environment variables:
OS_USER_ID
- username:
User’s username
- CLI options:
--os-username, --os-user-name
- Environment variables:
OS_USERNAME, OS_USER_NAME
v3fedkerb¶
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- identity-provider:
Identity Provider’s name (mandatory)
- CLI options:
--os-identity-provider
- Environment variables:
OS_IDENTITY_PROVIDER
- mutual-auth:
Configures Kerberos Mutual Authentication
- CLI options:
--os-mutual-auth
- Environment variables:
OS_MUTUAL_AUTH
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- protocol:
Protocol for federated plugin (mandatory)
- CLI options:
--os-protocol
- Environment variables:
OS_PROTOCOL
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3kerberos¶
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- mutual-auth:
Configures Kerberos Mutual Authentication
- CLI options:
--os-mutual-auth
- Environment variables:
OS_MUTUAL_AUTH
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3multifactor¶
Authenticate using multiple factors.
Authenticate to the identity service using a combination of factors, such as username/password and a TOTP code.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- auth_methods:
Methods to authenticate with. (mandatory)
- CLI options:
--os-auth_methods
- Environment variables:
OS_AUTH_METHODS
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3oauth1¶
- access-key:
OAuth Access Key (mandatory)
- CLI options:
--os-access-key
- Environment variables:
OS_ACCESS_KEY
- access-secret:
OAuth Access Secret (mandatory)
- CLI options:
--os-access-secret
- Environment variables:
OS_ACCESS_SECRET
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- consumer-key:
OAuth Consumer ID/Key (mandatory)
- CLI options:
--os-consumer-key
- Environment variables:
OS_CONSUMER_KEY
- consumer-secret:
OAuth Consumer Secret (mandatory)
- CLI options:
--os-consumer-secret
- Environment variables:
OS_CONSUMER_SECRET
v3oauth2clientcredential¶
Authenticate with an OAuth2.0 client credential.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- oauth2_client_id:
Client id for OAuth2.0 (mandatory)
- CLI options:
--os-oauth2_client_id
- Environment variables:
OS_OAUTH2_CLIENT_ID
- oauth2_client_secret:
Client secret for OAuth2.0 (mandatory)
- CLI options:
--os-oauth2_client_secret
- Environment variables:
OS_OAUTH2_CLIENT_SECRET
- oauth2_endpoint:
Endpoint for OAuth2.0 (mandatory)
- CLI options:
--os-oauth2_endpoint
- Environment variables:
OS_OAUTH2_ENDPOINT
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3oauth2mtlsclientcredential¶
Authenticate with an OAuth2.0 mTLS client credential.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- oauth2-client-id:
Client credential ID for OAuth2.0 Mutual-TLS Authorization (mandatory)
- CLI options:
--os-oauth2-client-id
- Environment variables:
OS_OAUTH2_CLIENT_ID
- oauth2-endpoint:
Endpoint for OAuth2.0 Mutual-TLS Authorization (mandatory)
- CLI options:
--os-oauth2-endpoint
- Environment variables:
OS_OAUTH2_ENDPOINT
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3oidcaccesstoken¶
Authenticate with the OIDC Access Token flow.
- access-token:
OAuth 2.0 Access Token (mandatory)
- CLI options:
--os-access-token
- Environment variables:
OS_ACCESS_TOKEN
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- identity-provider:
Identity Provider’s name (mandatory)
- CLI options:
--os-identity-provider
- Environment variables:
OS_IDENTITY_PROVIDER
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- protocol:
Protocol for federated plugin (mandatory)
- CLI options:
--os-protocol
- Environment variables:
OS_PROTOCOL
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3oidcauthcode¶
Authenticate with the OIDC Authorization Code flow.
- access-token-endpoint:
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options:
--os-access-token-endpoint
- Environment variables:
OS_ACCESS_TOKEN_ENDPOINT
- access-token-type:
OAuth 2.0 Authorization Server Introspection token type. It is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”
- CLI options:
--os-access-token-type
- Environment variables:
OS_ACCESS_TOKEN_TYPE
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- client-id:
OAuth 2.0 Client ID
- CLI options:
--os-client-id
- Environment variables:
OS_CLIENT_ID
- client-secret:
OAuth 2.0 Client Secret
- CLI options:
--os-client-secret
- Environment variables:
OS_CLIENT_SECRET
- code:
OAuth 2.0 Authorization Code (mandatory)
- CLI options:
--os-code, --os-authorization-code
- Environment variables:
OS_CODE, OS_AUTHORIZATION_CODE
- discovery-endpoint:
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- CLI options:
--os-discovery-endpoint
- Environment variables:
OS_DISCOVERY_ENDPOINT
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- identity-provider:
Identity Provider’s name (mandatory)
- CLI options:
--os-identity-provider
- Environment variables:
OS_IDENTITY_PROVIDER
- openid-scope:
OpenID Connect scope that is requested from the authorization server. Note that the OpenID Connect specification states that “openid” must always be specified.
- CLI options:
--os-openid-scope
- Environment variables:
OS_OPENID_SCOPE
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- protocol:
Protocol for federated plugin (mandatory)
- CLI options:
--os-protocol
- Environment variables:
OS_PROTOCOL
- redirect-uri:
OpenID Connect Redirect URL
- CLI options:
--os-redirect-uri
- Environment variables:
OS_REDIRECT_URI
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3oidcclientcredentials¶
Authenticate with the OIDC Client Credentials flow.
- access-token-endpoint:
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options:
--os-access-token-endpoint
- Environment variables:
OS_ACCESS_TOKEN_ENDPOINT
- access-token-type:
OAuth 2.0 Authorization Server Introspection token type. It is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”
- CLI options:
--os-access-token-type
- Environment variables:
OS_ACCESS_TOKEN_TYPE
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- client-id:
OAuth 2.0 Client ID
- CLI options:
--os-client-id
- Environment variables:
OS_CLIENT_ID
- client-secret:
OAuth 2.0 Client Secret
- CLI options:
--os-client-secret
- Environment variables:
OS_CLIENT_SECRET
- discovery-endpoint:
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- CLI options:
--os-discovery-endpoint
- Environment variables:
OS_DISCOVERY_ENDPOINT
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- identity-provider:
Identity Provider’s name (mandatory)
- CLI options:
--os-identity-provider
- Environment variables:
OS_IDENTITY_PROVIDER
- openid-scope:
OpenID Connect scope that is requested from the authorization server. Note that the OpenID Connect specification states that “openid” must always be specified.
- CLI options:
--os-openid-scope
- Environment variables:
OS_OPENID_SCOPE
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- protocol:
Protocol for federated plugin (mandatory)
- CLI options:
--os-protocol
- Environment variables:
OS_PROTOCOL
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee use
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3oidcdeviceauthz¶
Authenticate with the OAuth 2.0 Device Authorization flow.
- access-token-endpoint:
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options:
--os-access-token-endpoint
- Environment variables:
OS_ACCESS_TOKEN_ENDPOINT
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- client-id:
OAuth 2.0 Client ID
- CLI options:
--os-client-id
- Environment variables:
OS_CLIENT_ID
- client-secret:
OAuth 2.0 Client Secret
- CLI options:
--os-client-secret
- Environment variables:
OS_CLIENT_SECRET
- code-challenge-method:
PKCE Challenge Method (RFC 7636)
- CLI options:
--os-code-challenge-method
- Environment variables:
OS_CODE_CHALLENGE_METHOD
- device-authorization-endpoint:
OAuth 2.0 Device Authorization Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options:
--os-device-authorization-endpoint
- Environment variables:
OS_DEVICE_AUTHORIZATION_ENDPOINT
- discovery-endpoint:
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- CLI options:
--os-discovery-endpoint
- Environment variables:
OS_DISCOVERY_ENDPOINT
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- identity-provider:
Identity Provider’s name (mandatory)
- CLI options:
--os-identity-provider
- Environment variables:
OS_IDENTITY_PROVIDER
- openid-scope:
OpenID Connect scope that is requested from the authorization server. Note that the OpenID Connect specification states that “openid” must always be specified.
- CLI options:
--os-openid-scope
- Environment variables:
OS_OPENID_SCOPE
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- protocol:
Protocol for federated plugin (mandatory)
- CLI options:
--os-protocol
- Environment variables:
OS_PROTOCOL
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3oidcpassword
Authenticate with the OIDC Resource Owner Password Credentials flow.
- access-token-endpoint:
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options:
--os-access-token-endpoint
- Environment variables:
OS_ACCESS_TOKEN_ENDPOINT
- access-token-type:
OAuth 2.0 Authorization Server Introspection token type. It is used to decide which type of token will be used when processing token introspection. Valid values are “access_token” or “id_token”.
- CLI options:
--os-access-token-type
- Environment variables:
OS_ACCESS_TOKEN_TYPE
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- client-id:
OAuth 2.0 Client ID
- CLI options:
--os-client-id
- Environment variables:
OS_CLIENT_ID
- client-secret:
OAuth 2.0 Client Secret
- CLI options:
--os-client-secret
- Environment variables:
OS_CLIENT_SECRET
- discovery-endpoint:
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- CLI options:
--os-discovery-endpoint
- Environment variables:
OS_DISCOVERY_ENDPOINT
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- identity-provider:
Identity Provider’s name (mandatory)
- CLI options:
--os-identity-provider
- Environment variables:
OS_IDENTITY_PROVIDER
- idp_otp_key:
A key to be used in the Identity Provider access token endpoint to pass the OTP value. E.g. totp
- CLI options:
--os-idp_otp_key
- Environment variables:
OS_IDP_OTP_KEY
- openid-scope:
OpenID Connect scope that is requested from the authorization server. Note that the OpenID Connect specification states that “openid” must always be specified.
- CLI options:
--os-openid-scope
- Environment variables:
OS_OPENID_SCOPE
- password:
Password (mandatory)
- CLI options:
--os-password
- Environment variables:
OS_PASSWORD
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- protocol:
Protocol for federated plugin (mandatory)
- CLI options:
--os-protocol
- Environment variables:
OS_PROTOCOL
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
- username:
Username (mandatory)
- CLI options:
--os-username
- Environment variables:
OS_USERNAME
v3password
Authenticate with a username and password.
Authenticate to the identity service using the provided username and password. This is the standard and most common form of authentication.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- password:
User’s password
- CLI options:
--os-password
- Environment variables:
OS_PASSWORD
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
- user-domain-id:
User’s domain ID
- CLI options:
--os-user-domain-id
- Environment variables:
OS_USER_DOMAIN_ID
- user-domain-name:
User’s domain name
- CLI options:
--os-user-domain-name
- Environment variables:
OS_USER_DOMAIN_NAME
- user-id:
User’s user ID
- CLI options:
--os-user-id
- Environment variables:
OS_USER_ID
- username:
User’s username
- CLI options:
--os-username, --os-user-name
- Environment variables:
OS_USERNAME, OS_USER_NAME
v3samlpassword
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- identity-provider:
Identity Provider’s name (mandatory)
- CLI options:
--os-identity-provider
- Environment variables:
OS_IDENTITY_PROVIDER
- identity-provider-url:
An Identity Provider URL, where the SAML2 authentication request will be sent. (mandatory)
- CLI options:
--os-identity-provider-url
- Environment variables:
OS_IDENTITY_PROVIDER_URL
- password:
Password (mandatory)
- CLI options:
--os-password
- Environment variables:
OS_PASSWORD
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- protocol:
Protocol for federated plugin (mandatory)
- CLI options:
--os-protocol
- Environment variables:
OS_PROTOCOL
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
- username:
Username (mandatory)
- CLI options:
--os-username
- Environment variables:
OS_USERNAME
v3token
Given an existing token, rescope it to another target.
Use the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information, it is often easier to fetch a new token based on an existing one than to validate and reuse the one you already have.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- token:
Token to authenticate with
- CLI options:
--os-token
- Environment variables:
OS_TOKEN
- trust-id:
ID of the trust to use as a trustee
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
v3tokenlessauth
Authenticate without a token, using an X.509 certificate.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
v3totp
Authenticate with a Time-based One-Time Password.
Authenticate to the identity service using a time-based one-time password. This is typically used in combination with another plugin as part of a multi-factor configuration.
- auth-url:
Authentication URL (mandatory)
- CLI options:
--os-auth-url
- Environment variables:
OS_AUTH_URL
- domain-id:
Domain ID to scope to
- CLI options:
--os-domain-id
- Environment variables:
OS_DOMAIN_ID
- domain-name:
Domain name to scope to
- CLI options:
--os-domain-name
- Environment variables:
OS_DOMAIN_NAME
- passcode:
User’s TOTP passcode
- CLI options:
--os-passcode
- Environment variables:
OS_PASSCODE
- project-domain-id:
Domain ID containing project
- CLI options:
--os-project-domain-id
- Environment variables:
OS_PROJECT_DOMAIN_ID
- project-domain-name:
Domain name containing project
- CLI options:
--os-project-domain-name
- Environment variables:
OS_PROJECT_DOMAIN_NAME
- project-id:
Project ID to scope to
- CLI options:
--os-project-id
- Environment variables:
OS_PROJECT_ID
- project-name:
Project name to scope to
- CLI options:
--os-project-name
- Environment variables:
OS_PROJECT_NAME
- system-scope:
Scope for system operations
- CLI options:
--os-system-scope
- Environment variables:
OS_SYSTEM_SCOPE
- trust-id:
ID of the trust to use as a trustee
- CLI options:
--os-trust-id
- Environment variables:
OS_TRUST_ID
- user-domain-id:
User’s domain ID
- CLI options:
--os-user-domain-id
- Environment variables:
OS_USER_DOMAIN_ID
- user-domain-name:
User’s domain name
- CLI options:
--os-user-domain-name
- Environment variables:
OS_USER_DOMAIN_NAME
- user-id:
User’s user ID
- CLI options:
--os-user-id
- Environment variables:
OS_USER_ID
- username:
User’s username
- CLI options:
--os-username, --os-user-name
- Environment variables:
OS_USERNAME, OS_USER_NAME
Additional Plugins
keystoneauth is designed to be pluggable, and Python packages exist that provide additional plugins.