Plugin Options¶
Using plugins via config file¶
When using the plugins via config file you define the plugin name as
auth_type
. The options of the plugin are then specified while replacing
-
with _
to be valid in configuration.
For example to use the password plugin in a config file you would specify:
[section]
auth_url = http://keystone.example.com:5000/
auth_type = password
username = myuser
password = mypassword
project_name = myproject
default_domain_name = mydomain
Using plugins via CLI¶
When using auth plugins via CLI via os-client-config
or shade
you can
specify parameters via environment configuration by using the pattern OS_
followed by the uppercase parameter name replacing -
with _
.
For example to use the password plugin via environment variable you specify:
export OS_AUTH_TYPE=password
export OS_AUTH_URL=http://keystone.example.com:5000/
export OS_USERNAME=myuser
export OS_PASSWORD=mypassword
export OS_PROJECT_NAME=myproject
export OS_DEFAULT_DOMAIN_NAME=mydomain
Specifying operations via CLI parameter will override the environment
parameter. These are specified with the pattern --os-
and the parameter
name. Using the password example again:
openstack --os-auth-type password \
--os-auth-url http://keystone.example.com:5000/ \
--os-username myuser \
--os-password mypassword \
--os-project-name myproject \
--os-default-domain-name mydomain \
operation
Additional loaders¶
The configuration and CLI loaders are quite commonly used however similar
concepts are found in other situations such as os-client-config
in which
you specify authentication and other cloud parameters in a clouds.yaml
file.
Loaders such as these use the same plugin options listed below, but via their
own mechanism. In os-client-config
the password plugin looks like:
clouds:
mycloud:
auth_type: password
auth:
auth_url: http://keystone.example.com:5000/
auth_type: password
username: myuser
password: mypassword
project_name: myproject
default_domain_name: mydomain
However different services may implement loaders in their own way and you should consult their relevant documentation. The same auth options will be available.
Available Plugins¶
This is a listing of all included plugins and the options that they accept. Plugins are listed alphabetically and not in any order of priority.
admin_token¶
Use an existing token and a known endpoint to perform requests.
This plugin is primarily useful for development or for use with identity service ADMIN tokens. Because this token is used directly there is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect use this scope information.
Because there is no service catalog the endpoint that is supplied with initialization is used for all operations performed with this plugin so must be the full base URL to an actual service.
- endpoint
The endpoint that will always be used
- token
The token that will always be used
none¶
Use no tokens to perform requests.
This can be used to instantiate clients for services deployed in noauth/standalone mode.
There is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect to use this scope information.
- endpoint
The endpoint that will always be used
password¶
Authenticate via a username and password.
Authenticate to the identity service using an inbuilt username and password. This is the standard and most common form of authentication.
As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be providen an unversioned URL to operate against.
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- default-domain-id
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- default-domain-name
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- user-id
User id
- username
Username
- user-domain-id
User’s domain id
- user-domain-name
User’s domain name
- password
User’s password
token¶
Given an existing token rescope it to another target.
This plugin uses the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information it is often easier to fetch a new token based on an existing one than validate and reuse the one you already have.
As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be providen an unversioned URL to operate against.
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- default-domain-id
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- default-domain-name
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- token
Token to authenticate with
v2password¶
- auth-url
Authentication URL
- tenant-id
Tenant ID
- tenant-name
Tenant Name
- trust-id
Trust ID
- username
Username to login with
- user-id
User ID to login with
- password
Password to use
v2token¶
- auth-url
Authentication URL
- tenant-id
Tenant ID
- tenant-name
Tenant Name
- trust-id
Trust ID
- token
Token
v3adfspassword¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- identity-provider
Identity Provider’s name
- protocol
Protocol for federated plugin
- identity-provider-url
An Identity Provider URL, where the SAML authentication request will be sent.
- service-provider-endpoint
Service Provider’s Endpoint
- service-provider-entity-id
Service Provider’s SAML Entity ID
- username
Username
- password
Password
v3applicationcredential¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- user-id
User ID
- username
Username
- user-domain-id
User’s domain id
- user-domain-name
User’s domain name
- application_credential_secret
Application credential auth secret
- application_credential_id
Application credential ID
- application_credential_name
Application credential name
v3fedkerb¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- identity-provider
Identity Provider’s name
- protocol
Protocol for federated plugin
- mutual-auth
Configures Kerberos Mutual Authentication
v3kerberos¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- mutual-auth
Configures Kerberos Mutual Authentication
v3multifactor¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- auth_methods
Methods to authenticate with.
v3oauth1¶
- auth-url
Authentication URL
- consumer-key
OAuth Consumer ID/Key
- consumer-secret
OAuth Consumer Secret
- access-key
OAuth Access Key
- access-secret
OAuth Access Secret
v3oidcaccesstoken¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- identity-provider
Identity Provider’s name
- protocol
Protocol for federated plugin
- access-token
OAuth 2.0 Access Token
v3oidcauthcode¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- identity-provider
Identity Provider’s name
- protocol
Protocol for federated plugin
- client-id
OAuth 2.0 Client ID
- client-secret
OAuth 2.0 Client Secret
- openid-scope
OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.
- access-token-endpoint
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- discovery-endpoint
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- access-token-type
OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”
- redirect-uri
OpenID Connect Redirect URL
- code
OAuth 2.0 Authorization Code
v3oidcclientcredentials¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- identity-provider
Identity Provider’s name
- protocol
Protocol for federated plugin
- client-id
OAuth 2.0 Client ID
- client-secret
OAuth 2.0 Client Secret
- openid-scope
OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.
- access-token-endpoint
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- discovery-endpoint
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- access-token-type
OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”
v3oidcpassword¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- identity-provider
Identity Provider’s name
- protocol
Protocol for federated plugin
- client-id
OAuth 2.0 Client ID
- client-secret
OAuth 2.0 Client Secret
- openid-scope
OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.
- access-token-endpoint
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- discovery-endpoint
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- access-token-type
OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”
- username
Username
- password
Password
v3password¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- user-id
User ID
- username
Username
- user-domain-id
User’s domain id
- user-domain-name
User’s domain name
- password
User’s password
v3samlpassword¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- identity-provider
Identity Provider’s name
- protocol
Protocol for federated plugin
- identity-provider-url
An Identity Provider URL, where the SAML2 authentication request will be sent.
- username
Username
- password
Password
v3token¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- token
Token to authenticate with
v3tokenlessauth¶
- auth-url
Authentication URL
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
v3totp¶
- auth-url
Authentication URL
- system-scope
Scope for system operations
- domain-id
Domain ID to scope to
- domain-name
Domain name to scope to
- project-id
Project ID to scope to
- project-name
Project name to scope to
- project-domain-id
Domain ID containing project
- project-domain-name
Domain name containing project
- trust-id
Trust ID
- user-id
User ID
- username
Username
- user-domain-id
User’s domain id
- user-domain-name
User’s domain name
- passcode
User’s TOTP passcode