Plugin Options

Using plugins via config file

When using the plugins via config file you define the plugin name as auth_type. The options of the plugin are then specified while replacing - with _ to be valid in configuration.

For example to use the password plugin in a config file you would specify:

[section]
auth_url = http://keystone.example.com:5000/
auth_type = password
username = myuser
password = mypassword
project_name = myproject
default_domain_name = mydomain

Using plugins via CLI

When using auth plugins via CLI via os-client-config or shade you can specify parameters via environment configuration by using the pattern OS_ followed by the uppercase parameter name replacing - with _.

For example to use the password plugin via environment variable you specify:

export OS_AUTH_TYPE=password
export OS_AUTH_URL=http://keystone.example.com:5000/
export OS_USERNAME=myuser
export OS_PASSWORD=mypassword
export OS_PROJECT_NAME=myproject
export OS_DEFAULT_DOMAIN_NAME=mydomain

Specifying operations via CLI parameter will override the environment parameter. These are specified with the pattern --os- and the parameter name. Using the password example again:

openstack --os-auth-type password \
          --os-auth-url http://keystone.example.com:5000/ \
          --os-username myuser \
          --os-password mypassword \
          --os-project-name myproject \
          --os-default-domain-name mydomain \
          operation

Additional loaders

The configuration and CLI loaders are quite commonly used however similar concepts are found in other situations such as os-client-config in which you specify authentication and other cloud parameters in a clouds.yaml file.

Loaders such as these use the same plugin options listed below, but via their own mechanism. In os-client-config the password plugin looks like:

clouds:
  mycloud:
    auth_type: password
    auth:
      auth_url: http://keystone.example.com:5000/
      auth_type: password
      username: myuser
      password: mypassword
      project_name: myproject
      default_domain_name: mydomain

However different services may implement loaders in their own way and you should consult their relevant documentation. The same auth options will be available.

Available Plugins

This is a listing of all included plugins and the options that they accept. Plugins are listed alphabetically and not in any order of priority.

admin_token

Use an existing token and a known endpoint to perform requests.

This plugin is primarily useful for development or for use with identity service ADMIN tokens. Because this token is used directly there is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect use this scope information.

Because there is no service catalog the endpoint that is supplied with initialization is used for all operations performed with this plugin so must be the full base URL to an actual service.


endpoint

The endpoint that will always be used

token

The token that will always be used

none

Use no tokens to perform requests.

This can be used to instantiate clients for services deployed in noauth/standalone mode.

There is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect to use this scope information.


endpoint

The endpoint that will always be used

password

Authenticate via a username and password.

Authenticate to the identity service using an inbuilt username and password. This is the standard and most common form of authentication.

As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be providen an unversioned URL to operate against.


auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

default-domain-id

Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.

default-domain-name

Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.

user-id

User id

username

Username

user-domain-id

User’s domain id

user-domain-name

User’s domain name

password

User’s password

token

Given an existing token rescope it to another target.

This plugin uses the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information it is often easier to fetch a new token based on an existing one than validate and reuse the one you already have.

As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be providen an unversioned URL to operate against.


auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

default-domain-id

Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.

default-domain-name

Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.

token

Token to authenticate with

v2password

auth-url

Authentication URL

tenant-id

Tenant ID

tenant-name

Tenant Name

trust-id

Trust ID

username

Username to login with

user-id

User ID to login with

password

Password to use

v2token

auth-url

Authentication URL

tenant-id

Tenant ID

tenant-name

Tenant Name

trust-id

Trust ID

token

Token

v3adfspassword

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

identity-provider

Identity Provider’s name

protocol

Protocol for federated plugin

identity-provider-url

An Identity Provider URL, where the SAML authentication request will be sent.

service-provider-endpoint

Service Provider’s Endpoint

service-provider-entity-id

Service Provider’s SAML Entity ID

username

Username

password

Password

v3applicationcredential

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

user-id

User ID

username

Username

user-domain-id

User’s domain id

user-domain-name

User’s domain name

application_credential_secret

Application credential auth secret

application_credential_id

Application credential ID

application_credential_name

Application credential name

v3fedkerb

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

identity-provider

Identity Provider’s name

protocol

Protocol for federated plugin

mutual-auth

Configures Kerberos Mutual Authentication

v3kerberos

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

mutual-auth

Configures Kerberos Mutual Authentication

v3multifactor

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

auth_methods

Methods to authenticate with.

v3oauth1

auth-url

Authentication URL

consumer-key

OAuth Consumer ID/Key

consumer-secret

OAuth Consumer Secret

access-key

OAuth Access Key

access-secret

OAuth Access Secret

v3oidcaccesstoken

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

identity-provider

Identity Provider’s name

protocol

Protocol for federated plugin

access-token

OAuth 2.0 Access Token

v3oidcauthcode

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

identity-provider

Identity Provider’s name

protocol

Protocol for federated plugin

client-id

OAuth 2.0 Client ID

client-secret

OAuth 2.0 Client Secret

openid-scope

OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.

access-token-endpoint

OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.

discovery-endpoint

OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration

access-token-type

OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”

redirect-uri

OpenID Connect Redirect URL

code

OAuth 2.0 Authorization Code

v3oidcclientcredentials

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

identity-provider

Identity Provider’s name

protocol

Protocol for federated plugin

client-id

OAuth 2.0 Client ID

client-secret

OAuth 2.0 Client Secret

openid-scope

OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.

access-token-endpoint

OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.

discovery-endpoint

OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration

access-token-type

OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”

v3oidcpassword

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

identity-provider

Identity Provider’s name

protocol

Protocol for federated plugin

client-id

OAuth 2.0 Client ID

client-secret

OAuth 2.0 Client Secret

openid-scope

OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must be always specified.

access-token-endpoint

OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.

discovery-endpoint

OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration

access-token-type

OAuth 2.0 Authorization Server Introspection token type, it is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”

username

Username

password

Password

v3password

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

user-id

User ID

username

Username

user-domain-id

User’s domain id

user-domain-name

User’s domain name

password

User’s password

v3samlpassword

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

identity-provider

Identity Provider’s name

protocol

Protocol for federated plugin

identity-provider-url

An Identity Provider URL, where the SAML2 authentication request will be sent.

username

Username

password

Password

v3token

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

token

Token to authenticate with

v3tokenlessauth

auth-url

Authentication URL

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

v3totp

auth-url

Authentication URL

system-scope

Scope for system operations

domain-id

Domain ID to scope to

domain-name

Domain name to scope to

project-id

Project ID to scope to

project-name

Project name to scope to

project-domain-id

Domain ID containing project

project-domain-name

Domain name containing project

trust-id

Trust ID

user-id

User ID

username

Username

user-domain-id

User’s domain id

user-domain-name

User’s domain name

passcode

User’s TOTP passcode