Before working with the Identity service, you’ll need to create a connection to your OpenStack cloud by following the Connect user guide. This will provide you with the conn variable used in the examples below.
The OpenStack Identity service is the default identity management system for OpenStack. The Identity service authentication process confirms the identity of a user and an incoming request by validating a set of credentials that the user supplies. Initially, these credentials are a user name and password or a user name and API key. When the Identity service validates user credentials, it issues an authentication token that the user provides in subsequent requests. An authentication token is an alpha-numeric text string that enables access to OpenStack APIs and resources. A token may be revoked at any time and is valid for a finite duration.
A user is a digital representation of a person, system, or service that uses OpenStack cloud services. The Identity service validates that incoming requests are made by the user who claims to be making the call. Users have a login and can access resources by using assigned tokens. Users can be directly assigned to a particular project and behave as if they are contained in that project.

def list_users(conn):
    print("List Users:")

    for user in conn.identity.users():
        print(user)

Full example: identity resource list
Credentials are data that confirms the identity of the user. For example, user name and password, user name and API key, or an authentication token that the Identity service provides.

def list_credentials(conn):
    print("List Credentials:")

    for credential in conn.identity.credentials():
        print(credential)

A project is a container that groups or isolates resources or identity objects.

def list_projects(conn):
    print("List Projects:")

    for project in conn.identity.projects():
        print(project)

A domain is an Identity service API v3 entity and represents a collection of projects and users that defines administrative boundaries for the management of Identity entities. Users can be granted the administrator role for a domain. A domain administrator can create projects, users, and groups in a domain and assign roles to users and groups in a domain.

def list_domains(conn):
    print("List Domains:")

    for domain in conn.identity.domains():
        print(domain)

A group is an Identity service API v3 entity and represents a collection of users that are owned by a domain. A group role granted to a domain or project applies to all users in the group. Adding users to, or removing users from, a group respectively grants, or revokes, their role and authentication to the associated domain or project.

def list_groups(conn):
    print("List Groups:")

    for group in conn.identity.groups():
        print(group)

A service is an OpenStack service, such as Compute, Object Storage, or Image service, that provides one or more endpoints through which users can access resources and perform operations.

def list_services(conn):
    print("List Services:")

    for service in conn.identity.services():
        print(service)

An endpoint is a network-accessible address, usually a URL, through which you can access a service.

def list_endpoints(conn):
    print("List Endpoints:")

    for endpoint in conn.identity.endpoints():
        print(endpoint)

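The services and endpoints listings can be combined into a small audit that flags enabled endpoints not served over HTTPS, where the authentication token sent with each request would travel unencrypted. This is an added example, not part of the original guide or the SDK's own examples; the severity labels and the sample_conn() stub with its made-up hosts and ids are assumptions, and the real conn can be passed in its place.

```python
from types import SimpleNamespace
from urllib.parse import urlsplit


def audit_endpoints(conn):
    """Return (severity, service, interface, url) for enabled non-HTTPS endpoints."""
    # Join endpoints to services so findings carry a readable service name.
    services = {svc.id: svc.name for svc in conn.identity.services()}
    findings = []
    for endpoint in conn.identity.endpoints():
        if not endpoint.is_enabled:
            continue  # skip endpoints that are disabled
        if urlsplit(endpoint.url).scheme.lower() == "https":
            continue
        # Requests to this URL carry the authentication token unencrypted.
        # Severity labels are this example's own convention (assumption).
        severity = "high" if endpoint.interface == "public" else "medium"
        name = services.get(endpoint.service_id, "unknown")
        findings.append((severity, name, endpoint.interface, endpoint.url))
    return sorted(findings)


def sample_conn():
    """Constructed stand-in for conn; hostnames and ids are made up."""
    def svc(sid, name):
        return SimpleNamespace(id=sid, name=name)

    def ep(service_id, interface, url, is_enabled=True):
        return SimpleNamespace(service_id=service_id, interface=interface,
                               url=url, is_enabled=is_enabled)

    services = [svc("s1", "keystone"), svc("s2", "nova"), svc("s3", "glance")]
    endpoints = [
        ep("s1", "public", "https://cloud.example.test:5000/v3"),
        ep("s2", "public", "http://cloud.example.test:8774/v2.1"),
        ep("s2", "internal", "http://10.0.0.5:8774/v2.1"),
        ep("s3", "public", "http://cloud.example.test:9292", is_enabled=False),
    ]
    identity = SimpleNamespace(services=lambda: iter(services),
                               endpoints=lambda: iter(endpoints))
    return SimpleNamespace(identity=identity)


if __name__ == "__main__":
    for finding in audit_endpoints(sample_conn()):
        print(*finding)
```
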
A region is an Identity service API v3 entity and represents a general division in an OpenStack deployment. You can associate zero or more sub-regions with a region to make a tree-like structured hierarchy.

def list_regions(conn):
    print("List Regions:")

    for region in conn.identity.regions():
        print(region)

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License.