OpenStackClient leverages python-keystoneclient authentication plugins to support a number of different authentication methods.
The user provides some number of authentication credential options.
If an authentication type is not provided (--os-auth-type
), the
authentication options are examined to determine if one of the default
types can be used. If no match is found an error is reported and OSC exits.
Note that the authentication call to the Identity service has not yet occurred. It is deferred until the last possible moment in order to reduce the number of unnecessary queries to the server, such as when further processing detects an invalid command.
The Keystone client library implements the base set of plugins. Additional plugins may be available from the Keystone project or other sources.
There are at least three authentication types that are always available:
--os-auth-url
,
--os-project-name
, --os-username
; Optional: --os-password
]--os-auth-url
, --os-token
]admin_token
configured
in keystone.conf
. It will also work with other services and a regular
scoped token such as one obtained from a token issue
command.
[Required: --os-url
, --os-token
]--os-auth-type
option.The authentication process in OpenStackClient is all contained in and handled
by the ClientManager
object.
api.auth
:keystoneclient.auth.plugin
entry point.clouds.yaml
if --os-cloud
is provided.ClientManager
is created and supplied with the set of options from the
command line, environment and/or clouds.yaml
:--os-auth-type
is provided and is a valid and available plugin--os-auth-type
is not provided an authentication plugin
is selected based on the existing options. This is a short-circuit
evaluation, the first match wins.--os-url
and --os-token
are both present token_endpoint
is selected--os-username
is supplied password
is selected--os-token
is supplied token
is selectedClientManager
makes the actual initial request to the Identity service.--os-auth-url
is not supplied for any of the types except
Token/Endpoint, exit with an error.To authenticate against an Identity Server API v3, the
OS_IDENTITY_API_VERSION
environment variable or
--os-identity-api-version
option must be changed to 3
, instead of the
default 2.0
. Similarly OS_AUTH_URL
or os-auth-url
should also be
updated.
$ export OS_IDENTITY_API_VERSION=3 (Defaults to 2.0)
$ export OS_AUTH_URL=http://localhost:5000/v3
Since Identity API v3 authentication is a bit more complex, there are additional
options that may be set, either as command line options or environment
variables. The most common case will be a user supplying both user name and
password, along with the project name; previously in v2.0 this would be
sufficient, but since the Identity API v3 has a Domain
component, we need
to tell the client in which domain the user and project exists.
If using a user name and password to authenticate, specify either it’s owning domain name or ID.
--os-user-domain-name
or OS_USER_DOMAIN_NAME
--os-user-domain-id
or OS_USER_DOMAIN_ID
If using a project name as authorization scope, specify either it’s owning domain name or ID.
--os-project-domain-name
or OS_PROJECT_DOMAIN_NAME
--os-project-domain-id
or OS_PROJECT_DOMAIN_ID
If using a domain as authorization scope, set either it’s name or ID.
--os-domain-name
or OS_DOMAIN_NAME
--os-domain-id
or OS_DOMAIN_ID
Note that if the user and project share the same domain, then simply setting
--os-default-domain
or OS_DEFAULT_DOMAIN
to the domain ID is sufficient.
Thus, a minimal set of environment variables would be:
$ export OS_IDENTITY_API_VERSION=3
$ export OS_AUTH_URL=http://localhost:5000/v3
$ export OS_DEFAULT_DOMAIN=default
$ export OS_USERNAME=admin
$ export OS_PASSWORD=secret
$ export OS_PROJECT_NAME=admin
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.