Jump to: navigation, search

CLIAuth

CLI Auth

Using OpenStack from CLI is currently different for each project. Let's fix that!

Originally started as a bug. This page addresses how openstack users will interact with glance/nova (and other) CLI tools for the ESSEX release.

STATUS: DRAFT

This will be absorbed into UnifiedCLI as that gets developed.

Issues:

  • examples are for environment variables, should cover library api as well?
  • standardize method for generating a token / getting endpoint list (keystone client?)
  • integration with swift client?

State of Diablo

To configure python-novaclient you use environment variables:


NOVA_URL=http://example.com:5000/v2.0/
NOVA_VERSION=1.1
NOVA_USERNAME=openstack
NOVA_API_KEY=yadayada
NOVA_PROJECT_ID=myproject


Whereas to configure glance we set:


OS_AUTH_USER=<YOUR USERNAME>
OS_AUTH_KEY=<YOUR API KEY>
OS_AUTH_TENANT=<YOUR TENANT ID>
OS_AUTH_URL=<THIS SHOULD POINT TO KEYSTONE>
OS_AUTH_STRATEGY=keystone


Glance also provides a script tools/nova_to_os_env.sh which helps convert these nova users interact with glance.

Thus, at this time there are multiple and competing techniques for auth being used in OS projects. For essex, a consistent and unified strategy should be designed and implemented across the CLIs.

And to configure Swift we set:


ST_AUTH=<auth token URL>   # --auth
ST_USER=<username>   # --user
ST_KEY=<auth key>   # --key


Goals

Support two flows:

  • PASSWORD FLOW: User can either specify ids/names/passwords and the CLI will communicate with keystone to get a token
  • TOKEN FLOW: User can specify the token (having already been through the keystone dance to retrieve it)

The password flow is useful when the client have to do many calls (in a scripted fashion) or also when used via an API.

Both glance and nova cli would update their code & docs to reflect the new env variables - but would continue supporting during ESSEX their deprecated variables. (pulling from them if new-style variables aren't set)

Password Flow

  • require specification of user id or name
  • for essex keystone will support default tenant, a client can override the default tenant by specifying it
  • require keystone endpoint


require:
OS_AUTH_URL=<THIS SHOULD POINT TO KEYSTONE> # --os_auth_url
OS_PASSWORD=<YOUR PASSWORD> # --os_password
OS_USERNAME=<YOUR USER NAME> # --os_username

# allow one of the following:
OS_TENANT_ID=<YOUR TENANT ID> # --os_tenant_id
OS_TENANT_NAME=<YOUR TENANT NAME> # --os_tenant_name


notes

  • IDs vs NAMEs in Keystone: While both ids and names are meant to be unique, IDs are immutable whereas the name can change
  • tenant is required until default tenants / unscoped tokens / ... is further defined in keystone

Token Flow

If a client is going to make multiple calls, caching it locally is more efficient for both the user and service. (See discussion in glance bug)


OS_AUTH_URL=<THIS SHOULD POINT TO KEYSTONE> # --os_auth_url
OS_TOKEN=<YOUR TOKEN> # --os_token


notes

  • If user sets variables for both password and token flows, the token should take preference
  • perhaps this flow only works if you also know the endpoint of the glance/nova service (eg, you need to supply both the token & endpont)

Additional Variables

Some clients have additional variables to control authentication behaviour. Where they exist these should follow the same convention.

OS_REGION_NAME=<region>    # Glance
OS_AUTH_STRATEGY=noauth|keystone   # Glance


Setting parameters via flag

Any environment variable parameter can alternatively be specified via flag. This flag should be the same as a downcase version of the environment variable. For example: OS_AUTH_URL can be specified with the --os_auth_url flag. This will hopefully lessen confusion between the values used for authentication and the values that a given command might require, e.g. creating a user in Keystone required both an authentication username as well as the name of the user to be created.

Library Implementations

Python implementations should internally use names that are similar to CLI variables, so that all projects refer to these concepts in the same way. For example:

  • os_auth_url
  • os_password
  • os_username # or os_user.id
  • os_tenant_id # or os_tenant.id
  • os_tenant_name # or os_tenant.name