
QuantumCliAuth

Quantum CLI and Keystone integration

Summary:

Enable Auth in Quantum CLI via either the Username credentials or Token credentials (obtained from Keystone endpoint by supplying those Username credentials).

Info:

Auth credentials can be divided into two types and are henceforth referred to by those type names:

  • Username credentials include: username, password, tenant-name, auth-url, region-name (optional)
  • Token credentials include: token-id, service endpoint url

Use Cases:

  1. Enables Quantum CLI cmd execution by passing Username credentials
  2. Enables Quantum CLI cmd execution by passing Token credentials
  3. Enables passing these values via either the cli parameters or env parameters

New variables to be defined

The user can supply these values either via the cli arguments or by setting the environment variables. When both a cli value and an env value are specified for any of these parameters, the cli one takes precedence. The following new variables will be introduced in the cli:

Cli parameter
--os_username
--os_password
--os_tenant_name
--os_auth_url
--os_region_name
--os_auth_token
--endpoint_url

CLI Behaviour

  • Token Credentials or Username Credentials are completely specified when all the non-optional parameters involved (mentioned above) are defined.
  • If the user provides both Username credentials and Token credentials, the latter take precedence. In this case, if the Token credentials are completely specified, the Username credentials are ignored. Hence, if the cmd fails for any reason (e.g. an authorization error), it makes no attempt to use the Username credentials. However, if the Token credentials are not completely specified, the api call is not initiated and the client tries to use the Username credentials.
  • If the Username/Token credentials in use are not completely specified, no API call is made and the user is asked to provide the missing params.
  • The region-name variable used with Username credentials is optional. The Quantum Client doesn't possess a database of the available regions. After authenticating to keystone using username, password and tenant-name, the CLI tries to find the 'network' service for the given region-name in the Service Catalog returned in the response.
    • If region-name was specified, the service endpoint url corresponding to that region-name is used and if there is no such region in the Catalog, the cmd fails.
    • If region-name was not specified, then the CLI expects only one region in the Catalog returned to have a 'network' service. In case of more than one or no regions, the cmd fails.
  • If endpoint_url is specified, the region-name will be ignored.
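
The selection rules above, written out as an added example (this is not code from the Quantum client). The function names, the exception name, the upper-cased env variable names and the use of `publicURL` are assumptions made for illustration; the catalog layout is the Keystone v2.0 `serviceCatalog` list.

```python
class AuthConfigError(Exception):
    """Raised before any API call is made (hypothetical name)."""

USERNAME_REQUIRED = ("os_username", "os_password", "os_tenant_name", "os_auth_url")
TOKEN_REQUIRED = ("os_auth_token", "endpoint_url")

def merge(cli, env):
    """A CLI value wins over the env value. Env names are ASSUMED to be the
    upper-cased parameter names; the page does not list them."""
    names = USERNAME_REQUIRED + TOKEN_REQUIRED + ("os_region_name",)
    return {n: cli.get(n) or env.get(n.upper()) for n in names}

def choose_credentials(cli, env):
    """Return ("token", params) or ("username", params)."""
    p = merge(cli, env)
    if all(p[n] for n in TOKEN_REQUIRED):
        # Complete Token credentials: Username credentials are ignored and
        # never used as a fallback, even if the later call returns 401.
        return "token", {n: p[n] for n in TOKEN_REQUIRED}
    missing = ["--" + n for n in USERNAME_REQUIRED if not p[n]]
    if missing:
        raise AuthConfigError("missing parameters: " + ", ".join(missing))
    keys = USERNAME_REQUIRED + ("os_region_name", "endpoint_url")
    return "username", {n: p[n] for n in keys}

def network_endpoint(catalog, region_name=None, endpoint_url=None):
    """Select the 'network' URL from a Keystone v2.0 serviceCatalog list."""
    if endpoint_url:
        return endpoint_url  # region-name is ignored
    eps = [ep for svc in catalog if svc.get("type") == "network"
           for ep in svc.get("endpoints", [])]
    if region_name:
        eps = [ep for ep in eps if ep.get("region") == region_name]
        if not eps:
            raise AuthConfigError("no 'network' service in region " + region_name)
    elif len({ep.get("region") for ep in eps}) != 1:
        raise AuthConfigError("need exactly one region with a 'network' service")
    return eps[0]["publicURL"]  # ASSUMPTION: the public URL is the one used

# Constructed sample catalog (not real Keystone output).
SAMPLE_CATALOG = [
    {"type": "identity", "endpoints": [
        {"region": "RegionOne", "publicURL": "http://keystone.example:5000/v2.0"}]},
    {"type": "network", "endpoints": [
        {"region": "RegionOne", "publicURL": "http://net1.example:9696/"},
        {"region": "RegionTwo", "publicURL": "http://net2.example:9696/"}]},
]
```

With the sample catalog, omitting the region fails because two regions offer a 'network' service, while naming `RegionTwo` or passing an explicit endpoint url succeeds.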

API call behaviour

Auth API call:

The Username credentials are used to obtain the token and service endpoint url and then the service api call is made using these. This leads to an interesting optimization of caching tokens so that when a cmd is executed again with Username credentials, the cached values may be used instead of making an Auth call again. However, caching is absolutely out of the scope of this bp.

Keystone versions supported: v2.0

Service API call:

The service api call is implemented already and will be used with minimal or no changes.

Failure cases and messages

TODO (Deepak): Add info on different failure cases and exceptions.

  • 401: Authorization error: Either the token provided is wrong or expired.
  • 403: Authorization error: Invalid credentials
  • Other HTTP error codes: Could not authenticate.
  • Syntax error in values (e.g. url): Invalid credentials

Tests

Tests should be written for all the failure and normal use cases possible.