Originally started as a bug. This page addresses how openstack users will interact with glance/nova (and other) CLI tools for the ESSEX release.
State of Diablo
To configure python-novaclient you use environment variables:
NOVA_URL=http://example.com:5000/v2.0/ NOVA_VERSION=1.1 NOVA_USERNAME=openstack NOVA_API_KEY=yadayada NOVA_PROJECT_ID=myproject
Whereas to configure glance we set:
OS_AUTH_USER=<YOUR USERNAME> OS_AUTH_KEY=<YOUR API KEY> OS_AUTH_TENANT=<YOUR TENANT ID> OS_AUTH_URL=<THIS SHOULD POINT TO KEYSTONE> OS_AUTH_STRATEGY=keystone
Glance also provides a script tools/nova_to_os_env.sh which helps convert these nova users interact with glance.
Support two flows:
- PASSWORD FLOW: User can either specify ids/names/passwords and the CLI will communicate with keystone to get a token
- TOKEN FLOW: User can specify the token (having already been through the keystone dance to retrieve it)
The password flow is useful when the client have to do many calls (in a scripted fashion) or also when used via an API.
Both glance and nova cli would updated their code & docs to reflect the new env variables - but would continue supporting during ESSEX their deprecated variables. (pulling from them if new-style variables aren't set)
- require specification of user id or name
- until the time where keystone support of default tenant is well defined require specification of tenant id or name
- require keystone endpoint
OS_AUTH_URL=<THIS SHOULD POINT TO KEYSTONE> OS_PASSWORD=<YOUR PASSWORD> # require: one of the following OS_USER_ID=<YOUR USER ID> OS_USER_NAME=<YOUR USER NAME> # require one of the following: OS_TENANT_ID=<YOUR TENANT ID> OS_TENANT_NAME=<YOUR TENANT ID>
- IDs vs NAMEs in Keystone: While both ids and names are meant to be unique, IDs are immutable whereas the name can change
- tenant is required until default tenants / unscoped tokens / ... is further defined in keystone
If a client is going to make multiple calls, caching it locally is more efficient for both the user and service. (See discussion in glance bug)
OS_AUTH_URL=<THIS SHOULD POINT TO KEYSTONE> OS_TOKEN=<YOUR TOKEN>
- If user sets variables for both password and token flows, the token should take preference
- perhaps this flow only works if you also know the endpoint of the glance/nova service (eg, you need to supply both the token & endpont)