
Keystone/BP-keystoneclient-api

(https://blueprints.launchpad.net/python-keystoneclient/+spec/solidify-python-api)

KeystoneClient Python API

The client as written is focused entirely on the CLI and on providing commands to interact with Keystone. It should also provide a consistent Python API and documented properties that any other OpenStack Python client can use, so that they get the benefit of a single, well-defined code path that tracks and handles authentication and authorization.

  • initiate the client with username, password, and auth_url at a minimum
    • by default, the client should attempt to lazy load a project, token, and the mgmt URL for Keystone
    • if provided in the client initialization, those values should override the lazily loaded ones
    • if a token is provided, authentication is not tried automatically, and no lazy loading takes place
  • if a tenant isn't defined in initialization, the client should attempt to see if a default tenant is defined for that user and authenticate a token to that client


#!highlight python
c = client(username=..., password=..., auth_url=...)
  • project optional
  • support optional token_id=..., mgmt_url= for administrative bootstrapping
  • support optional token_ref=... to initialize client with a cached/stored token

c.auth_ref

  • define properties on the client that preserve and cache the token, username, user id, tenant name, tenant id, and relevant service catalog endpoints for easy use by other clients


#!highlight python
c = client()
c.auth_ref.user_name
c.auth_ref.user_id
c.auth_ref.tenant_name
c.auth_ref.tenant_id
c.auth_ref.auth_url
# open question: c.auth_ref.??? (public url for service?)
c.url_for('compute') # default to endpoint='public'
c.url_for('compute', endpoint='private')


  • the client should cache the token retrieved during authentication for the lifetime of the token, optionally caching it on disk, so that we don't need to make repeated authentication calls.
  • the authenticate() method should provide clear failures and strings (to the limits of reasonable security) on the reasons for authentication failure through documented exceptions
  • the client should have a representation of the user, the tenant, and possible tenants available that are lazily loaded and available for external clients to utilize


#!highlight python
c = client()
c.user
c.tenant
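
A sketch of the token-caching and authentication-failure bullets above, as an added example that is not python-keystoneclient code. The `Client` class, the `authenticator` and `clock` parameters, the `AuthorizationFailure` name, the cache file layout and the epoch-seconds `expires` field are all assumptions made for illustration.

```python
import json
import os
import time

class AuthorizationFailure(Exception):
    """Documented authentication failure; the message never carries the password."""

class Client:
    # Hypothetical sketch. `authenticator` stands in for the HTTP call to auth_url and
    # returns {"token_id", "expires" (epoch seconds, assumed), "username", "auth_url"}.
    def __init__(self, username=None, password=None, auth_url=None, token_id=None,
                 cache_path=None, authenticator=None, clock=time.time):
        self.username, self.auth_url = username, auth_url
        self._password, self._token_id = password, token_id
        self._cache_path, self._authenticator = cache_path, authenticator
        self._clock, self._auth_ref, self.auth_calls = clock, None, 0

    @property
    def token(self):
        if self._token_id:  # supplied token: no automatic authentication
            return self._token_id
        ref = self._auth_ref or self._load_cache()
        if ref is None or ref["expires"] <= self._clock():
            ref = self.authenticate()  # lazy: first use, or cached token expired
        self._auth_ref = ref
        return ref["token_id"]

    def authenticate(self):
        self.auth_calls += 1
        try:
            ref = self._authenticator(self.username, self._password, self.auth_url)
        except PermissionError:
            raise AuthorizationFailure("credentials rejected for user %r at %s"
                                       % (self.username, self.auth_url)) from None
        if self._cache_path:  # a cached bearer token is a credential: owner-only file
            fd = os.open(self._cache_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
            os.chmod(self._cache_path, 0o600)  # also tighten a pre-existing file
            with os.fdopen(fd, "w") as fh:
                json.dump(ref, fh)
        return ref

    def _load_cache(self):
        try:
            with open(self._cache_path) as fh:
                ref = json.load(fh)
            ident = (ref["username"], ref["auth_url"], ref["token_id"], ref["expires"])
        except (OSError, ValueError, TypeError, KeyError):
            return None  # no cache, unreadable, or malformed: authenticate instead
        return ref if ident[:2] == (self.username, self.auth_url) else None
```

The cache is keyed on username and auth_url, so a token stored for one user is never handed to a client created for another, and an expired entry triggers a fresh authentication rather than being reused.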