
Difference between revisions of "QuantumCliAuth"

Line 8: Line 8:
 
== Info ==
 
== Info ==
 
Auth credentials can be divided in two types and are henceforth referred by those type names:
 
Auth credentials can be divided in two types and are henceforth referred by those type names:
Username credentials includes: username, password, tenant-name, auth-url
+
Username credentials includes: username, password, tenant-name, auth-url, region-name (optional)
 
Token credentials includes: token-id, service endpoint url
 
Token credentials includes: token-id, service endpoint url
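Review bot: the added "region-name (optional)" on the Username credentials line conflicts with the unchanged CLI Behaviour definition, which says credentials are completely specified only when all the parameters mentioned above are defined. Read literally, omitting region-name now makes Username credentials incomplete and blocks the API call. Suggest rewording that definition to "all the required parameters" or stating here that region-name does not count towards completeness.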
  
Line 39: Line 39:
  
 
== CLI Behaviour ==
 
== CLI Behaviour ==
<!-- #TODO (Deepak): verify this behaviour with other projects' cli. -->
 
  
 
Token Credentials or Username Credentials are completely specified when all the parameters involved (mentioned above) are defined.
 
Token Credentials or Username Credentials are completely specified when all the parameters involved (mentioned above) are defined.
Line 45: Line 44:
 
If the user provides both Username credentials and Token credentials then the latter takes preference.  
 
If the user provides both Username credentials and Token credentials then the latter takes preference.  
 
     In this case if Token credentials are completely specified then Username credentials will be ignored. Hence if the cmd fails for any reason (e.g. unauthorization ) then it doesn't make any attempt to use the Username credentials. However, if the Token credentials are not completely specified then the api call is not initiated and client will try to use the Username credentials.
 
     In this case if Token credentials are completely specified then Username credentials will be ignored. Hence if the cmd fails for any reason (e.g. unauthorization ) then it doesn't make any attempt to use the Username credentials. However, if the Token credentials are not completely specified then the api call is not initiated and client will try to use the Username credentials.
 
 
While using the Username/Token credentials, if it is not completely specified then no API call is made and user is asked to provide the missing params.
 
While using the Username/Token credentials, if it is not completely specified then no API call is made and user is asked to provide the missing params.
 +
The OS_REGION_NAME variable used with Username credentials is optional. The Quantum Client doesn't possess a database of the available regions. After authenticating to keystone using username, password and tenant-name, the CLI tries to find the 'network' service for the given region-name in the Service Catalog returned in the response.
 +
If region-name was specified, the service endpoint url corresponding to that region-name is used and if there is no such region in the Catalog, the cmd fails.
 +
If region-name was not specified, then the CLI expects only one region in the Catalog returned to have a 'network' service. In case of more than one or no regions, the cmd fails.
  
 
== API call behaviour ==
 
== API call behaviour ==
Auth API call: The Username credentials are used to obtain the token and service endpoint url and then the service api call is made using these.  
+
 
 +
=== Auth API call: ===
 +
The Username credentials are used to obtain the token and service endpoint url and then the service api call is made using these.  
  
 
Service API call:
 
Service API call:
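Review bot: in the added paragraph for the case where region-name was not specified, "In case of more than one or no regions, the cmd fails" does not say what the user is told. Failing instead of picking an endpoint is the right default, but the two cases need different fixes (set a region versus no 'network' service at all), so suggest specifying a distinct message for each and listing the regions found in the Catalog when there is more than one. The added text also uses OS_REGION_NAME while the rest of the page speaks of region-name and the --os_region_name parameter; naming the environment variable next to the cli parameter would remove the guesswork.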
Line 55: Line 58:
 
Proper Message in case of 401: Either the token provided is wrong or expired.
 
Proper Message in case of 401: Either the token provided is wrong or expired.
 
Keystone versions supported: v2.0
 
Keystone versions supported: v2.0
 
Username Credentials:
 

Revision as of 13:58, 25 March 2012

Deepak: WORK IN PROGRESS

Quantum CLI and Keystone integration

Summary:

Enable authentication in the Quantum CLI via either Username credentials or Token credentials (obtained from the Keystone endpoint by supplying those Username credentials).

Info

Auth credentials can be divided into two types, henceforth referred to by these type names:

Username credentials include: username, password, tenant-name, auth-url, region-name (optional)

Token credentials include: token-id, service endpoint url

Use Cases:

  1. Allow a user to authenticate with Username credentials
  2. Allow a user to authenticate with Token credentials
  3. Allow a user to pass these values via either the cli parameters or env parameters

New variables to be defined

The user can supply these values either via the cli arguments or by setting the environment variables. When both a cli value and an env value are specified for any of these parameters, the cli one takes precedence. The following new variables will be introduced in the cli:

Cli parameter
--os_username
--os_password
--os_tenant_name
--os_auth_url
--os_region_name
--os_auth_token
--endpoint_url

CLI Behaviour

Token Credentials or Username Credentials are completely specified when all the parameters involved (mentioned above) are defined.

If the user provides both Username credentials and Token credentials then the latter take precedence.

   In this case, if the Token credentials are completely specified then the Username credentials are ignored. Hence if the cmd fails for any reason (e.g. an authorization failure) it doesn't make any attempt to use the Username credentials. However, if the Token credentials are not completely specified then the API call is not initiated and the client will try to use the Username credentials.

While using the Username/Token credentials, if they are not completely specified then no API call is made and the user is asked to provide the missing params.

The OS_REGION_NAME variable used with Username credentials is optional. The Quantum Client doesn't possess a database of the available regions. After authenticating to Keystone using username, password and tenant-name, the CLI tries to find the 'network' service for the given region-name in the Service Catalog returned in the response.

If region-name was specified, the service endpoint url corresponding to that region-name is used; if there is no such region in the Catalog, the cmd fails.

If region-name was not specified, the CLI expects only one region in the returned Catalog to have a 'network' service. If more than one region or no region has it, the cmd fails.
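The precedence and region rules above, sketched as an added example (not the Quantum client's own code). The function names, `AuthError`, and the sample catalog are hypothetical; the catalog follows the shape of a Keystone v2.0 `access.serviceCatalog` list, and the addresses are constructed.

```python
# Added illustration; names are hypothetical, not the Quantum client's code.
TOKEN_PARAMS = ("os_auth_token", "endpoint_url")
USERNAME_PARAMS = ("os_username", "os_password", "os_tenant_name", "os_auth_url")

class AuthError(Exception):
    """Raised before any API call when credentials or region cannot be resolved."""

def choose_auth(cli, env):
    """Return ("token" | "username", params); cli values override env values."""
    merged = {k: cli.get(k) or env.get(k)
              for k in TOKEN_PARAMS + USERNAME_PARAMS + ("os_region_name",)}
    if all(merged[k] for k in TOKEN_PARAMS):
        # Complete Token credentials win; Username credentials are ignored,
        # and the caller must not fall back to them if the call returns 401.
        return "token", {k: merged[k] for k in TOKEN_PARAMS}
    missing = [k for k in USERNAME_PARAMS if not merged[k]]
    if missing:
        # Incomplete credentials: no API call, ask for the missing params.
        raise AuthError("missing parameters: " + ", ".join(missing))
    keep = USERNAME_PARAMS + ("os_region_name",)  # region-name stays optional
    return "username", {k: merged[k] for k in keep if merged[k]}

def pick_network_endpoint(service_catalog, region_name=None):
    """Select the 'network' endpoint URL from a Keystone v2.0 serviceCatalog."""
    by_region = {}
    for service in service_catalog:
        if service.get("type") != "network":
            continue
        for ep in service.get("endpoints", []):
            by_region[ep["region"]] = ep["publicURL"]
    if region_name is not None:
        if region_name not in by_region:
            raise AuthError("no 'network' service in region %r" % region_name)
        return by_region[region_name]
    if len(by_region) != 1:
        # Zero or several candidate regions: fail rather than guess.
        raise AuthError("expected exactly one region with a 'network' service, "
                        "found: %s" % sorted(by_region))
    return next(iter(by_region.values()))

# Constructed sample catalog (documentation-range addresses).
SAMPLE_CATALOG = [
    {"type": "network", "name": "quantum", "endpoints": [
        {"region": "RegionOne", "publicURL": "http://192.0.2.10:9696/"},
        {"region": "RegionTwo", "publicURL": "http://192.0.2.20:9696/"}]},
    {"type": "compute", "name": "nova", "endpoints": [
        {"region": "RegionOne", "publicURL": "http://192.0.2.10:8774/v2"}]},
]
```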

API call behaviour

Auth API call:

The Username credentials are used to obtain the token and service endpoint url, and the service API call is then made using these.

Service API call:

Proper Message in case of 401: Either the token provided is wrong or expired.

Keystone versions supported: v2.0