UnifiedCLI/Authentication
OSCLI Authentication
Part of the UnifiedCLI proposal
Essex
Essex mostly conforms to the original CLIAuth document.
Environment vs Option
All of the authentication information can be specified either on the command line with global options or in the environment. Command-line options have the usual option prefix of '--' and all lower case letters in the option name. They have either '-' (dash) or '_' (underscore) characters separating the elements of the name. The corresponding environment variables have the same name but use all upper-case characters and only a '_' (underscore) to separate the elements.
For example: The URL of the Identity endpoint can be specified with the --os_auth_url option or OS_AUTH_URL environment variable.
Password Flow
Password flow is commonly used for one-off, interactive and initial connections. It requires a tenant (name or ID), username, password and Identity endpoint.
# Pick one of the following
OS_TENANT_ID=<tenant-id>              # --os_tenant_id
OS_TENANT_NAME=<tenant-name>          # --os_tenant_name

OS_USERNAME=<username>                # --os_username
OS_PASSWORD=<password>                # --os_password
OS_AUTH_URL=<identity-api-endpoint>   # --os_auth_url
Notes
- IDs vs NAMEs in Keystone: While both IDs and names are meant to be unique, IDs are immutable whereas the name can change.
Token Flow
The password flow authentication requires a trip through the Identity API on each invocation of a CLI command. When performing multiple commands together (or in a script) it is more efficient to cache the authentication token and pass it to the CLI command.
The token flow requires a token from the Identity system (OS_TOKEN) and the endpoint to use for the desired service API (OS_URL).
Additional Variables
Some clients have additional variables to control authentication behaviour. Where they exist, these should follow the same convention.
OS_REGION_NAME=<region>
OS_AUTH_STRATEGY=noauth|keystone      # Glance
Folsom
In the Folsom timeframe all existing and new CLIs shall be brought into compliance.
Environment vs Option
All of the authentication information can be specified either on the command line with global options or in the environment. Command-line options have the usual option prefix of '--' and all lower case letters in the option name. They have only '-' (dash) characters separating the elements of the name. The corresponding environment variables have the same name but use all upper-case characters and only a '_' (underscore) to separate the elements.
For example: The URL of the Identity endpoint can be specified with the --os-auth-url option or OS_AUTH_URL environment variable.
Password Flow
Password flow is commonly used for one-off, interactive and initial connections. It requires a tenant (name or ID), username, password and Identity endpoint.
# Pick one of the following
OS_TENANT_ID=<tenant-id>              # --os-tenant-id
OS_TENANT_NAME=<tenant-name>          # --os-tenant-name

OS_USERNAME=<username>                # --os-username
OS_PASSWORD=<password>                # --os-password
OS_AUTH_URL=<identity-api-endpoint>   # --os-auth-url
Notes
- IDs vs NAMEs in Keystone: While both IDs and names are meant to be unique, IDs are immutable whereas the name can change.
Token Flow
The password flow authentication requires a trip through the Identity API on each invocation of a CLI command. When performing multiple commands together (or in a script) it is more efficient to cache the authentication token and pass it to the CLI command.
Note: The endpoint specification still needs to be handled, because bypassing Identity also eliminates the use of the service catalog.
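The option/environment convention and the two flows described on this page, sketched as an added example (not code from any OpenStack client). It accepts both the Folsom dash form and the Essex underscore form of each option. Assumptions: an explicit option overrides the environment, token flow wins when OS_TOKEN/OS_URL are present, the tenant ID is preferred over the name when both are set, and the names example-cli, resolve_auth and redact are hypothetical.

```python
import argparse
import os

SETTINGS = ["OS_TENANT_ID", "OS_TENANT_NAME", "OS_USERNAME", "OS_PASSWORD",
            "OS_AUTH_URL", "OS_TOKEN", "OS_URL"]  # variable names from the page


def build_parser(environ):
    """Accept --os-auth-url (Folsom) and --os_auth_url (Essex) for each setting."""
    parser = argparse.ArgumentParser(prog="example-cli")  # hypothetical CLI name
    for var in SETTINGS:
        name = var.lower()
        # Assumption: an explicit option overrides the environment variable.
        parser.add_argument("--" + name.replace("_", "-"), "--" + name,
                            dest=name, default=environ.get(var))
    return parser


def resolve_auth(argv, environ=None):
    """Return (flow, settings); raise ValueError when a flow is incomplete."""
    environ = os.environ if environ is None else environ
    args = build_parser(environ).parse_args(argv)
    # Token flow (assumed to take priority): cached token plus service endpoint.
    if args.os_token or args.os_url:
        if not (args.os_token and args.os_url):
            raise ValueError("token flow needs both OS_TOKEN and OS_URL")
        return "token", {"token": args.os_token, "url": args.os_url}
    # Password flow: tenant (ID or name), username, password, Identity endpoint.
    missing = [n.upper() for n in ("os_username", "os_password", "os_auth_url")
               if not getattr(args, n)]
    if not (args.os_tenant_id or args.os_tenant_name):
        missing.append("OS_TENANT_ID or OS_TENANT_NAME")
    if missing:
        raise ValueError("password flow is missing: " + ", ".join(missing))
    # Assumption: if both are set, use the ID, since IDs are immutable.
    tenant = ({"tenant_id": args.os_tenant_id} if args.os_tenant_id
              else {"tenant_name": args.os_tenant_name})
    return "password", dict(tenant, username=args.os_username,
                            password=args.os_password, auth_url=args.os_auth_url)


def redact(settings):
    """Copy of the settings that is safe to log: secrets are masked."""
    return {k: "***" if k in ("password", "token") else v
            for k, v in settings.items()}


if __name__ == "__main__":
    demo_env = {"OS_TOKEN": "constructed", "OS_URL": "http://compute.example/v2"}
    print(resolve_auth([], demo_env)[0], redact(resolve_auth([], demo_env)[1]))
```

Values given as options appear in the process argument list on most systems, so secrets such as OS_PASSWORD and OS_TOKEN are better supplied through the environment.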