
UnifiedCLI/Authentication

Revision as of 22:59, 9 April 2012 by Dtroyer

OSCLI Authentication

Part of the UnifiedCLI proposal

Essex

Essex mostly conforms to the original CLIAuth document.

Environment vs Option

All of the authentication information can be specified either on the command line with global options or in the environment. Command-line options have the usual option prefix of '--' and all lower case letters in the option name. They have either '-' (dash) or '_' (underscore) characters separating the elements of the name. The corresponding environment variables have the same name but use all upper-case characters and only a '_' (underscore) to separate the elements.

For example: The URL of the Identity endpoint can be specified with the --os_auth_url option or OS_AUTH_URL environment variable.

Password Flow

Password flow is commonly used for one-off, interactive and initial connections. It requires a tenant (name or ID), username, password and Identity endpoint.


# Pick one of the following
OS_TENANT_ID=<tenant-id>                   # --os_tenant_id
OS_TENANT_NAME=<tenant-name>               # --os_tenant_name

OS_USERNAME=<username>                     # --os_username
OS_PASSWORD=<password>                     # --os_password
OS_AUTH_URL=<identity-api-endpoint>        # --os_auth_url


Notes

  • IDs vs NAMEs in Keystone: While both IDs and names are meant to be unique, IDs are immutable whereas names can change.

Token Flow

The password flow authentication requires a trip through the Identity API on each invocation of a CLI command. When performing multiple commands together (or in a script), it is more efficient to cache the authentication token and pass it to the CLI command.

This is not implemented consistently in the Essex-era client binaries.

Additional Variables

Some clients have additional variables to control authentication behaviour. Where they exist, these should follow the same convention.


OS_REGION_NAME=<region>
OS_AUTH_STRATEGY=noauth|keystone   # Glance


Folsom

In the Folsom timeframe all existing and new CLIs shall be brought into compliance.

Environment vs Option

All of the authentication information can be specified either on the command line with global options or in the environment. Command-line options have the usual option prefix of '--' and all lower case letters in the option name. They have only '-' (dash) characters separating the elements of the name. The corresponding environment variables have the same name but use all upper-case characters and only a '_' (underscore) to separate the elements.

For example: The URL of the Identity endpoint can be specified with the --os-auth-url option or OS_AUTH_URL environment variable.

Password Flow

Password flow is commonly used for one-off, interactive and initial connections. It requires a tenant (name or ID), username, password and Identity endpoint.


# Pick one of the following
OS_TENANT_ID=<tenant-id>                   # --os-tenant-id
OS_TENANT_NAME=<tenant-name>               # --os-tenant-name

OS_USERNAME=<username>                     # --os-username
OS_PASSWORD=<password>                     # --os-password
OS_AUTH_URL=<identity-api-endpoint>        # --os-auth-url


Notes

  • IDs vs NAMEs in Keystone: While both IDs and names are meant to be unique, IDs are immutable whereas names can change.
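
An added example (not code from this page or from any OpenStack client) of the Folsom convention above in Python: each OS_* variable backs a dash-separated global option, the Essex underscore spelling is still accepted, and the password flow requirements are checked. That a command-line option overrides the environment, the redacted() helper, the program name and the sample values are assumptions of this example.

```python
import argparse

# Variable names are the ones listed on this page.
AUTH_VARS = ("OS_TENANT_ID", "OS_TENANT_NAME", "OS_USERNAME",
             "OS_PASSWORD", "OS_AUTH_URL")

# Constructed sample environment; none of these values come from the page.
SAMPLE_ENV = {
    "OS_TENANT_NAME": "demo",
    "OS_USERNAME": "alice",
    "OS_PASSWORD": "constructed-secret",
    "OS_AUTH_URL": "http://identity.example:5000/v2.0",
}


def option_name(env_var, legacy=False):
    """OS_AUTH_URL -> --os-auth-url (Folsom) or --os_auth_url (Essex spelling)."""
    return "--" + env_var.lower().replace("_", "_" if legacy else "-")


def build_parser(environ):
    # allow_abbrev=False: only the exact option spellings are accepted.
    parser = argparse.ArgumentParser(prog="oscli-example", allow_abbrev=False)
    for var in AUTH_VARS:
        # Assumption of this example: an option given on the command line
        # overrides the environment variable of the same name.
        parser.add_argument(option_name(var), option_name(var, legacy=True),
                            dest=var.lower(), default=environ.get(var))
    return parser


def resolve_password_flow(argv, environ):
    """Return the resolved settings, or raise ValueError naming what is missing."""
    creds = vars(build_parser(environ).parse_args(argv))
    missing = [option_name(v) for v in AUTH_VARS[2:] if not creds[v.lower()]]
    if not (creds["os_tenant_id"] or creds["os_tenant_name"]):
        missing.append("--os-tenant-id or --os-tenant-name")
    if missing:
        raise ValueError("password flow requires: " + ", ".join(missing))
    return creds


def redacted(creds):
    """Copy of the settings that is safe to log (hypothetical helper)."""
    return {k: "***" if k == "os_password" and v else v for k, v in creds.items()}


if __name__ == "__main__":
    print(redacted(resolve_password_flow(["--os-username", "bob"], SAMPLE_ENV)))
```
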

Token Flow

The password flow authentication requires a trip through the Identity API on each invocation of a CLI command. When performing multiple commands together (or in a script), it is more efficient to cache the authentication token and pass it to the CLI command.

Note: The endpoint specification still needs to be handled, because bypassing Identity also eliminates the use of the service catalog.