Keystone Authentication
Reference: http://developer.openstack.org/api-ref-identity-v2.html
Make sure the version of the Keystone API matches your OpenStack release. For example, Keystone v3 has a different and more sophisticated syntax than v2, which we will be using for OpenStack Juno.
In v2 we have the option to create tokens that are domain scoped or project scoped. To create a token specific to the domain, do not mention the project in the request.
A sample domain-scoped request looks like:
#!
curl -s -X POST http://10.0.0.10:5000/v2.0/tokens -H "Content-Type: application/json" -d '{"auth": {"passwordCredentials":{"username": "revanth-admin", "password": "revanth"}}}' | python -m json.tool
A JSON response looks like:
#!
{
"access": {
"metadata": {
"is_admin": 0,
"roles": []
},
"serviceCatalog": [],
"token": {
"audit_ids": [
"FCPbfAKKQpeE6nPRzvW8vQ"
],
"expires": "2015-10-30T20:45:28Z",
"id": "fcdca627dccc42dca2b71f5715a1d74c",
"issued_at": "2015-10-30T19:45:28.455930"
},
"user": {
"id": "2049797c7ee1430081469889512dd8e6",
"name": "revanth-admin",
"roles": [],
"roles_links": [],
"username": "revanth-admin"
}
}
}
A sample tenant scoped request looks like:
#!
curl -s -X POST http://10.0.0.10:5000/v2.0/tokens -H "Content-Type: application/json" -d '{"auth": {"tenantName": "UTD","passwordCredentials": {"username": "revanth-admin","password": "revanth"}}}' | python -m json.tool
A sample output:
#!
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"9fe2ff9ee4384b1894a90878d3e92bab",
"aca2a975a4004ee4b00b0c2967ccfa31"
]
},
"serviceCatalog": [
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:8774/v2/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"id": "3185b21f4daa437ea397de4478ba8f68",
"internalURL": "http://2.2.2.10:8774/v2/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"publicURL": "http://10.0.0.10:8774/v2/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "nova",
"type": "compute"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:9696",
"id": "c2e7e4fbc44848feb04907da68b085ec",
"internalURL": "http://2.2.2.10:9696",
"publicURL": "http://10.0.0.10:9696",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "neurton",
"type": "network"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:8776/v2/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"id": "53d32e579c45432d85e13812391b608e",
"internalURL": "http://2.2.2.10:8776/v2/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"publicURL": "http://10.0.0.10:8776/v2/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "cinderv2",
"type": "volumev2"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:9292",
"id": "a38d87d73f924f50870e0a3d1d8f5ff5",
"internalURL": "http://2.2.2.10:9292",
"publicURL": "http://10.0.0.10:9292",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "glance",
"type": "image"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:8777",
"id": "030689349fd5465481bc14714c2a350d",
"internalURL": "http://2.2.2.10:8777",
"publicURL": "http://10.0.0.10:8777",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "ceilometer",
"type": "metering"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:8000/v1",
"id": "3c9d2c6c9f6346c1878533019c07f5c8",
"internalURL": "http://2.2.2.10:8000/v1",
"publicURL": "http://10.0.0.10:8000/v1",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "heat-cfn",
"type": "cloudformation"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:8776/v1/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"id": "a6e0a4e28a00413d994bb1eb110470ec",
"internalURL": "http://2.2.2.10:8776/v1/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"publicURL": "http://10.0.0.10:8776/v1/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "cinder",
"type": "volume"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:8773/services/Admin",
"id": "0bb6788bf60d4c29be6a9e5cb5153247",
"internalURL": "http://2.2.2.10:8773/services/Cloud",
"publicURL": "http://10.0.0.10:8773/services/Cloud",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "ec2",
"type": "ec2"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:8004/v1/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"id": "5cc47f6fcb1041fbad65fb683d5e82bf",
"internalURL": "http://2.2.2.10:8004/v1/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"publicURL": "http://10.0.0.10:8004/v1/0c4234a80a9c47bdb7fa6f5b65cb7f70",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "heat",
"type": "orchestration"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:8080",
"id": "12018761ddfb498ba5a79e22e79975e0",
"internalURL": "http://2.2.2.10:8080/v1/AUTH_0c4234a80a9c47bdb7fa6f5b65cb7f70",
"publicURL": "http://10.0.0.10:8080/v1/AUTH_0c4234a80a9c47bdb7fa6f5b65cb7f70",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "swift",
"type": "object-store"
},
{
"endpoints": [
{
"adminURL": "http://2.2.2.10:35357/v2.0",
"id": "186503409564463a9c925470f63ac765",
"internalURL": "http://2.2.2.10:5000/v2.0",
"publicURL": "http://10.0.0.10:5000/v2.0",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "keystone",
"type": "identity"
}
],
"token": {
"audit_ids": [
"E_mCfXd6Rii6g-66VThE1Q"
],
"expires": "2015-10-30T20:55:49Z",
"id": "deca0fde1f5a4eb1b818d0dd85f68a87",
"issued_at": "2015-10-30T19:55:49.858295",
"tenant": {
"description": "",
"enabled": true,
"id": "0c4234a80a9c47bdb7fa6f5b65cb7f70",
"name": "UTD"
}
},
"user": {
"id": "2049797c7ee1430081469889512dd8e6",
"name": "revanth-admin",
"roles": [
{
"name": "_member_"
},
{
"name": "admin"
}
],
"roles_links": [],
"username": "revanth-admin"
}
}
}
In the token object we can see the id ("id": "deca0fde1f5a4eb1b818d0dd85f68a87"), which is the token. It is easy to confuse the ids presented in the response, so we have to differentiate each one based on its parent object. For example, the id ("id": "3185b21f4daa437ea397de4478ba8f68") in the serviceCatalog.endpoints object is the id of that endpoint (which in this case is nova) and should not be confused with the token id.
From now on we need to use this token for all further communication until the token expires.
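A parser for the response shown above, added here as an example and not part of the original page: it takes the token only from access.token.id, keeps endpoint ids out of the result, and checks the expiry before the token is reused. The function names and the 30-second skew margin are assumptions; the sample is the tenant-scoped response trimmed to one catalog entry.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the tenant-scoped response above, trimmed to one catalog entry.
SAMPLE = json.loads("""
{"access": {
  "serviceCatalog": [{"type": "compute", "name": "nova", "endpoints": [
      {"id": "3185b21f4daa437ea397de4478ba8f68", "region": "RegionOne",
       "publicURL": "http://10.0.0.10:8774/v2/0c4234a80a9c47bdb7fa6f5b65cb7f70"}]}],
  "token": {"id": "deca0fde1f5a4eb1b818d0dd85f68a87",
            "expires": "2015-10-30T20:55:49Z",
            "tenant": {"id": "0c4234a80a9c47bdb7fa6f5b65cb7f70", "name": "UTD"}},
  "user": {"id": "2049797c7ee1430081469889512dd8e6", "name": "revanth-admin",
           "roles": [{"name": "_member_"}, {"name": "admin"}]}}}
""")


def parse_access(doc):
    """Pull the fields a client needs out of a v2.0 /tokens response."""
    access = doc["access"]
    token = access["token"]
    tenant = token.get("tenant")  # absent when no tenantName was sent
    expires = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ")
    return {
        "token_id": token["id"],  # access.token.id is the X-Auth-Token value
        "expires": expires.replace(tzinfo=timezone.utc),
        "tenant_id": tenant["id"] if tenant else None,
        "roles": [r["name"] for r in access["user"].get("roles", [])],
        # access.serviceCatalog[].endpoints[].id names an endpoint, never a token,
        # so only the URLs are kept, keyed by service type.
        "endpoints": {s["type"]: [e["publicURL"] for e in s["endpoints"]]
                      for s in access.get("serviceCatalog", [])},
    }


def is_usable(parsed, now, skew_seconds=30):
    """True while more than skew_seconds (an assumed margin) remain before expiry."""
    return (parsed["expires"] - now).total_seconds() > skew_seconds


if __name__ == "__main__":
    info = parse_access(SAMPLE)
    print(info["token_id"], info["tenant_id"], info["roles"])
    print(is_usable(info, datetime.now(timezone.utc)))
```

A response without a tenant object yields `tenant_id` of `None` and an empty endpoint map, matching the first sample response on this page.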
Example:
#!bash
curl -s -X POST http://192.168.0.9:5000/v2.0/tokens -H "Content-Type: application/json" -d '{"auth": {"passwordCredentials":{"username": "admin", "password": "annavarapu8"}}}' | python -m json.tool
{
"access": {
"metadata": {
"is_admin": 0,
"roles": []
},
"serviceCatalog": [],
"token": {
"audit_ids": [
"Eie86D3nQWq80V22bwNVzQ"
],
"expires": "2015-10-31T00:31:19Z",
"id": "6bbe04d555064a8eadcbff03c040ae78",
"issued_at": "2015-10-30T23:31:19.985576"
},
"user": {
"id": "9c7c191f7d9f4621a32ac49592316d32",
"name": "admin",
"roles": [],
"roles_links": [],
"username": "admin"
}
}
}
#!bash
curl -s http://192.168.0.9:5000/v2.0/tenants -H "X-Auth-Token:6bbe04d555064a8eadcbff03c040ae78" | python -m json.tool
{
"tenants": [
{
"description": null,
"enabled": true,
"id": "0481a8cd94d1482180158fa3e1c92f07",
"name": "demo"
},
{
"description": null,
"enabled": true,
"id": "cfa203fd4bd64367bbcb7f8873a1a129",
"name": "admin"
}
],
"tenants_links": []
}