Rework entrypoint to authentication section

Since the compute auth doc was reworked to be an up to date way to get a
novaclient Client object, make the docs clear on that point, and have
the page that gets you there talk about envvars and clouds.yaml files.

Next step will be adding SDK and REST pages.

Change-Id: Idbeec5d39ea26708516333be6f6c14ab3d326698
Monty Taylor 2016-05-30 18:43:52 -04:00 committed by KATO Tomoyuki
parent 5933bcded0
commit a6ba35d286
5 changed files with 30 additions and 115 deletions

@ -5,23 +5,24 @@ Authenticate
============
When using the SDK, you must authenticate against an OpenStack endpoint
before you can use OpenStack services. Each project uses a slightly
different syntax for authentication.
before you can use OpenStack services. Because all projects use Keystone
for authentication, the process is the same no matter which service
or library you have decided to use. Each library also has more advanced
and complicated ways to do things, should those be needed.
You must typically authenticate against a specific version of a service.
For example, a client might need to authenticate against Identity v2.0.
There are two basic ways to deal with your cloud config and credentials:
Python scripts that use the OpenStack SDK must have access to the
credentials contained in the OpenStack RC file. Because credentials are
sensitive information, do not include them in your scripts. This guide
assumes that users source the PROJECT-openrc.sh file and access the
credentials by using the environment variables in the Python scripts.
- Environment variables via an openrc.sh file
- clouds.yaml config file
The environment variables have been around the longest and are the form
you are most likely to receive from your cloud provider. If you have one
and only one cloud account, they are the most convenient way.
``clouds.yaml`` is a bit newer and was designed to help folks who have
more than one OpenStack cloud that they are using.
.. toctree::
:maxdepth: 2
sdk_authenticate_against_identity_endpoint.rst
sdk_authenticate_against_image_service_endpoint.rst
sdk_authenticate_against_compute_endpoint.rst
sdk_authenticate_against_networking_endpoint.rst
sdk_create_legacy_novaclient.rst
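Review bot: The rewritten introduction drops the sentence "Because credentials are sensitive information, do not include them in your scripts" and nothing in the new text replaces it. Both options in the new two-item list, the openrc.sh file and ``clouds.yaml``, hold the same credentials, so keep a one-line caution after the list: do not hard-code credentials in scripts, and keep whichever file you use readable only by its owner.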

@ -1,41 +0,0 @@
=========================================
Authenticate against an Identity endpoint
=========================================
To authenticate against the Identity v2.0 endpoint, instantiate a
`keystoneclient.v2\_0.client.Client <http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v2_0.client.html#keystoneclient.v2_0.client.Client>`__ object:
.. code-block:: python
from os import environ as env
import keystoneclient.v2_0.client as ksclient
keystone = ksclient.Client(auth_url=env['OS_AUTH_URL'],
username=env['OS_USERNAME'],
password=env['OS_PASSWORD'],
tenant_name=env['OS_TENANT_NAME'],
region_name=env['OS_REGION_NAME'])
After you instantiate a ``Client`` object, you can retrieve the token by
accessing its ``auth_token`` attribute object:
.. code-block:: python
import keystoneclient.v2_0.client as ksclient
keystone = ksclient.Client(...)
print keystone.auth_token
If the OpenStack cloud is configured to use public-key infrastructure
(PKI) tokens, the Python script output looks something like this::
MIIQUQYJKoZIhvcNAQcCoIIQQjCCED4CAQExCTAHBgUrDgMCGjCCDqcGCSqGSIb3DQEHAaCCDpgE
gg6UeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0xMC0yMFQxNjo1NjoyNi
4zNTg2MjUiLCAiZXhwaXJlcyI6ICIyMDEzLTEwLTIxVDE2OjU2OjI2WiIsICJpZCI6ICJwbGFjZWhv
...
R3g14FJ0BxtTPbo6WarZ+sA3PZwdgIDyGNI-0Oqv-8ih4gJC9C6wBCel1dUXJ0Mn7BN-SfuxkooVk6
e090bcKjTWet3CC8IEj7a6LyLRVTdvmKGA5-pgp2mS5fb3G2mIad4Zeeb-zQn9V3Xf9WUGxuiVu1Hn
fhuUpJT-s9mU7+WEC3-8qkcBjEpqVCvMpmM4INI=
.. note::
This example shows a subset of a PKI token. A complete token is over
5000 characters long.
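Review bot: With this file deleted, the guide no longer shows how to read a token from ``auth_token``, and the commit message defers the SDK and REST pages to a later change. If token retrieval is still meant to be documented, say on the index page where it will live, or land the replacement in the same series. Dropping the sample PKI token output along with the page is fine.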

@ -1,20 +0,0 @@
==============================================
Authenticate against an Image service endpoint
==============================================
To authenticate against an Image service endpoint, instantiate a
`glanceclient.v2.client.Client <http://docs.openstack.org/developer/python-glanceclient/ref/v2/client.html>`__ object:
.. code-block:: python
from os import environ as env
import glanceclient.v2.client as glclient
import keystoneclient.v2_0.client as ksclient
keystone = ksclient.Client(auth_url=env['OS_AUTH_URL'],
username=env['OS_USERNAME'],
password=env['OS_PASSWORD'],
tenant_name=env['OS_TENANT_NAME'],
region_name=env['OS_REGION_NAME'])
glance_endpoint = keystone.service_catalog.url_for(service_type='image')
glance = glclient.Client(glance_endpoint, token=keystone.auth_token)
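Review bot: This removes the only Image service example, yet the replacement page names just ``compute`` and ``network`` as first arguments to ``make_client``. If ``image`` is supported the same way, list it there so readers who arrive looking for this page have somewhere to go; if it is not, say so explicitly.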

@ -1,33 +0,0 @@
==========================================
Authenticate against a Networking endpoint
==========================================
To authenticate against a Networking endpoint, instantiate a
``neutronclient.v2_0.client.Client`` object:
.. code-block:: python
from os import environ as env
from neutronclient.v2_0 import client as neutronclient
neutron = neutronclient.Client(auth_url=env['OS_AUTH_URL'],
username=env['OS_USERNAME'],
password=env['OS_PASSWORD'],
tenant_name=env['OS_TENANT_NAME'],
region_name=env['OS_REGION_NAME'])
You can also authenticate by explicitly specifying the endpoint and
token:
.. code-block:: python
from os import environ as env
import keystoneclient.v2_0.client as ksclient
from neutronclient.v2_0 import client as neutronclient
keystone = ksclient.Client(auth_url=env['OS_AUTH_URL'],
username=env['OS_USERNAME'],
password=env['OS_PASSWORD'],
tenant_name=env['OS_TENANT_NAME'],
region_name=env['OS_REGION_NAME'])
endpoint_url = keystone.service_catalog.url_for(service_type='network')
token = keystone.auth_token
neutron = neutronclient.Client(endpoint_url=endpoint_url, token=token)
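Review bot: The second example in this file, which builds the client from an explicit ``endpoint_url`` and ``token``, has no counterpart in the new text, which only says to swap ``compute`` for ``network``. If dropping that form is intentional, say so in the commit message, which currently describes only the index page rework.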

@ -1,9 +1,16 @@
=======================================
Authenticate against a Compute endpoint
=======================================
=============================
Create a Legacy Client Object
=============================
To authenticate against a Compute endpoint, instantiate a
`novaclient.v2.client.Client <http://docs.openstack.org/developer/python-novaclient/ref/v2/client.html>`__ object using `os-client-config`:
All of the legacy client objects can be constructed the same way - the only
difference is the first argument to ``make_client``. The examples will use
``compute`` to get a nova client, but neutron can be accessed instead by
replacing ``compute`` with ``network``.
To use the legacy ``python-novaclient`` with a Compute endpoint, instantiate a
`novaclient.v2.client.Client
<http://docs.openstack.org/developer/python-novaclient/ref/v2/client.html>`__
object using ``os-client-config``:
.. code-block:: python
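Review bot: The new title and first paragraph cover all legacy clients, but the toctree entry names the file sdk_create_legacy_novaclient.rst and the second paragraph is still specific to ``python-novaclient``. Pick one scope: either name the file for legacy clients in general, or keep the title about novaclient and move the ``make_client`` generalisation into a note. The reference link also still uses ``http://`` for docs.openstack.org; switch it to ``https://`` if the site serves it.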
@ -36,12 +43,13 @@ as the ``version`` parameter:
If you authenticate against an endpoint that uses a custom
authentication back end, you must provide the name of the plugin in the
`auth_type` parameter.
``auth_type`` parameter.
For instance, the Rackspace public cloud is an OpenStack deployment that has
an optional custom authentication back end. While normal keystone password
authentication works perfectly well, you may want to use the
custom Rackspace keystoneauth API Key plugin found in `rackspace-keystoneauth-plugin <https://pypi.python.org/pypi/rackspaceauth>`_.
custom Rackspace keystoneauth API Key plugin found in
`rackspace-keystoneauth-plugin <https://pypi.python.org/pypi/rackspaceauth>`_.
.. code-block:: python
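Review bot: In the rewrapped link, the label ``rackspace-keystoneauth-plugin`` does not match its target, which is the PyPI package ``rackspaceauth``. Use the package name as the label, or give both, so readers know what to install. The change of ``auth_type`` to double backticks is the correct RST inline-literal markup.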