Rework entrypoint to authentication section
Since the compute auth doc was reworked to be an up to date way to get a novaclient Client object, make the docs clear on that point, and have the page that gets you there talk about envvars and clouds.yaml files. Next step will be adding SDK and REST pages. Change-Id: Idbeec5d39ea26708516333be6f6c14ab3d326698
This commit is contained in:
parent
5933bcded0
commit
a6ba35d286
|
@ -5,23 +5,24 @@ Authenticate
|
|||
============
|
||||
|
||||
When using the SDK, you must authenticate against an OpenStack endpoint
|
||||
before you can use OpenStack services. Each project uses a slightly
|
||||
different syntax for authentication.
|
||||
before you can use OpenStack services. Because all projects use Keystone
|
||||
for authentication, the process is the same no matter which service
|
||||
or library you have decided to use. Each library also has more advanced
|
||||
and complicated ways to do things, should those be needed.
|
||||
|
||||
You must typically authenticate against a specific version of a service.
|
||||
For example, a client might need to authenticate against Identity v2.0.
|
||||
There are two basic ways to deal with your cloud config and credentials:
|
||||
|
||||
Python scripts that use the OpenStack SDK must have access to the
|
||||
credentials contained in the OpenStack RC file. Because credentials are
|
||||
sensitive information, do not include them in your scripts. This guide
|
||||
assumes that users source the PROJECT-openrc.sh file and access the
|
||||
credentials by using the environment variables in the Python scripts.
|
||||
- Environment variables via an openrc.sh file
|
||||
- clouds.yaml config file
|
||||
|
||||
The environment variables have been around the longest and are the form
|
||||
you are most likely to receive from your cloud provider. If you have one
|
||||
and only one cloud account, they are the most convenient way.
|
||||
|
||||
``clouds.yaml`` is a bit newer and was designed to help folks who have
|
||||
more than one OpenStack cloud that they are using.
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
sdk_authenticate_against_identity_endpoint.rst
|
||||
sdk_authenticate_against_image_service_endpoint.rst
|
||||
sdk_authenticate_against_compute_endpoint.rst
|
||||
sdk_authenticate_against_networking_endpoint.rst
|
||||
|
||||
sdk_create_legacy_novaclient.rst
|
||||
|
|
|
@ -1,41 +0,0 @@
|
|||
=========================================
|
||||
Authenticate against an Identity endpoint
|
||||
=========================================
|
||||
|
||||
To authenticate against the Identity v2.0 endpoint, instantiate a
|
||||
`keystoneclient.v2\_0.client.Client <http://docs.openstack.org/developer/python-keystoneclient/api/keystoneclient.v2_0.client.html#keystoneclient.v2_0.client.Client>`__ object:
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
from os import environ as env
|
||||
import keystoneclient.v2_0.client as ksclient
|
||||
keystone = ksclient.Client(auth_url=env['OS_AUTH_URL'],
|
||||
username=env['OS_USERNAME'],
|
||||
password=env['OS_PASSWORD'],
|
||||
tenant_name=env['OS_TENANT_NAME'],
|
||||
region_name=env['OS_REGION_NAME'])
|
||||
|
||||
After you instantiate a ``Client`` object, you can retrieve the token by
|
||||
accessing its ``auth_token`` attribute object:
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
import keystoneclient.v2_0.client as ksclient
|
||||
keystone = ksclient.Client(...)
|
||||
print keystone.auth_token
|
||||
|
||||
If the OpenStack cloud is configured to use public-key infrastructure
|
||||
(PKI) tokens, the Python script output looks something like this::
|
||||
|
||||
MIIQUQYJKoZIhvcNAQcCoIIQQjCCED4CAQExCTAHBgUrDgMCGjCCDqcGCSqGSIb3DQEHAaCCDpgE
|
||||
gg6UeyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0xMC0yMFQxNjo1NjoyNi
|
||||
4zNTg2MjUiLCAiZXhwaXJlcyI6ICIyMDEzLTEwLTIxVDE2OjU2OjI2WiIsICJpZCI6ICJwbGFjZWhv
|
||||
...
|
||||
R3g14FJ0BxtTPbo6WarZ+sA3PZwdgIDyGNI-0Oqv-8ih4gJC9C6wBCel1dUXJ0Mn7BN-SfuxkooVk6
|
||||
e090bcKjTWet3CC8IEj7a6LyLRVTdvmKGA5-pgp2mS5fb3G2mIad4Zeeb-zQn9V3Xf9WUGxuiVu1Hn
|
||||
fhuUpJT-s9mU7+WEC3-8qkcBjEpqVCvMpmM4INI=
|
||||
|
||||
.. note::
|
||||
|
||||
This example shows a subset of a PKI token. A complete token is over
|
||||
5000 characters long.
|
|
@ -1,20 +0,0 @@
|
|||
==============================================
|
||||
Authenticate against an Image service endpoint
|
||||
==============================================
|
||||
|
||||
To authenticate against an Image service endpoint, instantiate a
|
||||
`glanceclient.v2.client.Client <http://docs.openstack.org/developer/python-glanceclient/ref/v2/client.html>`__ object:
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
from os import environ as env
|
||||
import glanceclient.v2.client as glclient
|
||||
import keystoneclient.v2_0.client as ksclient
|
||||
|
||||
keystone = ksclient.Client(auth_url=env['OS_AUTH_URL'],
|
||||
username=env['OS_USERNAME'],
|
||||
password=env['OS_PASSWORD'],
|
||||
tenant_name=env['OS_TENANT_NAME'],
|
||||
region_name=env['OS_REGION_NAME'])
|
||||
glance_endpoint = keystone.service_catalog.url_for(service_type='image')
|
||||
glance = glclient.Client(glance_endpoint, token=keystone.auth_token)
|
|
@ -1,33 +0,0 @@
|
|||
==========================================
|
||||
Authenticate against a Networking endpoint
|
||||
==========================================
|
||||
|
||||
To authenticate against a Networking endpoint, instantiate a
|
||||
``neutronclient.v2_0.client.Client`` object:
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
from os import environ as env
|
||||
from neutronclient.v2_0 import client as neutronclient
|
||||
neutron = neutronclient.Client(auth_url=env['OS_AUTH_URL'],
|
||||
username=env['OS_USERNAME'],
|
||||
password=env['OS_PASSWORD'],
|
||||
tenant_name=env['OS_TENANT_NAME'],
|
||||
region_name=env['OS_REGION_NAME'])
|
||||
|
||||
You can also authenticate by explicitly specifying the endpoint and
|
||||
token:
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
from os import environ as env
|
||||
import keystoneclient.v2_0.client as ksclient
|
||||
from neutronclient.v2_0 import client as neutronclient
|
||||
keystone = ksclient.Client(auth_url=env['OS_AUTH_URL'],
|
||||
username=env['OS_USERNAME'],
|
||||
password=env['OS_PASSWORD'],
|
||||
tenant_name=env['OS_TENANT_NAME'],
|
||||
region_name=env['OS_REGION_NAME'])
|
||||
endpoint_url = keystone.service_catalog.url_for(service_type='network')
|
||||
token = keystone.auth_token
|
||||
neutron = neutronclient.Client(endpoint_url=endpoint_url, token=token)
|
|
@ -1,9 +1,16 @@
|
|||
=======================================
|
||||
Authenticate against a Compute endpoint
|
||||
=======================================
|
||||
=============================
|
||||
Create a Legacy Client Object
|
||||
=============================
|
||||
|
||||
To authenticate against a Compute endpoint, instantiate a
|
||||
`novaclient.v2.client.Client <http://docs.openstack.org/developer/python-novaclient/ref/v2/client.html>`__ object using `os-client-config`:
|
||||
All of the legacy client objects can be constructed the same way - the only
|
||||
difference is the first argument to ``make_client``. The examples will use
|
||||
``compute`` to get a nova client, but neutron can be accessed instead by
|
||||
replacing ``compute`` with ``network``.
|
||||
|
||||
To use the legacy ``python-novaclient`` with a Compute endpoint, instantiate a
|
||||
`novaclient.v2.client.Client
|
||||
<http://docs.openstack.org/developer/python-novaclient/ref/v2/client.html>`__
|
||||
object using ``os-client-config``:
|
||||
|
||||
.. code-block:: python
|
||||
|
||||
|
@ -36,12 +43,13 @@ as the ``version`` parameter:
|
|||
|
||||
If you authenticate against an endpoint that uses a custom
|
||||
authentication back end, you must provide the name of the plugin in the
|
||||
`auth_type` parameter.
|
||||
``auth_type`` parameter.
|
||||
|
||||
For instance, the Rackspace public cloud is an OpenStack deployment that has
|
||||
an optional custom authentication back end. While normal keystone password
|
||||
authentication works perfectly well, you may want to use the
|
||||
custom Rackspace keystoneauth API Key plugin found in `rackspace-keystoneauth-plugin <https://pypi.python.org/pypi/rackspaceauth>`_.
|
||||
custom Rackspace keystoneauth API Key plugin found in
|
||||
`rackspace-keystoneauth-plugin <https://pypi.python.org/pypi/rackspaceauth>`_.
|
||||
|
||||
.. code-block:: python
|
||||
|
Loading…
Reference in New Issue