python-keystoneclient/doc/source/using-api-v3.rst

=======================
Using the V3 Client API
=======================

Introduction
============

The main concepts in the Identity v3 API are:

 * :py:mod:`~keystoneclient.v3.credentials`
 * :py:mod:`~keystoneclient.v3.domain_configs`
 * :py:mod:`~keystoneclient.v3.domains`
 * :py:mod:`~keystoneclient.v3.endpoints`
 * :py:mod:`~keystoneclient.v3.groups`
 * :py:mod:`~keystoneclient.v3.policies`
 * :py:mod:`~keystoneclient.v3.projects`
 * :py:mod:`~keystoneclient.v3.regions`
 * :py:mod:`~keystoneclient.v3.role_assignments`
 * :py:mod:`~keystoneclient.v3.roles`
 * :py:mod:`~keystoneclient.v3.services`
 * :py:mod:`~keystoneclient.v3.tokens`
 * :py:mod:`~keystoneclient.v3.users`

The :py:mod:`keystoneclient.v3.client` API lets you query and make changes
through ``managers``. For example, to manipulate a project (formerly
called tenant), you interact with a
:py:class:`keystoneclient.v3.projects.ProjectManager` object.

You obtain access to managers through attributes of a
:py:class:`keystoneclient.v3.client.Client` object. For example, the
``projects`` attribute of a ``Client`` object is a projects manager::

    >>> from keystoneclient.v3 import client
    >>> keystone = client.Client(...)
    >>> keystone.projects.list() # List projects

While it is possible to instantiate a
:py:class:`keystoneclient.v3.client.Client` object (as done above for
clarity), the recommended approach is to use the discovery mechanism
provided by the :py:class:`keystoneclient.client.Client` class. The
appropriate class will be instantiated depending on the API versions
available::

    >>> from keystoneclient import client
    >>> keystone =
    ...    client.Client(auth_url='http://localhost:5000', ...)
    >>> type(keystone)
    <class 'keystoneclient.v3.client.Client'>

One can force the use of a specific version of the API, either by
using the ``version`` keyword argument::

    >>> from keystoneclient import client
    >>> keystone = client.Client(auth_url='http://localhost:5000',
                                 version=(2,), ...)
    >>> type(keystone)
    <class 'keystoneclient.v2_0.client.Client'>
    >>> keystone = client.Client(auth_url='http://localhost:5000',
                                 version=(3,), ...)
    >>> type(keystone)
    <class 'keystoneclient.v3.client.Client'>

Or by specifying directly the specific API version authentication URL
as the auth_url keyword argument::

    >>> from keystoneclient import client
    >>> keystone =
    ...     client.Client(auth_url='http://localhost:5000/v2.0', ...)
    >>> type(keystone)
    <class 'keystoneclient.v2_0.client.Client'>
    >>> keystone =
    ...     client.Client(auth_url='http://localhost:5000/v3', ...)
    >>> type(keystone)
    <class 'keystoneclient.v3.client.Client'>

Upon successful authentication, a :py:class:`keystoneclient.v3.client.Client`
object is returned (when using the Identity v3 API). Authentication and
examples of common tasks are provided below.

You can generally expect that when the client needs to propagate an
exception it will raise an instance of subclass of
:class:`keystoneclient.exceptions.ClientException`.

Authenticating Using Sessions
=============================

Instantiate a :py:class:`keystoneclient.v3.client.Client` using a
:py:class:`~keystoneauth1.session.Session` to provide the authentication
plugin, SSL/TLS certificates, and other data::

    >>> from keystoneauth1.identity import v3
    >>> from keystoneauth1 import session
    >>> from keystoneclient.v3 import client
    >>> auth = v3.Password(auth_url='https://my.keystone.com:5000/v3',
    ...                    user_id='myuserid',
    ...                    password='mypassword',
    ...                    project_id='myprojectid')
    >>> sess = session.Session(auth=auth)
    >>> keystone = client.Client(session=sess)

For more information on Sessions refer to: `Using Sessions`_.

.. _`Using Sessions`: using-sessions.html

Getting Metadata Responses
==========================

Instantiating :py:class:`keystoneclient.v3.client.Client` using
`include_metadata=True` will cause manager response to return
:py:class:`keystoneclient.base.Response` instead of just the data.
The metadata property will be available directly to the
:py:class:`keystoneclient.base.Response` and the response data will
be available as property `data` to it.

    >>> from keystoneauth1.identity import v3
    >>> from keystoneauth1 import session
    >>> from keystoneclient.v3 import client
    >>> auth = v3.Password(auth_url='https://my.keystone.com:5000/v3',
    ...                    user_id='myuserid',
    ...                    password='mypassword',
    ...                    project_id='myprojectid')
    >>> sess = session.Session(auth=auth)
    >>> keystone = client.Client(session=sess, include_metadata=True)
    >>> resp = keystone.projects.list()
    >>> resp.request_ids[0]
    req-1234-5678-...
    >>> resp.data
    [<Project ...>, <Project ...>, ...]

Non-Session Authentication (deprecated)
=======================================

The *deprecated* way to authenticate is to pass the username, the user's domain
name (which will default to 'Default' if it is not specified), and a
password::

    >>> from keystoneclient import client
    >>> auth_url = 'http://localhost:5000'
    >>> username = 'adminUser'
    >>> user_domain_name = 'Default'
    >>> password = 'secreetword'
    >>> keystone = client.Client(auth_url=auth_url, version=(3,),
    ...                          username=username, password=password,
    ...                          user_domain_name=user_domain_name)

A :py:class:`~keystoneauth1.session.Session` should be passed to the Client
instead. Using a Session you're not limited to authentication using a username
and password but can take advantage of other more secure authentication
methods.

You may optionally specify a domain or project (along with its project
domain name), to obtain a scoped token::

    >>> from keystoneclient import client
    >>> auth_url = 'http://localhost:5000'
    >>> username = 'adminUser'
    >>> user_domain_name = 'Default'
    >>> project_name = 'demo'
    >>> project_domain_name = 'Default'
    >>> password = 'secreetword'
    >>> keystone = client.Client(auth_url=auth_url, version=(3,),
    ...                          username=username, password=password,
    ...                          user_domain_name=user_domain_name,
    ...                          project_name=project_name,
    ...                          project_domain_name=project_domain_name)
Rename the client API docs Since developers want to use the APIs, the docs should be more enticing and say that it describes how to use the APIs. Also, called it "V3 Client API" since this reads better than "Client V3 API" and it matches the order in the module path. Change-Id: I79dd6f6891bf48b477b35157256a0219426d171c 2014-10-10 19:30:37 -05:00			`=======================`
			`Using the V3 Client API`
			`=======================`
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00
			`Introduction`
			`============`

			`The main concepts in the Identity v3 API are:`

Doc cleanup, make concepts links Rather than just mention the concepts, make each reference a link to the concept's representation in the API. Change-Id: I4dadca0395784eb43e5bbb3cfd65c56c8f56ed38 2014-10-10 19:42:06 -05:00			* :py:mod:`~keystoneclient.v3.credentials`
Support domain-specific configuration management Provide support for the domain-specific configuration storage available via the REST API. Domain configs are JSON blobs and we have fine grained control on them via the Identity API. This fine grained control is not defined yet in the client, though - for now, we can manage everything like Python dictionaries and use operations like "update" whenever we want to delete a specific group or option. This approach is similar to what is done in the federation mapping API to handle mapping rules. Functional tests are also included, this is useful to check if the new feature works in an integration environment. Co-Auhtored-By: Henry Nash <henryn@linux.vnet.ibm.com> Co-Authored-By: Rodrigo Duarte <rduartes@redhat.com> Closes-Bug: 1433306 Partially Implements: blueprint domain-config-ext Change-Id: Ie6795b8633fed38c58b79250c11c9a045b7f95a4 2015-03-24 17:57:25 +00:00			* :py:mod:`~keystoneclient.v3.domain_configs`
Doc cleanup, make concepts links Rather than just mention the concepts, make each reference a link to the concept's representation in the API. Change-Id: I4dadca0395784eb43e5bbb3cfd65c56c8f56ed38 2014-10-10 19:42:06 -05:00			* :py:mod:`~keystoneclient.v3.domains`
			* :py:mod:`~keystoneclient.v3.endpoints`
			* :py:mod:`~keystoneclient.v3.groups`
			* :py:mod:`~keystoneclient.v3.policies`
			* :py:mod:`~keystoneclient.v3.projects`
			* :py:mod:`~keystoneclient.v3.regions`
			* :py:mod:`~keystoneclient.v3.role_assignments`
			* :py:mod:`~keystoneclient.v3.roles`
			* :py:mod:`~keystoneclient.v3.services`
			* :py:mod:`~keystoneclient.v3.tokens`
			* :py:mod:`~keystoneclient.v3.users`
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00
Link to docstrings in using-api-v3 The references to classes and modules were just the names and didn't link to the docstrings for the class or module. With this change, names are now links to the class or module. Change-Id: I9c7c03e8221ca71c7fddc0682abadc7a78d371db 2014-06-12 14:30:07 -05:00			The :py:mod:`keystoneclient.v3.client` API lets you query and make changes
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00			through ``managers``. For example, to manipulate a project (formerly
			`called tenant), you interact with a`
Link to docstrings in using-api-v3 The references to classes and modules were just the names and didn't link to the docstrings for the class or module. With this change, names are now links to the class or module. Change-Id: I9c7c03e8221ca71c7fddc0682abadc7a78d371db 2014-06-12 14:30:07 -05:00			:py:class:`keystoneclient.v3.projects.ProjectManager` object.
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00
			`You obtain access to managers through attributes of a`
Link to docstrings in using-api-v3 The references to classes and modules were just the names and didn't link to the docstrings for the class or module. With this change, names are now links to the class or module. Change-Id: I9c7c03e8221ca71c7fddc0682abadc7a78d371db 2014-06-12 14:30:07 -05:00			:py:class:`keystoneclient.v3.client.Client` object. For example, the
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00			``projects`` attribute of a ``Client`` object is a projects manager::

			`>>> from keystoneclient.v3 import client`
			`>>> keystone = client.Client(...)`
			`>>> keystone.projects.list() # List projects`

			`While it is possible to instantiate a`
Link to docstrings in using-api-v3 The references to classes and modules were just the names and didn't link to the docstrings for the class or module. With this change, names are now links to the class or module. Change-Id: I9c7c03e8221ca71c7fddc0682abadc7a78d371db 2014-06-12 14:30:07 -05:00			:py:class:`keystoneclient.v3.client.Client` object (as done above for
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00			`clarity), the recommended approach is to use the discovery mechanism`
Link to docstrings in using-api-v3 The references to classes and modules were just the names and didn't link to the docstrings for the class or module. With this change, names are now links to the class or module. Change-Id: I9c7c03e8221ca71c7fddc0682abadc7a78d371db 2014-06-12 14:30:07 -05:00			provided by the :py:class:`keystoneclient.client.Client` class. The
			`appropriate class will be instantiated depending on the API versions`
			`available::`
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00
			`>>> from keystoneclient import client`
			`>>> keystone =`
			`... client.Client(auth_url='http://localhost:5000', ...)`
			`>>> type(keystone)`
			`<class 'keystoneclient.v3.client.Client'>`

			`One can force the use of a specific version of the API, either by`
			using the ``version`` keyword argument::

			`>>> from keystoneclient import client`
			`>>> keystone = client.Client(auth_url='http://localhost:5000',`
			`version=(2,), ...)`
			`>>> type(keystone)`
			`<class 'keystoneclient.v2_0.client.Client'>`
			`>>> keystone = client.Client(auth_url='http://localhost:5000',`
			`version=(3,), ...)`
			`>>> type(keystone)`
			`<class 'keystoneclient.v3.client.Client'>`

			`Or by specifying directly the specific API version authentication URL`
			`as the auth_url keyword argument::`

			`>>> from keystoneclient import client`
			`>>> keystone =`
			`... client.Client(auth_url='http://localhost:5000/v2.0', ...)`
			`>>> type(keystone)`
			`<class 'keystoneclient.v2_0.client.Client'>`
			`>>> keystone =`
			`... client.Client(auth_url='http://localhost:5000/v3', ...)`
			`>>> type(keystone)`
			`<class 'keystoneclient.v3.client.Client'>`

Link to docstrings in using-api-v3 The references to classes and modules were just the names and didn't link to the docstrings for the class or module. With this change, names are now links to the class or module. Change-Id: I9c7c03e8221ca71c7fddc0682abadc7a78d371db 2014-06-12 14:30:07 -05:00			Upon successful authentication, a :py:class:`keystoneclient.v3.client.Client`
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00			`object is returned (when using the Identity v3 API). Authentication and`
			`examples of common tasks are provided below.`

			`You can generally expect that when the client needs to propagate an`
			`exception it will raise an instance of subclass of`
Fix reference to ClientException keystoneclient doesn't use apiclient exceptions anymore. Change-Id: I7a5a732a9f3a2162d8c4b4083ee9a9c7d90e9e0d 2016-02-28 10:59:51 -06:00			:class:`keystoneclient.exceptions.ClientException`.
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00
Document session usage first Since we'd prefer developers to use the session method when constructing the Client instance, document it first. Change-Id: I8998a9962fd541bafae32b3443d7d4767da74257 2014-10-11 09:55:23 -05:00			`Authenticating Using Sessions`
			`=============================`
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00
Document session usage first Since we'd prefer developers to use the session method when constructing the Client instance, document it first. Change-Id: I8998a9962fd541bafae32b3443d7d4767da74257 2014-10-11 09:55:23 -05:00			Instantiate a :py:class:`keystoneclient.v3.client.Client` using a
Update developer docs for keystoneauth session The developer docs should tell developers to use keystoneauth1 sessions rather than keystoneclient sessions or passing arguments to the Client constructors. keystoneclient sessions and constructing Clients using non-sessions is deprecated. Change-Id: Ica19b8d6fb2f5d1a9d0d22d4fe08abb266fd6a86 2016-02-28 10:44:44 -06:00			:py:class:`~keystoneauth1.session.Session` to provide the authentication
Document session usage first Since we'd prefer developers to use the session method when constructing the Client instance, document it first. Change-Id: I8998a9962fd541bafae32b3443d7d4767da74257 2014-10-11 09:55:23 -05:00			`plugin, SSL/TLS certificates, and other data::`

Update developer docs for keystoneauth session The developer docs should tell developers to use keystoneauth1 sessions rather than keystoneclient sessions or passing arguments to the Client constructors. keystoneclient sessions and constructing Clients using non-sessions is deprecated. Change-Id: Ica19b8d6fb2f5d1a9d0d22d4fe08abb266fd6a86 2016-02-28 10:44:44 -06:00			`>>> from keystoneauth1.identity import v3`
			`>>> from keystoneauth1 import session`
Document session usage first Since we'd prefer developers to use the session method when constructing the Client instance, document it first. Change-Id: I8998a9962fd541bafae32b3443d7d4767da74257 2014-10-11 09:55:23 -05:00			`>>> from keystoneclient.v3 import client`
			`>>> auth = v3.Password(auth_url='https://my.keystone.com:5000/v3',`
			`... user_id='myuserid',`
			`... password='mypassword',`
			`... project_id='myprojectid')`
			`>>> sess = session.Session(auth=auth)`
			`>>> keystone = client.Client(session=sess)`

			For more information on Sessions refer to: `Using Sessions`_.

			.. _`Using Sessions`: using-sessions.html

Add Response class to return request-id to caller This change is required to return 'request_id' from client to log request_id mappings of cross-project requests. Instantiating class 'keystoneclient.v3.client.Client' using 'include_metadata=True' will cause manager response to return a new 'Response' class instead of just the data. This 'Response' class is going to have additional metadata properties available like 'request_ids' and the original data will be available as property 'data' to it. This change is backward compatible since user has to set a new parameter 'include_metadata=True' to client in order to get the request_id returned. Co-author: Dinesh Bhor <dinesh.bhor@nttdata.com> Partially Implements: blueprint return-request-id-to-caller Change-Id: Ibefaa484158ff08bfcacc1e2802d87fc26fd76a5 2016-06-15 12:51:04 +00:00			`Getting Metadata Responses`
			`==========================`

			Instantiating :py:class:`keystoneclient.v3.client.Client` using
			`include_metadata=True` will cause manager response to return
			:py:class:`keystoneclient.base.Response` instead of just the data.
			`The metadata property will be available directly to the`
			:py:class:`keystoneclient.base.Response` and the response data will
			be available as property `data` to it.

			`>>> from keystoneauth1.identity import v3`
			`>>> from keystoneauth1 import session`
			`>>> from keystoneclient.v3 import client`
			`>>> auth = v3.Password(auth_url='https://my.keystone.com:5000/v3',`
			`... user_id='myuserid',`
			`... password='mypassword',`
			`... project_id='myprojectid')`
			`>>> sess = session.Session(auth=auth)`
			`>>> keystone = client.Client(session=sess, include_metadata=True)`
			`>>> resp = keystone.projects.list()`
			`>>> resp.request_ids[0]`
			`req-1234-5678-...`
			`>>> resp.data`
			`[<Project ...>, <Project ...>, ...]`

Document session usage first Since we'd prefer developers to use the session method when constructing the Client instance, document it first. Change-Id: I8998a9962fd541bafae32b3443d7d4767da74257 2014-10-11 09:55:23 -05:00			`Non-Session Authentication (deprecated)`
			`=======================================`

			`The deprecated way to authenticate is to pass the username, the user's domain`
			`name (which will default to 'Default' if it is not specified), and a`
Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00			`password::`

			`>>> from keystoneclient import client`
			`>>> auth_url = 'http://localhost:5000'`
			`>>> username = 'adminUser'`
			`>>> user_domain_name = 'Default'`
			`>>> password = 'secreetword'`
			`>>> keystone = client.Client(auth_url=auth_url, version=(3,),`
			`... username=username, password=password,`
			`... user_domain_name=user_domain_name)`

Update developer docs for keystoneauth session The developer docs should tell developers to use keystoneauth1 sessions rather than keystoneclient sessions or passing arguments to the Client constructors. keystoneclient sessions and constructing Clients using non-sessions is deprecated. Change-Id: Ica19b8d6fb2f5d1a9d0d22d4fe08abb266fd6a86 2016-02-28 10:44:44 -06:00			A :py:class:`~keystoneauth1.session.Session` should be passed to the Client
Document session usage first Since we'd prefer developers to use the session method when constructing the Client instance, document it first. Change-Id: I8998a9962fd541bafae32b3443d7d4767da74257 2014-10-11 09:55:23 -05:00			`instead. Using a Session you're not limited to authentication using a username`
			`and password but can take advantage of other more secure authentication`
			`methods.`

Documents keystone v3 API usage - part 1 docs/source/using-api.rst documents how to use the V2 API. This patch starts the equivalent documentation (using-api-v3.rst) about how to use Keystone v3 API. Introduction and Authentication sections have been written. Change-Id: I5a2d45d80ba712492717a75ac5901f5ca775daa4 Partial-Bug: #1260527 2013-12-20 13:24:03 +00:00			`You may optionally specify a domain or project (along with its project`
			`domain name), to obtain a scoped token::`

			`>>> from keystoneclient import client`
			`>>> auth_url = 'http://localhost:5000'`
			`>>> username = 'adminUser'`
			`>>> user_domain_name = 'Default'`
			`>>> project_name = 'demo'`
			`>>> project_domain_name = 'Default'`
			`>>> password = 'secreetword'`
			`>>> keystone = client.Client(auth_url=auth_url, version=(3,),`
			`... username=username, password=password,`
			`... user_domain_name=user_domain_name,`
			`... project_name=project_name,`
			`... project_domain_name=project_domain_name)`