python-keystoneclient/doc/source/using-api-v2.rst

=======================
Using the V2 client API
=======================

Introduction
============

The main concepts in the Identity v2 API are:

 * tenants
 * users
 * roles
 * services
 * endpoints

The V2 client API lets you query and make changes through
managers. For example, to manipulate tenants, you interact with a
``keystoneclient.v2_0.tenants.TenantManager`` object.

You obtain access to managers via attributes of the
``keystoneclient.v2_0.client.Client`` object. For example, the ``tenants``
attribute of the ``Client`` class is a tenant manager::

    >>> from keystoneclient.v2_0 import client
    >>> keystone = client.Client(...)
    >>> keystone.tenants.list() # List tenants

You create a valid ``keystoneclient.v2_0.client.Client`` object by passing
a :class:`~keystoneauth1.session.Session` to the constructor. Authentication
and examples of common tasks are provided below.

You can generally expect that when the client needs to propagate an exception
it will raise an instance of subclass of
``keystoneclient.exceptions.ClientException``

Authenticating
==============

There are two ways to authenticate against keystone:
 * against the admin endpoint with the admin token
 * against the public endpoint with a username and password

If you are an administrator, you can authenticate by connecting to the admin
endpoint and using the admin token (sometimes referred to as the service
token). The token is specified as the ``admin_token`` configuration option in
your keystone.conf config file, which is typically in /etc/keystone::

    >>> from keystoneauth1.identity import v2
    >>> from keystoneauth1 import session
    >>> from keystoneclient.v2_0 import client
    >>> token = '012345SECRET99TOKEN012345'
    >>> endpoint = 'http://192.168.206.130:35357/v2.0'
    >>> auth = v2.Token(auth_url=endpoint, token=token)
    >>> sess = session.Session(auth=auth)
    >>> keystone = client.Client(session=sess)

If you have a username and password, authentication is done against the
public endpoint. You must also specify a tenant that is associated with the
user::

    >>> from keystoneauth1.identity import v2
    >>> from keystoneauth1 import session
    >>> from keystoneclient.v2_0 import client
    >>> username='adminUser'
    >>> password='secretword'
    >>> tenant_name='openstackDemo'
    >>> auth_url='http://192.168.206.130:5000/v2.0'
    >>> auth = v2.Password(username=username, password=password,
    ...                    tenant_name=tenant_name, auth_url=auth_url)
    >>> sess = session.Session(auth=auth)
    >>> keystone = client.Client(session=sess)

Creating tenants
================

This example will create a tenant named *openstackDemo*::

    >>> from keystoneclient.v2_0 import client
    >>> keystone = client.Client(...)
    >>> keystone.tenants.create(tenant_name="openstackDemo",
    ...                         description="Default Tenant", enabled=True)
    <Tenant {'id': '9b7962da6eb04745b477ae920ad55939', 'enabled': True, 'description': 'Default Tenant', 'name': 'openstackDemo'}>

Creating users
==============

This example will create a user named *adminUser* with a password *secretword*
in the openstackDemo tenant. We first need to retrieve the tenant::

    >>> from keystoneclient.v2_0 import client
    >>> keystone = client.Client(...)
    >>> tenants = keystone.tenants.list()
    >>> my_tenant = [x for x in tenants if x.name=='openstackDemo'][0]
    >>> my_user = keystone.users.create(name="adminUser",
    ...                                 password="secretword",
    ...                                 tenant_id=my_tenant.id)

Creating roles and adding users
===============================

This example will create an admin role and add the *my_user* user to that
role, but only for the *my_tenant* tenant:

    >>> from keystoneclient.v2_0 import client
    >>> keystone = client.Client(...)
    >>> role = keystone.roles.create('admin')
    >>> my_tenant = ...
    >>> my_user = ...
    >>> keystone.roles.add_user_role(my_user, role, my_tenant)

Creating services and endpoints
===============================

This example will create the service and corresponding endpoint for the
Compute service::

    >>> from keystoneclient.v2_0 import client
    >>> keystone = client.Client(...)
    >>> service = keystone.services.create(name="nova", service_type="compute",
    ...                                    description="Nova Compute Service")
    >>> keystone.endpoints.create(
    ...     region="RegionOne", service_id=service.id,
    ...     publicurl="http://192.168.206.130:8774/v2/%(tenant_id)s",
    ...     adminurl="http://192.168.206.130:8774/v2/%(tenant_id)s",
    ...     internalurl="http://192.168.206.130:8774/v2/%(tenant_id)s")
Rename the client API docs Since developers want to use the APIs, the docs should be more enticing and say that it describes how to use the APIs. Also, called it "V3 Client API" since this reads better than "Client V3 API" and it matches the order in the module path. Change-Id: I79dd6f6891bf48b477b35157256a0219426d171c 2014-10-10 19:30:37 -05:00			`=======================`
Fixed grammatical errors in the V2 Client API doc In the using-api-v2.rst document, various inconsistencies in spelling of "openstackDemo", as well as the password under the "Creating Tenants" and "Creating Users" sections. Updated service names to adhere to the OpenStack service naming conventions. Fixed capitalization of "Client" to "client". Change-Id: Ib20782f5b05f7097158f606c6562f92126650b89 Closes-Bug: #1458015 2015-05-27 16:44:26 +00:00			`Using the V2 client API`
Rename the client API docs Since developers want to use the APIs, the docs should be more enticing and say that it describes how to use the APIs. Also, called it "V3 Client API" since this reads better than "Client V3 API" and it matches the order in the module path. Change-Id: I79dd6f6891bf48b477b35157256a0219426d171c 2014-10-10 19:30:37 -05:00			`=======================`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
			`Introduction`
			`============`
Replace refs to 'Keystone API' with 'Identity API' Formally, OpenStack Keystone implements the OpenStack Identity API, and this is a client to the API, not to Keystone itself. Change-Id: If568866221a29ba041f0f2cd56dc81deeb9ebc00 2012-10-24 07:12:30 -05:00
Rename using-api.rst to using-api-v2.rst Renaming file for consistency, since using-api-v3.rst is being written there: https://review.openstack.org/#/c/63408 Minor changes have been made to indicate that the file documents the keystone v2 API. Change-Id: I694b658a8b59d21615af5d88edc0f7b394ebbe7b Partial-Bug: #1260527 2013-12-24 15:57:20 +00:00			`The main concepts in the Identity v2 API are:`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
			`* tenants`
			`* users`
			`* roles`
			`* services`
			`* endpoints`

Rename the client API docs Since developers want to use the APIs, the docs should be more enticing and say that it describes how to use the APIs. Also, called it "V3 Client API" since this reads better than "Client V3 API" and it matches the order in the module path. Change-Id: I79dd6f6891bf48b477b35157256a0219426d171c 2014-10-10 19:30:37 -05:00			`The V2 client API lets you query and make changes through`
Rename using-api.rst to using-api-v2.rst Renaming file for consistency, since using-api-v3.rst is being written there: https://review.openstack.org/#/c/63408 Minor changes have been made to indicate that the file documents the keystone v2 API. Change-Id: I694b658a8b59d21615af5d88edc0f7b394ebbe7b Partial-Bug: #1260527 2013-12-24 15:57:20 +00:00			`managers. For example, to manipulate tenants, you interact with a`
Replace refs to 'Keystone API' with 'Identity API' Formally, OpenStack Keystone implements the OpenStack Identity API, and this is a client to the API, not to Keystone itself. Change-Id: If568866221a29ba041f0f2cd56dc81deeb9ebc00 2012-10-24 07:12:30 -05:00			``keystoneclient.v2_0.tenants.TenantManager`` object.
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
Correcting using-api-v2.rst Changes * removed extraneous word from Introduction section Closes-Bug: #1334915 Change-Id: I201ddb70a4d91e0d615e322abc43848993dee573 2014-06-26 20:48:53 -04:00			`You obtain access to managers via attributes of the`
updating base keystoneclient documentation * updated changelog * described CLI authentication for admin and user * tweaked API usage docs a bit with formatting and typos Change-Id: I61c3aab99bb0ecbad1de6d32a767558ca1a2ab5b 2012-09-28 15:57:25 +00:00			``keystoneclient.v2_0.client.Client`` object. For example, the ``tenants``
			attribute of the ``Client`` class is a tenant manager::
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
			`>>> from keystoneclient.v2_0 import client`
			`>>> keystone = client.Client(...)`
			`>>> keystone.tenants.list() # List tenants`

			You create a valid ``keystoneclient.v2_0.client.Client`` object by passing
Update developer docs for keystoneauth session The developer docs should tell developers to use keystoneauth1 sessions rather than keystoneclient sessions or passing arguments to the Client constructors. keystoneclient sessions and constructing Clients using non-sessions is deprecated. Change-Id: Ica19b8d6fb2f5d1a9d0d22d4fe08abb266fd6a86 2016-02-28 10:44:44 -06:00			a :class:`~keystoneauth1.session.Session` to the constructor. Authentication
			`and examples of common tasks are provided below.`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
Fix typos in documents and comments Fix typos detected by toolkit misspellings. * pip install misspellings * git ls-files \| grep -v locale \| misspellings -f - Change-Id: Ifbbc29537d9d129aad238de6c37718c4fbb8349b 2014-01-23 16:30:19 +08:00			`You can generally expect that when the client needs to propagate an exception`
adding notes about dealing with exceptions in the client Change-Id: I661b10414e0281bc695236bb32f985b0ef5b7600 2013-04-03 09:44:20 -07:00			`it will raise an instance of subclass of`
			``keystoneclient.exceptions.ClientException``

Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00			`Authenticating`
			`==============`

Fixed grammatical errors in the V2 Client API doc In the using-api-v2.rst document, various inconsistencies in spelling of "openstackDemo", as well as the password under the "Creating Tenants" and "Creating Users" sections. Updated service names to adhere to the OpenStack service naming conventions. Fixed capitalization of "Client" to "client". Change-Id: Ib20782f5b05f7097158f606c6562f92126650b89 Closes-Bug: #1458015 2015-05-27 16:44:26 +00:00			`There are two ways to authenticate against keystone:`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00			`* against the admin endpoint with the admin token`
			`* against the public endpoint with a username and password`

			`If you are an administrator, you can authenticate by connecting to the admin`
			`endpoint and using the admin token (sometimes referred to as the service`
updating base keystoneclient documentation * updated changelog * described CLI authentication for admin and user * tweaked API usage docs a bit with formatting and typos Change-Id: I61c3aab99bb0ecbad1de6d32a767558ca1a2ab5b 2012-09-28 15:57:25 +00:00			token). The token is specified as the ``admin_token`` configuration option in
			`your keystone.conf config file, which is typically in /etc/keystone::`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
Update developer docs for keystoneauth session The developer docs should tell developers to use keystoneauth1 sessions rather than keystoneclient sessions or passing arguments to the Client constructors. keystoneclient sessions and constructing Clients using non-sessions is deprecated. Change-Id: Ica19b8d6fb2f5d1a9d0d22d4fe08abb266fd6a86 2016-02-28 10:44:44 -06:00			`>>> from keystoneauth1.identity import v2`
			`>>> from keystoneauth1 import session`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00			`>>> from keystoneclient.v2_0 import client`
			`>>> token = '012345SECRET99TOKEN012345'`
			`>>> endpoint = 'http://192.168.206.130:35357/v2.0'`
Update developer docs for keystoneauth session The developer docs should tell developers to use keystoneauth1 sessions rather than keystoneclient sessions or passing arguments to the Client constructors. keystoneclient sessions and constructing Clients using non-sessions is deprecated. Change-Id: Ica19b8d6fb2f5d1a9d0d22d4fe08abb266fd6a86 2016-02-28 10:44:44 -06:00			`>>> auth = v2.Token(auth_url=endpoint, token=token)`
			`>>> sess = session.Session(auth=auth)`
			`>>> keystone = client.Client(session=sess)`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
			`If you have a username and password, authentication is done against the`
			`public endpoint. You must also specify a tenant that is associated with the`
			`user::`

Update developer docs for keystoneauth session The developer docs should tell developers to use keystoneauth1 sessions rather than keystoneclient sessions or passing arguments to the Client constructors. keystoneclient sessions and constructing Clients using non-sessions is deprecated. Change-Id: Ica19b8d6fb2f5d1a9d0d22d4fe08abb266fd6a86 2016-02-28 10:44:44 -06:00			`>>> from keystoneauth1.identity import v2`
			`>>> from keystoneauth1 import session`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00			`>>> from keystoneclient.v2_0 import client`
			`>>> username='adminUser'`
Fixed grammatical errors in the V2 Client API doc In the using-api-v2.rst document, various inconsistencies in spelling of "openstackDemo", as well as the password under the "Creating Tenants" and "Creating Users" sections. Updated service names to adhere to the OpenStack service naming conventions. Fixed capitalization of "Client" to "client". Change-Id: Ib20782f5b05f7097158f606c6562f92126650b89 Closes-Bug: #1458015 2015-05-27 16:44:26 +00:00			`>>> password='secretword'`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00			`>>> tenant_name='openstackDemo'`
			`>>> auth_url='http://192.168.206.130:5000/v2.0'`
Update developer docs for keystoneauth session The developer docs should tell developers to use keystoneauth1 sessions rather than keystoneclient sessions or passing arguments to the Client constructors. keystoneclient sessions and constructing Clients using non-sessions is deprecated. Change-Id: Ica19b8d6fb2f5d1a9d0d22d4fe08abb266fd6a86 2016-02-28 10:44:44 -06:00			`>>> auth = v2.Password(username=username, password=password,`
			`... tenant_name=tenant_name, auth_url=auth_url)`
			`>>> sess = session.Session(auth=auth)`
			`>>> keystone = client.Client(session=sess)`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
			`Creating tenants`
			`================`

Fixed grammatical errors in the V2 Client API doc In the using-api-v2.rst document, various inconsistencies in spelling of "openstackDemo", as well as the password under the "Creating Tenants" and "Creating Users" sections. Updated service names to adhere to the OpenStack service naming conventions. Fixed capitalization of "Client" to "client". Change-Id: Ib20782f5b05f7097158f606c6562f92126650b89 Closes-Bug: #1458015 2015-05-27 16:44:26 +00:00			`This example will create a tenant named openstackDemo::`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
			`>>> from keystoneclient.v2_0 import client`
			`>>> keystone = client.Client(...)`
			`>>> keystone.tenants.create(tenant_name="openstackDemo",`
			`... description="Default Tenant", enabled=True)`
remove unicode from code Change-Id: I2d2d025b0d8bda2ffc7be4d30489728c05f53c8e 2021-01-04 17:16:58 +08:00			`<Tenant {'id': '9b7962da6eb04745b477ae920ad55939', 'enabled': True, 'description': 'Default Tenant', 'name': 'openstackDemo'}>`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
			`Creating users`
			`==============`

			`This example will create a user named adminUser with a password secretword`
Fixed grammatical errors in the V2 Client API doc In the using-api-v2.rst document, various inconsistencies in spelling of "openstackDemo", as well as the password under the "Creating Tenants" and "Creating Users" sections. Updated service names to adhere to the OpenStack service naming conventions. Fixed capitalization of "Client" to "client". Change-Id: Ib20782f5b05f7097158f606c6562f92126650b89 Closes-Bug: #1458015 2015-05-27 16:44:26 +00:00			`in the openstackDemo tenant. We first need to retrieve the tenant::`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
			`>>> from keystoneclient.v2_0 import client`
			`>>> keystone = client.Client(...)`
			`>>> tenants = keystone.tenants.list()`
			`>>> my_tenant = [x for x in tenants if x.name=='openstackDemo'][0]`
updating base keystoneclient documentation * updated changelog * described CLI authentication for admin and user * tweaked API usage docs a bit with formatting and typos Change-Id: I61c3aab99bb0ecbad1de6d32a767558ca1a2ab5b 2012-09-28 15:57:25 +00:00			`>>> my_user = keystone.users.create(name="adminUser",`
			`... password="secretword",`
			`... tenant_id=my_tenant.id)`
Updated Sphinx documentation - Added examples using the API - Added API reference pages - Added docstrings to classes so they would be picked up by sphinx - Removed warning about CLI coming soon Change-Id: I6e187efe508c5ae310ec97efe4650495f958306d 2012-05-04 09:33:29 -04:00
			`Creating roles and adding users`
			`===============================`

			`This example will create an admin role and add the my_user user to that`
			`role, but only for the my_tenant tenant:`

			`>>> from keystoneclient.v2_0 import client`
			`>>> keystone = client.Client(...)`
			`>>> role = keystone.roles.create('admin')`
			`>>> my_tenant = ...`
			`>>> my_user = ...`
			`>>> keystone.roles.add_user_role(my_user, role, my_tenant)`

			`Creating services and endpoints`
			`===============================`

			`This example will create the service and corresponding endpoint for the`
			`Compute service::`

			`>>> from keystoneclient.v2_0 import client`
			`>>> keystone = client.Client(...)`
			`>>> service = keystone.services.create(name="nova", service_type="compute",`
			`... description="Nova Compute Service")`
updating base keystoneclient documentation * updated changelog * described CLI authentication for admin and user * tweaked API usage docs a bit with formatting and typos Change-Id: I61c3aab99bb0ecbad1de6d32a767558ca1a2ab5b 2012-09-28 15:57:25 +00:00			`>>> keystone.endpoints.create(`
			`... region="RegionOne", service_id=service.id,`
			`... publicurl="http://192.168.206.130:8774/v2/%(tenant_id)s",`
			`... adminurl="http://192.168.206.130:8774/v2/%(tenant_id)s",`
			`... internalurl="http://192.168.206.130:8774/v2/%(tenant_id)s")`