openstack/python-keystoneclient
Code Issues Proposed changes
Files
e39351ec65bb00b33d3d57785976daefe9d27c2c
python-keystoneclient/README.rst
Joe Heck f1cc3cfc42 removing repeat attempt at authorization in client 
blueprint solidify-python-api

* extended and updated documentation strings
* updated README.rst with latest options
* made debug a pass-through value, optionally set on client (instead of
  just being pulled from environment variable)
* adding AccessInfo object and associated tests
  (access.AccessInfo meant to be a cacheable object external to client
  and ultimately to replace service_catalog and it's existing functionality)
* extending authtoken to support lists of endpoints
* maintaining a single entity for client.management_url with first from
  list of possible endpoints
* create project_name and project_id synonyms to match tenant_name and
  tenant_id
* replacing authenticate call to a pure method, not overloading the
  resource/manager path that confuses base URL concepts.
* throw AuthorizationFailure if client attempts to access keystone
  resources before it has a management url
* special case listing tenant using auth_url for unscoped tokens authorized
  through client
* special case listing tokens.authenticate for Dashboard to allow unscoped
  tokens to hand back parity information to dashboard

Change-Id: I4bb3a1b6a5ce2c4b3fbcebeb59116286cac8b2e3
2012-11-09 00:02:41 +00:00

7.5 KiB
Raw Blame History

Python bindings to the OpenStack Identity API (Keystone)

This is a client for the OpenStack Identity API, implemented by Keystone. There's a Python API (the keystoneclient module), and a command-line script (keystone).

Development takes place via the usual OpenStack processes as outlined in the OpenStack wiki. The master repository is on GitHub.

This code a fork of Rackspace's python-novaclient which is in turn a fork of Jacobian's python-cloudservers. The python-keystoneclient is licensed under the Apache License like the rest of OpenStack.

Contents:

Python API

By way of a quick-start:

# use v2.0 auth with http://example.com:5000/v2.0
>>> from keystoneclient.v2_0 import client
>>> keystone = client.Client(username=USERNAME, password=PASSWORD, tenant_name=TENANT, auth_url=AUTH_URL)
>>> keystone.tenants.list()
>>> tenant = keystone.tenants.create(tenant_name="test", description="My new tenant!", enabled=True)
>>> tenant.delete()

Command-line API

Installing this package gets you a shell command, keystone, that you can use to interact with OpenStack's Identity API.

You'll need to provide your OpenStack tenant, username and password. You can do this with the --os-tenant-name, --os-username and --os-password params, but it's easier to just set them as environment variables:

export OS_TENANT_NAME=project
export OS_USERNAME=user
export OS_PASSWORD=pass

You will also need to define the authentication url with --os-auth-url and the version of the API with --os-identity-api-version. Or set them as an environment variables as well:

export OS_AUTH_URL=http://example.com:5000/v2.0
export OS_IDENTITY_API_VERSION=2.0

Alternatively, to authenticate to Keystone without a username/password, such as when there are no users in the database yet, use the service token and endpoint arguemnts. The service token is set in keystone.conf as admin_token; set it with service_token. Note: keep the service token secret as it allows total access to Keystone's database. The admin endpoint is set with --endpoint or SERVICE_ENDPOINT:

export SERVICE_TOKEN=thequickbrownfox-jumpsover-thelazydog
export SERVICE_ENDPOINT=http://example.com:35357/v2.0

Since Keystone can return multiple regions in the Service Catalog, you can specify the one you want with --region_name (or export OS_REGION_NAME). It defaults to the first in the list returned.

You'll find complete documentation on the shell by running keystone help:

usage: keystone [--os-username <auth-user-name>]
                [--os-password <auth-password>]
                [--os-tenant-name <auth-tenant-name>]
                [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
                [--os-region-name <region-name>]
                [--os-identity-api-version <identity-api-version>]
                [--os-token <service-token>]
                [--os-endpoint <service-endpoint>]
                [--os-cacert <ca-certificate>] [--os-cert <certificate>]
                [--os-key <key>] [--insecure] [--token <service-token>]
                [--endpoint <service-endpoint>]
                <subcommand> ...

Command-line interface to the OpenStack Identity API.

Positional arguments:
  <subcommand>
    catalog
    ec2-credentials-create
                        Create EC2-compatibile credentials for user per tenant
    ec2-credentials-delete
                        Delete EC2-compatibile credentials
    ec2-credentials-get
                        Display EC2-compatibile credentials
    ec2-credentials-list
                        List EC2-compatibile credentials for a user
    endpoint-create     Create a new endpoint associated with a service
    endpoint-delete     Delete a service endpoint
    endpoint-get
    endpoint-list       List configured service endpoints
    role-create         Create new role
    role-delete         Delete role
    role-get            Display role details
    role-list           List all roles
    service-create      Add service to Service Catalog
    service-delete      Delete service from Service Catalog
    service-get         Display service from Service Catalog
    service-list        List all services in Service Catalog
    tenant-create       Create new tenant
    tenant-delete       Delete tenant
    tenant-get          Display tenant details
    tenant-list         List all tenants
    tenant-update       Update tenant name, description, enabled status
    token-get
    user-create         Create new user
    user-delete         Delete user
    user-get            Display user details.
    user-list           List users
    user-password-update
                        Update user password
    user-role-add       Add role to user
    user-role-list      List roles granted to a user
    user-role-remove    Remove role from user
    user-update         Update user's name, email, and enabled status
    discover            Discover Keystone servers and show authentication
                        protocols and
    bootstrap           Grants a new role to a new user on a new tenant, after
                        creating each.
    bash-completion     Prints all of the commands and options to stdout.
    help                Display help about this program or one of its
                        subcommands.

Optional arguments:
  --os-username <auth-user-name>
                        Defaults to env[OS_USERNAME]
  --os-password <auth-password>
                        Defaults to env[OS_PASSWORD]
  --os-tenant-name <auth-tenant-name>
                        Defaults to env[OS_TENANT_NAME]
  --os-tenant-id <tenant-id>
                        Defaults to env[OS_TENANT_ID]
  --os-auth-url <auth-url>
                        Defaults to env[OS_AUTH_URL]
  --os-region-name <region-name>
                        Defaults to env[OS_REGION_NAME]
  --os-identity-api-version <identity-api-version>
                        Defaults to env[OS_IDENTITY_API_VERSION] or 2.0
  --os-token <service-token>
                        Defaults to env[OS_SERVICE_TOKEN]
  --os-endpoint <service-endpoint>
                        Defaults to env[OS_SERVICE_ENDPOINT]
  --os-cacert <ca-certificate>
                        Defaults to env[OS_CACERT]
  --os-cert <certificate>
                        Defaults to env[OS_CERT]
  --os-key <key>        Defaults to env[OS_KEY]
  --insecure            Explicitly allow keystoneclient to perform "insecure"
                        SSL (https) requests. The server's certificate will
                        not be verified against any certificate authorities.
                        This option should be used with caution.
  --token <service-token>
                        Deprecated. use --os-token
  --endpoint <service-endpoint>
                        Deprecated. use --os-endpoint

See "keystone help COMMAND" for help on a specific command.