You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

The traditional way of authenticating with the openstack client is to use a username and password which are set as an environment variable. Some of us are not too keen of having clear-text passwords lying around, and this article are thus presenting a way to authenticate to openstack without having the password as clear-text.

The simple approach

The simplest approach to using the command-line clients without having the password stored on your client in clear-text is to use the following modified openrc file:

Modified openrc
projectID=        #Your openstack project ID
username=         #Your NTNU username
keystoneURL=https://api.skyhigh.iik.ntnu.no:5000/v3

unset OS_TOKEN
unset OS_AUTH_TYPE

export OS_AUTH_URL=$keystoneURL
export OS_IDENTITY_API_VERSION=3
export OS_TENANT_ID=$projectID
export OS_INTERFACE="public"
export OS_ENDPOINT_TYPE=publicURL

export OS_USERDOMAIN_NAME="NTNU"
export OS_USERNAME="eigilo"
export OS_DOMAIN_NAME=NTNU

tcommand="openstack token issue -f value -c id"

echo "Please supply the password to the $OS_DOMAIN_NAME user $username:"
token=$($tcommand)
status=$?
while [[ $status -ne 0 ]]; do
  echo "Could not get a token. Please try again:"
  token=$($tcommand)
  status=$?
done

export OS_TOKEN="$token"
export OS_AUTH_TYPE="token"

unset OS_DOMAIN_NAME
unset OS_USERDOMAIN_NAME
unset OS_USERNAME

echo "You are now authenticated to use the openstack CLI client."

Add your username and the ID of your project to the first to variables in this file, and you are good to go. This openrc-file is used the same way as the ordinary one which you can download from horizon:

Using the new openrc file
eigil@breve:~$ source tokenopenrc.sh 
Please supply the password to the NTNU user eigilo:
Password: 
You are now authenticated to use the openstack CLI client.
eigil@breve:~$ openstack server list
+--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+
| ID                                   | Name       | Status | Networks                                      | Image                               | Flavor  |
+--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+
| a3b399b3-f00b-40c0-1337-d4fee729f9dc | debiantest | ACTIVE | ObreNetwork-NTNU=192.168.0.113, 10.212.136.98 | Debian 9.4.2 (Stretch) stable amd64 | m1.tiny |
+--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+

Token lifetime

One downside using tokens instead of a password is that the tokens have limited lifetime. The lifetime of your session can be seen by running the command "openstack token issue:

Token lifetime
eigil@breve:~$ openstack token issue -f value -c expires
2018-08-21T09:31:14+0000

The timestamp appearing is the UTC time of when your token expires. If the commandline client are used after the expiry the following message will appear:

 
  • No labels