The traditional way of authenticating with the openstack client is to use a username and password stored in environment variables. Some of us are not too keen on having clear-text passwords lying around, so this article presents a way to authenticate to openstack without keeping the password in clear text.
Openstack-command only
This authentication approach only works with the new "openstack" client. The old project-specific clients ("nova", "neutron", "glance" etc.) do not support token-based auth.
The simple approach
The simplest approach to using the command-line clients without having the password stored on your client in clear-text is to use the following modified openrc file:
    projectID=   #Your openstack project ID
    username=    #Your NTNU username
    keystoneURL=https://api.skyhigh.iik.ntnu.no:5000/v3

    # Clear any token left over from an earlier session
    unset OS_TOKEN
    unset OS_AUTH_TYPE

    export OS_AUTH_URL=$keystoneURL
    export OS_IDENTITY_API_VERSION=3
    export OS_TENANT_ID=$projectID
    export OS_INTERFACE="public"
    export OS_ENDPOINT_TYPE=publicURL
    export OS_USERDOMAIN_NAME="NTNU"
    export OS_USERNAME=$username
    export OS_DOMAIN_NAME=NTNU

    # No OS_PASSWORD is set, so the client prompts for the password
    tcommand="openstack token issue -f value -c id"
    echo "Please supply the password to the $OS_DOMAIN_NAME user $username:"
    token=$($tcommand)
    status=$?
    while [[ $status -ne 0 ]]; do
      echo "Could not get a token. Please try again:"
      token=$($tcommand)
      status=$?
    done

    # Switch the client to token auth and drop the user details
    export OS_TOKEN="$token"
    export OS_AUTH_TYPE="token"
    unset OS_DOMAIN_NAME
    unset OS_USERDOMAIN_NAME
    unset OS_USERNAME
    echo "You are now authenticated to use the openstack CLI client."
Add your username and the ID of your project to the first two variables in this file, and you are good to go. This openrc file is used the same way as the ordinary one which you can download from Horizon:
    eigil@breve:~$ source tokenopenrc.sh
    Please supply the password to the NTNU user eigilo:
    Password:
    You are now authenticated to use the openstack CLI client.
    eigil@breve:~$ openstack server list
    +--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+
    | ID                                   | Name       | Status | Networks                                      | Image                               | Flavor  |
    +--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+
    | a3b399b3-f00b-40c0-1337-d4fee729f9dc | debiantest | ACTIVE | ObreNetwork-NTNU=192.168.0.113, 10.212.136.98 | Debian 9.4.2 (Stretch) stable amd64 | m1.tiny |
    +--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+
Token lifetime
One downside of using tokens instead of a password is that tokens have a limited lifetime. The lifetime of your session can be seen by running the command "openstack token issue":
    eigil@breve:~$ openstack token issue -f value -c expires
    2018-08-21T09:31:14+0000
The timestamp shown is the UTC time at which your token expires. If the command-line client is used after the expiry, the following message will appear:
    eigil@breve:~$ openstack server list
    Failed to validate token (HTTP 404) (Request-ID: req-6575a9f2-4ca4-beef-ba22-6285ad05896e)
When the token expires you can get a new one by simply sourcing the openrc file again.
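To find out how much lifetime is left before starting a long job, rather than running into the HTTP 404 halfway through, the expiry timestamp can be compared with the current time. The following is an added example, not part of the original article: the function names expiry_to_epoch and token_status and the 300-second warning threshold are assumptions, and only the timestamp format shown above is accepted.

```sh
# Added example; function names and the 300 s default are assumptions.
# Accepts only the "expires" format shown above: YYYY-MM-DDTHH:MM:SS+0000 (UTC).

# expiry_to_epoch EXPIRES -> prints seconds since the Unix epoch.
# The body is a subshell "( )", so the IFS change and helper variables never
# reach the interactive shell that sourced this file.
expiry_to_epoch() (
    case $1 in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]T[0-9][0-9]:[0-9][0-9]:[0-9][0-9]+0000) ;;
        *) exit 1 ;;
    esac
    IFS='-T:+'
    set -- $1   # split into: year month day hour minute second offset
    # Strip one leading zero so "08" and "09" are not rejected as octal.
    y=$1 mo=${2#0} d=${3#0} h=${4#0} mi=${5#0} s=${6#0}
    [ "$mo" -ge 1 ] && [ "$mo" -le 12 ] && [ "$d" -ge 1 ] && [ "$d" -le 31 ] || exit 1
    # Days since 1970-01-01, counting the year from March so that the
    # leap day falls at the end of the year.
    if [ "$mo" -le 2 ]; then y=$((y - 1)); mo=$((mo + 9)); else mo=$((mo - 3)); fi
    era=$((y / 400)); yoe=$((y - era * 400))
    doy=$(( (153 * mo + 2) / 5 + d - 1 ))
    days=$(( era * 146097 + yoe * 365 + yoe / 4 - yoe / 100 + doy - 719468 ))
    echo "$(( days * 86400 + h * 3600 + mi * 60 + s ))"
)

# token_status EXPIRES [NOW_EPOCH] [WARN_SECONDS]
# Prints "valid N", "expiring N" (N = seconds left) or "expired".
# Exit status: 0 usable, 1 expired, 2 timestamp not understood.
# NOW_EPOCH defaults to the output of "date +%s".
token_status() (
    exp=$(expiry_to_epoch "$1") || { echo "unparsable"; exit 2; }
    left=$(( exp - ${2:-$(date +%s)} ))
    if [ "$left" -le 0 ]; then echo "expired"; exit 1; fi
    if [ "$left" -le "${3:-300}" ]; then echo "expiring $left"; else echo "valid $left"; fi
)

# Usage after sourcing the openrc file (needs a working openstack client):
#   expires=$(openstack token issue -f value -c expires)
#   token_status "$expires" || echo "Source the openrc file again."
```

Capture the expiry once, right after sourcing the openrc file, and reuse the stored value for later checks.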
The complex approach
Some openstack users have multiple projects, maybe even across multiple openstack clouds. These users may want a more elaborate openrc file, so that the same file can be used for all projects and clouds. An example of such a file will be added soon.