
The traditional way of authenticating with the openstack client is to use a username and password which are set as environment variables. Some of us are not too keen on having clear-text passwords lying around, so this article presents a way to authenticate to OpenStack without storing the password in clear text.

The simple approach

The simplest approach to using the command-line clients without having the password stored on your client in clear-text is to use the following modified openrc file:

Modified openrc
projectID=        #Your openstack project ID
username=         #Your NTNU username
keystoneURL=https://api.skyhigh.iik.ntnu.no:5000/v3

unset OS_TOKEN
unset OS_AUTH_TYPE

export OS_AUTH_URL=$keystoneURL
export OS_IDENTITY_API_VERSION=3
export OS_TENANT_ID=$projectID
export OS_INTERFACE="public"
export OS_ENDPOINT_TYPE=publicURL

export OS_USERDOMAIN_NAME="NTNU"
export OS_USERNAME="$username"
export OS_DOMAIN_NAME=NTNU

tcommand="openstack token issue -f value -c id"

echo "Please supply the password to the $OS_DOMAIN_NAME user $username:"
token=$($tcommand)
status=$?
while [[ $status -ne 0 ]]; do
  echo "Could not get a token. Please try again:"
  token=$($tcommand)
  status=$?
done

export OS_TOKEN="$token"
export OS_AUTH_TYPE="token"

unset OS_DOMAIN_NAME
unset OS_USERDOMAIN_NAME
unset OS_USERNAME

echo "You are now authenticated to use the openstack CLI client."

Add your username and the ID of your project to the first two variables in this file, and you are good to go. This openrc file is used the same way as the ordinary one which you can download from Horizon:

Using the new openrc file
eigil@breve:~$ source tokenopenrc.sh 
Please supply the password to the NTNU user eigilo:
Password: 
You are now authenticated to use the openstack CLI client.
eigil@breve:~$ openstack server list
+--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+
| ID                                   | Name       | Status | Networks                                      | Image                               | Flavor  |
+--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+
| a3b399b3-f00b-40c0-1337-d4fee729f9dc | debiantest | ACTIVE | ObreNetwork-NTNU=192.168.0.113, 10.212.136.98 | Debian 9.4.2 (Stretch) stable amd64 | m1.tiny |
+--------------------------------------+------------+--------+-----------------------------------------------+-------------------------------------+---------+

Token lifetime

One downside of using tokens instead of a password is that tokens have a limited lifetime. The lifetime of your session can be seen by running the command "openstack token issue":

Token lifetime
eigil@breve:~$ openstack token issue -f value -c expires
2018-08-21T09:31:14+0000

The timestamp shown is the time, in UTC, at which your token expires. If the command-line client is used after the expiry, the following message will appear:

Failing token
eigil@breve:~$ openstack server list
Failed to validate token (HTTP 404) (Request-ID: req-6575a9f2-4ca4-beef-ba22-6285ad05896e)

When the token expires you can get a new one by simply sourcing the openrc file again.
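
To notice an expiring token before a long-running job fails halfway, the expiry timestamp can be checked up front. The following is an added example, not part of the original openrc file; the function names and the 300-second default margin are assumptions, and it requires GNU date.

```bash
# Added example. Function names and the 300-second margin are assumptions.
# Requires GNU date (for the -d option).

# Print the seconds left until an expiry timestamp in the format shown above
# (e.g. 2018-08-21T09:31:14+0000). $2 is "now" in epoch seconds (default: the
# current time). Returns 2 if the timestamp is empty or cannot be parsed.
token_seconds_left() {
  # An empty string would be parsed by date as "today 00:00", so reject it.
  [ -n "$1" ] || return 2
  tsl_expires=$(printf '%s' "$1" | tr 'T' ' ')
  tsl_now=${2:-$(date -u +%s)}
  tsl_epoch=$(date -u -d "$tsl_expires" +%s 2>/dev/null) || return 2
  echo $(( tsl_epoch - tsl_now ))
}

# Succeed (exit 0) when the token should be renewed: it expires within
# $2 seconds (default 300), has already expired, or cannot be parsed.
# $3 is an optional "now" in epoch seconds.
token_needs_refresh() {
  tnr_left=$(token_seconds_left "$1" "$3") || return 0
  [ "$tnr_left" -lt "${2:-300}" ]
}

# Ask for the expiry with the command from this page and warn when the
# openrc file should be sourced again. $1 is the margin in seconds.
check_openstack_token() {
  cot_expires=$(openstack token issue -f value -c expires 2>/dev/null) \
    || cot_expires=""
  if token_needs_refresh "$cot_expires" "${1:-300}"; then
    echo "Token missing, expired or expiring soon; source the openrc file again." >&2
    return 1
  fi
  echo "Token valid until $cot_expires"
}
```

Run `check_openstack_token 3600` before starting a job that is expected to take up to an hour.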

The complex approach

Some OpenStack users have multiple projects, maybe even across multiple OpenStack clouds. These users might want a more elaborate openrc file, so that the same file can be used for all projects and clouds. An example of such a file will be added soon.
