Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Openstack Identity v3 support #679

Closed
stenstad opened this Issue Mar 2, 2015 · 10 comments

Comments

Projects
None yet
3 participants
@stenstad
Copy link

stenstad commented Mar 2, 2015

Gophercloud supports the Openstack Identity v3 API, wich brings in a lot of new features. It has been the preferred API since Openstack Havana (2013), and the v2 API is somewhat deprecated.

http://gophercloud.io/docs/identity/v3/

Could you look into supporting the new auth mechanisms?

If you need access to an Openstack cloud with V3 API for testing I can arrange that.

We only support the v3 API since we are using domains and other related features.

For the Docker Machine use case, the v3 API is mostly used for acquiring a project scoped authtoken to talk to the nova, neutron etc. APIs.

@ggiamarchi

This comment has been minimized.

Copy link
Contributor

ggiamarchi commented Mar 2, 2015

+1

I can work on this one. I'll do a PR in a few days.

@stenstad

This comment has been minimized.

Copy link
Author

stenstad commented Mar 6, 2015

@ggiamarchi That's awesome, it's hard for us that use V3 domains. :-)

@ggiamarchi

This comment has been minimized.

Copy link
Contributor

ggiamarchi commented Mar 31, 2015

In order to implement it correctly, there were some work to do in gophercloud to fix things in keystone v3 implementation. I have just submit this pull request rackspace/gophercloud#408

Then, the work in docker-machine is pretty easy, i'm on it.

ggiamarchi added a commit to ggiamarchi/machine that referenced this issue Apr 3, 2015

Support Keystone v3 domains
Fix docker#679

Signed-off-by: Guillaume Giamarchi <guillaume.giamarchi@gmail.com>

ggiamarchi added a commit to ggiamarchi/machine that referenced this issue Apr 9, 2015

Support Keystone v3 domains
Fix docker#679

Signed-off-by: Guillaume Giamarchi <guillaume.giamarchi@gmail.com>
@ggiamarchi

This comment has been minimized.

Copy link
Contributor

ggiamarchi commented Apr 9, 2015

@stenstad Can you test the PR #955 against your OpenStack domains ? It would be great in order to validate this work. From my part, i have tested it against a devstack installation.

@stenstad

This comment has been minimized.

Copy link
Author

stenstad commented Apr 16, 2015

@ggiamarchi Hi, sorry for answering so late. Identity seems to work now! I am still not able to actually launch a working VM yet, but I assume that is not related to the identity part.

A few things I have noticed:

There should be a check for more environment variables. Some of them are new and/or have changed names.

OS_TENANT_ID is now OS_PROJECT_ID.
OS_TENANT_NAME is now OS_PROJECT_NAME
OS_DOMAIN_NAME is not necesarily set, OS_PROJECT_DOMAIN_NAME and/or OS_USER_DOMAIN_NAME might be set instead.

@stenstad

This comment has been minimized.

Copy link
Author

stenstad commented Apr 16, 2015

@ggiamarchi It works now! Awesome.

@stenstad

This comment has been minimized.

Copy link
Author

stenstad commented Apr 16, 2015

@ggiamarchi Actually, OS_DOMAIN_NAME is used for scoping to a domain and not a project/tenant. If it is defined python-openstackclient complains.

@stenstad

This comment has been minimized.

Copy link
Author

stenstad commented Apr 17, 2015

@ggiamarchi Seems like Openstack Client has upgraded their docs regarding auth, explaining what is needed and used for v3 auth with regards to scoping:

https://github.com/openstack/python-openstackclient/blob/master/doc/source/authentication.rst

ravolt added a commit to ravolt/docker-machine that referenced this issue May 10, 2015

Support Keystone v3 domains
Fix docker#679

Signed-off-by: Guillaume Giamarchi <guillaume.giamarchi@gmail.com>
@zhoutiekui

This comment has been minimized.

Copy link

zhoutiekui commented Apr 28, 2017

@stenstad the current authentication method only supports domain scope authentication rather than project scope authentication. Is there a workaround about this, cause our platform only supports project scope authentication. thanks

@stenstad

This comment has been minimized.

Copy link
Author

stenstad commented May 3, 2017

@zhoutiekui Hi, I don't understand your problem. You scope to a project, not a domain. If you have not implemented domains in your Keystone setup, i.e. you basically use a Keystone v2 setup, just use the domain "default". Read the original blueprint here: https://blueprints.launchpad.net/keystone/+spec/default-domain

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.