Documentation about Openstack Keystone v2/v3 usage #214
Go to http://44ce6b87f08c84c4a336-587a4214cfc62e403204a0b0eced474e.r98.cf5.rackcdn.com/ to review your changes.
Go to http://e8a2320cb8ee7328bc9a-98112aaa434232edc359e0c94cafc2fa.r90.cf5.rackcdn.com/ to review your changes.
Go to http://4c17ddefb1e1845a6081-9bb6552a57750bbb30de030b38a1ebcc.r36.cf5.rackcdn.com/ to review your changes.
Go to http://d6762342ecf65bd47950-3e336ecb7f68d8dda5e5d435de17b0ef.r3.cf5.rackcdn.com/ to review your changes.
Some tries about code & list typo, the last looks fine: Openstack Keystone v2-v3 authentication
thanks @axel3rd it is super useful!
I've left some comments mainly on the snippets: please address them and edit the document accordingly, i.e. if you replace `Some.class` with `NovaApi.class` make sure you do it all over the places.
Thanks
guides/openstack.md
Outdated
* On v2: *tenant*, *user*, *password*. | ||
* On v3: a *project* (new name for *tenant*), an authentication *domain* for this *project*, a *user*, an authentication *domain* for this *user* (the two domains can be different). | ||
|
||
JClouds provide backward compatibility between keystone v2-v3 ... but you should have following section in mind to fully understand the authentication on your Openstack platform (in addition of blog: [OpenStack Keystone V3 Support](https://jclouds.apache.org/blog/2018/01/16/keystone-v3/)). |
please use `jclouds` or `Apache jclouds`
`provides` instead of `provide`
This snippet: | ||
{% highlight java %} | ||
final Properties overrides = new Properties(); | ||
overrides.put(KeystoneProperties.KEYSTONE_VERSION, "2"); |
isn't `KEYSTONE_VERSION=2` the default?
According to the Javadoc the default is 3; but I have not verified or really measured the impact of not providing this property ...
thanks @axel3rd for the quick update
I think from nova code https://github.com/jclouds/jclouds/blob/master/apis/openstack-nova/src/main/java/org/jclouds/openstack/nova/v2_0/NovaApiMetadata.java#L74 the default keystone version is 3 but the extra property would probably not hurt
I'd leave it here for clarity. Also as we move forward version 2 will be eventually deprecated and removed, so better encourage users to be explicit about the version being used.
guides/openstack.md
Outdated
final Properties overrides = new Properties(); | ||
overrides.put(KeystoneProperties.KEYSTONE_VERSION, "2"); | ||
|
||
ContextBuilder.newBuilder(new SomeApiMetadata()) |
why `new SomeApiMetadata()`? wouldn't it be clear with something as generic as openstack-nova
guides/openstack.md
Outdated
.endpoint("https://host:5000/v2.0") | ||
.credentials("myTenant:foo", "bar") | ||
.overrides(overrides) | ||
.buildApi(Some.class); |
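Review bot: the `.credentials("myTenant:foo", "bar")` line packs tenant and user into one colon-separated identity string without saying so. A trailing comment such as `// tenantName:userName`, the form the JCloudsNova sample in the later hunk already carries, would tell readers which half is which and that the second argument is the password.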
why `Some.class` here? I think `NovaApi.class` is a bit better, as it is now in http://jclouds.apache.org/guides/openstack/#nova, wdyt?
Go to http://393f4caa8037a748294f-756fd4e7d22e69a6f0ff4346cb78ae2b.r35.cf5.rackcdn.com/ to review your changes.
@andreaturli : Thanks for grammar fix & suggestions. Fixed in Keystone v2-v3 authentication. Except about
Actually @axel3rd I think we should somehow edit
wdyt?
I hesitated to do that ... but the current snippet makes explicit how to retrieve an API (nova, swift, ...) even if v2 is deprecated (v3 needs more code). Perhaps a consensus could be to add a comment before
One minor comment, but it would help readability if you format the generated json auth example.
Go to http://ae4404efef77109c76ca-bf5e3651b7ed971bf54720901bab17d5.r49.cf5.rackcdn.com/ to review your changes.
Go to http://eb3572d47d95412306ae-9ba5d3580b14e830c75c09652bfd2f59.r53.cf5.rackcdn.com/ to review your changes.
Done (without new-line-comma for json, to reduce lines number). Last proposal: Keystone v2-v3 authentication (and following)
Thanks! LGTM.
Since you reference a new keystone property I'd hold this and merge once the changes in Keystone are merged and the new property exists.
Yes ... and perhaps some minor change on properties name in progress ...
thanks @axel3rd
Go to http://ad99be29f1570e3a80bb-ec8c9f9fa769d9cd6f2ad277a7469fe8.r48.cf5.rackcdn.com/ to review your changes.
Done, 1 line changed:
Linked with jclouds#1204.
Changes merged and published to the website. Thanks @axel3rd!
@nacx : As a "new feature", I didn't think it could be integrated in v2.1.x, I will be attentive to the roadmap because this PR doc is perhaps not true: Keystone v2-v3 authentication (v3: Project-scoped)
We can change that. As long as the feature does not break backward compat, I see no problem in adding it in the next bugfix release. It will help adoption and facilitate early testing.
So very valuable 2 characters PR ^^ : #215
Often these tiny PRs get more review comments and change requests than thousand lines ones! :)
@@ -92,6 +93,220 @@ There are some differences in terminology between jclouds and OpenStack that sho | |||
</div> | |||
</div> | |||
|
|||
## <a id="keystone"></a>Keystone v2-v3 authentication | |||
|
|||
Openstack Keystone (aka: [OpenStack Identity Service](https://docs.openstack.org/keystone/latest/)) has major changes between v2 and v3 (detail. [Identity API v2.0 and v3 History](https://docs.openstack.org/keystone/latest/contributor/http-api.html)). |
[minor] Quite a few instances of "Openstack" (lowercase `s`) rather than "OpenStack" here - is that worth cleaning up?
In official documentation, "S" is in uppercase. I can do the cleanup one way or the other, but we should choose :)
|
||
Openstack Keystone (aka: [OpenStack Identity Service](https://docs.openstack.org/keystone/latest/)) has major changes between v2 and v3 (detail. [Identity API v2.0 and v3 History](https://docs.openstack.org/keystone/latest/contributor/http-api.html)). | ||
|
||
Basically to login, you should provide: |
[minor] Drop "basically"; just "To login, provide:"?
* On v2: *tenant*, *user*, *password*. | ||
* On v3: a *project* (new name for *tenant*), an authentication *domain* for this *project*, a *user*, an authentication *domain* for this *user* (the two domains can be different). | ||
|
||
jclouds provides backward compatibility between keystone v2-v3 ... but you should have following section in mind to fully understand the authentication on your Openstack platform (in addition of blog: [OpenStack Keystone V3 Support](https://jclouds.apache.org/blog/2018/01/16/keystone-v3/)). |
[minor] "...compatibility between Keystone v2 and v3, but you should keep the following in mind to fully understand authentication against your OpenStack platform:
lots of examples
See also the recent "OpenStack Keystone v3 Support" blog post.
Will produce when authentication needed: | ||
|
||
POST https://host:5000/v2.0/tokens HTTP/1.1 | ||
{ |
Is there any particular benefit to trying to list the request so exactly here? In my experience, these are the parts of documentation that go stale very quickly.
Can we instead either give the code samples to the user and explain how they can configure logging to see what exactly is being sent (if that is necessary), or describe this a bit more abstractly, e.g. in form of a table?
Configuring logging to see what exactly is sent is simple (jclouds write the property to set to `true` and SLF4J in debug).
The (little) difficulty in jclouds authentication usage is the option to configure. It depends mainly on OpenStack platform configuration (v2, v3, domains, ...) ... and some manual REST tries on token endpoint could be required to see what is supported by the platform.
So these snippets are to help the user on jclouds usage when it has found its way of authentication on OpenStack.
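The comment above points at the token endpoint and at what differs between v2 and v3. As an added example (not part of this thread, the PR, or jclouds), the Python sketch below builds both password-authentication requests from the fields the new section lists and masks the password before a body is written to a debug log. The function names are hypothetical, the host and credentials are constructed placeholders modelled on the snippet under review, and the JSON layouts follow the Keystone Identity API v2.0 and v3.

```python
import json


def v2_token_request(base, tenant, user, password):
    """Keystone v2.0 needs tenant, user and password."""
    body = {"auth": {
        "passwordCredentials": {"username": user, "password": password},
        "tenantName": tenant,
    }}
    return "POST", base.rstrip("/") + "/v2.0/tokens", body


def v3_token_request(base, project, project_domain, user, user_domain, password):
    """Keystone v3, project-scoped: user and project each carry their own domain."""
    body = {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": user,
                                  "domain": {"name": user_domain},
                                  "password": password}},
        },
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}},
    }}
    return "POST", base.rstrip("/") + "/v3/auth/tokens", body


def redact(node):
    """Copy a request body for logging, masking every string stored under 'password'."""
    if isinstance(node, dict):
        return {k: "***" if k == "password" and isinstance(v, str) else redact(v)
                for k, v in node.items()}
    if isinstance(node, list):
        return [redact(item) for item in node]
    return node


if __name__ == "__main__":
    # Constructed placeholders: host, names and password are sample values only.
    base = "https://host:5000"
    requests_to_try = [
        v2_token_request(base, "myTenant", "foo", "bar"),
        v3_token_request(base, "myProject", "Default", "foo", "Default", "bar"),
    ]
    for method, url, body in requests_to_try:
        print(method, url)
        print(json.dumps(redact(body), indent=2))
```

Only the redacted copy should reach a log; the original body, which still holds the password, is what gets sent to the token endpoint over HTTPS.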
@@ -146,6 +361,7 @@ public class JCloudsNova implements Closeable { | |||
String identity = "demo:demo"; // tenantName:userName | |||
String credential = "devstack"; | |||
|
|||
// Please refer to 'Keystone v2-v3 authentication' chapter for complete authentication use case |
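Review bot: the added pointer sits under `String identity = "demo:demo"; // tenantName:userName`, which documents only the v2 identity form, while the new section says v3 also needs a domain for the user and one for the project; the comment should say that the values shown here are the v2 form. The sample also keeps `credential` as a string literal in source, so a short remark that real credentials belong in configuration or the environment would keep readers from copying that pattern.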
[minor] "section" rather than "chapter"? Also, should this comment perhaps come before the declaration of `String identity`?
@demobox : Thanks for the review. I will do it in a // PR (this one merged) after feedback on my remarks.
Thanks for taking a look! I should add that I think most of my comments are minor, and it's also fine to leave things as they are unless we feel there's really a good reason for a follow-up PR. And thanks for helping improve the jclouds documentation, of course!
See JCLOUDS-1414, documentation about Openstack keystone v2/v3 usage