Using Identity Features

The Metacloud Identity service provides a single point of integration for managing authentication, authorization, and services. Other Metacloud services use the Identity service as a common unified API. Additionally, services that provide information about users but that are not included in Metacloud (such as LDAP services) can be integrated into a pre-existing infrastructure.

When a Metacloud service receives a request from a user, it checks with the Identity service whether the user is authorized to make the request.

Note
A user can be assigned as an admin in one project and a member in a different project.

Using the Identity Service

The Identity service provides identity, token, catalog, and policy services. It consists of:

  • Keystone Web Server Gateway Interface (WSGI) service—Can be run in a WSGI-capable web server such as Apache httpd to provide the Identity service. The service and administrative APIs are run as separate instances of the WSGI service.

  • Identity service functions—Each has a pluggable back end that allows different ways to use the particular service. Most support standard back ends such as LDAP or SQL.

  • keystone-all—Starts both the service and administrative APIs in a single process. Federation is not supported with keystone-all. keystone-all is deprecated in favor of the WSGI service and will be removed in the Newton release.

The Identity service also maintains a user that corresponds to each service, such as a user named nova for the Compute service, and a special service project called service.

Using the Identity Service from the Command Line

Prerequisites—You must prepare your environment to access the command-line interface:

The Identity API v3.0 is available with Metacloud 4.0 and later. To use the Identity v2.0 API with Metacloud 4.0 or later, you may have to override environment variables that were previously set. You must configure the following:

  • Must be a member of the default domain. Only those users can make v2.0 calls to the Identity API.
  • Must not have OS_IDENTITY_API_VERSION=3 in the environment variables when using CLI commands. If you sourced a downloaded RC file, use unset OS_IDENTITY_API_VERSION to clear this variable in your current environment.
  • Must confirm the domain name with the OS_PROJECT_DOMAIN_ID environment variable setting.
  • Must have OS_PROJECT_NAME set to default in the environment variable setting.

Note
When using the openstack client with Identity v2.0, each command returns the message: Ignoring domain related config user_domain_id because identity API version is 2.0.

Using Tokens

The following examples use a token, either set in an environment variable or passed as a command-line argument. See Using Tokens for more information.

To specify a token in your environment variables:

$ export OS_SERVICE_ENDPOINT=http://api-az.client.metacloud.net:5000/v2.0/
$ export OS_SERVICE_TOKEN=secret_token
$ openstack user list --domain <DOMAIN_NAME>
$ openstack project create demo

To override authentication using a token and an endpoint in command-line arguments:

$ openstack --os-token secret_token --os-endpoint http://api-az.client.metacloud.net:5000/v2.0/ user list
$ openstack --os-token secret_token --os-endpoint http://api-az.client.metacloud.net:5000/v2.0/ project create demo

Using a User Name, Password, and Project Combination

The following examples use a user name, password, and project combination when specifying environment variables and including them in command-line arguments.

Note
If you get an HTTP 401 error (The request you have made requires authentication) for CLI commands, make sure you are using admin credentials and that you have indicated the domain context for the command using either the --domain or --user-domain parameter. When using the Identity v3 API on Metacloud 4.0 and later versions, you must indicate the domain context for the user.

To specify your user name combination in your environment variables:

$ export OS_USERNAME=admin
$ export OS_PASSWORD=secretPass
$ export OS_PROJECT_NAME=admin
$ openstack user list --domain <DOMAIN_NAME>
$ openstack project create demo

To override the user name combination in command-line arguments:

$ openstack --os-username admin --os-password secretPass --os-project-name admin user list
$ openstack --os-username admin --os-password secretPass --os-project-name admin project create demo
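The following preflight check is an added example, not part of the Metacloud documentation or the openstack client. It tests the current shell environment against the Identity v2.0 prerequisites listed above and against the two credential methods (service token with endpoint, or user name with password) shown in the examples; the variable names are taken from this page, the check logic itself is illustrative.

```shell
#!/bin/sh
# Added example: verify that the shell environment satisfies the Identity v2.0
# prerequisites before running openstack CLI commands. Variable names are the
# ones used on this page; the checks are an illustrative reading of its rules.

# Prints one line per problem found and returns the number of problems,
# so a zero exit status means the environment is ready for v2.0 calls.
check_identity_v2_env() {
    problems=0
    # OS_IDENTITY_API_VERSION=3 forces v3 calls; a sourced RC file often sets it.
    if [ "${OS_IDENTITY_API_VERSION:-}" = "3" ]; then
        echo "OS_IDENTITY_API_VERSION=3 is set: run 'unset OS_IDENTITY_API_VERSION'"
        problems=$((problems + 1))
    fi
    # The domain context must be confirmed for v2.0 callers in the default domain.
    if [ -z "${OS_PROJECT_DOMAIN_ID:-}" ]; then
        echo "OS_PROJECT_DOMAIN_ID is not set"
        problems=$((problems + 1))
    fi
    # The prerequisites require OS_PROJECT_NAME to be set to default.
    if [ "${OS_PROJECT_NAME:-}" != "default" ]; then
        echo "OS_PROJECT_NAME is '${OS_PROJECT_NAME:-}', expected 'default'"
        problems=$((problems + 1))
    fi
    # Credentials: either a service token together with its endpoint, or a
    # user name and password. Without one of these the API answers HTTP 401.
    if [ -n "${OS_SERVICE_TOKEN:-}" ]; then
        if [ -z "${OS_SERVICE_ENDPOINT:-}" ]; then
            echo "OS_SERVICE_TOKEN is set but OS_SERVICE_ENDPOINT is not"
            problems=$((problems + 1))
        fi
    elif [ -z "${OS_USERNAME:-}" ] || [ -z "${OS_PASSWORD:-}" ]; then
        echo "no credentials: set OS_SERVICE_TOKEN/OS_SERVICE_ENDPOINT or OS_USERNAME/OS_PASSWORD"
        problems=$((problems + 1))
    fi
    return "$problems"
}
```

Source the file and run check_identity_v2_env after sourcing your RC file; a non-zero exit status lists what still has to be fixed before the CLI commands above will authenticate.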

Working with User Self-management Capabilities

Metacloud provides multiple ways for users to change their passwords. See Understanding Metacloud Identity in the User Guide.