The Metacloud Identity service provides a single point of integration for managing authentication, authorization, and services. Other Metacloud services use the Identity service as a common unified API. Additionally, services that provide information about users but that are not included in Metacloud (such as LDAP services) can be integrated into a pre-existing infrastructure.
When a Metacloud service receives a request from a user, it checks with the Identity service whether the user is authorized to make the request.
Note A user can be assigned as an admin in one project and a member in a different project.
Using the Identity Service
The Identity service provides identity, token, catalog, and policy services. It consists of:
Keystone Web Server Gateway Interface (WSGI) service—Can be run in a WSGI-capable web server such as Apache httpd to provide the Identity service. The service and administrative APIs are run as separate instances of the WSGI service.
Identity service functions—Each has a pluggable back end that allow different ways to use the particular service. Most support standard back ends like LDAP or SQL.
keystone-all—Starts both the service and administrative APIs in a single process. Using federation with keystone-all is not supported. keystone-all is deprecated in favor of the WSGI service. Also, this will be removed in Newton.
The Identity service also maintains a user that corresponds to each service, such as, a user named
nova for the Compute service, and a special service project called
Using the Identity Service from the Command Line
Prerequisites—You must prepare your environment to access the command-line interface:
The Identity API v3.0 is available with Metacloud 4.0 and later. To use the Identity v2.0 API with Metacloud 4.0 or later, you may have to override environment variables that were previously set. You must configure the following:
- Must be a member of the default domain. Only those users can make v2.0 calls to the Identity API.
- Must not have
OS_IDENTITY_API_VERSION=3in the environment variables when using CLI commands. If you sourced a downloaded RC file, use
unset OS_IDENTITY_API_VERSIONto clear this variable in your current environment.
- Must confirm the domain name with the
OS_PROJECT_DOMAIN_IDenvironment variable setting.
- Must have
OS_PROJECT_NAMEset to default in the environment variable setting.
When using the
openstackclient with Identity v2.0, each command returns the message:
Ignoring domain related config user_domain_id because identity API version is 2.0.
The following examples use tokens for specifying an environment variable or including in a command-line argument. See Using Tokens for more information.
To specify a token in your environment variables:
$ export OS_SERVICE_ENDPOINT=http://api-az.client.metacloud.net:5000/v2.0/ $ export OS_SERVICE_TOKEN=secret_token $ openstack user list --domain <DOMAIN_NAME> $ openstack project create demo
To override authentication using a token and an endpoint in command-line arguments:
$ openstack --os-token secret_token --os-endpoint http://api-az.client.metacloud.net:5000/v2.0/ user list $ openstack --os-token secret_token --os-endpoint http://api-az.client.metacloud.net:5000/v2.0/ project create demo
Using a User Name, Password, and Project Combination
The following examples use a user name, password, and project combination when specifying environment variables and including them in command-line arguments.
If you get an HTTP 401 error (The request you have made requires authentication) for CLI commands, make sure you are using admin credentials and that you have indicated the domain context for command using either the
--user-domainparameters. When using the Identity v3 API on Metacloud 4.0 and later versions, you must indicate the domain context for the user.
To specify your user name combination in your environment variables:
$ export OS_USERNAME=admin $ export OS_PASSWORD=secretPass $ export OS_PROJECT_NAME=admin $ openstack user list --domain <DOMAIN_NAME> $ openstack project create demo
To override the user name combination in command-line arguments:
$ openstack --os-username admin --os-password secretPass --os-project-name admin user list $ openstack --os-username admin --os-password secretPass --os-project-name admin project create demo
Working with User Self-management Capabilities
Metacloud provides multiple ways for users to change their passwords. See Understanding Metacloud Identity in the User Guide.