@alistairncoles
Last active January 6, 2019 01:16
keystone v3 setup
EXAMPLE:
(keystone-v3-setup.sh script will perform first few steps using role 'admin')
# Create a domain named d1 (note use of --os-url and --os-token to manage keystone)
anc@u128:~$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN domain create d1
+---------+----------------------------------------------------------------------------------------+
| Field   | Value                                                                                  |
+---------+----------------------------------------------------------------------------------------+
| enabled | True                                                                                   |
| id      | b91b1a2be2784448a44f82ed1feafef8                                                       |
| links   | {u'self': u'http://u132.localdomain:5000/v3/domains/b91b1a2be2784448a44f82ed1feafef8'} |
| name    | d1                                                                                     |
+---------+----------------------------------------------------------------------------------------+
# Create a project named p1 in domain d1
anc@u128:~$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN project create p1 --domain d1
+-------------+-----------------------------------------------------------------------------------------+
| Field       | Value                                                                                   |
+-------------+-----------------------------------------------------------------------------------------+
| description |                                                                                         |
| domain_id   | b91b1a2be2784448a44f82ed1feafef8                                                        |
| enabled     | True                                                                                    |
| id          | 3a64e71a64a84c4796b93b109cd2b5ba                                                        |
| links       | {u'self': u'http://u132.localdomain:5000/v3/projects/3a64e71a64a84c4796b93b109cd2b5ba'} |
| name        | p1                                                                                      |
+-------------+-----------------------------------------------------------------------------------------+
# Create a user named u1 in domain d1
anc@u128:~$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN user create u1 --domain d1 --password testing
+-----------+--------------------------------------------------------------------------------------+
| Field     | Value                                                                                |
+-----------+--------------------------------------------------------------------------------------+
| domain_id | b91b1a2be2784448a44f82ed1feafef8                                                     |
| enabled   | True                                                                                 |
| id        | f227284da36849a39b29db3798d00979                                                     |
| links     | {u'self': u'http://u132.localdomain:5000/v3/users/f227284da36849a39b29db3798d00979'} |
| name      | u1                                                                                   |
+-----------+--------------------------------------------------------------------------------------+
# Create a role named swiftoperator
anc@u128:~$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN role create swiftoperator
+-------+--------------------------------------------------------------------------------------+
| Field | Value                                                                                |
+-------+--------------------------------------------------------------------------------------+
| id    | 587f0885f6174436bd1cd5b0862324b2                                                     |
| links | {u'self': u'http://u132.localdomain:5000/v3/roles/587f0885f6174436bd1cd5b0862324b2'} |
| name  | swiftoperator                                                                        |
+-------+--------------------------------------------------------------------------------------+
# Assign user u1 the role swiftoperator on project p1
anc@u128:~$ openstack --os-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-token=ADMIN role add --user u1 --project p1 swiftoperator
# Use swiftclient (from https://review.openstack.org/#/c/91788/) to stat the account (note -V 3 option and /v3 at end of auth url)
anc@u128:~$ swift --os-auth-url http://u132.localdomain:5000/v3 --os-username u1 --os-user-domain-name d1 --os-project-name p1 --os-project-domain-name d1 --os-password testing -V 3 stat
No handlers could be found for logger "keystoneclient.httpclient"
Account: AUTH_3a64e71a64a84c4796b93b109cd2b5ba
Containers: 0
Objects: 0
Bytes: 0
Content-Type: text/plain; charset=utf-8
X-Timestamp: 1406021227.61343
X-Trans-Id: tx405d56d8da1a454492a58-0053ce2e6b
X-Put-Timestamp: 1406021227.61343
# Create a container
anc@u128:~$ swift --os-auth-url http://u132.localdomain:5000/v3 --os-username u1 --os-user-domain-name d1 --os-project-name p1 --os-project-domain-name d1 --os-password testing -V 3 post c1
No handlers could be found for logger "keystoneclient.httpclient"
# List the account containers using swift
anc@u128:~$ swift --os-auth-url http://u132.localdomain:5000/v3 --os-username u1 --os-user-domain-name d1 --os-project-name p1 --os-project-domain-name d1 --os-password testing -V 3 list
No handlers could be found for logger "keystoneclient.httpclient"
c1
# List the account containers using openstackclient (note now using --os-auth-url and user credentials)
anc@u128:~$ openstack --os-auth-url http://u132.localdomain:5000/v3 --os-identity-api-version 3 --os-username u1 --os-user-domain-name d1 --os-project-name p1 --os-project-domain-name d1 --os-password testing container list
WARNING: keystoneclient.httpclient Failed to retrieve management_url from token
+------+
| Name |
+------+
| c1   |
+------+
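What the `-V 3` swift invocation above actually sends, and what Swift then makes of the token, as an added example in Python (not code from the gist, swiftclient or keystoneauth): it builds the Keystone v3 password-auth request body for user u1 in domain d1 scoped to project p1 in domain d1, then applies the account mapping and operator-role check that Swift's keystoneauth middleware performs to a token response. The default AUTH_ reseller prefix plus the project id is where the `AUTH_3a64e71a...` account name in the stat output comes from. The token response JSON is constructed here from the ids in the session above; nothing is sent over the network.

```python
"""Keystone v3 password auth body and keystoneauth-style account mapping.

Added example, not part of the gist. The request body shape is the
documented POST /v3/auth/tokens format; the response below is a constructed
sample with the ids from the session above, not captured output.
"""
import json

RESELLER_PREFIX = "AUTH_"                     # keystoneauth default reseller prefix
OPERATOR_ROLES = {"admin", "swiftoperator"}   # operator_roles from proxy-server.conf


def v3_password_auth_body(username, user_domain, password, project, project_domain):
    """Body that `swift -V 3` / openstackclient POST to {auth_url}/auth/tokens."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        # v3 user names are only unique within a domain, so the
                        # user must be qualified by --os-user-domain-name
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            # Likewise the project scope needs --os-project-domain-name
            "scope": {
                "project": {"name": project, "domain": {"name": project_domain}}
            },
        }
    }


def authorize_token(token_body, operator_roles=OPERATOR_ROLES, prefix=RESELLER_PREFIX):
    """Map a validated v3 token to a Swift account and decide whether the
    holder is an operator on it. Returns (account, is_operator)."""
    token = token_body["token"]
    project = token.get("project")
    if project is None:
        # Unscoped or domain-scoped token: no project, hence no account
        return None, False
    account = prefix + project["id"]
    roles = {r["name"] for r in token.get("roles", [])}
    return account, bool(roles & operator_roles)


# Constructed sample of a scoped token response (catalog etc. omitted)
SAMPLE_TOKEN_RESPONSE = json.loads("""
{"token": {
   "user": {"id": "f227284da36849a39b29db3798d00979", "name": "u1",
            "domain": {"id": "b91b1a2be2784448a44f82ed1feafef8", "name": "d1"}},
   "project": {"id": "3a64e71a64a84c4796b93b109cd2b5ba", "name": "p1",
               "domain": {"id": "b91b1a2be2784448a44f82ed1feafef8", "name": "d1"}},
   "roles": [{"id": "587f0885f6174436bd1cd5b0862324b2", "name": "swiftoperator"}]
}}
""")

if __name__ == "__main__":
    print(json.dumps(v3_password_auth_body("u1", "d1", "testing", "p1", "d1"), indent=2))
    print(authorize_token(SAMPLE_TOKEN_RESPONSE))  # ('AUTH_3a64e71a64a84c4796b93b109cd2b5ba', True)
```

Note that a token scoped to the project but carrying only a non-operator role maps to the same account yet is refused operator access, which is exactly why the role assignment step above matters as much as creating the user.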
#!/bin/bash
# usage: <prog> <identity endpoint> [os-token]
# e.g. <prog> http://hostname:5000/v3 ADMIN
# hostname could be standalone keystone service or devstack keystone service
# sets up a project p1 and user u1 with admin role in domain d1
if [ -z "$1" ]; then
    echo "usage: $0 <identity endpoint> [os-token]" >&2
    exit 1
fi
OS_URL="$1"
# second argument is the keystone admin token; defaults to ADMIN
OS_TOKEN="${2:-ADMIN}"
echo "$OS_TOKEN"
# Create a domain named d1 (note use of --os-url and --os-token to manage keystone)
openstack --os-url "$OS_URL" --os-identity-api-version 3 --os-token="$OS_TOKEN" domain create d1
# Create a project named p1 in domain d1
openstack --os-url "$OS_URL" --os-identity-api-version 3 --os-token="$OS_TOKEN" project create p1 --domain d1
# Create a user named u1 in domain d1
openstack --os-url "$OS_URL" --os-identity-api-version 3 --os-token="$OS_TOKEN" user create u1 --domain d1 --password testing
# Create a role named admin
openstack --os-url "$OS_URL" --os-identity-api-version 3 --os-token="$OS_TOKEN" role create admin
# Assign user u1 the role admin on project p1
openstack --os-url "$OS_URL" --os-identity-api-version 3 --os-token="$OS_TOKEN" role add --user u1 --project p1 admin
If you *don't* want to use devstack, then you need to set up keystone yourself:
# keystone setup: http://docs.openstack.org/developer/keystone/setup.html
# The following assumes the default admin token auth is enabled in keystone, see:
# http://docs.openstack.org/developer/keystone/configuringservices.html#admin-token
# http://docs.openstack.org/developer/keystone/configuration.html#authenticating-with-a-token
# (enabled by default, as far as I recall)
* Copy keystone/etc/keystone.conf to $HOME
* To use UUID token rather than pki set this option in keystone.conf:
provider=keystone.token.providers.uuid.Provider
* Before running keystone, do prep steps:
http://docs.openstack.org/developer/keystone/configuration.html#preparing-your-deployment
* To run in debug mode:
cd $HOME
./keystone/bin/keystone-all --debug
(should see keystone.db in $HOME)
# Setup swift service in keystone
http://docs.openstack.org/developer/keystone/configuringservices.html#creating-service-users
(keystoneclient is fine for this)
# Install openstackclient for keystone v3 support
# openstack client command help here: https://wiki.openstack.org/wiki/OpenStackClient/Commands
anc@u128:~$ git clone https://github.com/openstack/python-openstackclient.git openstackclient
anc@u128:~$ cd openstackclient
anc@u128:~/openstackclient$ sudo python setup.py install
anc@u128:~/openstackclient$ cd ..
# Swift config: NOTE set auth_version = v3.0 in authtoken filter
in proxy-server.conf:
[filter:authtoken]
log_level = DEBUG
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
delay_auth_decision = true
auth_version = v3.0
auth_port = 35357
auth_host = u132.localdomain
auth_protocol = http
auth_uri = http://u132.localdomain:5000/v2.0
admin_tenant_name = service
admin_user = swift
admin_password = swiftpass
#admin_token = ADMIN
cache = swift.cache
include_service_catalog = False
[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
@alistairncoles

Devstack setup: (see http://devstack.org/guides/single-machine.html)

Three changes required to devstack installation to run swift with v3 domain user/project:

  1. Edit existing variable in devstack/lib/keystone to use UUID token (not required but avoids any header length issues with huge pki tokens):
     KEYSTONE_TOKEN_FORMAT=${KEYSTONE_TOKEN_FORMAT:-UUID}
  2. Enable swift in devstack (see http://devstack.org/configuration.html)
     By default devstack does not run swift, so add line starting 'enable_service...' to devstack/local.conf Swift section:
     enable_service s-proxy s-object s-container s-account
  3. Add line to devstack/lib/swift (line 369 in configure_swift(), section commented # Configure Keystone):
     iniset ${SWIFT_CONFIG_PROXY_SERVER} filter:authtoken auth_version v3.0

% cd devstack
% ./stack.sh

With devstack running, check /etc/swift/proxy-server.conf [filter:authtoken] to verify that auth_version = v3.0 is set.

Run script from this gist to setup a domain, user, project and role in keystone (ADMIN_TOKEN is whatever token/password you gave to devstack when running stack.sh)
% keystone-v3-setup.sh http://devstack-host:5000/v3 <ADMIN_TOKEN>

Now v3 patched swiftclient should be able to create an account:
% swift --os-auth-url http://devstack-host:5000/v3 --os-username u1 --os-user-domain-name d1 --os-project-name p1 --os-project-domain-name d1 --os-password testing -V 3 stat

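A small offline check for the proxy-server.conf settings shown in the swift config section of the gist and that the devstack notes above say to verify, as an added example in Python (not part of the gist): it parses the [filter:authtoken] and [filter:keystoneauth] sections, confirms auth_version = v3.0, confirms the role you granted appears in operator_roles (the reason the script switched to 'admin' on devstack), and flags an active admin_token, since the sample config validates tokens with a service user and leaves admin_token commented out. SAMPLE_PROXY_CONF is constructed here from the values on the page; check_proxy_conf_file() takes a real path such as /etc/swift/proxy-server.conf.

```python
"""Check the authtoken / keystoneauth filters in a Swift proxy-server.conf.

Added example, not part of the gist. SAMPLE_PROXY_CONF is constructed from
the values in the gist's swift config section.
"""
import configparser

SAMPLE_PROXY_CONF = """\
[filter:authtoken]
log_level = DEBUG
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
delay_auth_decision = true
auth_version = v3.0
auth_port = 35357
auth_host = u132.localdomain
auth_protocol = http
auth_uri = http://u132.localdomain:5000/v2.0
admin_tenant_name = service
admin_user = swift
admin_password = swiftpass
#admin_token = ADMIN
cache = swift.cache
include_service_catalog = False

[filter:keystoneauth]
use = egg:swift#keystoneauth
operator_roles = admin, swiftoperator
"""


def load_conf(text):
    # Paste ini files use '#' for whole-line comments only; a '#' inside a
    # value (egg:swift#keystoneauth) must survive, so no inline comment prefixes.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def check_proxy_conf(cp, required_role):
    """Return a list of findings; an empty list means the proxy is set up for
    a v3 domain-scoped user who holds `required_role`."""
    findings = []
    at = cp["filter:authtoken"] if cp.has_section("filter:authtoken") else {}
    ka = cp["filter:keystoneauth"] if cp.has_section("filter:keystoneauth") else {}

    if at.get("auth_version", "").strip() != "v3.0":
        findings.append("authtoken: auth_version must be v3.0 for v3 domain users")
    if at.get("admin_token"):
        # A shared admin token validates every request; the sample config
        # uses a dedicated service user instead and leaves this commented out.
        findings.append("authtoken: admin_token is set; use a service user instead")
    if not (at.get("admin_user") and at.get("admin_password")):
        findings.append("authtoken: no service user configured to validate tokens")

    roles = {r.strip() for r in ka.get("operator_roles", "").split(",") if r.strip()}
    if required_role not in roles:
        findings.append("keystoneauth: role %r is not in operator_roles %s"
                        % (required_role, sorted(roles)))
    return findings


def check_proxy_conf_file(path, required_role):
    """Same check against an on-disk proxy-server.conf."""
    with open(path) as f:
        return check_proxy_conf(load_conf(f.read()), required_role)


if __name__ == "__main__":
    for line in check_proxy_conf(load_conf(SAMPLE_PROXY_CONF), "swiftoperator") or ["ok"]:
        print(line)
```

Run it against the devstack proxy config with the role the setup script assigned; a non-empty list explains a 403 from `swift stat` before you start digging through keystone.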
@alistairncoles

I changed keystone-v3-setup.sh to use role 'admin' because devstack does not configure the 'swiftoperator' role in swift proxy-server.conf
