"Fossies" - the Fresh Open Source Software Archive  

Source code changes of the file "doc/source/user/application_credentials.rst" between
keystone-16.0.1.tar.gz and keystone-17.0.0.tar.gz

About: OpenStack Keystone (Core Service: Identity) provides an authentication and authorization service for other OpenStack services. Provides a catalog of endpoints for all OpenStack services.
The "Ussuri" series (latest release).

application_credentials.rst  (keystone-16.0.1):application_credentials.rst  (keystone-17.0.0)
skipping to change at line 41 skipping to change at line 41
single-signon system. single-signon system.
See the `Identity API reference`_ for more information on authenticating with See the `Identity API reference`_ for more information on authenticating with
and managing application credentials. and managing application credentials.
.. _`Identity API reference`: https://docs.openstack.org/api-ref/identity/v3/ind ex.html#application-credentials .. _`Identity API reference`: https://docs.openstack.org/api-ref/identity/v3/ind ex.html#application-credentials
Managing Application Credentials Managing Application Credentials
================================ ================================
Create an application credential using python-keystoneclient: Create an application credential using python-openstackclient:
.. code-block:: console .. code-block:: console
$ openstack application credential create monitoring $ openstack application credential create monitoring
+--------------+------------------------------------------------------------- ---------------------------+ +--------------+------------------------------------------------------------- ---------------------------+
| Field | Value | | Field | Value |
+--------------+------------------------------------------------------------- ---------------------------+ +--------------+------------------------------------------------------------- ---------------------------+
| description | None | | description | None |
| expires_at | None | | expires_at | None |
| id | 26bb287fd56a41f8a577c47f79221187 | | id | 26bb287fd56a41f8a577c47f79221187 |
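Review bot: the reworded first line of this hunk ("Create an application credential using python-openstackclient") names the right package, since the `openstack` command in the console block directly below ships with python-openstackclient and not with python-keystoneclient, but readers who only know the command will not connect the two; suggest "using the ``openstack`` command from python-openstackclient:" so the package name and the invocation that follows line up. The console block itself passes no `--role` option, and the text never says which roles the credential ends up with or that a subset can be delegated, even though the later Access Rules section starts from "delegating a subset of roles"; a sentence here on how roles are chosen would make that later reference land.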
skipping to change at line 123 skipping to change at line 123
| description | None | | description | None |
| expires_at | None | | expires_at | None |
| id | 5d04e42491a54e83b313aa2625709411 | | id | 5d04e42491a54e83b313aa2625709411 |
| name | monitoring | | name | monitoring |
| project_id | e99b6f4b9bf84a9da27e20c9cbfe887a | | project_id | e99b6f4b9bf84a9da27e20c9cbfe887a |
| roles | Member | | roles | Member |
| secret | vALEOMENxB_QaKFZOA2XOd7stwrhTlqPKrOdrXXM5BORss9u3O6GT-w_HYCP aZbtg96sDPCdtzVARZLpgUOY_g | | secret | vALEOMENxB_QaKFZOA2XOd7stwrhTlqPKrOdrXXM5BORss9u3O6GT-w_HYCP aZbtg96sDPCdtzVARZLpgUOY_g |
| unrestricted | False | | unrestricted | False |
+--------------+------------------------------------------------------------- ---------------------------+ +--------------+------------------------------------------------------------- ---------------------------+
An alternative way to limit the application credential's privileges is to use
:ref:`access_rules`.
You can provide an expiration date for application credentials: You can provide an expiration date for application credentials:
.. code-block:: console .. code-block:: console
$ openstack application credential create monitoring --expiration '2019-02-12 T20:52:43' $ openstack application credential create monitoring --expiration '2019-02-12 T20:52:43'
+--------------+------------------------------------------------------------- ---------------------------+ +--------------+------------------------------------------------------------- ---------------------------+
| Field | Value | | Field | Value |
+--------------+------------------------------------------------------------- ---------------------------+ +--------------+------------------------------------------------------------- ---------------------------+
| description | None | | description | None |
| expires_at | 2019-02-12T20:52:43.000000 | | expires_at | 2019-02-12T20:52:43.000000 |
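Review bot: the added sentence describes access rules as "an alternative way to limit the application credential's privileges", but the new Access Rules section it points to opens with "In addition to delegating a subset of roles to an application credential, you may also delegate more fine-grained access control", which says the opposite relationship: rules apply on top of the delegated roles rather than instead of them. Suggest "Access rules (:ref:`access_rules`) can further restrict an application credential to specific API requests, in addition to limiting its roles." so a reader does not take an access rule as a substitute for scoping the roles, or conclude that a rule can grant a request the roles would not permit.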
skipping to change at line 168 skipping to change at line 171
| description | None | | description | None |
| expires_at | None | | expires_at | None |
| id | 0a0372dbedfb4e82ab66449c3316ef1e | | id | 0a0372dbedfb4e82ab66449c3316ef1e |
| name | monitoring | | name | monitoring |
| project_id | e99b6f4b9bf84a9da27e20c9cbfe887a | | project_id | e99b6f4b9bf84a9da27e20c9cbfe887a |
| roles | Member anotherrole | | roles | Member anotherrole |
| secret | ArOy6DYcLeLTRlTmfvF1TH1QmRzYbmD91cbVPOHL3ckyRaLXlaq5pTGJqvCv qg6leEvTI1SQeX3QK-3iwmdPxg | | secret | ArOy6DYcLeLTRlTmfvF1TH1QmRzYbmD91cbVPOHL3ckyRaLXlaq5pTGJqvCv qg6leEvTI1SQeX3QK-3iwmdPxg |
| unrestricted | True | | unrestricted | True |
+--------------+------------------------------------------------------------- ---------------------------+ +--------------+------------------------------------------------------------- ---------------------------+
.. _access_rules:
Access Rules
============
In addition to delegating a subset of roles to an application credential, you
may also delegate more fine-grained access control by using access rules. For
example, to create an application credential that is constricted to creating
servers in nova, the user can add the following access rules:
.. code-block:: console
openstack application credential create scaler-upper --access-rules '[
{
"path": "/v2.1/servers",
"method": "POST",
"service": "compute"
}
]'
The ``"path"`` attribute of application credential access rules uses a wildcard
syntax to make it more flexible. For example, to create an application
credential that is constricted to listing server IP addresses, you could use
either of the following access rules:
::
[
{
"path": "/v2.1/servers/*/ips",
"method": "GET",
"service": "compute"
}
]
or equivalently:
::
[
{
"path": "/v2.1/servers/{server_id}/ips",
"method": "GET",
"service": "compute"
}
]
In both cases, a request path containing any server ID will match the access
rule. For even more flexibility, the recursive wildcard ``**`` indicates that
request paths containing any number of ``/`` will be matched. For example:
::
[
{
"path": "/v2.1/**",
"method": "GET",
"service": "compute"
}
]
will match any nova API for version 2.1.
An access rule created for one application credential can be re-used by
providing its ID to another application credential. You can list existing access
rules:
.. code-block:: console
$ openstack access rule list
+--------+---------+--------+---------------+
| ID | Service | Method | Path |
+--------+---------+--------+---------------+
| abcdef | compute | POST | /v2.1/servers |
+--------+---------+--------+---------------+
and create an application credential using that rule:
.. code-block:: console
$ openstack application credential create scaler-upper-02 \
--access-rules '[{"id": "abcdef"}]'
Using Application Credentials Using Application Credentials
============================= =============================
Applications can authenticate using the application_credential auth method. For Applications can authenticate using the application_credential auth method. For
a service using keystonemiddleware to authenticate with keystone, the a service using keystonemiddleware to authenticate with keystone, the
auth section would look like this: auth section would look like this:
.. code-block:: ini .. code-block:: ini
[keystone_authtoken] [keystone_authtoken]
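Review bot: the sentence following the `"/v2.1/**"` example ("will match any nova API for version 2.1") overstates what that rule does: the rule as written also carries `"method": "GET"`, so it only matches GET requests under `/v2.1/`, not POST, PUT or DELETE; say "will match any GET request to the compute API at version 2.1", or drop the method from that example if the intent is to show a match-everything rule. Two smaller points in the same hunk: "constricted" in "constricted to creating servers" and "constricted to listing server IP addresses" should be "restricted", and the first console block (`openstack application credential create scaler-upper --access-rules '[`) lacks the `$ ` prompt that every other console block in the file uses (`$ openstack application credential create monitoring`, `$ openstack access rule list`, `$ openstack application credential create scaler-upper-02 \`). It would also help to state what happens to a request that matches no rule, since the section explains matching but never says the non-matching case is rejected.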
End of changes. 3 change blocks. 1 line changed or deleted, 87 lines changed or added.
