Skip to content

Commit d688cb5

Browse files
committed
Add documentation about login with federation
The documentation presents the parameters necessary to authenticate via federation (using password) and do a brief description of each parameter used in the process. Change-Id: Iae3b6d0b56ebd2bbbb94f9f3637b5086e75559a7
1 parent ea35805 commit d688cb5

3 files changed

Lines changed: 183 additions & 19 deletions

File tree

README.rst

Lines changed: 57 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -76,25 +76,63 @@ Configuration
7676
The CLI is configured via environment variables and command-line
7777
options as listed in https://docs.openstack.org/python-openstackclient/latest/cli/authentication.html.
7878

79-
Authentication using username/password is most commonly used::
80-
81-
export OS_AUTH_URL=<url-to-openstack-identity>
82-
export OS_IDENTITY_API_VERSION=3
83-
export OS_PROJECT_NAME=<project-name>
84-
export OS_PROJECT_DOMAIN_NAME=<project-domain-name>
85-
export OS_USERNAME=<username>
86-
export OS_USER_DOMAIN_NAME=<user-domain-name>
87-
export OS_PASSWORD=<password> # (optional)
88-
89-
The corresponding command-line options look very similar::
90-
91-
--os-auth-url <url>
92-
--os-identity-api-version 3
93-
--os-project-name <project-name>
94-
--os-project-domain-name <project-domain-name>
95-
--os-username <username>
96-
--os-user-domain-name <user-domain-name>
97-
[--os-password <password>]
79+
Authentication using username/password is most commonly used:
80+
81+
- For a local user, your configuration will look like the one below::
82+
83+
export OS_AUTH_URL=<url-to-openstack-identity>
84+
export OS_IDENTITY_API_VERSION=3
85+
export OS_PROJECT_NAME=<project-name>
86+
export OS_PROJECT_DOMAIN_NAME=<project-domain-name>
87+
export OS_USERNAME=<username>
88+
export OS_USER_DOMAIN_NAME=<user-domain-name>
89+
export OS_PASSWORD=<password> # (optional)
90+
91+
The corresponding command-line options look very similar::
92+
93+
--os-auth-url <url>
94+
--os-identity-api-version 3
95+
--os-project-name <project-name>
96+
--os-project-domain-name <project-domain-name>
97+
--os-username <username>
98+
--os-user-domain-name <user-domain-name>
99+
[--os-password <password>]
100+
101+
- For a federated user, your configuration will look the so::
102+
103+
export OS_PROJECT_NAME=<project-name>
104+
export OS_PROJECT_DOMAIN_NAME=<project-domain-name>
105+
export OS_AUTH_URL=<url-to-openstack-identity>
106+
export OS_IDENTITY_API_VERSION=3
107+
export OS_AUTH_PLUGIN=openid
108+
export OS_AUTH_TYPE=v3oidcpassword
109+
export OS_USERNAME=<username-in-idp>
110+
export OS_PASSWORD=<password-in-idp>
111+
export OS_IDENTITY_PROVIDER=<the-desired-idp-in-keystone>
112+
export OS_CLIENT_ID=<the-client-id-configured-in-the-idp>
113+
export OS_CLIENT_SECRET=<the-client-secred-configured-in-the-idp>
114+
export OS_OPENID_SCOPE=<the-scopes-of-desired-attributes-to-claim-from-idp>
115+
export OS_PROTOCOL=<the-protocol-used-in-the-apache2-oidc-proxy>
116+
export OS_ACCESS_TOKEN_TYPE=<the-access-token-type-used-by-your-idp>
117+
export OS_DISCOVERY_ENDPOINT=<the-well-known-endpoint-of-the-idp>
118+
119+
The corresponding command-line options look very similar::
120+
121+
--os-project-name <project-name>
122+
--os-project-domain-name <project-domain-name>
123+
--os-auth-url <url-to-openstack-identity>
124+
--os-identity-api-version 3
125+
--os-auth-plugin openid
126+
--os-auth-type v3oidcpassword
127+
--os-username <username-in-idp>
128+
--os-password <password-in-idp>
129+
--os-identity-provider <the-desired-idp-in-keystone>
130+
--os-client-id <the-client-id-configured-in-the-idp>
131+
--os-client-secret <the-client-secred-configured-in-the-idp>
132+
--os-openid-scope <the-scopes-of-desired-attributes-to-claim-from-idp>
133+
--os-protocol <the-protocol-used-in-the-apache2-oidc-proxy>
134+
--os-access-token-type <the-access-token-type-used-by-your-idp>
135+
--os-discovery-endpoint <the-well-known-endpoint-of-the-idp>
98136

99137
If a password is not provided above (in plaintext), you will be interactively
100138
prompted to provide one securely.

doc/source/cli/authentication.rst

Lines changed: 14 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -133,3 +133,17 @@ Thus, a minimal set of environment variables would be:
133133
$ export OS_USERNAME=admin
134134
$ export OS_PASSWORD=secret
135135
$ export OS_PROJECT_NAME=admin
136+
137+
Federated users support
138+
-----------------------
139+
140+
The OpenStackClient also allows the use of Federated users to log in.
141+
It enables one to use the identity providers credentials such as Google or
142+
Facebook to log in the OpenStackClient instead of using the Keystone
143+
credentials.
144+
145+
This is useful in a Federated environment where one credential give access
146+
to many applications/services that the Federation supports. To check how to
147+
configure the OpenStackClient to allow Federated users to log in, please check
148+
the
149+
:ref:`Authentication using federation. <manpage>`

doc/source/cli/man/openstack.rst

Lines changed: 112 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -44,6 +44,7 @@ command line. The primary difference is the use of 'project' in the name of the
4444

4545
* ``token``: Authentication with a token
4646
* ``password``: Authentication with a username and a password
47+
* ``openid`` : Authentication using the protocol OpenID Connect
4748

4849
Refer to the keystoneclient library documentation for more details about these plugins and their options, and for a complete list of available plugins.
4950
Please bear in mind that some plugins might not support all of the functionalities of :program:`openstack`; for example the v3unscopedsaml plugin can deliver only unscoped tokens, some commands might not be available through this authentication method.
@@ -53,6 +54,31 @@ Additionally, it is possible to use Keystone's service token to authenticate, by
5354
.. NOTE::
5455
To use the ``v3unscopedsaml`` method, the lxml package will need to be installed.
5556

57+
AUTHENTICATION USING FEDERATION
58+
-------------------------------
59+
60+
To use federated authentication, your configuration file needs the following:
61+
62+
::
63+
64+
export OS_PROJECT_NAME=<project-name>
65+
export OS_PROJECT_DOMAIN_NAME=<project-domain-name>
66+
export OS_AUTH_URL=<url-to-openstack-identity>
67+
export OS_IDENTITY_API_VERSION=3
68+
export OS_AUTH_PLUGIN=openid
69+
export OS_AUTH_TYPE=v3oidcpassword
70+
export OS_USERNAME=<username-in-idp>
71+
export OS_PASSWORD=<password-in-idp>
72+
export OS_IDENTITY_PROVIDER=<the-desired-idp>
73+
export OS_CLIENT_ID=<the-client-id-configured-in-the-idp>
74+
export OS_CLIENT_SECRET=<the-client-secred-configured-in-the-idp>
75+
export OS_OPENID_SCOPE=<the-scopes-of-desired-attributes-to-claim-from-idp>
76+
export OS_PROTOCOL=<the-protocol-used-in-the-apache2-oidc-proxy>
77+
export OS_ACCESS_TOKEN_TYPE=<the-access-token-type-used-by-your-idp>
78+
export OS_DISCOVERY_ENDPOINT=<the-well-known-endpoint-of-the-idp>
79+
export OS_ACCESS_TOKEN_ENDPOINT=<the-idp-access-token-url>
80+
81+
5682
OPTIONS
5783
=======
5884

@@ -356,6 +382,24 @@ Show the detailed information for server ``appweb01``::
356382
--os-auth-url http://localhost:5000:/v2.0 \
357383
server show appweb01
358384

385+
The same but using openid to authenticate in keystone::
386+
387+
openstack \
388+
--os-project-name ExampleCo \
389+
--os-auth-url http://localhost:5000:/v2.0 \
390+
--os-auth-plugin openid \
391+
--os-auth-type v3oidcpassword \
392+
--os-username demo-idp \
393+
--os-password secret-idp \
394+
--os-identity-provider google \
395+
--os-client-id the-id-assigned-to-keystone-in-google \
396+
--os-client-secret 3315162f-2b28-4809-9369-cb54730ac837 \
397+
--os-openid-scope 'openid email profile'\
398+
--os-protocol openid \
399+
--os-access-token-type access_token \
400+
--os-discovery-endpoint https://accounts.google.com/.well-known/openid-configuration \
401+
server show appweb01
402+
359403
The same command if the auth environment variables (:envvar:`OS_AUTH_URL`, :envvar:`OS_PROJECT_NAME`,
360404
:envvar:`OS_USERNAME`, :envvar:`OS_PASSWORD`) are set::
361405

@@ -404,6 +448,24 @@ The following environment variables can be set to alter the behaviour of :progra
404448

405449
Authentication URL
406450

451+
.. envvar:: OS_AUTH_TYPE
452+
453+
Define the authentication plugin that will be used to handle the
454+
authentication process. One of the following:
455+
456+
- ``v2password``
457+
- ``v2token``
458+
- ``v3password``
459+
- ``v3token``
460+
- ``v3oidcclientcredentials``
461+
- ``v3oidcpassword``
462+
- ``v3oidcauthorizationcode``
463+
- ``v3oidcaccesstoken``
464+
- ``v3totp``
465+
- ``v3tokenlessauth``
466+
- ``v3applicationcredential``
467+
- ``v3multifactor``
468+
407469
.. envvar:: OS_URL
408470

409471
Service URL (when using the service token)
@@ -473,6 +535,56 @@ The following environment variables can be set to alter the behaviour of :progra
473535

474536
Interface type. Valid options are `public`, `admin` and `internal`.
475537

538+
.. envvar:: OS_PROTOCOL
539+
540+
Define the protocol that is used to execute the federated authentication
541+
process. It is used in the Keystone authentication URL generation process.
542+
543+
.. envvar:: OS_IDENTITY_PROVIDER
544+
545+
Define the identity provider of your federation that will be used. It is
546+
used by the Keystone authentication URL generation process. The available
547+
Identity Providers can be listed using the
548+
:program:`openstack identity provider list` command
549+
550+
.. envvar:: OS_CLIENT_ID
551+
552+
Configure the ``CLIENT_ID`` that the CLI will use to authenticate the
553+
application (OpenStack) in the Identity Provider. This value is defined on
554+
the identity provider side. Do not confuse with the user ID.
555+
556+
.. envvar:: OS_CLIENT_SECRET
557+
558+
Configure the OS_CLIENT_SECRET that the CLI will use to authenticate the
559+
CLI (OpenStack secret in the identity provider).
560+
561+
.. envvar:: OS_OPENID_SCOPE
562+
563+
Configure the attribute scopes that will be claimed by the Service Provider
564+
(SP), in this case OpenStack, from the identity provider. These scopes and
565+
which attributes each scope contains are defined in the identity provider
566+
side. This parameter can receive multiple values separated by space.
567+
568+
.. envvar:: OS_ACCESS_TOKEN_TYPE
569+
570+
Define the type of access token that is used in the token introspection
571+
process.
572+
This variable can assume only one of the states ("access_token" or
573+
"id_token").
574+
575+
.. envvar:: OS_DISCOVERY_ENDPOINT
576+
577+
Configure the identity provider's discovery URL. This URL will provide a
578+
discover document that contains metadata describing the identity provider
579+
endpoints. This variable is optional if the variable
580+
``OS_ACCESS_TOKEN_ENDPOINT`` is defined.
581+
582+
.. envvar:: OS_ACCESS_TOKEN_ENDPOINT
583+
584+
Overrides the value presented in the discovery document retrieved from
585+
``OS_DISCOVERY_ENDPOINT`` URL request. This variable is optional if the
586+
``OS_DISCOVERY_ENDPOINT`` is configured.
587+
476588
.. NOTE::
477589
If you switch to openstackclient from project specified clients, like:
478590
novaclient, neutronclient and so on, please use `OS_INTERFACE` instead of

0 commit comments

Comments
 (0)