Nectar Identity service now upgraded to Queens

We're please to announce that the Nectar Identity service (Keystone) has now been upgraded to the Queens release.
Normally an upgrade like this wouldn't require a blog post, but there's a couple of significant changes that users should be aware of.

Keystone API v2.0 deprecation

The Keystone v2.0 API has actually been removed from the Queens release, but we're aware that many users are still using it. We are now actively requesting that any users still using the v2.0 API to move over to the v3 API that has been available since 2016.
We plan to keep the v2.0 API running until April 2019, at which time, it will no longer be available.
See our Keystone v2.0 to v3 migration guide on how you can switch over.

Application Credentials

The long awaited application credentials are finally available in the Queens release. Application credentials allow users to generate their own OpenStack credentials suitable for applications to authenticate to the Identity service, without having to expose their main credentials.
Application credentials can be easily revoked or rotated with little or no application downtime, or can even have an automatic expiry time.
To manage application credentials on the command line, you'll need recent versions of the python-openstackclient and python-keystoneclient packages and your main credentials loaded.
The simplest example for creating an application credential is to just pass a name:
$ openstack application credential create mydemo
+--------------+-----------------------------------------+
| Field        | Value                                   |
+--------------+-----------------------------------------+
| description  | None                                    |
| expires_at   | None                                    |
| id           | 0cfa2baa33f546b7bec27f1b7461a1c5        |
| name         | mydemo                                  |
| project_id   | 6d23beae28fc41958a2ba5d5d68eb87f        |
| roles        | Member                                  |
| secret       | ErqiQo4wvf0CxajMkPd66cKmVVoZ93KogQDwBYJ |
| unrestricted | False                                   |
+--------------+-----------------------------------------+
If you wanted to use this new application credential to run OpenStack CLI commands, your environment would require:
OS_AUTH_URL=https://keystone.rc.nectar.org.au:5000/v3/
OS_AUTH_TYPE=v3applicationcredential
OS_APPLICATION_CREDENTIAL_ID=0cfa2baa33f546b7bec27f1b7461a1c5
OS_APPLICATION_CREDENTIAL_SECRET=ErqiQo4wvf0CxajMkPd66cKmVVoZ93KogQDwBYJ
For more details about application credentials, or for information about how to use application credentials in the python-keystoneclient API, see OpenStack's Application Credentials user guide.

Comments

Popular posts from this blog

Getting capacity and usage information out of Openstack Placement

Understanding telemetry services in Nectar cloud

Kubernetes now available on Nectar!