Nectar Identity service now upgraded to Queens
We're pleased to announce that the Nectar Identity service (Keystone) has now been upgraded to the Queens release.
Normally an upgrade like this wouldn't require a blog post, but there are a couple of significant changes that users should be aware of.
Keystone API v2.0 deprecation
The Keystone v2.0 API has actually been removed from the Queens release, but we're aware that many users are still using it. We are now actively asking any users still on the v2.0 API to move over to the v3 API, which has been available since 2016.
We plan to keep the v2.0 API running until April 2019, at which time it will no longer be available.
See our Keystone v2.0 to v3 migration guide on how you can switch over.
Application Credentials
The long-awaited application credentials are finally available in the Queens release. Application credentials allow users to generate their own OpenStack credentials suitable for applications to authenticate to the Identity service, without having to expose their main credentials.
Application credentials can be easily revoked or rotated with little or no application downtime, or can even have an automatic expiry time.
To manage application credentials on the command line, you'll need recent versions of the python-openstackclient and python-keystoneclient packages and your main credentials loaded.
The simplest example for creating an application credential is to just pass a name:
$ openstack application credential create mydemo
+--------------+-----------------------------------------+
| Field        | Value                                   |
+--------------+-----------------------------------------+
| description  | None                                    |
| expires_at   | None                                    |
| id           | 0cfa2baa33f546b7bec27f1b7461a1c5        |
| name         | mydemo                                  |
| project_id   | 6d23beae28fc41958a2ba5d5d68eb87f        |
| roles        | Member                                  |
| secret       | ErqiQo4wvf0CxajMkPd66cKmVVoZ93KogQDwBYJ |
| unrestricted | False                                   |
+--------------+-----------------------------------------+
If you wanted to use this new application credential to run OpenStack CLI commands, your environment would require:
OS_AUTH_URL=https://keystone.rc.nectar.org.au:5000/v3/
OS_AUTH_TYPE=v3applicationcredential
OS_APPLICATION_CREDENTIAL_ID=0cfa2baa33f546b7bec27f1b7461a1c5
OS_APPLICATION_CREDENTIAL_SECRET=ErqiQo4wvf0CxajMkPd66cKmVVoZ93KogQDwBYJ
For more details about application credentials, or for information about how to use application credentials in the python-keystoneclient API, see OpenStack's Application Credentials user guide.
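An added example (not from the original post or from Nectar's own tooling): a small Python check that audits an application's environment against the two changes described in this post, flagging a v2.0 auth URL and main credentials left alongside an application credential, and builds the Keystone v3 token request body for the `application_credential` auth method. The function names, the sample environments and the secret value are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Main-account variables that should not sit next to an application credential.
MAIN_CREDENTIAL_VARS = ("OS_USERNAME", "OS_PASSWORD", "OS_USER_ID")
APP_CREDENTIAL_VARS = ("OS_APPLICATION_CREDENTIAL_ID",
                       "OS_APPLICATION_CREDENTIAL_SECRET")


def audit_env(env):
    """Return a list of findings for an OpenStack environment mapping."""
    findings = []
    path = urlparse(env.get("OS_AUTH_URL", "")).path.rstrip("/")
    if path.endswith("/v2.0"):
        findings.append("OS_AUTH_URL points at the v2.0 API; switch to /v3")
    elif not path.endswith("/v3"):
        findings.append("OS_AUTH_URL does not point at the v3 API")
    if env.get("OS_AUTH_TYPE") != "v3applicationcredential":
        findings.append("OS_AUTH_TYPE is not v3applicationcredential")
    for name in APP_CREDENTIAL_VARS:
        if not env.get(name):
            findings.append(f"{name} is missing")
    for name in MAIN_CREDENTIAL_VARS:
        if env.get(name):
            findings.append(f"{name} exposes main credentials; remove it")
    return findings


def token_request_body(env):
    """Build the JSON body for POST /v3/auth/tokens using this credential."""
    return json.dumps({"auth": {"identity": {
        "methods": ["application_credential"],
        "application_credential": {
            "id": env["OS_APPLICATION_CREDENTIAL_ID"],
            "secret": env["OS_APPLICATION_CREDENTIAL_SECRET"],
        }}}})


# Constructed sample environments; the secret is a placeholder, not a real one.
GOOD = {"OS_AUTH_URL": "https://keystone.rc.nectar.org.au:5000/v3/",
        "OS_AUTH_TYPE": "v3applicationcredential",
        "OS_APPLICATION_CREDENTIAL_ID": "0cfa2baa33f546b7bec27f1b7461a1c5",
        "OS_APPLICATION_CREDENTIAL_SECRET": "EXAMPLE-SECRET"}
LEGACY = {"OS_AUTH_URL": "https://keystone.rc.nectar.org.au:5000/v2.0/",
          "OS_USERNAME": "user@example.org", "OS_PASSWORD": "EXAMPLE-PASSWORD"}

if __name__ == "__main__":
    for label, env in (("good", GOOD), ("legacy", LEGACY)):
        print(label, audit_env(env) or "no findings")
```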