When you run OpenStack command-line clients, you must authenticate to Keystone so that you can be authorized to perform an action. You can submit the required credentials using the command-line arguments for the OpenStack clients, or you can store the credentials as environment variables which can then be used by the OpenStack clients. Using environment variables is often easier.
The following are the minimum required OpenStack environment variables:
Environment Variable | Purpose |
---|---|
| Keystone authentication URL. |
| Keystone tenant name. |
| Keystone user name. |
| Keystone password. |
| Keystone project name. |
| Keystone domain ID containing the project. |
| Keystone domain name containing the project. |
| Keystone user's domain ID. |
| Keystone user's domain name. |
|
Keystone identity API version. This should be set to
The docker-ostk utility automatically sets this variable for you. |
|
Cinder volume API version. This should be set to
The docker-ostk utility automatically sets this variable for you. |
If you do not set the OS_PASSWORD
environment
variable, the OpenStack CLI clients prompt you to enter the
password.
For a complete list of the environment variables you can use, see http://docs.openstack.org/developer/python-openstackclient/man/openstack.html#environment-variables
To manually set the environment variables:
$ exportvariable_name
=value
For example:
$ export OS_AUTH_URL=http://10.0.0.10:5000/v3
$ export OS_TENANT_NAME=admin
$ export OS_PROJECT_NAME=admin
$ export OS_USERNAME=admin
$ export OS_PASSWORD=password
$ export OS_PROJECT_DOMAIN_ID=default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_USER_DOMAIN_ID=default
$ export OS_USER_DOMAIN_NAME=Default
You can create an environment file that exports the variables (as shown above), and use the source command to set the variables before you run OpenStack CLI commands. You can download a preconfigured environment file from the OpenStack Horizon dashboard, as follows:
Log in to the OpenStack Horizon dashboard.
Select
, then , and then select . Select the subtab.Click
and save this file to the host.Use the source command to load the environment variables.
$ source admin-openrc.sh Please enter your OpenStack Password:
You are prompted to enter the OpenStack admin password. Enter the password and the environment variables are set up.
CautionThe password is stored in plain text, and is not encrypted.
If you use the docker-ostk utility to run
OpenStack CLI clients, you can pass the environment variables to
the Docker container by storing the environment variables as
key-value pairs in a file. To use the file, you specify the
location of the file by setting the ENV_FILE
environment variable before you run the
docker-ostk command. The following is an
example environment file with key-value pairs.
OS_AUTH_URL=http://10.0.0.10:5000/v3
OS_TENANT_NAME=admin
OS_PROJECT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=password
OS_PROJECT_DOMAIN_ID=default
OS_PROJECT_DOMAIN_NAME=Default
OS_USER_DOMAIN_ID=default
OS_USER_DOMAIN_NAME=Default
If you use the openstack CLI client, you can
store credentials in YAML format in a file named
clouds.yaml
. The following is an example
clouds.yaml
file containing the credentials
for two projects, admin and dev:
clouds: admin: auth: auth_url: http://10.0.0.20:5000/v3 project_name: admin tenant_name: admin username: admin password: password project_domain_id: default project_domain_name: Default user_domain_id: default user_domain_name: Default identity_api_version: 3 volume_api_version: 2 dev: auth: auth_url: http://10.0.0.20:5000/v3 project_name: DevProject username: jdoe password: password project_domain_id: default project_domain_name: Default user_domain_id: default user_domain_name: Default identity_api_version: 3 volume_api_version: 2
You select the credentials you want to use with the
--os-cloud
option when you run a command, for
example:
$ openstack --os-cloud=dev server list
The openstack CLI client searches for the
clouds.yaml
file in order in the following
locations:
Current working directory
$HOME/.config/openstack
/etc/openstack
The first file found is used. If you use the
docker-ostk utility, the
clouds.yaml
file must be in the current
working directory as this directory is bind-mounted into the
container.
For more information see http://docs.openstack.org/developer/python-openstackclient/configuration.html
For security reasons, it is recommended that you do not store
your OpenStack project passwords in a file or in an environment
variable. To avoid storing passwords in plain text, you can
either let the OpenStack CLI client prompt you for the password
interactively, or you can specify the password with the
--os-password
option when you run a command.