A federated user can authenticate with the v3unscopedsaml plugin and list the domains and projects she is allowed to scope to. This patch introduces the new commands 'federation domain list' and 'federation project list'. Note that for these commands -and plugin- to be available, the lxml library must be installed. Change-Id: I2707b624befcfb0a01b40a094e12fd68a3ee7773 Co-Authored-By: Florent Flament <florent.flament-ext@cloudwatt.com>
9.3 KiB
openstack
OpenStack Command Line
SYNOPSIS
openstack
[<global-options>] <command> [<command-arguments>]
openstack help
<command>
openstack
--help
DESCRIPTION
openstack
provides a common command-line interface to OpenStack APIs. It is
generally equivalent to the CLIs provided by the OpenStack project
client libraries, but with a distinct and consistent command
structure.
AUTHENTICATION METHODS
openstack
uses a
similar authentication scheme as the OpenStack project CLIs, with the
credential information supplied either as environment variables or as
options on the command line. The primary difference is the use of
'project' in the name of the options
OS_PROJECT_NAME
/OS_PROJECT_ID
over the old
tenant-based names.
export OS_AUTH_URL=<url-to-openstack-identity>
export OS_PROJECT_NAME=<project-name>
export OS_USERNAME=<user-name>
export OS_PASSWORD=<password> # (optional)
openstack
can
use different types of authentication plugins provided by the
keystoneclient library. The following default plugins are available:
token
: Authentication with a tokenpassword
: Authentication with a username and a password
Refer to the keystoneclient library documentation for more details
about these plugins and their options, and for a complete list of
available plugins. Please bear in mind that some plugins might not
support all of the functionalities of openstack
; for example the v3unscopedsaml plugin
can deliver only unscoped tokens, some commands might not be available
through this authentication method.
Additionally, it is possible to use Keystone's service token to
authenticate, by setting the options --os-token
and --os-url
(or the environment variables OS_TOKEN
and OS_URL
respectively). This
method takes precedence over authentication plugins.
Note
To use the v3unscopedsaml
method, the lxml package will
need to be installed.
OPTIONS
openstack
takes
global options that control overall behaviour and command-specific
options that control the command operation. Most global options have a
corresponding environment variable that may also be used to set the
value. If both are present, the command-line option takes priority. The
environment variable names are derived from the option name by dropping
the leading dashes ('--'), converting each embedded dash ('-') to an
underscore ('_'), and converting to upper case.
openstack
recognizes the following global topions:
--os-auth-plugin
<auth-plugin>-
The authentication plugin to use when connecting to the Identity service. If this option is not set,
openstack
will attempt to guess the authentication method to use based on the other options. If this option is set, its version must match--os-identity-api-version
--os-auth-url
<auth-url>-
Authentication URL
--os-url
<service-url>-
Service URL, when using a service token for authentication
--os-domain-name
<auth-domain-name> |--os-domain-id
<auth-domain-id>-
Domain-level authorization scope (name or ID)
--os-project-name
<auth-project-name> |--os-project-id
<auth-project-id>-
Project-level authentication scope (name or ID)
--os-project-domain-name
<auth-project-domain-name> |--os-project-domain-id
<auth-project-domain-id>-
Domain name or id containing project
--os-username
<auth-username>-
Authentication username
--os-password
<auth-password>-
Authentication password
--os-token
<token>-
Authenticated token or service token
--os-user-domain-name
<auth-user-domain-name> |--os-user-domain-id
<auth-user-domain-id>-
Domain name or id containing user
--os-user-domain-name
<auth-user-domain-name> |--os-user-domain-id
<auth-user-domain-id>-
Domain name or ID containing user
--os-trust-id
<trust-id>-
id of the trust to use as a trustee user
--os-default-domain
<auth-domain>-
Default domain ID (Default: 'default')
--os-region-name
<auth-region-name>-
Authentication region name
--os-cacert
<ca-bundle-file>-
CA certificate bundle file
--verify
|--insecure
-
Verify or ignore server certificate (default: verify)
--os-identity-api-version
<identity-api-version>-
Identity API version (Default: 2.0)
--os-XXXX-api-version
<XXXX-api-version>-
Additional API version options will be available depending on the installed API libraries.
COMMANDS
To get a list of the available commands:
openstack --help
To get a description of a specific command:
openstack help <command>
Note that the set of commands shown will vary depending on the API versions that are in effect at that time. For example, to force the display of the Identity v3 commands:
openstack --os-identity-api-version 3 --help
complete
-
Print the bash completion functions for the current command set.
help <command>
-
Print help for an individual command
Additional information on the OpenStackClient command structure and arguments is available in the OpenStackClient Commands wiki page.
Command Objects
The list of command objects is growing longer with the addition of
OpenStack project support. The object names may consist of multiple
words to compose a unique name. Occasionally when multiple APIs have a
common name with common overlapping purposes there will be options to
select which object to use, or the API resources will be merged, as in
the quota
object that has options referring to both Compute
and Volume quotas.
Command Actions
The actions used by OpenStackClient are defined with specific meaning to provide a consistent behavior for each object. Some actions have logical opposite actions, and those pairs will always match for any object that uses them.
NOTES
The command list displayed in help output reflects the API versions
selected. For example, to see Identity v3 commands
OS_IDENTITY_API_VERSION
must be set to 3
.
EXAMPLES
Show the detailed information for server appweb01
:
openstack \
--os-project-name ExampleCo \
--os-username demo --os-password secrete \
--os-auth-url http://localhost:5000:/v2.0 \
server show appweb01
The same command if the auth environment variables (OS_AUTH_URL
, OS_PROJECT_NAME
, OS_USERNAME
, OS_PASSWORD
) are set:
openstack server show appweb01
Create a new image:
openstack image create \
--disk-format=qcow2 \
--container-format=bare \
--public \
--copy-from http://somewhere.net/foo.img \
foo
FILES
~/.openstack
-
Placeholder for future local state directory. This directory is intended to be shared among multiple OpenStack-related applications; contents are namespaced with an identifier for the app that owns it. Shared contents (such as
~/.openstack/cache
) have no prefix and the contents must be portable.
ENVIRONMENT VARIABLES
The following environment variables can be set to alter the behaviour
of openstack
. Most
of them have corresponding command-line options that take precedence if
set.
OS_AUTH_PLUGIN
-
The authentication plugin to use when connecting to the Identity service, its version must match the Identity API version
OS_AUTH_URL
-
Authentication URL
OS_URL
-
Service URL (when using the service token)
OS_DOMAIN_NAME
-
Domain-level authorization scope (name or ID)
OS_PROJECT_NAME
-
Project-level authentication scope (name or ID)
OS_PROJECT_DOMAIN_NAME
-
Domain name or id containing project
OS_USERNAME
-
Authentication username
OS_TOKEN
-
Authenticated or service token
OS_PASSWORD
-
Authentication password
OS_USER_DOMAIN_NAME
-
Domain name or id containing user
OS_TRUST_ID
-
id of the trust to use as a trustee user
OS_DEFAULT_DOMAIN
-
Default domain ID (Default: 'default')
OS_REGION_NAME
-
Authentication region name
OS_CACERT
-
CA certificate bundle file
OS_IDENTITY_API_VERSION
-
Identity API version (Default: 2.0)
OS_XXXX_API_VERSION
-
Additional API version options will be available depending on the installed API libraries.
BUGS
Bug reports are accepted at the python-openstackclient LaunchPad project "https://bugs.launchpad.net/python-openstackclient/+bugs".
AUTHORS
Please refer to the AUTHORS file distributed with OpenStackClient.
COPYRIGHT
Copyright 2011-2014 OpenStack Foundation and the authors listed in the AUTHORS file.
LICENSE
http://www.apache.org/licenses/LICENSE-2.0
SEE ALSO
The OpenStackClient page in the OpenStack Wiki contains further documentation.
The individual OpenStack project CLIs, the OpenStack API references.