Plugin Options¶
Usage¶
Using plugins via CLI¶
Plugins can be configured via CLI options, using argparse’s ArgumentParser.
This is commonly used to produce client tooling that communicates with OpenStack APIs and therefore needs to allow authentication. For example, openstackclient allows configuration using CLI options.
When using auth plugins via CLI you can specify parameters via CLI options or via environment configuration, with CLI options superseding environment configuration. CLI options are specified with the pattern --os- and the parameter name. For example, to use the password plugin via CLI options you can specify:
openstack --os-auth-type password \
    --os-auth-url http://keystone.example.com:5000/ \
    --os-username myuser \
    --os-password mypassword \
    --os-project-name myproject \
    --os-default-domain-name mydomain \
    operation
Environment variables are specified using the pattern OS_ followed by the uppercase parameter name replacing - with _. Using the password example again:
export OS_AUTH_TYPE=password
export OS_AUTH_URL=http://keystone.example.com:5000/
export OS_USERNAME=myuser
export OS_PASSWORD=mypassword
export OS_PROJECT_NAME=myproject
export OS_DEFAULT_DOMAIN_NAME=mydomain
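The naming and precedence rules above, as an added example that is not keystoneauth's own loader: a stdlib-only model that maps each option to its --os- flag and OS_ variable, lets CLI values supersede the environment, and reports where each effective value came from with the password redacted. The option subset, the helper names (resolve, redacted), the canonical-before-alias lookup order for environment variables, and the sample argv/environment are assumptions constructed for illustration.

```python
import argparse

# Subset of the password plugin's options as listed on this page:
# canonical option name -> alias names accepted for the same option.
PASSWORD_OPTIONS = {
    "auth-type": [],
    "auth-url": [],
    "username": ["user-name"],
    "password": [],
    "project-name": ["tenant-name"],
    "default-domain-name": [],
}
SECRET_OPTIONS = {"password"}


def cli_flag(name):
    """CLI pattern from the page: --os- followed by the parameter name."""
    return "--os-" + name


def env_var(name):
    """Environment pattern from the page: OS_ + uppercase name, - replaced by _."""
    return "OS_" + name.replace("-", "_").upper()


def resolve(argv, environ, options=PASSWORD_OPTIONS):
    """Return {option: (value, source)} with CLI options superseding environment."""
    parser = argparse.ArgumentParser(add_help=False, allow_abbrev=False)
    for name, aliases in options.items():
        flags = [cli_flag(n) for n in [name] + aliases]
        parser.add_argument(*flags, dest=name.replace("-", "_"), default=None)
    # Anything that is not an auth option (e.g. the trailing "operation") is ignored.
    args, _rest = parser.parse_known_args(argv)

    resolved = {}
    for name, aliases in options.items():
        value = getattr(args, name.replace("-", "_"))
        source = "cli"
        if value is None:
            # Assumption of this example: canonical variable is tried before aliases.
            for candidate in [name] + aliases:
                var = env_var(candidate)
                if environ.get(var):
                    value, source = environ[var], "env:" + var
                    break
        if value is not None:
            resolved[name] = (value, source)
    return resolved


def redacted(resolved):
    """Copy of the resolved options that is safe to log: secrets are masked."""
    return {
        name: ("***" if name in SECRET_OPTIONS else value, source)
        for name, (value, source) in resolved.items()
    }


# Constructed sample input: one option given on the CLI, the rest in the environment.
SAMPLE_ARGV = ["--os-auth-type", "password",
               "--os-project-name", "cli-project", "operation"]
SAMPLE_ENV = {
    "OS_AUTH_URL": "http://keystone.example.com:5000/",
    "OS_USERNAME": "myuser",
    "OS_PASSWORD": "mypassword",
    "OS_PROJECT_NAME": "myproject",
    "OS_DEFAULT_DOMAIN_NAME": "mydomain",
}

if __name__ == "__main__":
    for option, (value, source) in redacted(resolve(SAMPLE_ARGV, SAMPLE_ENV)).items():
        print(f"{option:22} {value:40} {source}")
```
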
Using plugins via clouds.yaml¶
Plugins can be configured via clouds.yaml files, which are supported by openstacksdk. When using a clouds.yaml, you specify the plugin name as auth_type within the cloud entry and then specify all plugin options within the auth key of the cloud entry. For example, to use the password plugin for a cloud entry mycloud in a clouds.yaml file you can specify:
clouds:
  mycloud:
    auth_type: password
    auth:
      auth_url: http://keystone.example.com:5000/
      username: myuser
      password: mypassword
      project_name: myproject
      default_domain_name: mydomain
Using plugins via config file¶
Plugins can be configured using an INI-style configuration file, using oslo.config. This is commonly used to allow OpenStack services to talk to each other, though it can be used for any service that wishes to authenticate against Keystone and uses oslo.config. For example, this configuration style is used to allow the Compute service (Nova) to talk to the Networking service (Neutron), Block Storage service (Cinder), and others.
When using the plugins via config file you define the plugin name as auth_type. The options of the plugin are then specified while replacing - with _ to be valid in configuration.
For example, to use the password plugin in a config file you would specify:
[section]
auth_type = password
auth_url = http://keystone.example.com:5000/
username = myuser
password = mypassword
project_name = myproject
default_domain_name = mydomain
Using plugins via other mechanisms¶
Beyond the three configuration mechanisms described here, different services may implement loaders in their own way and you should consult their relevant documentation. However, the same auth options will always be available.
Built-in Plugins¶
This is a listing of all included plugins and the options that they accept. Plugins are listed alphabetically and not in any order of priority.
admin_token¶
Authenticate with an existing token and a known endpoint.
This plugin is primarily useful for development or for use with identity service ADMIN tokens. Because this token is used directly there is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect to use this scope information.
Because there is no service catalog the endpoint that is supplied with initialization is used for all operations performed with this plugin so must be the full base URL to an actual service.
- endpoint
The endpoint that will always be used
- CLI options
--os-endpoint, --os-url
- Environment variables
OS_ENDPOINT, OS_URL
- token
The token that will always be used
- CLI options
--os-token
- Environment variables
OS_TOKEN
http_basic¶
Use HTTP Basic authentication to perform requests.
This can be used to instantiate clients for services deployed in standalone mode.
There is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect to use this scope information.
- endpoint
The endpoint that will always be used
- CLI options
--os-endpoint
- Environment variables
OS_ENDPOINT
- password
User’s password
- CLI options
--os-password
- Environment variables
OS_PASSWORD
- username
Username
- CLI options
--os-username, --os-user-name
- Environment variables
OS_USERNAME, OS_USER_NAME
none¶
Use no tokens to perform requests.
This can be used to instantiate clients for services deployed in noauth/standalone mode.
There is no fetching a service catalog or determining scope information and so it cannot be used by clients that expect to use this scope information.
- endpoint
The endpoint that will always be used
- CLI options
--os-endpoint
- Environment variables
OS_ENDPOINT
password¶
Authenticate with a username and password.
Authenticate to the identity service using the provided username and password. This is the standard and most common form of authentication.
As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be provided an unversioned URL to operate against.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- default-domain-id
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- CLI options
--os-default-domain-id
- Environment variables
OS_DEFAULT_DOMAIN_ID
- default-domain-name
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- CLI options
--os-default-domain-name
- Environment variables
OS_DEFAULT_DOMAIN_NAME
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- password
User’s password
- CLI options
--os-password
- Environment variables
OS_PASSWORD
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id, --os-tenant-id
- Environment variables
OS_PROJECT_ID, OS_TENANT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name, --os-tenant-name
- Environment variables
OS_PROJECT_NAME, OS_TENANT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
- user-domain-id
User’s domain id
- CLI options
--os-user-domain-id
- Environment variables
OS_USER_DOMAIN_ID
- user-domain-name
User’s domain name
- CLI options
--os-user-domain-name
- Environment variables
OS_USER_DOMAIN_NAME
- user-id
User id
- CLI options
--os-user-id
- Environment variables
OS_USER_ID
- username
Username
- CLI options
--os-username, --os-user-name
- Environment variables
OS_USERNAME, OS_USER_NAME
token¶
Given an existing token rescope it to another target.
Use the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information it is often easier to fetch a new token based on an existing one than validate and reuse the one you already have.
As a generic plugin this plugin is identity version independent and will discover available versions before use. This means it expects to be provided an unversioned URL to operate against.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- default-domain-id
Optional domain ID to use with v3 and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- CLI options
--os-default-domain-id
- Environment variables
OS_DEFAULT_DOMAIN_ID
- default-domain-name
Optional domain name to use with v3 API and v2 parameters. It will be used for both the user and project domain in v3 and ignored in v2 authentication.
- CLI options
--os-default-domain-name
- Environment variables
OS_DEFAULT_DOMAIN_NAME
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id, --os-tenant-id
- Environment variables
OS_PROJECT_ID, OS_TENANT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name, --os-tenant-name
- Environment variables
OS_PROJECT_NAME, OS_TENANT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- token
Token to authenticate with
- CLI options
--os-token
- Environment variables
OS_TOKEN
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v2password¶
Authenticate with a username and password.
Authenticate to the identity service using the provided username and password. This is the standard and most common form of authentication.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- password
Password to use
- CLI options
--os-password
- Environment variables
OS_PASSWORD
- tenant-id
Tenant ID
- CLI options
--os-tenant-id
- Environment variables
OS_TENANT_ID
- tenant-name
Tenant Name
- CLI options
--os-tenant-name
- Environment variables
OS_TENANT_NAME
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
- user-id
User ID to login with
- CLI options
--os-user-id
- Environment variables
OS_USER_ID
- username
Username to login with
- CLI options
--os-username, --os-user-name
- Environment variables
OS_USERNAME, OS_USER_NAME
v2token¶
Given an existing token rescope it to another target.
Use the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information it is often easier to fetch a new token based on an existing one than validate and reuse the one you already have.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- tenant-id
Tenant ID
- CLI options
--os-tenant-id
- Environment variables
OS_TENANT_ID
- tenant-name
Tenant Name
- CLI options
--os-tenant-name
- Environment variables
OS_TENANT_NAME
- token
Token
- CLI options
--os-token
- Environment variables
OS_TOKEN
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3adfspassword¶
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- identity-provider
Identity Provider’s name (mandatory)
- CLI options
--os-identity-provider
- Environment variables
OS_IDENTITY_PROVIDER
- identity-provider-url
An Identity Provider URL, where the SAML authentication request will be sent. (mandatory)
- CLI options
--os-identity-provider-url
- Environment variables
OS_IDENTITY_PROVIDER_URL
- password
Password (mandatory)
- CLI options
--os-password
- Environment variables
OS_PASSWORD
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- protocol
Protocol for federated plugin (mandatory)
- CLI options
--os-protocol
- Environment variables
OS_PROTOCOL
- service-provider-endpoint
Service Provider’s Endpoint (mandatory)
- CLI options
--os-service-provider-endpoint
- Environment variables
OS_SERVICE_PROVIDER_ENDPOINT
- service-provider-entity-id
Service Provider’s SAML Entity ID (mandatory)
- CLI options
--os-service-provider-entity-id
- Environment variables
OS_SERVICE_PROVIDER_ENTITY_ID
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
- username
Username (mandatory)
- CLI options
--os-username
- Environment variables
OS_USERNAME
v3applicationcredential¶
Authenticate with an application credential.
Authenticate to the identity service using the provided application credential secret and ID or name. If a name is used, you must also provide a username and user domain to assist in lookup.
- application_credential_id
Application credential ID
- CLI options
--os-application_credential_id
- Environment variables
OS_APPLICATION_CREDENTIAL_ID
- application_credential_name
Application credential name
- CLI options
--os-application_credential_name
- Environment variables
OS_APPLICATION_CREDENTIAL_NAME
- application_credential_secret
Application credential auth secret (mandatory)
- CLI options
--os-application_credential_secret
- Environment variables
OS_APPLICATION_CREDENTIAL_SECRET
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
- user-domain-id
User’s domain ID
- CLI options
--os-user-domain-id
- Environment variables
OS_USER_DOMAIN_ID
- user-domain-name
User’s domain name
- CLI options
--os-user-domain-name
- Environment variables
OS_USER_DOMAIN_NAME
- user-id
User’s user ID
- CLI options
--os-user-id
- Environment variables
OS_USER_ID
- username
User’s username
- CLI options
--os-username, --os-user-name
- Environment variables
OS_USERNAME, OS_USER_NAME
v3fedkerb¶
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- identity-provider
Identity Provider’s name (mandatory)
- CLI options
--os-identity-provider
- Environment variables
OS_IDENTITY_PROVIDER
- mutual-auth
Configures Kerberos Mutual Authentication
- CLI options
--os-mutual-auth
- Environment variables
OS_MUTUAL_AUTH
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- protocol
Protocol for federated plugin (mandatory)
- CLI options
--os-protocol
- Environment variables
OS_PROTOCOL
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3kerberos¶
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- mutual-auth
Configures Kerberos Mutual Authentication
- CLI options
--os-mutual-auth
- Environment variables
OS_MUTUAL_AUTH
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3multifactor¶
Authenticate using multiple factors.
Authenticate to the identity service using a combination of factors, such as username/password and a TOTP code.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- auth_methods
Methods to authenticate with. (mandatory)
- CLI options
--os-auth_methods
- Environment variables
OS_AUTH_METHODS
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3oauth1¶
- access-key
OAuth Access Key (mandatory)
- CLI options
--os-access-key
- Environment variables
OS_ACCESS_KEY
- access-secret
OAuth Access Secret (mandatory)
- CLI options
--os-access-secret
- Environment variables
OS_ACCESS_SECRET
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- consumer-key
OAuth Consumer ID/Key (mandatory)
- CLI options
--os-consumer-key
- Environment variables
OS_CONSUMER_KEY
- consumer-secret
OAuth Consumer Secret (mandatory)
- CLI options
--os-consumer-secret
- Environment variables
OS_CONSUMER_SECRET
v3oauth2clientcredential¶
Authenticate with an OAuth2.0 client credential.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- oauth2_client_id
Client id for OAuth2.0 (mandatory)
- CLI options
--os-oauth2_client_id
- Environment variables
OS_OAUTH2_CLIENT_ID
- oauth2_client_secret
Client secret for OAuth2.0 (mandatory)
- CLI options
--os-oauth2_client_secret
- Environment variables
OS_OAUTH2_CLIENT_SECRET
- oauth2_endpoint
Endpoint for OAuth2.0 (mandatory)
- CLI options
--os-oauth2_endpoint
- Environment variables
OS_OAUTH2_ENDPOINT
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3oauth2mtlsclientcredential¶
Authenticate with an OAuth2.0 mTLS client credential.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- oauth2-client-id
Client credential ID for OAuth2.0 Mutual-TLS Authorization (mandatory)
- CLI options
--os-oauth2-client-id
- Environment variables
OS_OAUTH2_CLIENT_ID
- oauth2-endpoint
Endpoint for OAuth2.0 Mutual-TLS Authorization (mandatory)
- CLI options
--os-oauth2-endpoint
- Environment variables
OS_OAUTH2_ENDPOINT
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3oidcaccesstoken¶
Authenticate with the OIDC Access Token flow.
- access-token
OAuth 2.0 Access Token (mandatory)
- CLI options
--os-access-token
- Environment variables
OS_ACCESS_TOKEN
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- identity-provider
Identity Provider’s name (mandatory)
- CLI options
--os-identity-provider
- Environment variables
OS_IDENTITY_PROVIDER
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- protocol
Protocol for federated plugin (mandatory)
- CLI options
--os-protocol
- Environment variables
OS_PROTOCOL
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3oidcauthcode¶
Authenticate with the OIDC Authorization Code flow.
- access-token-endpoint
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options
--os-access-token-endpoint
- Environment variables
OS_ACCESS_TOKEN_ENDPOINT
- access-token-type
OAuth 2.0 Authorization Server Introspection token type. It is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”
- CLI options
--os-access-token-type
- Environment variables
OS_ACCESS_TOKEN_TYPE
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- client-id
OAuth 2.0 Client ID
- CLI options
--os-client-id
- Environment variables
OS_CLIENT_ID
- client-secret
OAuth 2.0 Client Secret
- CLI options
--os-client-secret
- Environment variables
OS_CLIENT_SECRET
- code
OAuth 2.0 Authorization Code (mandatory)
- CLI options
--os-code, --os-authorization-code
- Environment variables
OS_CODE, OS_AUTHORIZATION_CODE
- discovery-endpoint
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- CLI options
--os-discovery-endpoint
- Environment variables
OS_DISCOVERY_ENDPOINT
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- identity-provider
Identity Provider’s name (mandatory)
- CLI options
--os-identity-provider
- Environment variables
OS_IDENTITY_PROVIDER
- openid-scope
OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must always be specified.
- CLI options
--os-openid-scope
- Environment variables
OS_OPENID_SCOPE
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- protocol
Protocol for federated plugin (mandatory)
- CLI options
--os-protocol
- Environment variables
OS_PROTOCOL
- redirect-uri
OpenID Connect Redirect URL
- CLI options
--os-redirect-uri
- Environment variables
OS_REDIRECT_URI
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3oidcclientcredentials¶
Authenticate with the OIDC Client Credentials flow.
- access-token-endpoint
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options
--os-access-token-endpoint
- Environment variables
OS_ACCESS_TOKEN_ENDPOINT
- access-token-type
OAuth 2.0 Authorization Server Introspection token type. It is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”
- CLI options
--os-access-token-type
- Environment variables
OS_ACCESS_TOKEN_TYPE
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- client-id
OAuth 2.0 Client ID
- CLI options
--os-client-id
- Environment variables
OS_CLIENT_ID
- client-secret
OAuth 2.0 Client Secret
- CLI options
--os-client-secret
- Environment variables
OS_CLIENT_SECRET
- discovery-endpoint
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- CLI options
--os-discovery-endpoint
- Environment variables
OS_DISCOVERY_ENDPOINT
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- identity-provider
Identity Provider’s name (mandatory)
- CLI options
--os-identity-provider
- Environment variables
OS_IDENTITY_PROVIDER
- openid-scope
OpenID Connect scope that is requested from authorization server. Note that the OpenID Connect specification states that “openid” must always be specified.
- CLI options
--os-openid-scope
- Environment variables
OS_OPENID_SCOPE
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- protocol
Protocol for federated plugin (mandatory)
- CLI options
--os-protocol
- Environment variables
OS_PROTOCOL
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee use
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3oidcdeviceauthz¶
Authenticate with the OAuth 2.0 Device Authorization flow.
- access-token-endpoint
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options
--os-access-token-endpoint
- Environment variables
OS_ACCESS_TOKEN_ENDPOINT
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- client-id
OAuth 2.0 Client ID
- CLI options
--os-client-id
- Environment variables
OS_CLIENT_ID
- client-secret
OAuth 2.0 Client Secret
- CLI options
--os-client-secret
- Environment variables
OS_CLIENT_SECRET
- code-challenge-method
PKCE Challenge Method (RFC 7636)
- CLI options
--os-code-challenge-method
- Environment variables
OS_CODE_CHALLENGE_METHOD
- device-authorization-endpoint
OAuth 2.0 Device Authorization Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options
--os-device-authorization-endpoint
- Environment variables
OS_DEVICE_AUTHORIZATION_ENDPOINT
- discovery-endpoint
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- CLI options
--os-discovery-endpoint
- Environment variables
OS_DISCOVERY_ENDPOINT
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- identity-provider
Identity Provider’s name (mandatory)
- CLI options
--os-identity-provider
- Environment variables
OS_IDENTITY_PROVIDER
- openid-scope
OpenID Connect scope that is requested from the authorization server. Note that the OpenID Connect specification states that “openid” must always be specified.
- CLI options
--os-openid-scope
- Environment variables
OS_OPENID_SCOPE
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- protocol
Protocol for federated plugin (mandatory)
- CLI options
--os-protocol
- Environment variables
OS_PROTOCOL
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3oidcpassword
Authenticate with the OIDC Resource Owner Password Credentials flow.
- access-token-endpoint
OpenID Connect Provider Token Endpoint. Note that if a discovery document is being passed this option will override the endpoint provided by the server in the discovery document.
- CLI options
--os-access-token-endpoint
- Environment variables
OS_ACCESS_TOKEN_ENDPOINT
- access-token-type
OAuth 2.0 Authorization Server Introspection token type. It is used to decide which type of token will be used when processing token introspection. Valid values are: “access_token” or “id_token”
- CLI options
--os-access-token-type
- Environment variables
OS_ACCESS_TOKEN_TYPE
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- client-id
OAuth 2.0 Client ID
- CLI options
--os-client-id
- Environment variables
OS_CLIENT_ID
- client-secret
OAuth 2.0 Client Secret
- CLI options
--os-client-secret
- Environment variables
OS_CLIENT_SECRET
- discovery-endpoint
OpenID Connect Discovery Document URL. The discovery document will be used to obtain the values of the access token endpoint and the authentication endpoint. This URL should look like https://idp.example.org/.well-known/openid-configuration
- CLI options
--os-discovery-endpoint
- Environment variables
OS_DISCOVERY_ENDPOINT
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- identity-provider
Identity Provider’s name (mandatory)
- CLI options
--os-identity-provider
- Environment variables
OS_IDENTITY_PROVIDER
- idp_otp_key
A key to be used in the Identity Provider access token endpoint to pass the OTP value. E.g. totp
- CLI options
--os-idp_otp_key
- Environment variables
OS_IDP_OTP_KEY
- openid-scope
OpenID Connect scope that is requested from the authorization server. Note that the OpenID Connect specification states that “openid” must always be specified.
- CLI options
--os-openid-scope
- Environment variables
OS_OPENID_SCOPE
- password
Password (mandatory)
- CLI options
--os-password
- Environment variables
OS_PASSWORD
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- protocol
Protocol for federated plugin (mandatory)
- CLI options
--os-protocol
- Environment variables
OS_PROTOCOL
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
- username
Username (mandatory)
- CLI options
--os-username
- Environment variables
OS_USERNAME
v3password
Authenticate with a username and password.
Authenticate to the identity service using the provided username and password. This is the standard and most common form of authentication.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- password
User’s password
- CLI options
--os-password
- Environment variables
OS_PASSWORD
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
- user-domain-id
User’s domain ID
- CLI options
--os-user-domain-id
- Environment variables
OS_USER_DOMAIN_ID
- user-domain-name
User’s domain name
- CLI options
--os-user-domain-name
- Environment variables
OS_USER_DOMAIN_NAME
- user-id
User’s user ID
- CLI options
--os-user-id
- Environment variables
OS_USER_ID
- username
User’s username
- CLI options
--os-username, --os-user-name
- Environment variables
OS_USERNAME, OS_USER_NAME
v3samlpassword
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- identity-provider
Identity Provider’s name (mandatory)
- CLI options
--os-identity-provider
- Environment variables
OS_IDENTITY_PROVIDER
- identity-provider-url
An Identity Provider URL, where the SAML2 authentication request will be sent. (mandatory)
- CLI options
--os-identity-provider-url
- Environment variables
OS_IDENTITY_PROVIDER_URL
- password
Password (mandatory)
- CLI options
--os-password
- Environment variables
OS_PASSWORD
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- protocol
Protocol for federated plugin (mandatory)
- CLI options
--os-protocol
- Environment variables
OS_PROTOCOL
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
- username
Username (mandatory)
- CLI options
--os-username
- Environment variables
OS_USERNAME
v3token
Given an existing token, rescope it to another target.
Use the Identity service’s rescope mechanism to get a new token based upon an existing token. Because an auth plugin requires a service catalog and scope information, it is often easier to fetch a new token based on an existing one than to validate and reuse the one you already have.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- token
Token to authenticate with
- CLI options
--os-token
- Environment variables
OS_TOKEN
- trust-id
ID of the trust to use as a trustee
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
v3tokenlessauth
Authenticate without a token, using an X.509 certificate.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
v3totp
Authenticate with a Time-based One-Time Password.
Authenticate to the identity service using a time-based one-time password. This is typically used in combination with another plugin as part of a multi-factor configuration.
- auth-url
Authentication URL (mandatory)
- CLI options
--os-auth-url
- Environment variables
OS_AUTH_URL
- domain-id
Domain ID to scope to
- CLI options
--os-domain-id
- Environment variables
OS_DOMAIN_ID
- domain-name
Domain name to scope to
- CLI options
--os-domain-name
- Environment variables
OS_DOMAIN_NAME
- passcode
User’s TOTP passcode
- CLI options
--os-passcode
- Environment variables
OS_PASSCODE
- project-domain-id
Domain ID containing project
- CLI options
--os-project-domain-id
- Environment variables
OS_PROJECT_DOMAIN_ID
- project-domain-name
Domain name containing project
- CLI options
--os-project-domain-name
- Environment variables
OS_PROJECT_DOMAIN_NAME
- project-id
Project ID to scope to
- CLI options
--os-project-id
- Environment variables
OS_PROJECT_ID
- project-name
Project name to scope to
- CLI options
--os-project-name
- Environment variables
OS_PROJECT_NAME
- system-scope
Scope for system operations
- CLI options
--os-system-scope
- Environment variables
OS_SYSTEM_SCOPE
- trust-id
ID of the trust to use as a trustee
- CLI options
--os-trust-id
- Environment variables
OS_TRUST_ID
- user-domain-id
User’s domain ID
- CLI options
--os-user-domain-id
- Environment variables
OS_USER_DOMAIN_ID
- user-domain-name
User’s domain name
- CLI options
--os-user-domain-name
- Environment variables
OS_USER_DOMAIN_NAME
- user-id
User’s user ID
- CLI options
--os-user-id
- Environment variables
OS_USER_ID
- username
User’s username
- CLI options
--os-username, --os-user-name
- Environment variables
OS_USERNAME, OS_USER_NAME
Additional Plugins
keystoneauth is designed to be pluggable, and Python packages exist that provide additional plugins.