Create an Application Credential in OpenStack - caprivm/thesis_msc GitHub Wiki

This section shows how to create an OpenStack Application Credential that gives external users access to all OpenStack services. Consider all the steps outlined. The test was done on a MicroStack deployment with the following hardware requirements:

| Feature | Value |
| --- | --- |
| CPU | 4 |
| RAM | 8 GiB |
| Disk | 100 GB |
| OS Used | Ubuntu 20.04 LTS |
| OpenStack Distro | MicroStack |

The VM where the test is done must have MicroStack installed as shown in the section Install MicroStack with Snap. You must also create the openstack alias variables in the ~/.bashrc file. The contents of this page are:

Create an Application Credential

To generate an application credential we use the user interface (UI). In the UI, go to the Identity page and click the application credential tab. The following form is displayed.

[Image: application credential form]

You can assign a role to the application credential. In this case, for the external application that wants to authenticate with OpenStack, we choose the admin role. Consider the following additional definitions for the external application configuration:

  • application_credential_secret: As shown in the last image, a secret will be generated for you if you don't provide your own. Once the application credential is created, the secret is revealed only once. Remember that if you lose the secret, you will have to generate a new application credential. In our case, the application credential secret is: application_credential_secret: "sJbZXO0c3lxCvRwm8Udjq96vgUC0jATceyPQrA-1r_9K_Dtovgu4ueU-XZ4_aywCr8OGx2BPSK3kwwslwkIaNg"
  • application_credential_id: When you create an application credential, OpenStack assigns it an ID that you can view in the UI or by typing openstack application credential list in the CLI. The result is shown below. In this example, the ID corresponds to terraform_prov.
openstack application credential list
# +----------------------------------+----------------+----------------------------------+
# | ID                               | Name           | Project ID                       |
# +----------------------------------+----------------+----------------------------------+
# | 880a9c2fa37d4164b36da41bec63b1da | prometheus_sd  | 86bc6ac1721143f4919d221d39079696 |
# | 0c87aac399244f52800f2ffab484d3d4 | terraform_prov | 86bc6ac1721143f4919d221d39079696 |
# +----------------------------------+----------------+----------------------------------+
  • user_name: By default, in a MicroStack installation the username is admin. If you created another user, make sure you know which user you are going to use in the external application configuration.
  • user_id: In the same way as for the application credential ID, OpenStack assigns an ID to each user on the platform. You can look up both user_name and user_id in the UI or by typing openstack user list in the CLI. The result is shown below.
openstack user list
# +----------------------------------+-----------+
# | ID                               | Name      |
# +----------------------------------+-----------+
# | 4dfe6f20436047159e21fc8ae0efbb9a | admin     |
# | 7b796b466a584806b935a5e7f9ca55c7 | placement |
# | f2074b6245024a818031490e63498b5a | nova      |
# | e46d986420c34955947ddd1269a795c6 | neutron   |
# | 9bf81ea77a904742a4fd11f0a6b0f5ed | glance    |
# | 685d6e3dd7684dd39c4c3b7cde495f12 | cinder    |
# +----------------------------------+-----------+
  • tenant_id: You can look up the tenant ID in the OpenRC file that OpenStack provides or by typing openstack project list in the CLI. In the OpenRC file the tenant ID is the same as the project ID. The result is shown below. In this case, the tenant ID that corresponds to the admin user is the one of interest to us.
openstack project list
# +----------------------------------+---------+
# | ID                               | Name    |
# +----------------------------------+---------+
# | 08d668ff3bd74909a69e0d2246ac831e | service |
# | 86bc6ac1721143f4919d221d39079696 | admin   |
# +----------------------------------+---------+
  • region: By default, in a MicroStack installation the region is microstack. You can look it up by typing openstack region list or in the OpenRC file. The result is shown below.
openstack region list
# +------------+---------------+-------------+
# | Region     | Parent Region | Description |
# +------------+---------------+-------------+
# | microstack | None          |             |
# +------------+---------------+-------------+
  • auth_url: The OpenStack Identity service (Keystone) provides an endpoint for authentication and authorization. This endpoint can be looked up in the OpenRC file. By default, in a MicroStack installation (Stein version) it is http://localhost:5000/v3/. In our OpenRC file it is: auth_url: "http://10.20.20.1:5000/v3/"

An example of our OpenRC file is:

#!/usr/bin/env bash
# To use an OpenStack cloud you need to authenticate against the Identity
# service named keystone, which returns a **Token** and **Service Catalog**.
# The catalog contains the endpoints for all services the user/tenant has
# access to - such as Compute, Image Service, Identity, Object Storage, Block
# Storage, and Networking (code-named nova, glance, keystone, swift,
# cinder, and neutron).
#
# *NOTE*: Using the 3 *Identity API* does not necessarily mean any other
# OpenStack API is version 3. For example, your cloud provider may implement
# Image API v1.1, Block Storage API v2, and Compute API v2.0. OS_AUTH_URL is
# only for the Identity API served through keystone.
export OS_AUTH_URL=http://10.20.20.1:5000/v3/
# With the addition of Keystone we have standardized on the term **project**
# as the entity that owns the resources.
export OS_PROJECT_ID=86bc6ac1721143f4919d221d39079696
export OS_PROJECT_NAME="admin"
export OS_USER_DOMAIN_NAME="Default"
if [ -z "$OS_USER_DOMAIN_NAME" ]; then unset OS_USER_DOMAIN_NAME; fi
export OS_PROJECT_DOMAIN_ID="default"
if [ -z "$OS_PROJECT_DOMAIN_ID" ]; then unset OS_PROJECT_DOMAIN_ID; fi
# unset v2.0 items in case set
unset OS_TENANT_ID
unset OS_TENANT_NAME
# In addition to the owning entity (tenant), OpenStack stores the entity
# performing the action as the **user**.
export OS_USERNAME="admin"
# With Keystone you pass the keystone password.
echo "Please enter your OpenStack Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
# If your configuration has multiple regions, we set that information here.
# OS_REGION_NAME is optional and only valid in certain environments.
export OS_REGION_NAME="microstack"
# Don't leave a blank variable, unset it if it was empty
if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3
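
The OpenRC file above authenticates with the admin password. As an added example (not part of the original wiki), the helpers below switch the same shell to the application credential created on this page and build the Keystone v3 token request for it. The function names and the secret-file path are hypothetical; the secret is assumed to be stored on one line in a file with mode 600.

```shell
#!/usr/bin/env bash
# Added example, not part of the original wiki. Hypothetical names:
# load_app_credential, token_request_body and the secret-file path.
# Usage: load_app_credential 0c87aac399244f52800f2ffab484d3d4 ~/.terraform_prov.secret

# Export application-credential variables. The secret is read from a file
# that only its owner can access, so it never sits in a script or in argv.
load_app_credential() {
    local cred_id="$1" secret_file="$2" mode secret
    [ -r "$secret_file" ] || { echo "cannot read $secret_file" >&2; return 1; }
    # Characters 5-10 of the ls mode string are the group/other permission bits.
    mode=$(ls -ld "$secret_file" | cut -c5-10)
    if [ "$mode" != "------" ]; then
        echo "refusing $secret_file: group/other bits set ($mode), chmod 600 it" >&2
        return 1
    fi
    IFS= read -r secret < "$secret_file" || [ -n "$secret" ] || return 1
    # Clear the password-flow variables exported by the OpenRC file above.
    unset OS_USERNAME OS_PASSWORD OS_PROJECT_ID OS_PROJECT_NAME \
          OS_USER_DOMAIN_NAME OS_PROJECT_DOMAIN_ID
    export OS_AUTH_TYPE=v3applicationcredential
    export OS_AUTH_URL="${OS_AUTH_URL:-http://10.20.20.1:5000/v3/}"
    export OS_IDENTITY_API_VERSION=3
    export OS_APPLICATION_CREDENTIAL_ID="$cred_id"
    export OS_APPLICATION_CREDENTIAL_SECRET="$secret"
}

# Print the JSON body for POST ${OS_AUTH_URL%/}/auth/tokens (Keystone v3,
# "application_credential" method). Values that would need JSON escaping are
# rejected instead of being interpolated.
token_request_body() {
    case "$OS_APPLICATION_CREDENTIAL_ID" in
        ""|*[!0-9a-f]*) echo "unexpected credential ID" >&2; return 1 ;;
    esac
    case "$OS_APPLICATION_CREDENTIAL_SECRET" in
        ""|*[!A-Za-z0-9_-]*) echo "secret needs JSON escaping" >&2; return 1 ;;
    esac
    printf '{"auth":{"identity":{"methods":["application_credential"],'
    printf '"application_credential":{"id":"%s","secret":"%s"}}}}\n' \
        "$OS_APPLICATION_CREDENTIAL_ID" "$OS_APPLICATION_CREDENTIAL_SECRET"
}

# Request a token without exposing the secret on the curl command line;
# the token comes back in the X-Subject-Token response header:
#   token_request_body | curl -si -H 'Content-Type: application/json' \
#       -d @- "${OS_AUTH_URL%/}/auth/tokens"
```

After `load_app_credential` succeeds, the `openstack` CLI commands shown on this page run with the role assigned to the application credential instead of the admin password.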

Reference: https://yetiops.net/posts/prometheus-service-discovery-openstack/
