I’ve been pushing a lot on the authentication plugins aspect of keystoneclient recently. They allow us to generalize the process of getting a token from OpenStack so that we can enable new mechanisms like Kerberos or client certificate authentication without having to modify all the clients.
For most people, hardcoding credentials into scripts is not an option, for both security and reusability reasons. By having a standard loading mechanism for this selection of new plugins, we can ensure that the applications we write can be used with future plugins. I am currently working on getting this method into the existing services to allow for more extensible service authentication, so this pattern should become more common in future.
There are two loading mechanisms for authentication plugins provided by keystoneclient:
- Loading from an oslo.config CONF object.
- Loading from an argparse command line.
Loading from CONF
We can define a plugin from CONF like:
The only field required initially is auth_plugin, which specifies the name of the plugin to load.
All other parameters in that section are dependent on the information that plugin (in this case v3password) requires.
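The section layout described above, as an added example that is not code from this post or from keystoneclient: a standard-library sketch that reads auth_plugin first and then checks the remaining options against what the named plugin needs. The group name somegroup, every value in the sample config, and the REQUIRED_OPTIONS table are assumptions made for illustration.

```python
import configparser

# Constructed sample config; the group name and all values are placeholders.
SAMPLE_CONF = """
[somegroup]
auth_plugin = v3password
auth_url = http://keystone.example:5000/v3
username = demo
password = not-a-real-password
user_domain_name = Default
project_name = demo
project_domain_name = Default
"""

# Illustrative table of what each plugin name requires (an assumed subset,
# not keystoneclient's real option definitions).
REQUIRED_OPTIONS = {
    "v3password": ("auth_url", "username", "password"),
    "v3token": ("auth_url", "token"),
}
SECRET_OPTIONS = {"password", "token"}


def load_plugin_options(text, group):
    """Return (plugin_name, options) for the auth section `group`."""
    # interpolation=None so a '%' inside a password is taken literally.
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    if not parser.has_section(group):
        raise ValueError(f"no [{group}] section")
    section = dict(parser[group])
    name = section.pop("auth_plugin", None)
    if not name:
        raise ValueError(f"[{group}] does not set auth_plugin")
    if name not in REQUIRED_OPTIONS:
        raise ValueError(f"unknown auth plugin {name!r}")
    missing = [o for o in REQUIRED_OPTIONS[name] if not section.get(o)]
    if missing:
        raise ValueError(f"{name} needs: {', '.join(missing)}")
    return name, section


def redacted(options):
    """Copy of options that is safe to log: secret values are masked."""
    return {k: "***" if k in SECRET_OPTIONS else v for k, v in options.items()}


if __name__ == "__main__":
    plugin, opts = load_plugin_options(SAMPLE_CONF, "somegroup")
    print(plugin, redacted(opts))
```

Because the credentials now live in the config file rather than in the script, that file needs the restrictive permissions the script no longer does.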
To load that plugin from an application we do: