OpenStack Identity API and domain access
I was perusing the instructions to setup Heat, the OpenStack orchestration service, and found myself unable to use the openstack domain
command.
[root]# openstack domain list
openstack: 'domain' is not an openstack command. See 'openstack --help'.
Since adding a new domain is a required step in installing Heat, I needed to get around this roadblock.
Normal environment
The OpenStack command-line utilities can grab several key strings from environment variables, making it easier to work interactively. For example:
OS_REGION_NAME="RegionOne"
OS_PASSWORD="SuperSecretPassword"
OS_AUTH_URL="http://192.168.100.20:5000/v2.0"
OS_USERNAME="admin"
OS_TENANT_NAME="admin"
Identity API 2 vs. 3
As you might guess from the OS_AUTH_URL
variable, the environment setup with those variables uses v2.0 of the OpenStack Identity API, and that’s at the heart of the problem. The trick is to reset the environment so it uses version 3 of the Identity API.
[root]# . admin_credentials
[root]# openstack domain list
openstack: 'domain' is not an openstack command. See 'openstack --help'.
[root]# env | grep ^OS
OS_REGION_NAME=RegionOne
OS_PASSWORD=SuperSecretPassword
OS_AUTH_URL=http://192.168.100.20:5000/v2.0
OS_USERNAME=admin
OS_TENANT_NAME=admin
[root]# export OS_AUTH_URL=http://192.168.100.20:5000
[root]# export OS_IDENTITY_API_VERSION=3
[root]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
In short, the ‘domain’ subcommand isn’t available unless you use v3 identity API:
# source the standard credentials
. admin_credentials
# drop "/v2.0" from auth url; assumes bash parameter expansion
export OS_AUTH_URL=${OS_AUTH_URL%/v2.0}
# specify identity API v3
export OS_IDENTITY_API_VERSION=3
# now you're good to go.
After the change, the default output from some of the openstack
commands changes, e.g., openstack endpoint list
. Otherwise, things operate about the same.