[openstack-dev] [keystone]how to get service_catalog

Jamie Lennox jamielennox at redhat.com
Mon Sep 7 04:54:26 UTC 2015



----- Original Message -----
> From: "王华" <wanghua.humble at gmail.com>
> To: "OpenStack Development Mailing List (not for usage questions)" <openstack-dev at lists.openstack.org>
> Sent: Monday, 7 September, 2015 12:00:43 PM
> Subject: [openstack-dev] [keystone]how to get service_catalog
> 
> Hi all,
> 
> When I use a token to init a keystoneclient and try to get service_catalog by
> it, error occurs. I find that keystone doesn't return service_catalog when
> we use a token. Is there a way to get service_catalog by token? In magnum,
> we now make a trick. We init a keystoneclient with service_catalog which is
> contained in the token_info returned by keystonemiddleware in auth_ref
> parameter.
> 
> I want a way to get service_catalog by token. Or can we init a keystoneclient
> by the token_info return by keystonemiddleware directly?
> 
> Regards,
> Wanghua

Sort of. 

The problem you are hitting is that a token is just a string, an identifier for some information stored in keystone. Given a token at __init__ time the client doesn't try to validate this in anyway it just assumes you know what you are doing. You can do a variation of this though in which you use an existing token to fetch a new token with the same rights (the expiry etc will be the same) and then you will get a fresh service catalog. Using auth plugins that's the Token family of plugins.

However i don't _think_ that's exactly what you're looking for in magnum. What token are you trying to reuse? 

If it's the users token then auth_token passes down an auth plugin in the ENV['keystone.token_auth'] variable[1] and you can pass that to a client to reuse the token and service catalog. If you are loading up magnum specific auth then again have a look at using keystoneclient's auth plugins and reusing it across multiple requests.

Trying to pass around a bundle of token id and service catalog is pretty much exactly what an auth plugin does and you should be able to do something there. 


Jamie

[1] https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L164
> __________________________________________________________________________
> OpenStack Development Mailing List (not for usage questions)
> Unsubscribe: OpenStack-dev-request at lists.openstack.org?subject:unsubscribe
> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
> 



More information about the OpenStack-dev mailing list