[sdk][openstacksdk][keystone] Does openstacksdk support v3tokenlessauth?

hai wu haiwu.us at gmail.com
Sat Jun 4 13:37:24 UTC 2022 

I did add the above debug line in the openstacksdk script before, but
I did not get any more information..

With the current keystone setting, the regular 'openstack' command
line is working with x509 tokenless (v3tokenlessauth) authentication
for this simple test case (with test command: openstack project list),
but I could not get openstacksdk script to work the same way..

~ → cat /tmp/test.py
import openstack
from openstack import (  # type: ignore # pylint: disable=import-self
     connection,
     exceptions,
)

openstack.enable_logging(debug=True)
conn = connection.from_config(cloud_name='TEST')

for project in sorted(conn.identity.projects(), key=lambda p: p.name):
    print(project)

~ → python /tmp/test.py
Traceback (most recent call last):
  File "/tmp/test.py", line 10, in <module>
    for project in sorted(conn.identity.projects(), key=lambda p: p.name):
  File "/home/hai/venv/openstack/lib/python3.10/site-packages/openstack/service_description.py",
line 87, in __get__
    proxy = self._make_proxy(instance)
  File "/home/hai/venv/openstack/lib/python3.10/site-packages/openstack/service_description.py",
line 266, in _make_proxy
    raise exceptions.NotSupported(
openstack.exceptions.NotSupported: The identity service for TEST:
exists but does not have any supported versions.

So the 'found_version' ends up as 'None' from this line in
'service_description.py' file:
found_version = temp_adapter.get_api_major_version()

Here is my clouds.yaml for 'TEST':
  TEST:
    auth_type: "v3tokenlessauth"
    auth:
      project_name: testme
      auth_url: https://keystonetest:5050/v3
      project_domain_name: Default
    key: /home/hai/hai.key
    cert: /home/hai/hai.pem
    cacert: /home/hai/myca.crt
    region: RegionOne
    identity_api_version: 3

On Sat, Jun 4, 2022 at 1:25 AM Artem Goncharov
<artem.goncharov at gmail.com> wrote:
>
> The error you posted suggests you reached keystone, got some answer, but it is not sufficient for SDK to continue. It can be caused by misconfiguration on keystone.
>
> But in any way you should provide logs (add `openstack.enable_logging(debug=True)`) and provide it here. Without this it is not possible to give you any other information.
>
> Artem
>
> ----
> typed from mobile, auto-correct typos assumed
> ----
>
> On Fri, Jun 3, 2022, 22:40 hai wu <haiwu.us at gmail.com> wrote:
>>
>> Does openstacksdk support keystone auth type "v3tokenlessauth"?
>>
>> I got this error message when trying to enable openstacksdk with
>> auth_type="v3tokenlessauth"
>>
>> openstack.exceptions.NotSupported: The identity service for TEST:
>> exists but does not have any supported versions.
>>
>> The following are the possible relevant documents I could find, and
>> there is no place mentioning the support for tokenless auth using
>> openstacksdk:
>> https://docs.openstack.org/openstacksdk/latest/user/config/configuration.html
>> https://docs.openstack.org/keystone/train/admin/configure_tokenless_x509.html
>>

More information about the openstack-discuss mailing list