Token(令牌):通常是一串比特值或者字符串,用来作为访问资源的记号。Token中含有可访问资源的范围和有效时间。openstack服务通过token来调用资源。
openstack获取token值的两种方法:
方法一:
使用openstack命令获取
(id的值就是token)
[root@controller ~]# openstack token issue
+------------+----------------------------------------------------------------------------------------+
| Field | Value |
+------------+----------------------------------------------------------------------------------------+
| expires | 2019-05-16T09:20:34.284984Z |
| id | gAAAAABc3R1SjOCqsvEg3eem30gGaW3ogfR- |
| | nu0sISozNnPoCZJ8a61yeNvrdtVnHzMLxD4R2bz1lhFk0ErnBMGp-k_FfRpU-v3Lwy- |
| | J4htqFoTrpAdfqpYFivjrhjuHE3z3AyxZGjCi5EySJUJchVKwroxjyiekBL2uQQ6iIxvD_F8Ew4pMQN8 |
| project_id | fda820529c814812a7ab5fdcb878b291 |
| user_id | 840931be05dc4e36945bc8d1a6d0fe1c |
+------------+----------------------------------------------------------------------------------------+
此token值可直接使用
方法二:
通过api的方式
(X-Subject-Token的值是token)
[root@controller ~]# curl -i -X POST http://localhost:5000/v3/auth/tokens -H 'Content-Type: application/json' -d '{"auth": {"identity": {"methods": ["password"],"password": {"user": {"name": "admin","domain": {"name": "demo"},"password":"000000"}}}}}' (使用admin用户获取)
HTTP/1.1 201 Created
Date: Thu, 16 May 2019 08:27:10 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
X-Subject-Token: gAAAAABc3R7emnAW3JsEjzhDTSjtpmbS30z4gT2GJujxmwsTJgXY1eOaYO2KttzBSaLAMGkP_cfbThRXBCYnOfyvxZcFUT3lSSBdtcuZHZEvjGNEqMIyoi5Vl3sT3M5QnBxIpx5rgS4xOUvoV28sQB64RJDJhI_V7Q(token值)
Vary: X-Auth-Token
x-openstack-request-id: req-f1ca5e83-e9cd-418e-8dd5-cd1b4c801583
Content-Length: 305
Content-Type: application/json
{"token": {"issued_at": "2019-05-16T08:27:10.000000Z", "audit_ids": ["sCjTyAopSWCqb-WxNhzF9w"], "methods": ["password"], "expires_at": "2019-05-16T09:27:10.731149Z", "user": {"domain": {"id": "a379733146e442eeb0dbecc390922ed0", "name": "demo"}, "id": "840931be05dc4e36945bc8d1a6d0fe1c", "name": "admin"}}}
使用这个token查看用户列表:
提示没有权限。(意料之中)
[root@controller ~]# curl -g -i -X GET http://localhost:35357/v3/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: gAAAAABc3R7emnAW3JsEjzhDTSjtpmbS30z4gT2GJujxmwsTJgXY1eOaYO2KttzBSaLAMGkP_cfbThRXBCYnOfyvxZcFUT3lSSBdtcuZHZEvjGNEqMIyoi5Vl3sT3M5QnBxIpx5rgS4xOUvoV28sQB64RJDJhI_V7Q"
HTTP/1.1 403 Forbidden
Date: Thu, 16 May 2019 08:29:08 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
Vary: X-Auth-Token
x-openstack-request-id: req-c449131c-a819-45e5-b3a2-74cc01574102
Content-Length: 136
Content-Type: application/json
{"error": {"message": "You are not authorized to perform the requested action: identity:list_users", "code": 403, "title": "Forbidden"}}
查看admin用户:
[root@controller ~]# openstack user show admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | a379733146e442eeb0dbecc390922ed0 |
| enabled | True |
| id | 840931be05dc4e36945bc8d1a6d0fe1c |
| name | admin |
+-----------+----------------------------------+
(可能是admin用户的权限和角色不是太明确)
##重新设置admin用户的项目和角色##
[root@controller ~]# openstack user set --project admin admin
[root@controller ~]# openstack role add --project admin --user admin admin
[root@controller ~]# openstack user show admin
+--------------------+----------------------------------+
| Field | Value |
+--------------------+----------------------------------+
| default_project_id | fda820529c814812a7ab5fdcb878b291 |
| domain_id | a379733146e442eeb0dbecc390922ed0 |
| enabled | True |
| id | 840931be05dc4e36945bc8d1a6d0fe1c |
| name | admin |
+--------------------+----------------------------------+
重新获取一个token(多了好多东西):
[root@controller ~]# curl -i -X POST http://localhost:5000/v3/auth/tokens -H 'Content-Type: application/json' -d '{"auth": {"identity": {"methods": ["password"],"password": {"user": {"name": "admin","domain": {"name": "demo"},"password":"000000"}}}}}'
HTTP/1.1 201 Created
Date: Thu, 16 May 2019 08:34:22 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
X-Subject-Token: gAAAAABc3SCOl4Jx_1U1oj5swJ7HKdpmPBWP_UKY5_PBgo9mE3vptNzl_kawRNq5x1SgBreXGgKpOfHemxMOVSf3QHbnFJ_XTRsb_6qp3imiSTGTHlEgt81-9vrV4FSqTRtxJWHKVyWoEX-ov26iU6HYtn7XPAaJBIyDLwFEFJR6ATkMTNm91Zc
Vary: X-Auth-Token
x-openstack-request-id: req-fa896849-f9bf-436a-a0ba-5b694308803d
Content-Length: 7739
Content-Type: application/json
{"token": {"methods": ["password"], "roles": [{"id": "8417091d9a3b4aca96834436521894ee", "name": "admin"}], "expires_at": "2019-05-16T09:34:22.345811Z", "project": {"domain": {"id": "a379733146e442eeb0dbecc390922ed0", "name": "demo"}, "id": "fda820529c814812a7ab5fdcb878b291", "name": "admin"}
验证一下(还是用户列表)(通过api方式获取的token值需要明确用户角色):
[root@controller ~]# curl -s GET http://localhost:35357/v3/users -H "User-Agent: python-keystoneclient" -H "Accept: application/json" -H "X-Auth-Token: gAAAAABc3SCOl4Jx_1U1oj5swJ7HKdpmPBWP_UKY5_PBgo9mE3vptNzl_kawRNq5x1SgBreXGgKpOfHemxMOVSf3QHbnFJ_XTRsb_6qp3imiSTGTHlEgt81-9vrV4FSqTRtxJWHKVyWoEX-ov26iU6HYtn7XPAaJBIyDLwFEFJR6ATkMTNm91Zc" | python -m json.tool
{
"links": {
"next": null,
"previous": null,
"self": "http://localhost:35357/v3/users"
},
"users": [
{
"domain_id": "a379733146e442eeb0dbecc390922ed0",
"enabled": true,
"id": "2a7892435aea41aabdf4fa1258c0e816",
"links": {
"self": "http://localhost:35357/v3/users/2a7892435aea41aabdf4fa1258c0e816"
},
"name": "aodh"
}
附:
①openstack任何命令加上参数”--debug“即可看到当前命令使用的api端点。。。
例如:
[root@controller ~]# openstack user list --debug
②json格式的-d参数:
[root@controller ~]# cat test | python -m json.tool
{
"auth": {
"identity": {
"methods": [
"password"
],
"password": {
"user": {
"domain": {
"name": "demo"
},
"name": "admin",
"password": "000000"
}
}
}
}
}
