Hi Jamie, I find that when I use an existing token to fetch a new token with the same rights (the expiry etc will be the same) , but keystone doesn't return service_catalog in the response. I wonder why it is different from authentication with password.
Regards, Wanghua On Tue, Sep 8, 2015 at 9:36 AM, 王华 <[email protected]> wrote: > Hi Jamie, > > We want to reuse the user token in magnum. But there is no convenient way > to reuse it. It is better that we can use ENV['keystone.token_auth'] to > init keystoneclient directly. Now we need to construct a auth_ref which is > a parameter in keystoneclient init function according to > ENV['keystone.token_auth']. I think it is a common case which service wants > to reuse user token to do something like getting service_catalog. Can > keystoneclient provide this feature? > > Regards, > Wanghua > > On Mon, Sep 7, 2015 at 12:54 PM, Jamie Lennox <[email protected]> > wrote: > >> >> >> ----- Original Message ----- >> > From: "王华" <[email protected]> >> > To: "OpenStack Development Mailing List (not for usage questions)" < >> [email protected]> >> > Sent: Monday, 7 September, 2015 12:00:43 PM >> > Subject: [openstack-dev] [keystone]how to get service_catalog >> > >> > Hi all, >> > >> > When I use a token to init a keystoneclient and try to get >> service_catalog by >> > it, error occurs. I find that keystone doesn't return service_catalog >> when >> > we use a token. Is there a way to get service_catalog by token? In >> magnum, >> > we now make a trick. We init a keystoneclient with service_catalog >> which is >> > contained in the token_info returned by keystonemiddleware in auth_ref >> > parameter. >> > >> > I want a way to get service_catalog by token. Or can we init a >> keystoneclient >> > by the token_info return by keystonemiddleware directly? >> > >> > Regards, >> > Wanghua >> >> Sort of. >> >> The problem you are hitting is that a token is just a string, an >> identifier for some information stored in keystone. Given a token at >> __init__ time the client doesn't try to validate this in anyway it just >> assumes you know what you are doing. You can do a variation of this though >> in which you use an existing token to fetch a new token with the same >> rights (the expiry etc will be the same) and then you will get a fresh >> service catalog. Using auth plugins that's the Token family of plugins. >> >> However i don't _think_ that's exactly what you're looking for in magnum. >> What token are you trying to reuse? >> >> If it's the users token then auth_token passes down an auth plugin in the >> ENV['keystone.token_auth'] variable[1] and you can pass that to a client to >> reuse the token and service catalog. If you are loading up magnum specific >> auth then again have a look at using keystoneclient's auth plugins and >> reusing it across multiple requests. >> >> Trying to pass around a bundle of token id and service catalog is pretty >> much exactly what an auth plugin does and you should be able to do >> something there. >> >> >> Jamie >> >> [1] >> https://github.com/openstack/keystonemiddleware/blob/master/keystonemiddleware/auth_token/__init__.py#L164 >> > >> __________________________________________________________________________ >> > OpenStack Development Mailing List (not for usage questions) >> > Unsubscribe: >> [email protected]?subject:unsubscribe >> > http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> > >> >> __________________________________________________________________________ >> OpenStack Development Mailing List (not for usage questions) >> Unsubscribe: >> [email protected]?subject:unsubscribe >> http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev >> > >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: [email protected]?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev
