Command Line Interface (CLI) - OpenStack Application Credential

In alternative to the authentication to ADAcloud through the OpenStak Horizon Dashboard, a User can access via the OpenStack Command Line Interface (CLI). The CLI allows Users to perform the same operations that can be usually done via OpenStack dashboard, such as creating Instances, Volumes, Networks etc and many more. Access to the OpenStack CLI is granted thanks to a feature called Application Credentials (in the following AC) that is now available on CINECA OpenStack infrastructure. A complete guide on OpenStack Client is available at this page.

The AC allow User applications to authenticate to the cloud infrastructure to a specific tenant. The authentication is done through the "Application Credential ID" and a "secret string". These credentials are different from username and password of the User thus avoiding to explicit the User password in the configuration of the application, which is expecially important for users whose identities are managed by an external system. Moreover Users can delegate all or a subset of their role assignments to an AC and grant them the same or restricted authorization to a project.

Important: Each tenant has its own AC, so if you have more than one tenant you will have to generate ACs for each tenant you would like to make use of the OpenStack CLI service.

Prerequisites:

• In order to access the OpenStack CLI service you need to provide us a static IP address indentifying the machine from which you will launch the openstack commands. Please write to superc@cineca.it requesting to add the static IP to the ones allowed to use this service.

CLI configuration

Below are described all the steps to create and use the AC:

1. Login with your HPC account via the OpenStack Horizon dashboard, https://adacloud.hpc.cineca.it 
   
   
2. On the dashboard, select the account you want to use (on the top-left menu) then go to the panel "Identity -> Application Credentials".
   
   
3. Click on "Create Application Credential" and fill out the obligatory fields. We strongly encourage to select no more than 1 week as the expiration time for security reasons. If you want the AC to have all your available roles, please do not select anything in the field "Role". If, by accident you select an item in the "Role" you have to restart the creation of the AC from scratch.
   
   
4. After creation, it will be shown the AC secret. Note that it will not be available after closing the page, so you must capture it or download it. If not, you will have to generate a new application credential. Download the Application Credential script file clicking on the button "Download openrc file" or, in alternative, "Download cloud.yaml file".
   
   

5. If you don't have already done, install the OpenStackClient (OSC) command-line client. The best option is using pip command (also possible in a virtual environment) :

   On MAC or Linux:
       $$ pip install python-openstackclient
   or Windows:
       C:\> pip install python-openstackclient

   You can also install it from packages, but check that the version installed is 6.5 or 6.6 "openstack --version" command. Greater version can have some minor modification in the commands. 

   For RHEL, Fedora, CentOS:
   	$$ sudo yum install -y python3-openstackclient
   For Ubuntu:
   	$$ sudo apt-get install -y python3-openstackclient

6. Download the certificate chain available here "adacloud.ca.chain" and save it in your local workstation where you prefer
   
   

7. If you have downloaded the openrc file, source the Application Credential script and export the additional environment variable pointing to the adacloud certificate:
   

   $$ source app-cred-...-openrc.sh
   $$ export OS_CACERT=<path-to>/adacloud.ca.chain

   If, on the other hand, you did download the cloud.yaml, you don't have to source the file, but you have to edit the cloud.yaml file adding the "cacert" line with the correct identation as in the following:

   clouds:
     openstack:
       
       auth:  
    
         auth_url: <AUTH_URL>
         
         application_credential_id: "<AC_ID>"
         application_credential_secret: "<AC_secret>"
           
       region_name: "RegionOne"
         
       interface: "public"
       identity_api_version: 3
       auth_type: "v3applicationcredential"
       cacert: "<path-to>/adacloud.ca.chain"

   In this case there may be more than one AC indicated by the name ("openstack" in this example).
   
   

8. Test the CLI access with the OpenStack command line, by executing, as an example, the following command that lists all the VMs present in the tenant the user belongs.
   If you have downloaded openrc file
   

   $$ openstack server list

   If you are using the cloud.yaml file add the flag to choose the

   $$ openstack --os-cloud=openstack server list

   Running "openstack --help" you can find all possible usages of openstack command.