In alternative to the authentication to ADAcloud through the OpenStak Horizon Dashboard, a User can access via the OpenStack Command Line Interface (CLI). The CLI allows Users to perform the same operations that can be usually done via OpenStack dashboard, such as creating Instances, Volumes, Networks etc and many more. Access to the OpenStack CLI is granted thanks to a feature called Application Credentials (in the following AC) that is now available on CINECA OpenStack infrastructure. A complete guide on OpenStack Client is available at this page.
The AC allow User applications to authenticate to the cloud infrastructure to a specific tenant. The authentication is done through the "Application Credential ID" and a "secret string". These credentials are different from username and password of the User thus avoiding to explicit the User password in the configuration of the application, which is expecially important for users whose identities are managed by an external system. Moreover Users can delegate all or a subset of their role assignments to an AC and grant them the same or restricted authorization to a project.
Important: Each tenant has its own AC, so if you have more than one tenant you will have to generate ACs for each tenant you would like to make use of the OpenStack CLI service.
Prerequisites:
CLI configuration
Below are described all the steps to create and use the AC:
If you don't have already done, install the OpenStackClient (OSC) command-line client. The best option is using pip command (also possible in a virtual environment) :
On MAC or Linux: $$ pip install python-openstackclient or Windows: C:\> pip install python-openstackclient |
You can also install it from packages, but check that the version installed is 6.5 or 6.6 "openstack --version" command. Greater version can have some minor modification in the commands.
For RHEL, Fedora, CentOS: $$ sudo yum install -y python3-openstackclient For Ubuntu: $$ sudo apt-get install -y python3-openstackclient |
If you have downloaded the openrc file, source the Application Credential script and export the additional environment variable pointing to the adacloud certificate:
$$ source app-cred-...-openrc.sh $$ export OS_CACERT=<path-to>/adacloud.ca.chain |
If, on the other hand, you did download the cloud.yaml, you don't have to source the file, but you have to edit the cloud.yaml file adding the "cacert" line with the correct identation as in the following:
clouds: openstack: auth: auth_url: <AUTH_URL> application_credential_id: "<AC_ID>" application_credential_secret: "<AC_secret>" region_name: "RegionOne" interface: "public" identity_api_version: 3 auth_type: "v3applicationcredential" cacert: "<path-to>/adacloud.ca.chain" |
In this case there may be more than one AC indicated by the name ("openstack" in this example).
Test the CLI access with the OpenStack command line, by executing, as an example, the following command that lists all the VMs present in the tenant the user belongs.
If you have downloaded openrc file
$$ openstack server list |
If you are using the cloud.yaml file add the flag to choose the
$$ openstack --os-cloud=openstack server list |
Running "openstack --help" you can find all possible usages of openstack command.