Keystone authentication to public/admin port and scoped/unscoped token
New to OpenStack, after setting up a simple environment (controller + compute node), I am trying to learn how those components work.
My attempt (using curl) was trying to get a token and then get a list of tenants with that token.
To get a token, I had tried the following ways:
curl -i -X POST http://controller:PORT/v2.0/tokens -H "Content-type: application/json" -d INFO
Replacing the PORT and INFO in the above command to:
- PORT 5000, INFO: username, password => token 1
- PORT 35357, INFO: username, password => token 2
- PORT 5000, INFO: username, password, tenant name => token 3
- PORT 35357, INFO: username, password, tenant name => token 4
Note: The username is the admin user
To get a list of tenants, I had tried the following:
curl -i -X GET http://controller:PORT/v2.0/tenants -H "X-Auth-Token: TOKEN"
Replacing the PORT and TOKEN in the above command to:
- token 1, port 5000: only to see the admin tenant
- token 1, port 35357: 401, requires authentication
- token 2, port 5000: only to see the admin tenant
- token 2, port 35357: 401, requires authentication
- token 3, port 5000: only to see the admin tenant
- token 3, port 35357: see admin, demo and service tenant
- token 4, port 5000: only to see the admin tenant
- token 4, port 35357: see admin, demo and service tenant
My questions are:
Is there any difference between the tokens returned by talking to port 5000 and port 35357? If there is no difference, should I care which port to talk to when authentication is required?
With the unscoped tokens (token 1 and token 2), why is authentication required when I try to talk to port 35357? Remember I provided the admin user credentials to get those two tokens.
With the scoped tokens (token 3 and token 4), why could I only see the admin tenant when talking to port 5000, while I could see all the tenants when talking to port 35357?
Update:
Thanks @Haneef Ali for the response.
Q: 3) It should not be the case. Are you sure you are using the same token, and that the username, password and tenant are the same in both cases?
A: Yes, I used the same token and username, password, tenant in both cases.
My guess is that providing a scoped token to port 5000 and to port 35357 maps to different rules in keystone policy.json.
[screenshot of /etc/keystone/policy.json]
Notice that there is a list_projects rule as well as a list_user_projects rule.
So when you talk to port 5000, providing either an unscoped or a scoped token, keystone refers to the list_user_projects rule, which accepts the operation from both admin and owner. That explains items 1, 3, 5 and 7 in the above "To get a list of tenants" section.
However, when talking to port 35357, keystone will refer to the list_projects rule, which requires admin privileges. That's why in items 2 & 4 we received the 'requires authentication' message, while in items 6 & 8 it ...