Frequently Asked Question

How to access the API when using SSO?
Last Updated 3 years ago

This guide describes how to use the OpenStack CLI, REST API, or Python clients when your account logs in through SSO.

Prerequisites

The command-line interface can be installed using:

pip install python-openstackclient

Creating an Application Credential

  1. Go to https://onboarding.massopen.cloud and log in with your account.
  2. Select the project you would like to create an application credential for in the dropdown, similar to how you switch projects in the Kaizen dashboard.
  3. Navigate to Identity > Application Credentials in the sidebar.
  4. Click Create Application Credential.
  5. Specify a name; everything else is optional.
  6. After creation, you will be prompted to download an RC file or a clouds.yaml file, which looks something like the one below:
clouds:
  kaizen:
    auth:
      auth_url: "https://kaizen.massopen.cloud:13000/v3"
      application_credential_id: ""
      application_credential_secret: ""
    region_name: "moc-kzn"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3applicationcredential"

Using the OpenStack Client

  1. The OpenStack client looks for the clouds.yaml file in the following locations, so place the file in one of them:
    • current directory
    • ~/.config/openstack
    • /etc/openstack
  2. To tell the OpenStack client which configuration to use, add the argument --os-cloud followed by the cloud name, which must match the name in the clouds.yaml file. In the example above it would be kaizen.

So an example command would be

openstack --os-cloud kaizen server list

More information about the OpenStack Client, including commands and usage can be found here.
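
An added example (not part of the original guide): a small audit for the clouds.yaml file downloaded above. It walks the three locations the client searches and reports when a file holding a populated secret is accessible to group or other users, or when it stores an SSO password. The function names, the line-based key matching (no YAML parser) and POSIX file modes are assumptions of this example.

```python
import os
import re
import stat
from pathlib import Path

# Locations from the list above: current directory, ~/.config/openstack, /etc/openstack.
SEARCH_DIRS = [Path.cwd(), Path.home() / ".config" / "openstack", Path("/etc/openstack")]
# Keys in this guide's clouds.yaml examples whose values are secrets.
SECRET_KEYS = ("application_credential_secret", "password", "client_secret")
KEY_RE = re.compile(r"^\s*(%s)\s*:\s*(.*?)(?:\s+#.*)?\s*$" % "|".join(SECRET_KEYS))


def find_clouds_yaml(dirs=None):
    """Return the first clouds.yaml found in the search locations, or None."""
    for d in (dirs if dirs is not None else SEARCH_DIRS):
        candidate = Path(d) / "clouds.yaml"
        if candidate.is_file():
            return candidate
    return None


def audit(path):
    """Return a list of findings (strings) for one clouds.yaml file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    secrets = []
    for line in Path(path).read_text().splitlines():
        m = KEY_RE.match(line)
        if m and m.group(2).strip("\"'") != "":  # ignore keys left empty
            secrets.append(m.group(1))
    findings = []
    if secrets and mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o lets group/other access: %s" % (mode, ", ".join(secrets)))
    if "password" in secrets:
        findings.append("stores an SSO password; prefer an application credential")
    return findings


if __name__ == "__main__":
    found = find_clouds_yaml()
    if found is None:
        print("no clouds.yaml found")
    else:
        for finding in audit(found) or ["no findings"]:
            print("%s: %s" % (found, finding))
```

A permission finding is cleared with chmod 600 on the reported file.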

Using the Clients in Python

The following Python code creates an authenticated session from an application credential:

from keystoneauth1 import identity
from keystoneauth1 import session

auth = identity.v3.application_credential.ApplicationCredential(
    'https://kaizen.massopen.cloud:13000/v3',
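    # Placeholders: fill in the ID and secret of the application credential you created.
    application_credential_id='<application credential id>',
    application_credential_secret='<application credential secret>'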
)
s = session.Session(auth)

This session object can be used to instantiate the various clients, like python-novaclient or python-cinderclient. More details are available in the documentation of the respective clients.

Legacy (Previous guide for historical reasons)

We strongly recommend using application credentials as described in the method above.

First, go to https://sso.massopen.cloud/auth/realms/moc/account and, after logging in, go to the password tab and set a password. This password is used to bypass the University/GitHub login and log in directly through SSO.

Using the CLI

Create a .sh file with the following contents:

#!/usr/bin/env bash
export OS_AUTH_URL="https://kaizen.massopen.cloud:13000/v3"
export OS_USERNAME=""
export OS_PROJECT_NAME=""
export OS_PROJECT_DOMAIN_NAME="Default"
echo "Please enter your SSO Password for project $OS_PROJECT_NAME as user $OS_USERNAME: "
read -sr OS_PASSWORD_INPUT
export OS_PASSWORD=$OS_PASSWORD_INPUT
export OS_REGION_NAME="moc-kzn"
export OS_AUTH_TYPE="v3oidcpassword"
export OS_IDENTITY_PROVIDER="moc"
export OS_PROTOCOL="openid"
export OS_CLIENT_ID="kaizen-client"
export OS_CLIENT_SECRET="fac377a9-f2ba-41e7-bb7f-4064dd9f4468"
export OS_ACCESS_TOKEN_ENDPOINT="https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token"
export OS_DISCOVERY_ENDPOINT="https://sso.massopen.cloud/auth/realms/moc/.well-known/openid-configuration"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3

Fill in OS_USERNAME and OS_PROJECT_NAME with your username and the project name to use.

from keystoneauth1 import identity
from keystoneauth1 import session

auth = identity.v3.oidc.OidcPassword(
    'https://kaizen.massopen.cloud:13000/v3',
    identity_provider='moc',
    protocol='openid',
    client_id='kaizen-client',
    client_secret='fac377a9-f2ba-41e7-bb7f-4064dd9f4468',
    access_token_endpoint='https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token',
    discovery_endpoint='https://sso.massopen.cloud/auth/realms/moc/.well-known/openid-configuration',
    username='',
    password='',
    project_name='',
    project_domain_name='Default'
)
s = session.Session(auth)

This session object can be used to instantiate the various clients, like python-novaclient or python-cinderclient.

Clouds.yaml

clouds:
  kaizen_oidc:
    auth:
      username: ""
      password: ""
      project_name: ""
      identity_provider: "moc"
      protocol: "openid"
      client_id: "kaizen-client"
      client_secret: "fac377a9-f2ba-41e7-bb7f-4064dd9f4468"
      access_token_endpoint: "https://sso.massopen.cloud/auth/realms/moc/protocol/openid-connect/token"
      discovery_endpoint: "https://sso.massopen.cloud/auth/realms/moc/.well-known/openid-configuration"
      auth_url: https://kaizen.massopen.cloud:13000/v3
      project_domain_name: "Default"
    region_name: "moc-kzn"
    interface: "public"
    identity_api_version: 3
    auth_type: "v3oidcpassword"
