1.2. Authentication
Each request to compute API endpoints requires a token that you can obtain by performing password authentication with scoped authorization.
Send a POST request to https://<node_IP_addr>:5000/v3/auth/tokens, where <node_IP_addr> is the IP address of a compute cluster node.
If authorization is successful, the response will contain the token in the X-Subject-Token header. Pass it in the X-Auth-Token header in all requests.
Note
You can secure traffic to compute API endpoints as described in Securing OpenStack API Traffic with SSL. You can also set a DNS name for the endpoints as explained in Setting a DNS Name for the Compute API.
To perform administrative actions, authorize in the admin project with the admin’s password.
Sample request:
# curl -ksD - -o /dev/null -H 'Content-Type: application/json' -d '
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "admin",
                    "domain": {
                        "id": "default"
                    },
                    "password": "admin_password"
                }
            }
        },
        "scope": {
            "project": {
                "name": "admin",
                "domain": {
                    "id": "default"
                }
            }
        }
    }
}' https://<node_IP_addr>:5000/v3/auth/tokens
Sample response:
HTTP/1.1 201 CREATED
Server: nginx
Date: Fri, 24 Jan 2020 12:42:01 GMT
Content-Type: application/json
Content-Length: 7947
Connection: keep-alive
X-Subject-Token: gAAAAA<...>
Vary: X-Auth-Token
x-openstack-request-id: req-f732464d-62b4-44fd-92fa-ea368efc9a36
Regular users added to a project can authorize in that project in a similar way. They will need to specify the ID of the domain that the project is in. An authorized admin can find out which projects are in which domains by sending a GET request to https://<node_IP_addr>:5000/v3/projects (see Listing projects for more details).
Sample request:
# curl -ksD - -o /dev/null -H 'Content-Type: application/json' -d '
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "name": "user1",
                    "domain": {
                        "id": "cdc759b962e34e67997f59f8b1c21027"
                    },
                    "password": "user1_password"
                }
            }
        },
        "scope": {
            "project": {
                "name": "project1",
                "domain": {
                    "id": "cdc759b962e34e67997f59f8b1c21027"
                }
            }
        }
    }
}' https://<node_IP_addr>:5000/v3/auth/tokens
Sample response:
HTTP/1.1 201 CREATED
Server: nginx
Date: Fri, 24 Jan 2020 12:42:01 GMT
Content-Type: application/json
Content-Length: 7947
Connection: keep-alive
X-Subject-Token: gAAAAA<...>
Vary: X-Auth-Token
x-openstack-request-id: req-99df744f-4752-4b03-9695-ea6ec4447173
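Added example (not part of the original documentation): shell helpers that wrap the token request shown above for both the admin and the regular-user case, keeping the password out of the curl command line and failing when no X-Subject-Token header comes back. The function names, the OS_PASSWORD and OS_CACERT variables, and the use of --cacert in place of -k are assumptions of this example.

```shell
#!/bin/sh
# Added example; function and variable names are this example's own choices.

# Escape backslashes and double quotes so a value is safe inside a JSON string.
# Control characters are not handled.
json_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

# Build the project-scoped password auth body. The password is read from
# OS_PASSWORD (assumed variable) so it never appears in a process listing.
# Args: user, user domain ID, project, project domain ID.
auth_body() {
    [ -n "${OS_PASSWORD:-}" ] || { echo "OS_PASSWORD is not set" >&2; return 1; }
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"id":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"id":"%s"}}}}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$OS_PASSWORD")" \
        "$(json_escape "$3")" "$(json_escape "$4")"
}

# Read a response header dump on stdin and print the X-Subject-Token value.
# Header names are matched case-insensitively; exit status is 1 when the
# header is absent, for example after a failed authorization.
extract_token() {
    tr -d '\r' | awk '
        { i = index($0, ":") }
        i && tolower(substr($0, 1, i - 1)) == "x-subject-token" && tok == "" {
            tok = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", tok)
        }
        END { if (tok == "") exit 1; print tok }'
}

# Request a token from a compute cluster node and print it.
# Args: node address, user, user domain ID, project, project domain ID.
# The server certificate is verified against OS_CACERT (assumed variable
# holding the path to the CA certificate that signed the endpoint certificate).
get_token() {
    node=$1; shift
    auth_body "$@" |
        curl -sS --cacert "${OS_CACERT:?set OS_CACERT to the CA certificate path}" \
             -D - -o /dev/null -H 'Content-Type: application/json' \
             --data @- "https://${node}:5000/v3/auth/tokens" |
        extract_token
}
```

For example, `TOKEN=$(get_token <node_IP_addr> user1 cdc759b962e34e67997f59f8b1c21027 project1 cdc759b962e34e67997f59f8b1c21027)` stores the token for use in the X-Auth-Token header of later requests.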