Why don't we have nova subcommands for user and project creation?

Asked by Deepak Garg on 2012-03-20

Why don't we have nova subcommands for user and project creation? Right now, nova-manage is used with 'user create' and 'project create' subcommands. The problem is:
a. nova-manage doesn't accept tokens, probably because it's meant only for the server side, not the client side. Please correct me if wrong.
b. As a tenant admin I should be able to create users using my token-id and nova cli. It's possible with keystone, but how about without it?

Question information

Language: English
Status: Solved
For: OpenStack Compute (nova)
Assignee: No assignee
Solved by: Deepak Garg
Solved: 2012-03-20
Last query: 2012-03-20
Last reply: 2012-03-20

John Garbutt (johngarbutt) said : #1

Are these not now operations you should do using the keystone API (and keystone-manage)?

I think you only use nova-manage when you use the "legacy" non-keystone auth system, so no real point in implementing nova-api calls for all that stuff.

John Garbutt (johngarbutt) said : #2

Also, if you use horizon, that will let you do most of the user management you will need. I assume those operations are backed by keystone.

Not sure I read your question correctly the first time. Why do you need a way to do the operations that don't involve keystone?

Deepak Garg (deepak.garg) said : #3

Yes, Horizon is backed by Keystone.
There are two workflows people follow:
a. Get token from Keystone, send the command to Keystone with the token, Keystone verifies and sends it to the appropriate service.
b. Get token from Keystone, get the catalog of endpoints, use nova/swift/quantum cli with token, the service in turn verifies the token with the auth system, and executes the cmd

It's the second workflow that won't be fulfilled in this case.
It's probably because user and tenant (project) creation is now supposed to be done only using Keystone.
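
The client side of workflow (b) from reply #3, as an added example that is not part of the original thread or OpenStack's own code: pick a service endpoint from the catalog returned with the token, and refuse to send a token that has already expired. The response layout follows the Keystone v2.0 token format as an assumption; the token id, tenant, host name and helper names are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed sample of a Keystone token response (not from a real deployment).
# Assumption: v2.0-style layout with access.token and access.serviceCatalog.
SAMPLE_ACCESS = json.loads("""
{"access": {
  "token": {"id": "EXAMPLE-TOKEN-ID", "expires": "2012-03-21T10:00:00Z",
            "tenant": {"id": "t1", "name": "demo"}},
  "user": {"name": "demo-admin", "roles": [{"name": "admin"}]},
  "serviceCatalog": [
    {"type": "compute", "name": "nova",
     "endpoints": [{"region": "RegionOne",
                    "publicURL": "http://nova.example.test:8774/v2/t1"}]}
  ]}}
""")


def endpoint_for(access, service_type, region=None):
    """Return the public URL of the first catalog entry matching service_type."""
    for service in access["access"].get("serviceCatalog", []):
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if region is None or ep.get("region") == region:
                return ep["publicURL"]
    raise LookupError(f"no {service_type!r} endpoint in catalog")


def token_is_live(access, now):
    """True if the token's 'expires' timestamp is still in the future."""
    expires = datetime.strptime(
        access["access"]["token"]["expires"], "%Y-%m-%dT%H:%M:%SZ"
    ).replace(tzinfo=timezone.utc)
    return now < expires


def build_request(access, service_type, path, now):
    """Build (url, headers) for a service call; never send an expired token."""
    if not token_is_live(access, now):
        raise PermissionError("token expired; re-authenticate with Keystone")
    url = endpoint_for(access, service_type).rstrip("/") + path
    return url, {"X-Auth-Token": access["access"]["token"]["id"]}
```

The service receiving the `X-Auth-Token` header still validates it with the auth system, as reply #3 describes; the client-side expiry check only avoids sending a token that is already known to be dead.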

John Garbutt (johngarbutt) said : #4

Yes, user and tenants should only be created using Keystone. At least that is my understanding.

Only use the old method when you are using the legacy system (not tried using that one myself, can't remember what state it is in).

I think docs.openstack.org describes that correctly now, as far as I could tell. Worth a check though.

Deepak Garg (deepak.garg) said : #5

Thanks, John