Skip to content

Latest commit

 

History

History
117 lines (82 loc) · 6.95 KB

05.md

File metadata and controls

117 lines (82 loc) · 6.95 KB
Raw

+++ date = "2015-09-30" draft = false weight = 5 title = "Lab 05 - RESTful Messages" +++

Lab Duration: 20 minutes

Lab Objective

The objective of this lab is to take a look at what is going on under the hood when you authenticate to Keystone, in addition to studying the nature of RESTful messages. This task will be completed with assistance by the cURL command. Before we get started, remember that endpoints are URLs that point to OpenStack services. When you authenticate to Keystone you get back a token which has a service catalog in it. The service catalog is basically a list of the OpenStack services that you have access to and the URLs you can use to get to them; their endpoints.

NOTE: The OpenStack API documentation is available here: http://developer.openstack.org/api-ref.html

1. Endpoint field definitions (reference)

  1. The schema definition for an endpoint is in endpoints.xsd under keystone/content/common/xsd in the Keystone code repo. The fields are:

    • id - A unique ID for the endpoint.

    • type - The OpenStack-registered type (ex. 'compute', 'object-store', 'image service') This can also be extended using the OpenStack Extension mechanism to support non-core services. Extended services will be in the form extension:type (e.g. dnsextension:dns)

    • **name **- This can be anything that the operator of OpenStack chooses. It could be a brand or marketing name (ex. Rackspace Cloud Servers).

    • region - This is a string that identifies the region where this endpoint exists. Examples are 'North America', 'Europe', 'Asia'. Or 'North' and 'South'. Or 'Data Center 1', 'Data Center 2'. The list of regions and what a region means is decided by the operator. The spec treats them as opaque strings.

    • publicURL - This is the URL to use to access that endpoint over the internet.

    • internalURL- This is the URL to use to communicate between services. This is genenrally a way to communicate between services over a high bandwidth, low latency, unmetered (free, no bandwidth charges) network. An example would be if you want to access a swift cluster from inside your Nova VMs and want to make sure the communication stays local and does not go over a public network and rack up your bandwidth charges.

    • adminURL - This is the URL to use to administer the service. In Keystone, this URL is only shown to users with the appropriate rights.

    • tenantId - If an endpoint is specific to a tenant, the tenantId field identifies the tenant that URL applies to. Some operators include the tenant in the URLs for a service, while others may provide one endpoint and use some other mechanism to identify the tenant. This field is therefore optional. Having this field also means you do not have to parse the URL to identify a tenant if the operator includes it in the URL.

    • versionId - This identifies the version of the API contract that endpoint supports. While many APIs include the version in the URL (ex: https://compute.host/v1), this field allows you to identify the version without parsing the URL. It therefore also allows operators and service developers to publish endpoints that do not have versions embedded in the URL.

2. Issue a cURL command to the OpenStack Identity Service (Keystone)

  1. SSH to your controller as root, you might use:

  • Your browser (https://sshproxy.alta3.training/)

    Once logged into the browser, type screen -x <last initial><first initial> to return to your previous session

  • Alternative, you may use PuTTY (Windows), or Terminal (Apple)

  1. Cut and paste the following to cURL the keystone endpoint.

    curl -s -X POST http://192.168.0.10:5000/v2.0/tokens -H "Content-Type: application/json" -d '{"auth":{"tenantName":"admin","passwordCredentials":{"username":"admin","password":"alta3"}}}' | python -m json.tool | less

    -s Silent or quiet mode (don't show error or progress messages)
    -X Forces the method that follows (this HTTP message must use a POST in this case)
    -H Include this header
    -d Send this data in the body of the POST
    python -m json.tool Formats the output in a 'pretty' manner
    less Launches the less utility so we can easily scroll up and down

    For students who do not have much experience using the less command:

    Press CTRL + F to go forward one window, and CTRL + B to go back one window Press CTRL + D to go forward one half window, and CTRL + U to go back one half window Press q to quit Less utility and return to the CLI If you have never used the less utility, you might find the following cheat sheet useful (http://sheet.shiar.nl/less)

  2. Here is a snippet of what will be returned, but we're going to take some time to see if we can understand it all.

    {
  "endpoints": [
      {
          "adminURL": "http://192.168.0.10:8774/v2/300b2cc45c3846939e589310ae714e46",
          "id": "5aed2a95d76c42728b89804900f4ab85",
          "internalURL": "http://192.168.0.10:8774/v2/300b2cc45c3846939e589310ae714e46",
          "publicURL": "http://192.168.0.10:8774/v2/300b2cc45c3846939e589310ae714e46",
          "region": "RegionOne"
      }
  ],
  "endpoints_links": [],
  "name": "nova",
  "type": "compute"
}

  3. Based on the output returned to you, answer the following questions:

    • What services are available to this user?
    • What user's service catalog was returned?
    • Was this user given a token?
    • How long is this token good for? (what amount of time?)
    • What is Nova's Admin URL?
    • To what region are these services associated?

  4. The information we just studied was in the body of an HTTP response. Let's tweak our cURL command, and take a look at the HTTP responses that come back.

    curl -v -X POST http://192.168.0.10:5000/v2.0/tokens -H "Content-Type: application/json" -d '{"auth":{"tenantName":"admin","passwordCredentials":{"username":"admin","password":"alta3"}}}'

  • The json message body is no longer displayed in a pretty manner, but that's alright. What is the type of HTTP response that was returned?

    Hint: This HTTP response indicates success.

  1. Just for fun, let's issue another cURL command, but this time change the password we are passing so that it is incorrect.

    curl -v -X POST http://192.168.0.10:5000/v2.0/tokens -H "Content-Type: application/json" -d '{"auth":{"tenantName":"admin","passwordCredentials":{"username":"admin","password":"alta34567"}}}' | python -m json.tool | less
  • What is the type of HTTP response that was returned? Was any json returned in the message body? Why not?

  1. That's it for this lab! While other students are finishing up, feel free to play around with other permutations of the cURL command.

    Some content of this lab was inspired and adapted from https://github.com/mseknibilel/OpenStack-Install-and-Understand-Guide

    More on Git & GitHub later...