Quickstart for Identity#

The Identity service provides authentication and authorization functionality for other Rackspace Cloud services. The primary way to authenticate is through the generation of tokens: when credentials (such as your username and API key) are successfully validated, a “token” is returned. This token is then sent in the API operations for other Rackspace services, such as provisioning a server or creating a load balancer.

Based on the OpenStack Identity service (codenamed Keystone), Rackspace Cloud Identity also offers user management and basic RBAC functionality for fine-grained access control.

Setup#

In order to interact with the Identity API, various SDKs require some form of client setup:

import (
  "github.com/rackspace/gophercloud"
  osUsers "github.com/rackspace/gophercloud/openstack/identity/v2/users"
  osRoles "github.com/rackspace/gophercloud/openstack/identity/v2/roles"
  "github.com/rackspace/gophercloud/rackspace"
  "github.com/rackspace/gophercloud/rackspace/identity/v2/roles"
  "github.com/rackspace/gophercloud/rackspace/identity/v2/tokens"
  "github.com/rackspace/gophercloud/rackspace/identity/v2/users"
)

provider, err := rackspace.AuthenticatedClient(gophercloud.AuthOptions{
  Username: "{username}",
  APIKey: "{apiKey}",
})

client := rackspace.NewIdentityV2(provider)

// Not currently supported by this SDK

require 'vendor/autoload.php';

use OpenCloud\Rackspace;

$client = new Rackspace(Rackspace::US_IDENTITY_ENDPOINT, array(
    'username' => '{username}',
    'apiKey'   => '{apiKey}'
));

$service = $client->identityService();

// Not currently supported by this SDK

@client = Fog::Identity.new(
  :provider => "Rackspace",
  :rackspace_username => "{username}",
  :rackspace_api_key => "{apiKey}"
)

# For most API operations (ORD, IAD, DFW, SYD, HKG)
export BASE_URL=https://identity.api.rackspacecloud.com/v2.0/

# For LON API operations
export BASE_URL=https://lon.identity.api.rackspacecloud.com/v2.0/

Tokens#

As mentioned above, a token is the primary resource needed for authentication. To use other Rackspace services, you need to send a token in every API operation (as an X-Auth-Token HTTP header) - so authenticating will be your first operation.

A token is composed of a unique ID and an expiry date. Tokens are valid for 24 hours and may not be used after their expiry date.

Authenticate#

Rackspace allows you to authenticate with either your account password or your account API key. Your API key is retrievable in the Control Panel. To find your API key, use the instructions in View and reset your API key.

You can also, optionally, specify tenant details for the user you are authenticating. A “tenant” is a type of user categorization - similar to a group, project, or organization - that provides additional isolation. If a tenantId or tenantName is provided, the token generated will be scoped to that tenant only.

To generate a token with your API key:

opts := gophercloud.AuthOptions{
  Username: "{username}",
  APIKey: "{apiKey}",
}

token, err := tokens.Create(client, opts).ExtractToken()

// Not currently supported by this SDK

// Generating tokens from API keys is handled by default in the main
// OpenCloud\Rackspace client. See "Setup" section.

// Not currently supported by this SDK

// Generating tokens from API keys is handled by default in the main
// Fog::Identity::Rackspace class.

# {username}, {apiKey} below are placeholders, do not enclose '{}' when you
# replace them with actual credentials.

curl -s $BASE_URL"tokens" -X POST \
   -d '{
        "auth":{"RAX-KSKEY:apiKeyCredentials": {
          "username":"{username}",
          "apiKey":"{apiKey}"
        }}
      }' \
   -H "Content-Type: application/json" | python -m json.tool

# From the resulting JSON, set this environment variable:
export TOKEN="{tokenId}"

To generate a token with your account password:

opts := gophercloud.AuthOptions{
  Username: "{username}",
  Password: "{password}",
}

token, err := tokens.Create(client, opts).ExtractToken()

// Not currently supported by this SDK

// Password-based authentication is only available for OpenCloud\OpenStack
// clients

use OpenCloud\OpenStack;

$client = new OpenStack('http://my-openstack.com:35357/v2.0/', array(
    'username'   => '{username}',
    'password'   => '{password}',
    'tenantName' => '{tenantName}'
));

// Not currently supported by this SDK

// This operation is not currently supported.

# {username}, {password} below are placeholders, do not enclose '{}' when you
# replace them with actual credentials.

curl -s $BASE_URL"tokens" -X POST \
   -d '{
        "auth":{"passwordCredentials": {
          "username":"{username}",
          "password":"{password}"
        }}
      }' \
   -H "Content-Type: application/json" | python -m json.tool

# From the resulting JSON, set this environment variable:
export TOKEN="{tokenId}"

Users#

A user is a representation of a person or system that is allowed authenticate and consume other Rackspace API services. Users have their own set of credentials and can be assigned tokens. They can also be assigned to a tenant or region so that they inherit a set of access rights and privileges automatically, based on the tenant or region configuration.

Add user#

Admins may add up to 100 users to an account. The following values are required when creating a new user:

username - the name to assign to the user. It must start with an alphabetical character and have a length of at least 1 character. It may contain upper and lower case characters, and any of the following special characters: . - @ _.
email - the email address
enabled - indicates whether the user can authenticate after their account is created.

You can also specify a password for the user to use. If no password is supplied, the API will automatically generate one and return it in the response.

opts := users.CreateOpts{
  Username: "{username}",
  Email: "{email}",
  Enabled: osUsers.Enabled,
}

user, err := users.Create(client, opts).Extract()

// Not currently supported by this SDK

$user = $service->createUser(array(
  'username' => 'newUser',
  'email'    => 'foo@bar.com',
  'enabled'  => true,
));

echo $user->getPassword();

// Not currently supported by this SDK

user = @client.users.create(
  :username => "{username}",
  :email => "{email}",
  :enabled => true
)

curl -s $BASE_URL"users" -X POST -d \
'{
  "user": {
    "username": "jqsmith",
    "email": "john.smith@example.org",
    "enabled": true
    }
 }' -H "Content-Type: application/json" \
 -H "X-Auth-Token: $TOKEN" | python -m json.tool

Update user#

To update a user, you need the user’s unique ID. If you’re unsure what that ID is, one option is to list all your users and retrieve it by checking by username (see List users section).

opts := users.UpdateOpts{Username: "{newUsername}"}
user, err := users.Update(client, "{userId}", opts).Extract()

// Not currently supported by this SDK

$user->update(array(
  'username' => '{newUsername}'
));

// Not currently supported by this SDK

// Retrieve user by name
user = @client.users.get_by_name("{username}")

// ... or by ID
user = @client.users.get("{userId}")

user.username = "{newUsername}"
user.save

curl -s $BASE_URL"users/{userId}" -X POST -H "X-Auth-Token: $TOKEN" \
  -d '{"user": {"username": "{newUsername}" }}' \
  -H "Content-Type: application/json" | python -m json.tool

List users#

If an admin executes this operation (i.e. a user with the identity:user-admin role), it will return all users for the tenant. To refine this collection, you have the option of passing in a name or email.

If a normal user executes this operation (a user with the identity:default role), it will only return information about the user’s own account.

err := users.List(client).EachPage(func(page pagination.Page) (bool, error) {
  userList, err := users.ExtractUsers(page)

  for _, user := range userList {
    fmt.Printf("ID: %s, Name: %s", user.ID, user.Username)
  }

  return true, nil
})

// Not currently supported by this SDK

$users = $service->getUsers();

foreach ($users as $user) {
  printf("ID: %s, Name: %s", $user->getId(), $user->getName());
}

// Not currently supported by this SDK

@client.users.all

curl -s $BASE_URL"users" -X GET -H "X-Auth-Token: $TOKEN" | python -m json.tool

Delete user#

_, err := users.Delete(client, "{userId}").Extract()

// Not currently supported by this SDK

$user->delete();

// Not currently supported by this SDK

user.destroy

curl -s $BASE_URL"users/{userId}" -X DELETE -H "X-Auth-Token: $TOKEN"

Reset API key#

It is recommended that you routinely reset API keys and passwords. This operation will return a new API key for the user, but will not revoke existing tokens.

newKey, err := users.ResetAPIKey(client, "{userId}").Extract()

// Not currently supported by this SDK

$user->resetApiKey();

echo $user->getApiKey();

// Not currently supported by this SDK

// Not currently supported

curl -s $BASE_URL"users/{userId}/OS-KSADM/credentials/RAX-KSKEY:apiKeyCredentials/RAX-AUTH/reset" \
  -X POST -H "Content-Type: application/json" \
  -H "X-Auth-Token: $TOKEN" | python -m json.tool

Roles#

A role is a logical grouping of access rights that allow users to do things. There are two types of role for the Identity service: global roles and product roles. Global roles define access and permissions across all Rackspace systems; product roles are more granular: they define access and permissions for one service only (e.g. Cloud Servers).

List all roles#

err := roles.List(client).EachPage(func(page pagination.Page) (bool, error) {
  roleList, err := osRoles.ExtractRoles(page)

  for _, role := range roleList {
    fmt.Printf("ID: %s, Name: %s", role.ID, role.Name)
  }

  return true, nil
})

// Not currently supported by this SDK

$roles = $service->getRoles();

foreach ($roles as $role) {
  printf("ID: %s, Name: %s", $role->getId(), $role->getName());
}

// Not currently supported by this SDK

@client.roles.all

curl -s $BASE_URL"OS-KSADM/roles" -X GET -H "X-Auth-Token: $TOKEN" \
  | python -m json.tool

Add role to user#

err := roles.AddUserRole(client, "{userId}", "{roleId}").ExtractErr()

// Not currently supported by this SDK

$user->addRole('{roleId}');

// Not currently supported by this SDK

// This operation is not currently supported.

curl -s $BASE_URL"users/{userId}/roles/OS-KSADM/{roleId}" \
   -X PUT -H "X-Auth-Token: $TOKEN"

Delete role from user#

err := roles.DeleteUserRole(client, "{userId}", "{roleId}").ExtractErr()

// Not currently supported by this SDK

$user->removeRole('{roleId}');

// Not currently supported by this SDK

// Not currently supported

curl -s $BASE_URL"users/{userId}/roles/OS-KSADM/{roleId}" \
  -X DELETE -H "X-Auth-Token: $TOKEN"

More information#

This quickstart is intentionally brief, demonstrating only a few basic operations. To learn more about interacting with Rackspace cloud services, explore the following sites:

Developer documentation provides detailed explanations and extensive examples to help you use APIs supported by Rackspace.
Support documentation provides short tutorials, FAQ documents, and basic startup guidance. Its primary focus is the Cloud Control Panel.

I’m Coding in: