Python openstacksdk列表服务器身份验证错误

Question

我一直在尝试使用openstacksdk library从我的云中查询数据，特别是项目实例。但是，当我使用像这样列出实例时：

import openstack

conn = openstack.connection.Connection(session=sess)
servers = conn.compute.servers(all_projects=True)

我收到以下错误，它挂起了一段时间，我猜它是反复尝试身份验证：

...
REQ: curl -g -i -X GET https://booboo-booboo.com:443/v2.1 -H "Accept: application/json" -H "User-Agent: test.py keystoneauth1/4.2.1 python-requests/2.24.0 CPython/3.8.5"
RESP: [401] Content-Length: 114 Content-Type: application/json Date: Sat, 05 Sep 2020 00:32:26 GMT Www-Authenticate: Keystone uri='https://booboo-booboo.com:443/v2.0' X-Compute-Request-Id: req-a25d0bd5-6297-4d2b-80b9-4da1d5993c6d
RESP BODY: {"error": {"message": "The request you have made requires authentication.", "code": 401, "title": "Unauthorized"}}
...

所以我改用nova client API bindings来连接：

from novaclient import client

conn = client.Client('2', session=sess)
servers = conn.servers.list(detailed=True)  

并成功列出了所有实例：

...
REQ: curl -g -i -X GET https://booboo-booboo.com:443/v2.1/12ecf4ae6a374ca6b21e58a17fed92c3/servers/detail -H "Accept: application/json" -H "User-Agent: python-novaclient" -H "X-Auth-Token: {SHA256}4c803dc6ba5fb03e5cd69ce7c83cef9167e0570dcaa503baeb245fee7c538981"
RESP: [200] Content-Length: 15 Content-Type: application/json Date: Sat, 05 Sep 2020 00:50:49 GMT Openstack-Api-Version: compute 2.1 Vary: OpenStack-API-Version, X-OpenStack-Nova-API-Version X-Compute-Request-Id: req-401556a9-49e4-4e09-96ce-118536be6b46 X-Openstack-Nova-Api-Version: 2.1
RESP BODY: {"servers": []}
GET call to compute for https://booboo-booboo.com:443/v2.1/12ecf4ae6a374ca6b21e58a17fed92c3/servers/detail used request id req-401556a9-49e4-4e09-96ce-118536be6b46
...

我看过他们的openstackclient CLI tool

openstack server list --all-projects --timing --debug

当运行时，它也可以工作，并且使用debug标志，它会显示以下输出：

...
compute API version 2.1, cmd group openstack.compute.v2
identity API version 3, cmd group openstack.identity.v3
image API version 2, cmd group openstack.image.v2
network API version 2, cmd group openstack.network.v2
object_store API version 1, cmd group openstack.object_store.v1
volume API version 3, cmd group openstack.volume.v3
neutronclient API version 2, cmd group openstack.neutronclient.v2
command: server list -> openstackclient.compute.v2.server.ListServer (auth=True)
...

我猜它正在为每个服务初始化多个不同的必要客户端。所以我的问题是，有没有一种方法可以使用openstacksdk来做同样的事情，因为我需要从OpenStack查询多个服务，并且我真的不想跟踪不同服务的几个不同客户端。

以下是创建session对象的代码：

from keystoneauth1.identity import v3
from keystoneauth1 import session
from keystoneauth1 import loading

def create_loader():
    loader = loading.get_plugin_loader('password')
    auth = loader.load_from_options(
        auth_url=os.environ['OS_AUTH_URL'],
        username=os.environ['OS_USERNAME'],
        password=os.environ['OS_PASSWORD'],
        project_id=os.environ['OS_PROJECT_ID'],
        user_domain_name=os.environ['OS_USER_DOMAIN_NAME']
        )
    sess = session.Session(auth=auth)
    return sess

Answer 1

在我看来，问题可能出在OpenStack参数(文件: clouds.yaml)的规范中。如果执行以下代码：

import openstack

# Initialize and turn on debug logging
openstack.enable_logging(debug=True)

# Initialize cloud
conn = openstack.connect(cloud='yourcloud')

for server in conn.compute.servers(all_projects=True):
  print(server.to_dict())

配置文件应该是这样的：

clouds:
  yourcloud:
    region_name: <your region name>
    auth:
      username: '<username>'
      password: '<password>'
      project_name: '<project name>'
      auth_url: '<keystone auth. url>'
      domain_name: '<domain name>'

如果您没有多地域，则可以不使用该参数(region_name)。如果您在您的环境中定义了域名，则通常会请求域名。

鉴于此，请检查keystone url的配置数据，因为看起来您调用的是版本2，但openstacksdk给出了以下信息：

identity API version 3, cmd group openstack.identity.v3

尝试在auth_url的定义中使用版本3