{"id":2978,"library":"keystoneauth1","title":"KeystoneAuth1","description":"KeystoneAuth1 is the common authentication library for OpenStack clients, providing a standard way to handle authentication and service requests within the OpenStack ecosystem. It is designed to simplify writing new clients and works in conjunction with existing OpenStack clients. The current stable version is 5.13.1, with releases typically tied to the OpenStack development cycle, offering frequent updates and bug fixes.","status":"active","version":"5.13.1","language":"en","source_language":"en","source_url":"https://opendev.org/openstack/keystoneauth","tags":["openstack","authentication","identity","keystone","cloud"],"install":[{"cmd":"pip install keystoneauth1","lang":"bash","label":"Install stable version"}],"dependencies":[],"imports":[{"note":"Authentication plugins for different API versions (v2, v3) are found under `keystoneauth1.identity` and then the specific version submodule (e.g., `v3`).","wrong":"from keystoneauth1.identity.password import Password","symbol":"Password","correct":"from keystoneauth1.identity import v3; auth = v3.Password(...)"},{"note":"KeystoneAuth1 introduced its own `Session` class, replacing the one previously used from `python-keystoneclient`.","wrong":"from keystoneclient.session import Session","symbol":"Session","correct":"from keystoneauth1 import session; sess = session.Session(...)"},{"note":"The Adapter class provides a consistent way to interact with OpenStack services.","symbol":"Adapter","correct":"from keystoneauth1.adapter import Adapter"}],"quickstart":{"code":"import os\nfrom keystoneauth1 import session\nfrom keystoneauth1.identity import v3\n\n# Environment variables for authentication\nOS_AUTH_URL = os.environ.get('OS_AUTH_URL', 'http://localhost:5000/v3')\nOS_USERNAME = os.environ.get('OS_USERNAME', 'admin')\nOS_PASSWORD = os.environ.get('OS_PASSWORD', 'password')\nOS_PROJECT_NAME = os.environ.get('OS_PROJECT_NAME', 'admin')\nOS_USER_DOMAIN_NAME = os.environ.get('OS_USER_DOMAIN_NAME', 'Default')\nOS_PROJECT_DOMAIN_NAME = os.environ.get('OS_PROJECT_DOMAIN_NAME', 'Default')\n\n# Configure authentication plugin\nauth = v3.Password(\n    auth_url=OS_AUTH_URL,\n    username=OS_USERNAME,\n    password=OS_PASSWORD,\n    project_name=OS_PROJECT_NAME,\n    user_domain_name=OS_USER_DOMAIN_NAME,\n    project_domain_name=OS_PROJECT_DOMAIN_NAME\n)\n\n# Create a session\nsess = session.Session(auth=auth)\n\n# Example: Authenticate and get a token (actual API calls would use sess.get(), sess.post(), etc.)\ntry:\n    token = sess.get_token()\n    print(f\"Successfully authenticated. Token: {token[:10]}...\")\nexcept Exception as e:\n    print(f\"Authentication failed: {e}\")","lang":"python","description":"This quickstart demonstrates basic V3 password authentication using environment variables for credentials. It initializes a V3 password authentication plugin and creates a session, then attempts to retrieve an authentication token."},"warnings":[{"fix":"Update all `Session` imports to `from keystoneauth1 import session` and adapt code to the new `keystoneauth1.session.Session` API. Consult the official 'Migrating from keystoneclient' guide for detailed instructions.","message":"Migration from `python-keystoneclient` to `keystoneauth1` required significant import path changes and a different API for session management. The `Session` class moved from `keystoneclient.session` to `keystoneauth1.session`.","severity":"breaking","affected_versions":"< 1.0.0 (keystoneauth1) and python-keystoneclient usage"},{"fix":"Verify the `auth_url` is correct and accessible. Ensure the Keystone service is running and properly configured. If using HTTPS, confirm that SSL certificates are valid and correctly configured, and that any necessary CA certificates are trusted by the client environment. Check network connectivity to the Keystone endpoint.","message":"Encountering `keystoneauth1.exceptions.discovery.DiscoveryFailure` often indicates an incorrect `auth_url`, a misconfigured Keystone endpoint, or issues with SSL certificate verification. The error message 'Could not find versioned identity endpoints when attempting to authenticate' is common.","severity":"gotcha","affected_versions":"All versions"},{"fix":"Ensure the certificate chain for your Keystone endpoint is trusted. You can specify a CA bundle using the `cacert` parameter when creating a `Session`. For development/testing, `insecure=True` can temporarily disable SSL verification, but this is not recommended for production.","message":"When working with SSL/TLS, `keystoneauth1` might raise `SSLError` or `ConnectionError` if certificate verification fails or the connection times out. This can be due to self-signed certificates, missing CA certificates, or network issues.","severity":"gotcha","affected_versions":"All versions"}],"env_vars":null,"last_verified":"2026-04-11T00:00:00.000Z","next_check":"2026-07-10T00:00:00.000Z"}