openstack/openstack-manuals
Code Issues Proposed changes
44c29ece34
openstack-manuals/doc/install-guide/section_identity-verify-install.xml
Diane Fleming 64b6c9261e Folder rename, file rename, flattening of directories 
Current folder name	New folder name	        Book title
----------------------------------------------------------
basic-install 	        DELETE
cli-guide	        DELETE
common	                common
NEW	                admin-guide-cloud	Cloud Administrators Guide
docbkx-example	        DELETE
openstack-block-storage-admin 	DELETE
openstack-compute-admin 	DELETE
openstack-config 	config-reference	OpenStack Configuration Reference
openstack-ha 	        high-availability-guide	OpenStack High Availabilty Guide
openstack-image	        image-guide	OpenStack Virtual Machine Image Guide
openstack-install 	install-guide	OpenStack Installation Guide
openstack-network-connectivity-admin 	admin-guide-network 	OpenStack Networking Administration Guide
openstack-object-storage-admin 	DELETE
openstack-security 	security-guide	OpenStack Security Guide
openstack-training 	training-guide	OpenStack Training Guide
openstack-user 	        user-guide	OpenStack End User Guide
openstack-user-admin 	user-guide-admin	OpenStack Admin User Guide
glossary	        NEW        	OpenStack Glossary

bug: #1220407

Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7
author: diane fleming
2013-09-08 15:15:50 -07:00

114 lines
5.5 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="verifying-identity-install"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Verifying the Identity Service Installation</title>
<para>
Verify that authentication is behaving as expected by using your
established username and password to generate an authentication token:
</para>
<screen><prompt>$</prompt> <userinput>keystone --os-username=admin --os-password=secrete --os-auth-url=http://192.168.206.130:35357/v2.0 token-get</userinput>
<computeroutput>
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| expires | 2012-10-04T16:08:03Z |
| id | 960ad732a0eb4b2a88516f18384c1fba |
| user_id | a4c2d43f80a549a19864c89d759bb3fe |
+----------+----------------------------------+
</computeroutput></screen>
<para>
You should receive a token in response, paired with your user ID.
</para>
<para>
This verifies that keystone is running on the expected endpoint, and
that your user account is established with the expected credentials.
</para>
<para>
Next, verify that authorization is behaving as expected by requesting
authorization on a tenant:
</para>
<screen><prompt>$</prompt> <userinput>keystone --os-username=admin --os-password=secrete --os-tenant-name=demo --os-auth-url=http://192.168.206.130:35357/v2.0 token-get</userinput>
<computeroutput>
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2012-10-04T16:10:14Z |
| id | 8787f264d2a34607b37aa8d58d956afa |
| tenant_id | c1ac0f7f0e55448fa3940fa6b8b54911 |
| user_id | a4c2d43f80a549a19864c89d759bb3fe |
+-----------+----------------------------------+
</computeroutput></screen>
<para>You should receive a new token in response, this time including the ID
of the tenant you specified.</para>
<para>This verifies that your user account has an explicitly defined role on
the specified tenant, and that the tenant exists as expected.</para>
<para>You can also set your <literal>--os-*</literal> variables in your
environment to simplify CLI usage.</para>
<para>Best practice for bootstrapping the first administrative user is to
use the OS_SERVICE_ENDPOINT and OS_SERVICE_TOKEN together as environment
variables.</para>
<para>Once the admin user credentials are established, you can set up a
<literal>keystonerc</literal> file with the admin credentials and
admin endpoint (note the use of port 35357):</para>
<programlisting language="bash">export OS_USERNAME=admin
export OS_PASSWORD=secrete
export OS_TENANT_NAME=demo
export OS_AUTH_URL=http://192.168.206.130:35357/v2.0</programlisting>
<para>
Save and source the <filename>keystonerc</filename> file.
</para>
<screen><prompt>$</prompt> <userinput>source keystonerc</userinput></screen>
<para>
Verify that your <literal>keystonerc</literal> is configured correctly
by performing the same command as above, but without any
<literal>--os-*</literal> arguments.
</para>
<screen><prompt>$</prompt> <userinput>keystone token-get</userinput>
<computeroutput>
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2012-10-04T16:12:38Z |
| id | 03a13f424b56440fb39278b844a776ae |
| tenant_id | c1ac0f7f0e55448fa3940fa6b8b54911 |
| user_id | a4c2d43f80a549a19864c89d759bb3fe |
+-----------+----------------------------------+
</computeroutput></screen>
<para>The command returns a token and the ID of the specified tenant.</para>
<para>
This verifies that you have configured your environment variables
correctly.
</para>
<para>
Finally, verify that your admin account has authorization to perform
administrative commands.
</para>
<note>
<title>Reminder</title>
<para>Unlike basic authentication/authorization, which can be performed
against either port 5000 or 35357, administrative commands MUST be
performed against the admin API port: 35357). This means that you
MUST use port 35357 in your <literal>OS_AUTH_URL</literal> or
<literal>--os-auth-url</literal> setting when working with
keystone CLI.</para>
</note>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput>
<computeroutput>
+----------------------------------+---------+-------+--------+
| id | enabled | email | name |
+----------------------------------+---------+-------+--------+
| 318003c9a97342dbab6ff81675d68364 | True | None | swift |
| 3a316b32f44941c0b9ebc577feaa5b5c | True | None | nova |
| ac4dd12ebad84e55a1cd964b356ddf65 | True | None | glance |
| a4c2d43f80a549a19864c89d759bb3fe | True | None | admin |
| ec47114af7014afd9a8994cbb6057a8b | True | None | ec2 |
+----------------------------------+---------+-------+--------+
</computeroutput></screen>
<para>
This verifies that your user account has the <literal>admin</literal>
role, as defined in keystone's <literal>policy.json</literal> file.
</para>
</section>
View Git Blame Copy Permalink