openstack/openstack-manuals
Code Issues Proposed changes
64382db86e
openstack-manuals/doc/install-guide/section_identity-install-keystone.xml
Diane Fleming 64b6c9261e Folder rename, file rename, flattening of directories 
Current folder name	New folder name	        Book title
----------------------------------------------------------
basic-install 	        DELETE
cli-guide	        DELETE
common	                common
NEW	                admin-guide-cloud	Cloud Administrators Guide
docbkx-example	        DELETE
openstack-block-storage-admin 	DELETE
openstack-compute-admin 	DELETE
openstack-config 	config-reference	OpenStack Configuration Reference
openstack-ha 	        high-availability-guide	OpenStack High Availabilty Guide
openstack-image	        image-guide	OpenStack Virtual Machine Image Guide
openstack-install 	install-guide	OpenStack Installation Guide
openstack-network-connectivity-admin 	admin-guide-network 	OpenStack Networking Administration Guide
openstack-object-storage-admin 	DELETE
openstack-security 	security-guide	OpenStack Security Guide
openstack-training 	training-guide	OpenStack Training Guide
openstack-user 	        user-guide	OpenStack End User Guide
openstack-user-admin 	user-guide-admin	OpenStack Admin User Guide
glossary	        NEW        	OpenStack Glossary

bug: #1220407

Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7
author: diane fleming
2013-09-08 15:15:50 -07:00

654 lines
38 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="install-keystone"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Installing and Configuring the Identity Service</title>
<para>Install the Identity service on any server that is accessible
to the other servers you intend to use for OpenStack services, as
root:</para>
<screen os="ubuntu;deb"><prompt>#</prompt> <userinput>apt-get install keystone python-keystone python-keystoneclient</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>$</prompt> <userinput>yum install openstack-utils openstack-keystone python-keystoneclient</userinput></screen>
<screen os="opensuse"><prompt>$</prompt> <userinput>zypper install openstack-utils openstack-keystone python-keystoneclient</userinput></screen>
<para>After installing, you need to delete the sqlite database it
creates, then change the configuration to point to a MySQL
database. This configuration enables easier scaling scenarios
since you can bring up multiple Keystone front ends when needed,
and configure them all to point back to the same database. Plus a
database backend has built-in data replication features and
documentation surrounding high availability and data redundancy
configurations.</para>
<para os="ubuntu">Delete the <filename>keystone.db</filename> file created in
the <filename>/var/lib/keystone</filename>
directory.<screen><prompt>#</prompt> <userinput>rm /var/lib/keystone/keystone.db</userinput></screen></para>
<para os="rhel;centos;fedora;opensuse">Delete the <filename>keystone.db</filename> file created in
the <filename>/var/lib/keystone</filename>
directory.<screen><prompt>$</prompt> <userinput>sudo rm /var/lib/keystone/keystone.db</userinput></screen></para>
<para>Configure the production-ready backend data store rather than
using the catalog supplied by default for the ability to back up
the service and endpoint data. This example shows MySQL.</para>
<para>The following sequence of commands will create a MySQL
database named "keystone" and a MySQL user named "keystone" with
full access to the "keystone" MySQL database.</para>
<para>On Fedora, RHEL, CentOS, and openSUSE, you can configure the Keystone
database with the <command>openstack-db</command>
command.<screen os="rhel;centos;fedora;opensuse"><prompt>$</prompt> <userinput>sudo openstack-db --init --service keystone</userinput> </screen></para>
<para>To manually create the database, start the <command>mysql</command> command line client by
running:</para>
<screen><prompt>$</prompt> <userinput>mysql -u root -p</userinput></screen>
<para>Enter the mysql root user's password when prompted.</para>
<para>To configure the MySQL database, create the keystone
database.</para>
<screen><prompt>mysql&gt;</prompt> <userinput>CREATE DATABASE keystone;</userinput></screen>
<para>Create a MySQL user for the newly-created keystone database that has full control of the
keystone database.</para>
<note>
<title>Note</title>
<para>Choose a secure password for the keystone user and replace
all references to
<replaceable>[YOUR_KEYSTONEDB_PASSWORD]</replaceable> with
this password.</para>
</note>
<screen><prompt>mysql&gt;</prompt> <userinput>GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '<replaceable>[YOUR_KEYSTONEDB_PASSWORD]</replaceable>';</userinput>
<prompt>mysql&gt;</prompt> <userinput>GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '<replaceable>[YOUR_KEYSTONEDB_PASSWORD]</replaceable>';</userinput></screen>
<note>
<para>In the above commands, even though the <literal>'keystone'@'%'</literal> also matches
<literal>'keystone'@'localhost'</literal>, you must explicitly specify the
<literal>'keystone'@'localhost'</literal> entry.</para>
<para>By default, MySQL will create entries in the user table with <literal>User=''</literal>
and <literal>Host='localhost'</literal>. The <literal>User=''</literal> acts as a wildcard,
matching all users. If you do not have the <literal>'keystone'@'localhost'</literal> account,
and you try to log in as the keystone user, the precedence rules of MySQL will match against
the <literal>User='' Host='localhost'</literal> account before it matches against the
<literal>User='keystone' Host='%'</literal> account. This will result in an error message
that looks like:</para>
<para>
<screen><computeroutput>ERROR 1045 (28000): Access denied for user 'keystone'@'localhost' (using password: YES)</computeroutput></screen>
</para>
<para>Thus, we create a separate <literal>User='keystone' Host='localhost'</literal> entry
that will match with higher precedence.</para>
<para>See the <link xlink:href="http://dev.mysql.com/doc/refman/5.5/en/connection-access.html"
>MySQL documentation on connection verification</link> for more details on how MySQL
determines which row in the user table it uses when authenticating connections.</para>
</note>
<para>Enter quit at the <literal>mysql></literal> prompt to exit
MySQL.</para>
<screen><prompt>mysql&gt;</prompt> <userinput>quit</userinput></screen>
<note>
<title>Reminder</title>
<para>Recall that this document assumes the Cloud Controller node
has an IP address of <literal>192.168.206.130</literal>.</para>
</note>
<para>Once Keystone is installed, it is configured via a primary
configuration file
(<filename>/etc/keystone/keystone.conf</filename>), a PasteDeploy
configuration file
(<filename>/etc/keystone/keystone-paste.ini</filename>) and by
initializing data into keystone using the command line client. By
default, Keystone's data store is sqlite. To change the data store
to mysql, change the line defining <literal>connection</literal> in
<filename>/etc/keystone/keystone.conf</filename> like so:</para>
<programlisting>connection = mysql://keystone:<replaceable>[YOUR_KEYSTONEDB_PASSWORD]</replaceable>@192.168.206.130/keystone</programlisting>
<para>Also, ensure that the proper <emphasis role="italic">service token</emphasis> is used in the
<filename>keystone.conf</filename> file. An example is provided in the Appendix or you can
generate a random string. The sample token is:</para>
<programlisting>admin_token = 012345SECRET99TOKEN012345</programlisting>
<screen os="rhel;centos;fedora;opensuse"><prompt>$</prompt> <userinput>export ADMIN_TOKEN=$(openssl rand -hex 10)</userinput>
<prompt>$</prompt> <userinput>sudo openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN</userinput></screen>
<para>By default Keystone will use PKI tokens. To
create the signing keys and certificates run:</para>
<para>
<screen os="ubuntu"><prompt>$</prompt> sudo keystone-manage pki_setup
<prompt>$</prompt> sudo chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log</screen>
</para>
<screen os="rhel;fedora;centos"><prompt>#</prompt> <userinput>keystone-manage pki_setup</userinput>
<prompt>#</prompt> <userinput>chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log</userinput></screen>
<screen os="opensuse"><prompt>#</prompt> <userinput>keystone-manage pki_setup</userinput>
<prompt>#</prompt> <userinput>chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log</userinput></screen>
<para os="ubuntu">
<note>
<para>In Ubuntu, <filename>keystone.conf</filename> is shipped as
root:root 644, but /etc/keystone has permissions for keystone:keystone
700 so the files under it are protected from unauthorized users.</para>
</note>Next, restart the keystone service so that it picks up the new
database configuration.</para>
<screen os="ubuntu"><prompt>#</prompt> <userinput>sudo service keystone restart</userinput></screen>
<screen os="rhel;fedora;centos"><prompt>$</prompt> <userinput>sudo service openstack-keystone start &amp;&amp; sudo chkconfig openstack-keystone on</userinput></screen>
<screen os="opensuse"><prompt>#</prompt> <userinput>systemctl restart openstack-keystone.service</userinput>
<prompt>#</prompt> <userinput>systemctl enable openstack-keystone.service</userinput></screen>
<para>Lastly, initialize the new keystone database, as root:</para>
<screen><prompt>#</prompt> <userinput>keystone-manage db_sync</userinput></screen>
<section xml:id="configure-keystone">
<title>Configuring Services to work with Keystone</title>
<para>Once Keystone is installed and running, you set up users and
tenants and services to be configured to work with it. You can
either follow the <link
linkend="setting-up-tenants-users-and-roles-manually">manual
steps</link> or <link linkend="scripted-keystone-setup">use a
script</link>.</para>
<section xml:id="setting-up-tenants-users-and-roles-manually">
<title>Setting up tenants, users, and roles - manually</title>
<para>You need to minimally define a tenant, user, and role to
link the tenant and user as the most basic set of details to
get other services authenticating and authorizing with the
Identity service.</para>
<note>
<title>Scripted method available</title>
<para>These are the manual, unscripted steps using the
keystone client. A scripted method is available at <link
linkend="scripted-keystone-setup">Setting up tenants,
users, and roles - scripted</link>.</para>
</note>
<para>Typically, you would use a username and password to
authenticate with the Identity service. However, at this point
in the install, we have not yet created a user. Instead, we
use the service token to authenticate against the Identity
service. With the <command>keystone</command> command-line,
you can specify the token and the endpoint as arguments, as
follows:<screen><prompt>$</prompt> <userinput>keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 <replaceable>&lt;command parameters></replaceable></userinput></screen></para>
<para>You can also specify the token and endpoint as environment
variables, so they do not need to be explicitly specified each time. If
you are using the bash shell, the following commands will set these
variables in your current session so you don't have to pass them to the
client each time. Best practice for bootstrapping the first
administrative user is to use the OS_SERVICE_ENDPOINT and
OS_SERVICE_TOKEN together as environment
variables.<screen><prompt>$</prompt> <userinput>export OS_SERVICE_TOKEN=012345SECRET99TOKEN012345</userinput>
<prompt>$</prompt> <userinput>export OS_SERVICE_ENDPOINT=http://192.168.206.130:35357/v2.0</userinput></screen></para>
<para>In the remaining examples, we will assume you have set the above environment
variables.</para>
<para>Because it is more secure to use a username and password to authenticate rather than the
service token, when you use the token the <command>keystone</command> client may output the
following warning, depending on the version of python-keystoneclient you are
running:<screen><computeroutput>WARNING: Bypassing authentication using a token &amp; endpoint (authentication credentials are being ignored).</computeroutput></screen></para>
<para>First, create a default tenant. We'll name it
<literal>demo</literal> in this example. There is an <parameter>--enabled</parameter>
parameter available for tenant-create and user-create that defaults to
true. Refer to the help in <literal>keystone help user-create</literal>
and <literal>keystone help user-update</literal> for more
details.</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name demo --description "Default Tenant"</userinput>
<computeroutput> +-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Default Tenant |
| enabled | True |
| id | b5815b046cfe47bb891a7b64119e7f80 |
| name | demo |
+-------------+----------------------------------+</computeroutput></screen>
<para>Create a default user named <literal>admin</literal>.</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --tenant-id b5815b046cfe47bb891a7b64119e7f80 --name admin --pass secrete</userinput>
<computeroutput> +----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | a4c2d43f80a549a19864c89d759bb3fe |
| name | admin |
| tenantId | b5815b046cfe47bb891a7b64119e7f80 |
+----------+----------------------------------+</computeroutput></screen>
<para>Create an administrative role based on keystone's default
<literal>policy.json</literal> file,
<literal>admin</literal>.</para>
<screen><prompt>$</prompt> <userinput>keystone role-create --name admin</userinput>
<computeroutput> +----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | e3d9d157cc95410ea45d23bbbc2e5c10 |
| name | admin |
+----------+----------------------------------+</computeroutput></screen>
<para>Grant the <literal>admin</literal> role to the
<literal>admin</literal> user in the
<literal>demo</literal> tenant with
"user-role-add".</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user-id a4c2d43f80a549a19864c89d759bb3fe --tenant-id b5815b046cfe47bb891a7b64119e7f80 --role-id e3d9d157cc95410ea45d23bbbc2e5c10</userinput>
<computeroutput/></screen>
<para>Create a service tenant named service. This tenant contains all the
services that we make known to the service catalog.</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name service --description "Service Tenant"</userinput>
<computeroutput> +-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Service Tenant |
| enabled | True |
| id | eb7e0c10a99446cfa14c244374549e9d |
| name | service |
+-------------+----------------------------------+</computeroutput></screen>
<para>Create a glance service user in the service tenant. You'll do this
for any service you add to be in the Identity service catalog.</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --tenant-id eb7e0c10a99446cfa14c244374549e9d --name glance --pass glance</userinput>
<computeroutput>WARNING: Bypassing authentication using a token &amp; endpoint (authentication credentials are being ignored).
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 46b2667a7807483d983e0b4037a1623b |
| name | glance |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+----------------------------------+</computeroutput></screen>
<para>Grant the <literal>admin</literal> role to the
<literal>glance</literal> user in the
<literal>service</literal> tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user-id 46b2667a7807483d983e0b4037a1623b --tenant-id eb7e0c10a99446cfa14c244374549e9d --role-id e3d9d157cc95410ea45d23bbbc2e5c10</userinput>
<computeroutput/></screen>
<para>Create a nova service user in the service tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --tenant-id eb7e0c10a99446cfa14c244374549e9d --name nova --pass nova</userinput>
<computeroutput>WARNING: Bypassing authentication using a token &amp; endpoint (authentication credentials are being ignored).
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 54b3776a8707834d983e0b4037b1345c |
| name | nova |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+----------------------------------+</computeroutput></screen>
<para>Grant the <literal>admin</literal> role to the
<literal>nova</literal> user in the
<literal>service</literal> tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user-id 54b3776a8707834d983e0b4037b1345c --tenant-id eb7e0c10a99446cfa14c244374549e9d --role-id e3d9d157cc95410ea45d23bbbc2e5c10</userinput>
<computeroutput/></screen>
<para>Create a cinder service user in the service tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --tenant-id eb7e0c10a99446cfa14c244374549e9d --name cinder --pass openstack</userinput>
<computeroutput>WARNING: Bypassing authentication using a token &amp; endpoint (authentication credentials are being ignored).
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | c95bf79153874ac69b4758ebf75498a6 |
| name | cinder |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+----------------------------------+</computeroutput></screen>
<para>Grant the <literal>admin</literal> role to the
<literal>cinder</literal> user in the <literal>service</literal>
tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user-id c95bf79153874ac69b4758ebf75498a6 --tenant-id eb7e0c10a99446cfa14c244374549e9d --role-id e3d9d157cc95410ea45d23bbbc2e5c10</userinput>
<computeroutput/></screen>
<para>Create an ec2 service user in the service tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --tenant-id eb7e0c10a99446cfa14c244374549e9d --name ec2 --pass ec2</userinput>
<computeroutput> +----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 32e7668b8707834d983e0b4037b1345c |
| name | ec2 |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+----------------------------------+</computeroutput></screen>
<para>Grant the <literal>admin</literal> role to the
<literal>ec2</literal> user in the
<literal>service</literal> tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user-id 32e7668b8707834d983e0b4037b1345c --tenant-id eb7e0c10a99446cfa14c244374549e9d --role-id e3d9d157cc95410ea45d23bbbc2e5c10</userinput>
<computeroutput/></screen>
<para>Create an Object Storage service user in the service tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --tenant-id eb7e0c10a99446cfa14c244374549e9d --name swift --pass swiftpass</userinput>
<computeroutput> +----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | |
| enabled | True |
| id | 4346677b8909823e389f0b4037b1246e |
| name | swift |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+----------------------------------+</computeroutput></screen>
<para>Grant the <literal>admin</literal> role to the
<literal>swift</literal> user in the
<literal>service</literal> tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user-id 4346677b8909823e389f0b4037b1246e --tenant-id eb7e0c10a99446cfa14c244374549e9d --role-id e3d9d157cc95410ea45d23bbbc2e5c10</userinput>
<computeroutput/></screen>
<para>Next you create definitions for the services.</para>
</section>
</section>
<section xml:id="defining-services">
<title>Defining Services</title>
<para>Keystone also acts as a service catalog to let other
OpenStack systems know where relevant API endpoints exist for
OpenStack Services. The OpenStack Dashboard, in particular, uses
the service catalog heavily. This <emphasis role="strong">must</emphasis>
be configured for the OpenStack Dashboard to
properly function.</para>
<para>There are two alternative ways of defining services with
keystone: <orderedlist>
<listitem>
<para>Using a template file</para>
</listitem>
<listitem>
<para>Using a database backend</para>
</listitem>
</orderedlist> While using a template file is simpler, it is not
recommended except for development environments such as <link
xlink:href="http://www.devstack.org">DevStack</link>. The
template file does not enable CRUD operations on the service
catalog through keystone commands, but you can use the
service-list command when using the template catalog. A database
backend can provide better reliability, availability, and data
redundancy. This section describes how to populate the Keystone
service catalog using the database backend. Your
<filename>/etc/keystone/keystone.conf</filename> file should
contain the following lines if it is properly configured to use
the database backend.</para>
<programlisting>[catalog]
driver = keystone.catalog.backends.sql.Catalog</programlisting>
<section xml:id="elements-of-keystone-service-catalog-entry">
<title>Elements of a Keystone service catalog entry</title>
<para>For each service in the catalog, you must perform two
keystone operations: <orderedlist>
<listitem>
<para>Use the <command>keystone service-create</command>
command to create a database entry for the service, with
the following attributes: <variablelist>
<varlistentry>
<term><literal>--name</literal></term>
<listitem>
<para>Name of the service (e.g.,
<literal>nova</literal>,
<literal>ec2</literal>,
<literal>glance</literal>,
<literal>keystone</literal>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>--type</literal></term>
<listitem>
<para>Type of service (e.g.,
<literal>compute</literal>,
<literal>ec2</literal>,
<literal>image</literal>,
<literal>identity</literal>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>--description</literal></term>
<listitem>
<para>A description of the service, (e.g.,
<literal>"Nova Compute
Service"</literal>)</para>
</listitem>
</varlistentry>
</variablelist>
</para>
</listitem>
<listitem>
<para>Use the <command>keystone endpoint-create</command>
command to create a database entry that describes how
different types of clients can connect to the service,
with the following attributes:</para>
<variablelist>
<varlistentry>
<term><literal>--region</literal></term>
<listitem>
<para>the region name you've given to the OpenStack
cloud you are deploying (e.g., RegionOne)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>--service-id</literal></term>
<listitem>
<para>The ID field returned by the <command>keystone
service-create</command> (e.g.,
<literal>935fd37b6fa74b2f9fba6d907fa95825</literal>)</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>--publicurl</literal></term>
<listitem>
<para>The URL of the public-facing endpoint for the
service (e.g.,
<literal>http://192.168.206.130:9292</literal>
or
<literal>http://192.168.206.130:8774/v2/%(tenant_id)s</literal>)
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>--internalurl</literal></term>
<listitem>
<para>The URL of an internal-facing endpoint for the
service.</para>
<para>This typically has the same value as
<literal>publicurl</literal>.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><literal>--adminurl</literal></term>
<listitem>
<para>The URL for the admin endpoint for the
service. The Keystone and EC2 services use
different endpoints for
<literal>adminurl</literal> and
<literal>publicurl</literal>, but for other
services these endpoints will be the same.</para>
</listitem>
</varlistentry>
</variablelist>
</listitem>
</orderedlist>
</para>
<para>Keystone allows some URLs to contain special variables,
which are automatically substituted with the correct value at
runtime. Some examples in this document employ the
<literal>tenant_id</literal> variable, which we use when
specifying the Volume and Compute service endpoints. Variables
can be specified using either
<literal>%(<replaceable>varname</replaceable>)s</literal>
or <literal>$(<replaceable>varname</replaceable>)s</literal>
notation. In this document, we always use the
<literal>%(<replaceable>varname</replaceable>)s</literal>
notation (e.g., <literal>%(tenant_id)s</literal>) since
<literal>$</literal> is interpreted as a special character
by Unix shells.</para>
</section>
<section xml:id="keystone-service-endpoint-create">
<title>Creating keystone services and service endpoints</title>
<para>Here we define the services and their endpoints. Recall that you must have the following
environment variables
set.<screen><prompt>$</prompt> <userinput>export OS_SERVICE_TOKEN=012345SECRET99TOKEN012345</userinput>
<prompt>$</prompt> <userinput>export OS_SERVICE_ENDPOINT=http://192.168.206.130:35357/v2.0</userinput></screen></para>
<para>Define the Identity service:</para>
<screen>
<prompt>$</prompt> <userinput>keystone service-create --name=keystone --type=identity --description=&quot;Identity Service&quot;
</userinput>
<computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Identity Service |
| id | 15c11a23667e427e91bc31335b45f4bd |
| name | keystone |
| type | identity |
+-------------+----------------------------------+</computeroutput>
<prompt>$</prompt> <userinput>keystone endpoint-create \
--region RegionOne \
--service-id=15c11a23667e427e91bc31335b45f4bd \
--publicurl=http://192.168.206.130:5000/v2.0 \
--internalurl=http://192.168.206.130:5000/v2.0 \
--adminurl=http://192.168.206.130:35357/v2.0</userinput>
<computeroutput>+-------------+-----------------------------------+
| Property | Value |
+-------------+-----------------------------------+
| adminurl | http://192.168.206.130:35357/v2.0 |
| id | 11f9c625a3b94a3f8e66bf4e5de2679f |
| internalurl | http://192.168.206.130:5000/v2.0 |
| publicurl | http://192.168.206.130:5000/v2.0 |
| region | RegionOne |
| service_id | 15c11a23667e427e91bc31335b45f4bd |
+-------------+-----------------------------------+
</computeroutput>
</screen>
<para>Define the Compute service, which requires a separate
endpoint for each tenant. Here we use the
<literal>service</literal> tenant from the previous section. <note>
<para>The <literal>%(tenant_id)s</literal> and single quotes
around the <literal>publicurl</literal>,
<literal>internalurl</literal>, and
<literal>adminurl</literal> must be typed exactly as
shown for both the Compute endpoint and the Volume
endpoint.</para>
</note></para>
<screen>
<prompt>$</prompt> <userinput>keystone service-create --name=nova --type=compute --description=&quot;Compute Service&quot;</userinput>
<computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Compute Service |
| id | abc0f03c02904c24abdcc3b7910e2eed |
| name | nova |
| type | compute |
+-------------+----------------------------------+
</computeroutput>
<prompt>$</prompt> <userinput>keystone endpoint-create \
--region RegionOne \
--service-id=abc0f03c02904c24abdcc3b7910e2eed \
--publicurl='http://192.168.206.130:8774/v2/%(tenant_id)s' \
--internalurl='http://192.168.206.130:8774/v2/%(tenant_id)s' \
--adminurl='http://192.168.206.130:8774/v2/%(tenant_id)s'</userinput>
<computeroutput>+-------------+----------------------------------------------+
| Property | Value |
+-------------+----------------------------------------------+
| adminurl | http://192.168.206.130:8774/v2/%(tenant_id)s |
| id | 935fd37b6fa74b2f9fba6d907fa95825 |
| internalurl | http://192.168.206.130:8774/v2/%(tenant_id)s |
| publicurl | http://192.168.206.130:8774/v2/%(tenant_id)s |
| region | RegionOne |
| service_id | abc0f03c02904c24abdcc3b7910e2eed |
+-------------+----------------------------------------------+
</computeroutput>
</screen>
<para>Define the Volume service, which also requires a separate
endpoint for each tenant.</para>
<screen><prompt>$</prompt> <userinput>keystone service-create --name=cinder --type=volume --description=&quot;Volume Service&quot;</userinput>
<computeroutput>
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Volume Service |
| id | 1ff4ece13c3e48d8a6461faebd9cd38f |
| name | volume |
| type | volume |
+-------------+----------------------------------+
</computeroutput>
<prompt>$</prompt> <userinput>keystone endpoint-create \
--region RegionOne \
--service-id=1ff4ece13c3e48d8a6461faebd9cd38f \
--publicurl='http://192.168.206.130:8776/v1/%(tenant_id)s' \
--internalurl='http://192.168.206.130:8776/v1/%(tenant_id)s' \
--adminurl='http://192.168.206.130:8776/v1/%(tenant_id)s'</userinput>
<computeroutput>
+-------------+----------------------------------------------+
| Property | Value |
+-------------+----------------------------------------------+
| adminurl | http://192.168.206.130:8776/v1/%(tenant_id)s |
| id | 1ff4ece13c3e48d8a6461faebd9cd38f |
| internalurl | http://192.168.206.130:8776/v1/%(tenant_id)s |
| publicurl | http://192.168.206.130:8776/v1/%(tenant_id)s |
| region | RegionOne |
| service_id | 8a70cd235c7d4a05b43b2dffb9942cc0 |
+-------------+----------------------------------------------+
</computeroutput></screen>
<para>Define the Image service:</para>
<screen><prompt>$</prompt> <userinput>keystone service-create --name=glance --type=image --description="Image Service"</userinput>
<computeroutput>
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Image Service |
| id | 7d5258c490144c8c92505267785327c1 |
| name | glance |
| type | image |
+-------------+----------------------------------+
</computeroutput>
<prompt>$</prompt> <userinput>keystone endpoint-create \
--region RegionOne \
--service-id=7d5258c490144c8c92505267785327c1 \
--publicurl=http://192.168.206.130:9292 \
--internalurl=http://192.168.206.130:9292 \
--adminurl=http://192.168.206.130:9292</userinput>
<computeroutput>
+-------------+-----------------------------------+
| Property | Value |
+-------------+-----------------------------------+
| adminurl | http://192.168.206.130:9292 |
| id | 3c8c0d749f21490b90163bfaed9befe7 |
| internalurl | http://192.168.206.130:9292 |
| publicurl | http://192.168.206.130:9292 |
| region | RegionOne |
| service_id | 7d5258c490144c8c92505267785327c1 |
+-------------+-----------------------------------+
</computeroutput></screen>
<para>Define the EC2 compatibility service:</para>
<screen><prompt>$</prompt> <userinput>keystone service-create --name=ec2 --type=ec2 --description=&quot;EC2 Compatibility Layer&quot;</userinput>
<computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | EC2 Compatibility Layer |
| id | 181cdad1d1264387bcc411e1c6a6a5fd |
| name | ec2 |
| type | ec2 |
+-------------+----------------------------------+
</computeroutput>
<prompt>$</prompt> <userinput>keystone endpoint-create \
--region RegionOne \
--service-id=181cdad1d1264387bcc411e1c6a6a5fd \
--publicurl=http://192.168.206.130:8773/services/Cloud \
--internalurl=http://192.168.206.130:8773/services/Cloud \
--adminurl=http://192.168.206.130:8773/services/Admin</userinput>
<computeroutput>
+-------------+--------------------------------------------+
| Property | Value |
+-------------+--------------------------------------------+
| adminurl | http://192.168.206.130:8773/services/Admin |
| id | d2a3d7490c61442f9b2c8c8a2083c4b6 |
| internalurl | http://192.168.206.130:8773/services/Cloud |
| publicurl | http://192.168.206.130:8773/services/Cloud |
| region | RegionOne |
| service_id | 181cdad1d1264387bcc411e1c6a6a5fd |
+-------------+--------------------------------------------+
</computeroutput></screen>
<para>Define the Object Storage service:</para>
<screen><prompt>$</prompt> <userinput>keystone service-create --name=swift --type=object-store --description=&quot;Object Storage Service&quot;</userinput>
<computeroutput>+-------------+---------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Object Storage Service |
| id | 272efad2d1234376cbb911c1e5a5a6ed |
| name | swift |
| type | object-store |
+-------------+----------------------------------+
</computeroutput>
<prompt>$</prompt> <userinput>keystone endpoint-create \
--region RegionOne \
--service-id=272efad2d1234376cbb911c1e5a5a6ed \
--publicurl 'http://192.168.206.130:8888/v1/AUTH_%(tenant_id)s' \
--internalurl 'http://192.168.206.130:8888/v1/AUTH_%(tenant_id)s' \
--adminurl 'http://192.168.206.130:8888/v1'</userinput>
<computeroutput>
+-------------+---------------------------------------------------+
| Property | Value |
+-------------+---------------------------------------------------+
| adminurl | http://192.168.206.130:8888/v1 |
| id | e32b3c4780e51332f9c128a8c208a5a4 |
| internalurl | http://192.168.206.130:8888/v1/AUTH_%(tenant_id)s |
| publicurl | http://192.168.206.130:8888/v1/AUTH_%(tenant_id)s |
| region | RegionOne |
| service_id | 272efad2d1234376cbb911c1e5a5a6ed |
+-------------+---------------------------------------------------+
</computeroutput></screen>
</section>
<section xml:id="scripted-keystone-setup">
<title>Setting up Tenants, Users, Roles, and Services -
Scripted</title>
<para>The Keystone project offers a bash script for populating
tenants, users, roles and services at <link
xlink:href="https://github.com/openstack/keystone/blob/master/tools/sample_data.sh"
>https://github.com/openstack/keystone/blob/master/tools/sample_data.sh</link>
with sample data. This script uses 127.0.0.1 for all endpoint
IP addresses. This script also defines services for you.</para>
</section>
</section>
</section>
View Git Blame Copy Permalink