openstack-manuals/doc/install-guide/source/keystone-users.rst
Christian Berendt b0f94e630a [install] add field domain_id to outputs of role creations
Change-Id: I8bb71fe388383a55e2fcfafa76e42c25ada95dbe
2016-04-19 19:06:28 -05:00

7.1 KiB

Create a domain, projects, users, and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains <domain>, projects<project> (tenants), users<user>, and roles<role>.

  1. Create the default domain:

    $ openstack domain create --description "Default Domain" default
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Default Domain                   |
    | enabled     | True                             |
    | id          | e0353a670a9e496da891347c589539e9 |
    | name        | default                          |
    +-------------+----------------------------------+
  2. Create an administrative project, user, and role for administrative operations in your environment:

    • Create the admin project:

      $ openstack project create --domain default \
        --description "Admin Project" admin
      +-------------+----------------------------------+
      | Field       | Value                            |
      +-------------+----------------------------------+
      | description | Admin Project                    |
      | domain_id   | e0353a670a9e496da891347c589539e9 |
      | enabled     | True                             |
      | id          | 343d245e850143a096806dfaefa9afdc |
      | is_domain   | False                            |
      | name        | admin                            |
      | parent_id   | None                             |
      +-------------+----------------------------------+

      Note

      OpenStack generates IDs dynamically, so you will see different values in the example command output.

    • Create the admin user:

      $ openstack user create --domain default \
        --password-prompt admin
      User Password:
      Repeat User Password:
      +-----------+----------------------------------+
      | Field     | Value                            |
      +-----------+----------------------------------+
      | domain_id | e0353a670a9e496da891347c589539e9 |
      | enabled   | True                             |
      | id        | ac3377633149401296f6c0d92d79dc16 |
      | name      | admin                            |
      +-----------+----------------------------------+
    • Create the admin role:

      $ openstack role create admin
      +-----------+----------------------------------+
      | Field     | Value                            |
      +-----------+----------------------------------+
      | domain_id | None                             |
      | id        | cd2cb9a39e874ea69e5d4b896eb16128 |
      | name      | admin                            |
      +-----------+----------------------------------+
    • Add the admin role to the admin project and user:

      $ openstack role add --project admin --user admin admin

      Note

      This command provides no output.

      Note

      Any roles that you create must map to roles specified in the policy.json file in the configuration file directory of each OpenStack service. The default policy for most services grants administrative access to the admin role. For more information, see the Operations Guide - Managing Projects and Users.

  3. This guide uses a service project that contains a unique user for each service that you add to your environment. Create the service project:

    $ openstack project create --domain default \
      --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | e0353a670a9e496da891347c589539e9 |
    | enabled     | True                             |
    | id          | 894cdfa366d34e9d835d3de01e752262 |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | None                             |
    +-------------+----------------------------------+
  4. Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.

    • Create the demo project:

      $ openstack project create --domain default \
        --description "Demo Project" demo
      +-------------+----------------------------------+
      | Field       | Value                            |
      +-------------+----------------------------------+
      | description | Demo Project                     |
      | domain_id   | e0353a670a9e496da891347c589539e9 |
      | enabled     | True                             |
      | id          | ed0b60bf607743088218b0a533d5943f |
      | is_domain   | False                            |
      | name        | demo                             |
      | parent_id   | None                             |
      +-------------+----------------------------------+

      Note

      Do not repeat this step when creating additional users for this project.

    • Create the demo user:

      $ openstack user create --domain default \
        --password-prompt demo
      User Password:
      Repeat User Password:
      +-----------+----------------------------------+
      | Field     | Value                            |
      +-----------+----------------------------------+
      | domain_id | e0353a670a9e496da891347c589539e9 |
      | enabled   | True                             |
      | id        | 58126687cbcc4888bfa9ab73a2256f27 |
      | name      | demo                             |
      +-----------+----------------------------------+
    • Create the user role:

      $ openstack role create user
      +-----------+----------------------------------+
      | Field     | Value                            |
      +-----------+----------------------------------+
      | domain_id | None                             |
      | id        | 997ce8d05fc143ac97d83fdfb5998552 |
      | name      | user                             |
      +-----------+----------------------------------+
    • Add the user role to the demo project and user:

      $ openstack role add --project demo --user demo user

      Note

      This command provides no output.

Note

You can repeat this procedure to create additional projects and users.