openstack-manuals/doc/install-guide/section_keystone-verify.xml
Matthew Kassawara 9031181f27 Improve install guide keystone verify section
Improve the keystone verify section of the installation guide
as follows:

1) Clarify steps to test operation for both admin and normal
   users.
2) Add step to show that normal users cannot run admin-only
   commands.
3) Provide more links to useful topics.
4) Adjust titles.
5) Create temporary workaround for Debian issues.

This patch implements changes approved for other patches associated
with this blueprint. I will provide instructions to create openrc
files in a separate patch.

Implements: blueprint installation-guide-improvements
Change-Id: I42ebc321ef39911b090f450ff49bb6e1a1e9bf4e
2014-07-05 20:24:09 +00:00


<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-verify">
<title>Verify operation</title>
<para>This section describes how to verify operation of the Identity
service.</para>
<procedure>
<step>
<para>Unset the temporary <envar>OS_SERVICE_TOKEN</envar> and
<envar>OS_SERVICE_ENDPOINT</envar> environment variables:</para>
<screen><prompt>$</prompt> <userinput>unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT</userinput></screen>
</step>
<step>
<para>As the <literal>admin</literal> tenant and user, request an
authentication token:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name admin --os-username admin --os-password <replaceable>ADMIN_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 token-get</userinput></screen>
<para>Replace <replaceable>ADMIN_PASS</replaceable> with the password
you chose for the <literal>admin</literal> user in the Identity
service. You might need to use single quotes (') around your password
if it includes special characters.</para>
<para>Lengthy output that includes a token value verifies operation
for the <literal>admin</literal> tenant and user.</para>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> tenant and user, list tenants to verify
that the <literal>admin</literal> tenant and user can execute
admin-only CLI commands and that the Identity service contains the
tenants that you created in <xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> tenant and user, list
tenants to verify that the <literal>admin</literal> tenant and user
can execute admin-only CLI commands and that the Identity service
contains the tenants created by the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name admin --os-username admin --os-password <replaceable>ADMIN_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 tenant-list</userinput>
<computeroutput>+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 6f4c1e4cbfef4d5a8a1345882fbca110 |  admin   |   True  |
| 4aa51bb942be4dd0ac0555d7591f80a6 |   demo   |   True  |
| 6b69202e1bf846a4ae50d65bc4789122 | service  |   True  |
+----------------------------------+----------+---------+</computeroutput></screen>
<note>
<para>Because OpenStack generates IDs dynamically, you will see
different values from this example command output.</para>
</note>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> tenant and user, list users to verify
that the Identity service contains the users that you created
in <xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> tenant and user, list
users to verify that the Identity service contains the users
created by the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name admin --os-username admin --os-password <replaceable>ADMIN_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 user-list</userinput>
<computeroutput>+----------------------------------+---------+---------+---------------------+
|                id                |   name  | enabled |        email        |
+----------------------------------+---------+---------+---------------------+
| ea8c352d253443118041c9c8b8416040 |  admin  |   True  |  admin@example.com  |
| 7004dfa0dda84d63aef81cf7f100af01 |   demo  |   True  |   demo@example.com  |
+----------------------------------+---------+---------+---------------------+</computeroutput></screen>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> tenant and user, list roles to verify
that the Identity service contains the role that you created
in <xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> tenant and user, list
roles to verify that the Identity service contains the role
created by the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name admin --os-username admin --os-password <replaceable>ADMIN_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 role-list</userinput>
<computeroutput>+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| bff3a6083b714fa29c9344bf8930d199 |  admin   |
+----------------------------------+----------+</computeroutput></screen>
</step>
<step>
<para>As the <literal>demo</literal> tenant and user, request an
authentication token:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name demo --os-username demo --os-password <replaceable>DEMO_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 token-get</userinput></screen>
<para>Replace <replaceable>DEMO_PASS</replaceable> with the password
you chose for the <literal>demo</literal> user in the Identity
service.</para>
<para>Lengthy output that includes a token value verifies operation
for the <literal>demo</literal> tenant and user.</para>
</step>
<step>
<para>As the <literal>demo</literal> tenant and user, attempt to list
users to verify that you cannot execute admin-only CLI
commands:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name demo --os-username demo --os-password <replaceable>DEMO_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 user-list</userinput>
<computeroutput>You are not authorized to perform the requested action, admin_required. (HTTP 403)</computeroutput></screen>
<note>
<para>Each OpenStack service references a
<filename>policy.json</filename> file to determine the operations
available to a particular tenant, user, or role. For more
information, see the
<link xlink:href="http://docs.openstack.org/openstack-ops/content/projects_users.html">Operations Guide - Managing Projects and Users</link>.</para>
</note>
</step>
</procedure>
</section>
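
The verification procedure above as one scripted check, added here as an example and not part of the install guide or the keystone project. It assumes the legacy `keystone` client is on `PATH`, that `ADMIN_PASS` and `DEMO_PASS` are set by the caller, and that the client reads credentials from its `OS_TENANT_NAME`, `OS_USERNAME`, `OS_PASSWORD` and `OS_AUTH_URL` environment variables; the function names are illustrative.

```shell
#!/bin/sh
# Added example (not part of the install guide): scripted verification.
# Assumes the legacy `keystone` client is on PATH and that the caller has set
# ADMIN_PASS and DEMO_PASS; the function names here are illustrative.
AUTH_URL="${AUTH_URL:-http://controller:35357/v2.0}"

# run_as TENANT USER PASSWORD SUBCOMMAND
# Credentials are passed through the client's OS_* environment variables in a
# subshell, so they stay out of the argument list and do not leak afterwards.
run_as() (
    export OS_TENANT_NAME="$1" OS_USERNAME="$2" OS_PASSWORD="$3" OS_AUTH_URL="$AUTH_URL"
    keystone "$4" 2>&1
)

# expect_ok LABEL TENANT USER PASSWORD SUBCOMMAND: the command must succeed.
expect_ok() {
    if out=$(run_as "$2" "$3" "$4" "$5"); then echo "PASS $1"; return 0; fi
    echo "FAIL $1: $out"; return 1
}

# expect_denied (same arguments): passes only on the 403 admin_required reply.
# A bad password or an unreachable endpoint also fails the command, but proves
# nothing about policy enforcement, so those cases are reported as failures.
expect_denied() {
    if out=$(run_as "$2" "$3" "$4" "$5"); then
        echo "FAIL $1: admin-only command succeeded"; return 1
    fi
    case "$out" in
        *admin_required*"HTTP 403"*) echo "PASS $1"; return 0 ;;
        *) echo "FAIL $1: not an authorization denial: $out"; return 1 ;;
    esac
}

# verify_identity: every step of the procedure; returns non-zero if any fails.
verify_identity() {
    rc=0
    unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
    for sub in token-get tenant-list user-list role-list; do
        expect_ok "admin $sub" admin admin "$ADMIN_PASS" "$sub" || rc=1
    done
    expect_ok "demo token-get" demo demo "$DEMO_PASS" token-get || rc=1
    expect_denied "demo user-list" demo demo "$DEMO_PASS" user-list || rc=1
    return $rc
}
```

Source the file and call `verify_identity`; its exit status is non-zero if any step fails, including the case where the `demo` user is not denied with the `admin_required` 403.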