64b6c9261e
Current folder name New folder name Book title ---------------------------------------------------------- basic-install DELETE cli-guide DELETE common common NEW admin-guide-cloud Cloud Administrators Guide docbkx-example DELETE openstack-block-storage-admin DELETE openstack-compute-admin DELETE openstack-config config-reference OpenStack Configuration Reference openstack-ha high-availability-guide OpenStack High Availabilty Guide openstack-image image-guide OpenStack Virtual Machine Image Guide openstack-install install-guide OpenStack Installation Guide openstack-network-connectivity-admin admin-guide-network OpenStack Networking Administration Guide openstack-object-storage-admin DELETE openstack-security security-guide OpenStack Security Guide openstack-training training-guide OpenStack Training Guide openstack-user user-guide OpenStack End User Guide openstack-user-admin user-guide-admin OpenStack Admin User Guide glossary NEW OpenStack Glossary bug: #1220407 Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7 author: diane fleming
82 lines
4.6 KiB
XML
82 lines
4.6 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xml:id="identity-configure-keystone"
|
|
xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
|
|
<title>Defining Roles and Users in the Identity Service (Keystone)</title>
|
|
<para>Before you begin, ensure that the OpenStack Compute and Image
|
|
services are installed and connect all databases prior to
|
|
configuring the Identity Service endpoints.</para>
|
|
<para>Create tenants first. Here is an example set.</para>
|
|
<literallayout class="monospaced">ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
|
|
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
|
|
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
|
|
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)</literallayout>
|
|
<para>Next, create users.</para>
|
|
<literallayout class="monospaced">ADMIN_USER=$(get_id keystone user-create --name=admin \
|
|
--pass="$ADMIN_PASSWORD" \
|
|
--email=admin@example.com)
|
|
DEMO_USER=$(get_id keystone user-create --name=demo \
|
|
--pass="$ADMIN_PASSWORD" \
|
|
--email=demo@example.com)</literallayout>
|
|
<para>Here are some roles to create.</para>
|
|
<literallayout class="monospaced">ADMIN_ROLE=$(get_id keystone role-create --name=admin)
|
|
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
|
|
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
|
|
SYSADMIN_ROLE=$(get_id keystone role-create --name=sysadmin)
|
|
NETADMIN_ROLE=$(get_id keystone role-create --name=netadmin)</literallayout>
|
|
<para>Add Roles to Users in Tenants</para>
|
|
<literallayout class="monospaced">keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
|
|
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
|
|
keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT
|
|
keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT
|
|
keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
|
|
keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
|
|
</literallayout>
|
|
<para>Also, the Member role is used by Horizon and Swift so we need to continue creating it:</para>
|
|
<literallayout class="monospaced">MEMBER_ROLE=$(get_id keystone role-create --name=Member)
|
|
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
|
|
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT</literallayout>
|
|
|
|
<section xml:id="identity-define-services-endpoints">
|
|
<title>Define Services and Endpoints</title>
|
|
<para>Now that all your starter tenants, users, and roles have
|
|
been created, let's move on to endpoints.</para>
|
|
<para>First add all the services you want to have the Identity
|
|
service connected with. Here's an example using all the
|
|
available services in this example.</para>
|
|
|
|
<literallayout class="monospaced">keystone service-create --name=keystone \
|
|
--type=identity \
|
|
--description="Keystone Identity Service"
|
|
|
|
keystone service-create --name=nova \
|
|
--type=compute \
|
|
--description="Nova Compute Service"
|
|
NOVA_USER=$(get_id keystone user-create --name=nova \
|
|
--pass="$SERVICE_PASSWORD" \
|
|
--tenant_id $SERVICE_TENANT \
|
|
--email=nova@example.com)
|
|
keystone user-role-add --tenant_id $SERVICE_TENANT \
|
|
--user $NOVA_USER \
|
|
--role $ADMIN_ROLE
|
|
|
|
keystone service-create --name=ec2 \
|
|
--type=ec2 \
|
|
--description="EC2 Compatibility Layer"
|
|
|
|
keystone service-create --name=glance \
|
|
--type=image \
|
|
--description="Glance Image Service"
|
|
GLANCE_USER=$(get_id keystone user-create --name=glance \
|
|
--pass="$SERVICE_PASSWORD" \
|
|
--tenant_id $SERVICE_TENANT \
|
|
--email=glance@example.com)
|
|
keystone user-role-add --tenant_id $SERVICE_TENANT \
|
|
--user $GLANCE_USER \
|
|
--role $ADMIN_ROLE</literallayout>
|
|
<para>The Identity Service, Keystone, is now configured and ready
|
|
to accept requests.</para>
|
|
</section>
|
|
</section>
|