openstack/openstack-manuals
Code Issues Proposed changes
d49d27d085
openstack-manuals/doc/install-guide/section_keystone-users.xml
annegentle 679dc9bfd5 Adds to swift install chapter 
Updates from grizzly doc

TF Changes:
* link in object storage overview for architecture
* remove references to auth node and swauth

Updates markup and addresses review comments

Change-Id: I42b87f019361408a55c2b77d0c9778351ce997d8
2013-10-11 17:23:58 +02:00

54 lines
2.8 KiB
XML
Raw Blame History

<section xmlns="http://docbook.org/ns/docbook"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-users">
<title>Defining Users, Tenants, and Roles</title>
<para>Once Keystone is installed and running, you set up users, tenants,
and roles to authenticate against. These are used to allow access to
services and endpoints, described in the next section.</para>
<para>Typically, you would use a username and password to authenticate
with the Identity service. At this point, however, we have not created
any users, so we have to use the authorization token created in the
previous section. You can pass this with the <option>--token</option>
option to the <command>keystone</command> command or set the
<envar>OS_SERVICE_TOKEN</envar> environment variable. We'll set
<envar>OS_SERVICE_TOKEN</envar>, as well as
<envar>OS_SERVICE_ENDPOINT</envar> to specify where the Identity
Service is running. Replace
<userinput><replaceable>FCAF3E...</replaceable></userinput>
with your authorization token.</para>
<screen><prompt>#</prompt> <userinput>export OS_SERVICE_TOKEN=<replaceable>FCAF3E...</replaceable></userinput>
<prompt>#</prompt> <userinput>export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0</userinput></screen>
<para>First, create a tenant for an administrative user and a tenant
for other OpenStack services to use.</para>
<screen><prompt>#</prompt> <userinput>keystone tenant-create --name=admin --description="Admin Tenant"</userinput>
<prompt>#</prompt> <userinput>keystone tenant-create --name=service --description="Service Tenant"</userinput></screen>
<para>Next, create an administrative user called <literal>admin</literal>.
Choose a password for the <literal>admin</literal> user and specify an
email address for the account.</para>
<screen><prompt>#</prompt> <userinput>keystone user-create --name=admin --pass=<replaceable>ADMIN_PASS</replaceable> --email=<replaceable>admin@example.com</replaceable></userinput></screen>
<para>Create a role for administrative tasks called <literal>admin</literal>.
Any roles you create should map to roles specified in the
<filename>policy.json</filename> files of the various OpenStack services.
The default policy files use the <literal>admin</literal> role to allow
access to most services.</para>
<screen><prompt>#</prompt> <userinput>keystone role-create --name=admin</userinput></screen>
<para>Finally, you have to add roles to users. Users always log in with
a tenant, and roles are assigned to users within roles. Add the
<literal>admin</literal> role to the <literal>admin</literal> user when
logging in with the <literal>admin</literal> tenant.</para>
<screen><prompt>#</prompt> <userinput>keystone user-role-add --user=admin --tenant=admin --role=admin</userinput></screen>
</section>
View Git Blame Copy Permalink