64b6c9261e
Current folder name                    New folder name          Book title
----------------------------------------------------------
basic-install                          DELETE
cli-guide                              DELETE
common                                 common
NEW                                    admin-guide-cloud        Cloud Administrators Guide
docbkx-example                         DELETE
openstack-block-storage-admin          DELETE
openstack-compute-admin                DELETE
openstack-config                       config-reference         OpenStack Configuration Reference
openstack-ha                           high-availability-guide  OpenStack High Availability Guide
openstack-image                        image-guide              OpenStack Virtual Machine Image Guide
openstack-install                      install-guide            OpenStack Installation Guide
openstack-network-connectivity-admin   admin-guide-network      OpenStack Networking Administration Guide
openstack-object-storage-admin         DELETE
openstack-security                     security-guide           OpenStack Security Guide
openstack-training                     training-guide           OpenStack Training Guide
openstack-user                         user-guide               OpenStack End User Guide
openstack-user-admin                   user-guide-admin         OpenStack Admin User Guide
glossary                               NEW                      OpenStack Glossary

bug: #1220407
Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7
author: diane fleming
168 lines
9.1 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
    xmlns:xi="http://www.w3.org/2001/XInclude"
    xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
    xml:id="adding-users-tenants-and-roles-with-python-keystoneclient">
    <?dbhtml stop-chunking?>
    <title>Create and manage services and service users</title>
    <para>The Identity Service enables you to define services in the
        following ways:</para>
    <itemizedlist>
        <listitem>
            <para>Service catalog template. The Identity Service acts
                as a service catalog of endpoints for other OpenStack
                services. The
                <literal>etc/default_catalog.templates</literal>
                template file defines the endpoints for services. When
                the Identity Service uses a template file back-end,
                any changes that are made to the endpoints are cached.
                These changes do not persist when you restart the
                service or reboot the machine.</para>
        </listitem>
        <listitem>
            <para>A SQL back-end for the catalog service. When the
                Identity Service is online, you must add the services
                to the catalog. When you deploy a system for
                production, use the SQL back-end.</para>
        </listitem>
    </itemizedlist>
    <para>The <literal>auth_token</literal> middleware supports the
        use of either a shared secret or users for each
        service.</para>
    <para>To authenticate users against the Identity Service, you must
        create a service user for each OpenStack service. For example,
        create a service user for the Compute, Block Storage, and
        Network services.</para>
    <para>To configure the OpenStack services with service users,
        create a project for all services and create users for each
        service. Assign the admin role to each service user-project
        pair. This role enables users to validate tokens and
        authenticate and authorize other user requests.</para>
    <section xml:id="cli_service-create">
        <title>Create a service</title>
        <procedure>
            <step>
                <para>List the available services:</para>
                <screen><prompt>$</prompt> <userinput>keystone service-list</userinput></screen>
                <screen><computeroutput>+----------------------------------+----------+----------+---------------------------+
|                id                |   name   |   type   |        description        |
+----------------------------------+----------+----------+---------------------------+
| 9816f1faaa7c4842b90fb4821cd09223 |  cinder  |  volume  |   Cinder Volume Service   |
| da8cf9f8546b4a428c43d5e032fe4afc |   ec2    |   ec2    |  EC2 Compatibility Layer  |
| 5f105eeb55924b7290c8675ad7e294ae |  glance  |  image   |   Glance Image Service    |
| dcaa566e912e4c0e900dc86804e3dde0 | keystone | identity | Keystone Identity Service |
| 4a715cfbc3664e9ebf388534ff2be76a |   nova   | compute  |   Nova Compute Service    |
| 6feb2e0b98874d88bee221974770e372 |    s3    |    s3    |            S3             |
+----------------------------------+----------+----------+---------------------------+</computeroutput></screen>
            </step>
            <step>
                <para>To create a service, you use the following
                    command syntax:</para>
                <screen><prompt>$</prompt> <userinput>keystone help service-create</userinput></screen>
                <screen><computeroutput>usage: keystone service-create --name &lt;name&gt; --type &lt;type&gt;
                               [--description &lt;service-description&gt;]

Add service to Service Catalog.

Arguments:
  --name &lt;name&gt;         Name of new service (must be unique)
  --type &lt;type&gt;         Service type (one of: identity, compute, network,
                        image, or object-store)
  --description &lt;service-description&gt;
                        Description of service</computeroutput></screen>
                <para>For example, to create a service named
                    <literal>swift</literal> of type
                    <literal>object-store</literal>, run the
                    following command:</para>
                <screen><prompt>$</prompt> <userinput>keystone service-create --name swift --type object-store --description "object store service"</userinput></screen>
                <screen><computeroutput>+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       object store service       |
|      id     | 84c23f4b942c44c38b9c42c5e517cd9a |
|     name    |              swift               |
|     type    |           object-store           |
+-------------+----------------------------------+</computeroutput></screen>
            </step>
            <step>
                <para>To get details for a specified service:</para>
                <screen><prompt>$</prompt> <userinput>keystone service-get 84c23f4b942c44c38b9c42c5e517cd9a</userinput></screen>
                <screen><computeroutput>+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       object store service       |
|      id     | 84c23f4b942c44c38b9c42c5e517cd9a |
|     name    |              swift               |
|     type    |           object-store           |
+-------------+----------------------------------+</computeroutput></screen>
            </step>
        </procedure>
    </section>
    <section xml:id="cli_create_service_users">
        <title>Create service users</title>
        <procedure>
            <step>
                <para>Create a project for the service users.
                    Typically, this project is named
                    <literal>service</literal>, but you can choose
                    any name you like:</para>
                <screen><prompt>$</prompt> <userinput>keystone tenant-create --name service</userinput></screen>
                <para>The output shows the ID for the project. Note
                    this ID; you need it to create service users and
                    assign roles.</para>
                <screen><computeroutput>+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 3e9f3f5399624b2db548d7f871bd5322 |
|     name    |             service              |
+-------------+----------------------------------+</computeroutput></screen>
            </step>
            <step>
                <para>Create service users for the relevant services
                    for your deployment.</para>
            </step>
            <step>
                <para>To assign the admin role to the service
                    user-project pairs, get the ID of the admin
                    role:</para>
                <screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
                <screen><computeroutput>+----------------------------------+---------------+
|                id                |      name     |
+----------------------------------+---------------+
| 71ccc37d41c8491c975ae72676db687f |     Member    |
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab |    _member_   |
| 6ecf391421604da985db2f141e46a7c8 |     admin     |
| deb4fffd123c4d02a907c2c74559dccf |  anotherrole  |
| bef1f95537914b1295da6aa038ef4de6 |    new-role   |
+----------------------------------+---------------+</computeroutput></screen>
            </step>
            <step>
                <para>Assign the admin role to the user-project pair,
                    as follows:</para>
                <screen><prompt>$</prompt> <userinput>keystone user-role-add --user <replaceable>SERVICE_USER_ID</replaceable> --role <replaceable>ADMIN_ROLE_ID</replaceable> --tenant <replaceable>SERVICE_PROJECT_ID</replaceable></userinput></screen>
            </step>
        </procedure>
    </section>
    <section xml:id="cli_delete_service">
        <title>Delete a service</title>
        <procedure xml:id="service-delete">
            <step>
                <para>To delete a specified service, specify its ID,
                    as follows:</para>
                <screen><prompt>$</prompt> <userinput>keystone service-delete <replaceable>SERVICE_ID</replaceable></userinput></screen>
                <screen><computeroutput>+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       object store service       |
|      id     | 84c23f4b942c44c38b9c42c5e517cd9a |
|     name    |              swift               |
|     type    |           object-store           |
+-------------+----------------------------------+</computeroutput></screen>
            </step>
        </procedure>
    </section>
</section>
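The "Create service users" procedure above has you note the project ID from `keystone tenant-create` and the admin role ID from `keystone role-list`, then paste them into `keystone user-role-add` for every service user. The following script is an added example, not part of the OpenStack guide: it parses the PrettyTable output the keystone CLI prints so the IDs are extracted exactly (anchored matches, so `admin` never matches `ResellerAdmin`) rather than copied by hand. The table samples are the guide's own output (trimmed, embedded as constructed input so the script runs offline); the service user IDs are placeholders.

```shell
# Added example (not from the OpenStack guide): pull IDs out of the keystone CLI's
# PrettyTable output and build the admin-role assignment for each service user.

# Sample output copied from the guide's `keystone tenant-create --name service`
# and `keystone role-list` steps (constructed, trimmed input for an offline run).
TENANT_OUTPUT='+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 3e9f3f5399624b2db548d7f871bd5322 |
|     name    |             service              |
+-------------+----------------------------------+'

ROLE_OUTPUT='+----------------------------------+---------------+
|                id                |      name     |
+----------------------------------+---------------+
| 71ccc37d41c8491c975ae72676db687f |     Member    |
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab |    _member_   |
| 6ecf391421604da985db2f141e46a7c8 |     admin     |
+----------------------------------+---------------+'

# Value of PROPERTY from a two-column "Property | Value" table.
# Usage: table_value "$OUTPUT" id
table_value() {
    printf '%s\n' "$1" | awk -F'|' -v key="$2" '
        $2 ~ "^ *" key " *$" { gsub(/^ +| +$/, "", $3); print $3; exit }'
}

# id column of the row whose name column is exactly NAME. The match is anchored,
# so "admin" does not match "ResellerAdmin".  Usage: row_id "$OUTPUT" admin
row_id() {
    printf '%s\n' "$1" | awk -F'|' -v name="$2" '
        $3 ~ "^ *" name " *$" { gsub(/^ +| +$/, "", $2); print $2; exit }'
}

# One `keystone user-role-add` command per service user ID given as an argument.
# The command is printed, not run, so the example works offline; drop the printf
# to execute it against a live Identity Service.
assign_admin_roles() {
    tenant_id=$(table_value "$TENANT_OUTPUT" id)
    role_id=$(row_id "$ROLE_OUTPUT" admin)
    for user_id in "$@"; do
        printf 'keystone user-role-add --user %s --role %s --tenant %s\n' \
            "$user_id" "$role_id" "$tenant_id"
    done
}

# Placeholder IDs stand in for the ones your own `keystone user-create` prints.
assign_admin_roles NOVA_USER_ID CINDER_USER_ID NEUTRON_USER_ID
```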