openstack/openstack-manuals
Code Issues Proposed changes
ee1c854256
openstack-manuals/doc/install-guide/section_keystone-verify.xml
ZhiQiang Fan 2f5604f876 Correct sample output of keystone user-role-list 
The sample output of keystone user-role-list should keep the user-id
as same as previous output of keystone user-list, otherwise it will
be a bit confused for readers.

Change-Id: Icc5cc5a84ecfc279f3e00604f76601b3d995bed6
Closes-Bug: #1308501
2014-04-16 22:40:44 +08:00

104 lines
5.6 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="keystone-verify"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Verify the Identity Service installation</title>
<procedure>
<step>
<para>To verify that the Identity Service is installed and
configured correctly, clear the values in the
<envar>OS_SERVICE_TOKEN</envar> and
<envar>OS_SERVICE_ENDPOINT</envar> environment
variables:</para>
<screen><prompt>$</prompt> <userinput>unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT</userinput></screen>
<para>These variables, which were used to bootstrap the
administrative user and register the Identity Service, are no
longer needed.</para>
</step>
<step>
<para>You can now use regular user name-based
authentication.</para>
<para>Request a authentication token by using the
<literal>admin</literal> user and the password you chose for
that user:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-username=admin --os-password=<replaceable>ADMIN_PASS</replaceable> \
--os-auth-url=http://controller:35357/v2.0 token-get</userinput></screen>
<para>In response, you receive a token paired with your user ID.
This verifies that the Identity Service is running on the
expected endpoint and that your user account is established
with the expected credentials.</para>
</step>
<step>
<para>Verify that authorization behaves as expected. To do so,
request authorization on a tenant:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-username=admin --os-password=<replaceable>ADMIN_PASS</replaceable> \
--os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 \
token-get</userinput></screen>
<para>In response, you receive a token that includes the ID of
the tenant that you specified. This verifies that your user
account has an explicitly defined role on the specified tenant
and the tenant exists as expected.</para>
</step>
<step>
<para>You can also set your <literal>--os-*</literal> variables
in your environment to simplify command-line usage. Set up a
<filename>admin-openrc.sh</filename> file with the admin
credentials and admin endpoint:</para>
<programlisting language="bash">export OS_USERNAME=admin
export OS_PASSWORD=<replaceable>ADMIN_PASS</replaceable>
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0</programlisting>
</step>
<step>
<para>Source this file to read in the environment
variables:</para>
<screen><prompt>$</prompt> <userinput>source admin-openrc.sh</userinput></screen>
</step>
<step>
<para>Verify that your <filename>admin-openrc.sh</filename> file is
configured correctly. Run the same command without the
<literal>--os-*</literal> arguments:</para>
<screen><prompt>$</prompt> <userinput>keystone token-get</userinput></screen>
<para>The command returns a token and the ID of the specified
tenant. This verifies that you have configured your
environment variables correctly.</para>
</step>
<step>
<para>Verify that your admin account has authorization to
perform administrative commands:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput>
<computeroutput>+----------------------------------+-------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+-------------------+
| afea5bde3be9413dbd60e479fddf9228 | admin | True | admin@example.com |
| 32aca1f9a47540c29d6988091f76c934 | demo | True | demo@example.com |
+----------------------------------+-------+---------+-------------------+
</computeroutput></screen>
<screen><prompt>$</prompt> <userinput>keystone user-role-list --user admin --tenant admin</userinput>
<computeroutput>+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | afea5bde3be9413dbd60e479fddf9228 | e519b772cb43474582fa303da62559e5 |
| 5d3b60b66f1f438b80eaae41a77b5951 | admin | afea5bde3be9413dbd60e479fddf9228 | e519b772cb43474582fa303da62559e5 |
+----------------------------------+----------+----------------------------------+----------------------------------+</computeroutput></screen>
<para>Seeing that the <literal>id</literal> in the output
from the <command>keystone user-list</command>
command matches the <literal>user_id</literal> in the
<command>keystone user-role-list</command> command,
and that the admin role is listed for that user, for the
related tenant, this verifies that your user account has the
<literal>admin</literal> role, which matches the role
used in the Identity Service <filename>policy.json</filename>
file.</para>
<note>
<para>As long as you define your credentials and the Identity
Service endpoint through the command line or environment
variables, you can run all OpenStack client commands from
any machine. For details, see <xref linkend="ch_clients"
/>.</para>
</note>
</step>
</procedure>
</section>
View Git Blame Copy Permalink