OpenStack Grizzly - Configure Keystone #2
2013/08/13
Add users, roles, services and endpoints in Keystone.
[1] Load the environment variables first. Set SERVICE_TOKEN to the value of "admin_token" in keystone.conf.
[root@dlp ~]# export SERVICE_TOKEN=admintoken
[root@dlp ~]# export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/
[2] Add Tenants (like groups)
# add admin tenant
[root@dlp ~]# keystone tenant-create --name admin --description "Admin Tenant" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Admin Tenant                     |
| enabled     | True                             |
| id          | 2751413388064becb657e04afc0e7695 |
| name        | admin                            |
+-------------+----------------------------------+
# add service tenant
[root@dlp ~]# keystone tenant-create --name service --description "Service Tenant" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Service Tenant                   |
| enabled     | True                             |
| id          | a2ce1b64a0b742f68110edf193e30af7 |
| name        | service                          |
+-------------+----------------------------------+
# confirm settings
[root@dlp ~]# keystone tenant-list
+----------------------------------+---------+---------+
| id                               | name    | enabled |
+----------------------------------+---------+---------+
| 2751413388064becb657e04afc0e7695 | admin   | True    |
| a2ce1b64a0b742f68110edf193e30af7 | service | True    |
+----------------------------------+---------+---------+
[3] Add Roles
# add admin role
[root@dlp ~]# keystone role-create --name admin
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | 2f068e6dd2074674b8fdd2d0bccb32ff |
| name     | admin                            |
+----------+----------------------------------+
# add Member role
[root@dlp ~]# keystone role-create --name Member
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | 88900b30d29845ccbc5ff01a71e37d49 |
| name     | Member                           |
+----------+----------------------------------+
# confirm settings
[root@dlp ~]# keystone role-list
+----------------------------------+----------+
| id                               | name     |
+----------------------------------+----------+
| 88900b30d29845ccbc5ff01a71e37d49 | Member   |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 2f068e6dd2074674b8fdd2d0bccb32ff | admin    |
+----------------------------------+----------+
[4] Add Users
# add admin user (in admin tenant)
[root@dlp ~]# keystone user-create --tenant_id 2751413388064becb657e04afc0e7695 --name admin --pass adminpassword --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | c44c8f91d0144fd49471bf89465e9eb0 |
| name     | admin                            |
| tenantId | 2751413388064becb657e04afc0e7695 |
+----------+----------------------------------+
# add admin user in admin role
[root@dlp ~]# keystone user-role-add --user-id c44c8f91d0144fd49471bf89465e9eb0 --tenant_id 2751413388064becb657e04afc0e7695 --role-id 2f068e6dd2074674b8fdd2d0bccb32ff
# add cinder user (in service tenant)
[root@dlp ~]# keystone user-create --tenant_id a2ce1b64a0b742f68110edf193e30af7 --name cinder --pass servicepassword --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 425dc8fdb81241819468c9432a2d4569 |
| name     | cinder                           |
| tenantId | a2ce1b64a0b742f68110edf193e30af7 |
+----------+----------------------------------+
# add cinder user in admin role
[root@dlp ~]# keystone user-role-add --user-id 425dc8fdb81241819468c9432a2d4569 --tenant_id a2ce1b64a0b742f68110edf193e30af7 --role-id 2f068e6dd2074674b8fdd2d0bccb32ff
# add glance user (in service tenant)
[root@dlp ~]# keystone user-create --tenant_id a2ce1b64a0b742f68110edf193e30af7 --name glance --pass servicepassword --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | e68a6a08575b4464bba426af4d722538 |
| name     | glance                           |
| tenantId | a2ce1b64a0b742f68110edf193e30af7 |
+----------+----------------------------------+
# add glance user in admin role
[root@dlp ~]# keystone user-role-add --user-id e68a6a08575b4464bba426af4d722538 --tenant_id a2ce1b64a0b742f68110edf193e30af7 --role-id 2f068e6dd2074674b8fdd2d0bccb32ff
# add nova user (in service tenant)
[root@dlp ~]# keystone user-create --tenant_id a2ce1b64a0b742f68110edf193e30af7 --name nova --pass servicepassword --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 0becd68333334ceda6af3c81c33fab4a |
| name     | nova                             |
| tenantId | a2ce1b64a0b742f68110edf193e30af7 |
+----------+----------------------------------+
# add nova user in admin role
[root@dlp ~]# keystone user-role-add --user-id 0becd68333334ceda6af3c81c33fab4a --tenant_id a2ce1b64a0b742f68110edf193e30af7 --role-id 2f068e6dd2074674b8fdd2d0bccb32ff
# confirm settings
[root@dlp ~]# keystone user-list
+----------------------------------+--------+---------+-------+
| id                               | name   | enabled | email |
+----------------------------------+--------+---------+-------+
| c44c8f91d0144fd49471bf89465e9eb0 | admin  | True    |       |
| 425dc8fdb81241819468c9432a2d4569 | cinder | True    |       |
| e68a6a08575b4464bba426af4d722538 | glance | True    |       |
| 0becd68333334ceda6af3c81c33fab4a | nova   | True    |       |
+----------------------------------+--------+---------+-------+
[5] Add entries for services
# add for keystone
[root@dlp ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Keystone Identity Service        |
| id          | 24aa6eb74a3644888d36944a9e4a24b2 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
# add for cinder
[root@dlp ~]# keystone service-create --name=cinder --type=volume --description="Cinder Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Cinder Service                   |
| id          | f098586f23374812b8907e4f166507ea |
| name        | cinder                           |
| type        | volume                           |
+-------------+----------------------------------+
# add for glance
[root@dlp ~]# keystone service-create --name=glance --type=image --description="Glance Image Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Glance Image Service             |
| id          | a8431d1527354b5a8c1a97b13468f937 |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+
# add for nova
[root@dlp ~]# keystone service-create --name=nova --type=compute --description="Nova Compute Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Nova Compute Service             |
| id          | 34e0bd084ae349dfae3f5ede135dea02 |
| name        | nova                             |
| type        | compute                          |
+-------------+----------------------------------+
# confirm settings
[root@dlp ~]# keystone service-list
+----------------------------------+----------+----------+---------------------------+
| id                               | name     | type     | description               |
+----------------------------------+----------+----------+---------------------------+
| f098586f23374812b8907e4f166507ea | cinder   | volume   | Cinder Service            |
| a8431d1527354b5a8c1a97b13468f937 | glance   | image    | Glance Image Service      |
| 24aa6eb74a3644888d36944a9e4a24b2 | keystone | identity | Keystone Identity Service |
| 34e0bd084ae349dfae3f5ede135dea02 | nova     | compute  | Nova Compute Service      |
+----------------------------------+----------+----------+---------------------------+
[6] Add Endpoints
# define my host
[root@dlp ~]# export my_host=127.0.0.1
# add endpoint for keystone
[root@dlp ~]# keystone endpoint-create --region RegionOne \
--service_id=24aa6eb74a3644888d36944a9e4a24b2 \
--publicurl="http://$my_host:\$(public_port)s/v2.0" \
--internalurl="http://$my_host:\$(public_port)s/v2.0" \
--adminurl="http://$my_host:\$(admin_port)s/v2.0"
+-------------+---------------------------------------+
| Property    | Value                                 |
+-------------+---------------------------------------+
| adminurl    | http://127.0.0.1:$(admin_port)s/v2.0  |
| id          | babc2a40289c4a0898bfbbb18960145d      |
| internalurl | http://127.0.0.1:$(public_port)s/v2.0 |
| publicurl   | http://127.0.0.1:$(public_port)s/v2.0 |
| region      | RegionOne                             |
| service_id  | 24aa6eb74a3644888d36944a9e4a24b2      |
+-------------+---------------------------------------+
# add endpoint for cinder
[root@dlp ~]# keystone endpoint-create --region RegionOne \
--service_id=f098586f23374812b8907e4f166507ea \
--publicurl="http://$my_host:8776/v1/\$(tenant_id)s" \
--internalurl="http://$my_host:8776/v1/\$(tenant_id)s" \
--adminurl="http://$my_host:8776/v1/\$(tenant_id)s"
+-------------+----------------------------------------+
| Property    | Value                                  |
+-------------+----------------------------------------+
| adminurl    | http://127.0.0.1:8776/v1/$(tenant_id)s |
| id          | 708244ae6f2742bb9701d696581c8db2       |
| internalurl | http://127.0.0.1:8776/v1/$(tenant_id)s |
| publicurl   | http://127.0.0.1:8776/v1/$(tenant_id)s |
| region      | RegionOne                              |
| service_id  | f098586f23374812b8907e4f166507ea       |
+-------------+----------------------------------------+
# add endpoint for glance
[root@dlp ~]# keystone endpoint-create --region RegionOne \
--service_id=a8431d1527354b5a8c1a97b13468f937 \
--publicurl="http://$my_host:9292/v1" \
--internalurl="http://$my_host:9292/v1" \
--adminurl="http://$my_host:9292/v1"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://127.0.0.1:9292/v1         |
| id          | 5b21c4efee0a443fbaddf85cf2367e7e |
| internalurl | http://127.0.0.1:9292/v1         |
| publicurl   | http://127.0.0.1:9292/v1         |
| region      | RegionOne                        |
| service_id  | a8431d1527354b5a8c1a97b13468f937 |
+-------------+----------------------------------+
# add endpoint for nova
[root@dlp ~]# keystone endpoint-create --region RegionOne \
--service_id=34e0bd084ae349dfae3f5ede135dea02 \
--publicurl="http://$my_host:\$(compute_port)s/v1.1/\$(tenant_id)s" \
--internalurl="http://$my_host:\$(compute_port)s/v1.1/\$(tenant_id)s" \
--adminurl="http://$my_host:\$(compute_port)s/v1.1/\$(tenant_id)s"
+-------------+------------------------------------------------------+
| Property    | Value                                                |
+-------------+------------------------------------------------------+
| adminurl    | http://127.0.0.1:$(compute_port)s/v1.1/$(tenant_id)s |
| id          | 2a280b289c564b2d8131645171226a2c                     |
| internalurl | http://127.0.0.1:$(compute_port)s/v1.1/$(tenant_id)s |
| publicurl   | http://127.0.0.1:$(compute_port)s/v1.1/$(tenant_id)s |
| region      | RegionOne                                            |
| service_id  | 34e0bd084ae349dfae3f5ede135dea02                     |
+-------------+------------------------------------------------------+
# confirm settings
[root@dlp ~]# keystone endpoint-list
+----------------------------------+-----------+------------------------------------------------------+
| id                               | region    | publicurl                                            |
+----------------------------------+-----------+------------------------------------------------------+
| 2a280b289c564b2d8131645171226a2c | RegionOne | http://127.0.0.1:$(compute_port)s/v1.1/$(tenant_id)s |
| 5b21c4efee0a443fbaddf85cf2367e7e | RegionOne | http://127.0.0.1:9292/v1                             |
| 708244ae6f2742bb9701d696581c8db2 | RegionOne | http://127.0.0.1:8776/v1/$(tenant_id)s               |
| babc2a40289c4a0898bfbbb18960145d | RegionOne | http://127.0.0.1:$(public_port)s/v2.0                |
+----------------------------------+-----------+------------------------------------------------------+
+------------------------------------------------------+------------------------------------------------------+
| internalurl                                          | adminurl                                             |
+------------------------------------------------------+------------------------------------------------------+
| http://127.0.0.1:$(compute_port)s/v1.1/$(tenant_id)s | http://127.0.0.1:$(compute_port)s/v1.1/$(tenant_id)s |
| http://127.0.0.1:9292/v1                             | http://127.0.0.1:9292/v1                             |
| http://127.0.0.1:8776/v1/$(tenant_id)s               | http://127.0.0.1:8776/v1/$(tenant_id)s               |
| http://127.0.0.1:$(public_port)s/v2.0                | http://127.0.0.1:$(admin_port)s/v2.0                 |
+------------------------------------------------------+------------------------------------------------------+
+----------------------------------+
| service_id                       |
+----------------------------------+
| 34e0bd084ae349dfae3f5ede135dea02 |
| a8431d1527354b5a8c1a97b13468f937 |
| f098586f23374812b8907e4f166507ea |
| 24aa6eb74a3644888d36944a9e4a24b2 |
+----------------------------------+
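The endpoint URLs registered above are templates: Keystone fills in `$(tenant_id)s` and the `$(public_port)s`, `$(admin_port)s` and `$(compute_port)s` values from keystone.conf when it builds the service catalog, which is why `$(` is backslash-escaped in the shell commands so that bash does not run it as a command substitution. The Python below is an added example, not code from this page or from Keystone: it reproduces that substitution (a `$(` to `%(` rewrite followed by Python %-formatting) and sanity-checks each template before it is registered; the port values are the Grizzly keystone.conf defaults and are assumed here.

```python
"""Render and sanity-check Keystone v2 endpoint URL templates."""
from urllib.parse import urlsplit

# Values Keystone substitutes when it builds the service catalog. The ports are
# the Grizzly keystone.conf defaults (assumed here); tenant_id is this page's
# admin tenant.
SUBSTITUTIONS = {
    "public_port": 5000,
    "admin_port": 35357,
    "compute_port": 8774,
    "tenant_id": "2751413388064becb657e04afc0e7695",
}
# Service types whose endpoint URLs carry the tenant id, as registered above.
TENANT_SCOPED = {"volume", "compute"}


def render_url(template, data=None):
    """Expand $(name)s placeholders the way Keystone's catalog code does:
    rewrite them to %(name)s and apply Python %-formatting."""
    return template.replace("$(", "%(") % (data or SUBSTITUTIONS)


def check_endpoint_url(service_type, template):
    """Return the problems found with one endpoint template ([] means OK)."""
    try:
        url = render_url(template)
    except (KeyError, ValueError) as exc:
        # Unknown placeholder name, or a placeholder missing its trailing "s".
        return ["cannot render template: %r" % (exc,)]
    problems = []
    if service_type in TENANT_SCOPED and "$(tenant_id)s" not in template:
        problems.append("tenant-scoped service without $(tenant_id)s")
    try:
        port = urlsplit(url).port
    except ValueError:
        port = None
    if port is None:
        # An unescaped $(public_port) on the command line is executed by the
        # shell, so Keystone would store "http://127.0.0.1:s/v2.0".
        problems.append("port missing or not numeric (placeholder eaten by the shell?)")
    return problems


def check_catalog(endpoints):
    """{service_type: (publicurl, internalurl, adminurl)} -> {service_type: [problems]}."""
    report = {}
    for service_type, urls in endpoints.items():
        found = [p for url in urls for p in check_endpoint_url(service_type, url)]
        if found:
            report[service_type] = found
    return report
```

Feed `check_catalog` the same four endpoint sets as above and it returns an empty dict; the same templates typed without the backslash, or with `$(tenant_id)s` left out of the cinder or nova URLs, are reported per service.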