OpenStack Havana - Configure Keystone#2
2013/10/22
Add users, roles, services and so on in Keystone.
[1] Load environment variables first. Set "SERVICE_TOKEN" to the value of "admin_token" in keystone.conf.
[root@dlp ~]# export SERVICE_TOKEN=admintoken
[root@dlp ~]# export SERVICE_ENDPOINT=http://10.0.0.30:35357/v2.0/
[2] Add Tenants (like groups)
# add admin tenant
[root@dlp ~]# keystone tenant-create --name admin --description "Admin Tenant" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Admin Tenant                     |
| enabled     | True                             |
| id          | 97be94660c2043e58fee407bc9cde0d5 |
| name        | admin                            |
+-------------+----------------------------------+

# add service tenant
[root@dlp ~]# keystone tenant-create --name service --description "Service Tenant" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Service Tenant                   |
| enabled     | True                             |
| id          | 17867024fb23470f8005a15c6ccfed44 |
| name        | service                          |
+-------------+----------------------------------+

# confirm settings
[root@dlp ~]# keystone tenant-list
+----------------------------------+---------+---------+
| id                               | name    | enabled |
+----------------------------------+---------+---------+
| 97be94660c2043e58fee407bc9cde0d5 | admin   | True    |
| 17867024fb23470f8005a15c6ccfed44 | service | True    |
+----------------------------------+---------+---------+
[3] Add Roles
# add admin role
[root@dlp ~]# keystone role-create --name admin
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | 51077b36f67b47e299cfc275157eb5a6 |
| name     | admin                            |
+----------+----------------------------------+

# add Member role
[root@dlp ~]# keystone role-create --name Member
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | e67eabd9c4ff4559b3f3e09666473bc6 |
| name     | Member                           |
+----------+----------------------------------+

# confirm settings
[root@dlp ~]# keystone role-list
+----------------------------------+----------+
| id                               | name     |
+----------------------------------+----------+
| e67eabd9c4ff4559b3f3e09666473bc6 | Member   |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 51077b36f67b47e299cfc275157eb5a6 | admin    |
+----------------------------------+----------+
[4] Add Users
# add admin user (set in admin tenant)
[root@dlp ~]# keystone user-create --tenant admin --name admin --pass adminpassword --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 279ade4f97014020b0e7855f2f72e40f |
| name     | admin                            |
| tenantId | 97be94660c2043e58fee407bc9cde0d5 |
+----------+----------------------------------+

# add admin user in admin role
[root@dlp ~]# keystone user-role-add --user admin --tenant admin --role admin

# add cinder user (set in service tenant)
[root@dlp ~]# keystone user-create --tenant service --name cinder --pass servicepassword --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 68fb4adcb2664dcb8747be70a12173ff |
| name     | cinder                           |
| tenantId | 17867024fb23470f8005a15c6ccfed44 |
+----------+----------------------------------+

# add cinder user in admin role
[root@dlp ~]# keystone user-role-add --user cinder --tenant service --role admin

# add glance user (set in service tenant)
[root@dlp ~]# keystone user-create --tenant service --name glance --pass servicepassword --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | ea825d2bae8c4b27bd2fea1186c433bb |
| name     | glance                           |
| tenantId | 17867024fb23470f8005a15c6ccfed44 |
+----------+----------------------------------+

# add glance user in admin role
[root@dlp ~]# keystone user-role-add --user glance --tenant service --role admin

# add nova user (set in service tenant)
[root@dlp ~]# keystone user-create --tenant service --name nova --pass servicepassword --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 66abd2503a7c40d8b3d6fe9a733787ec |
| name     | nova                             |
| tenantId | 17867024fb23470f8005a15c6ccfed44 |
+----------+----------------------------------+

# add nova user in admin role
[root@dlp ~]# keystone user-role-add --user nova --tenant service --role admin

# confirm settings
[root@dlp ~]# keystone user-list
+----------------------------------+--------+---------+-------+
| id                               | name   | enabled | email |
+----------------------------------+--------+---------+-------+
| 279ade4f97014020b0e7855f2f72e40f | admin  | True    |       |
| 68fb4adcb2664dcb8747be70a12173ff | cinder | True    |       |
| ea825d2bae8c4b27bd2fea1186c433bb | glance | True    |       |
| 66abd2503a7c40d8b3d6fe9a733787ec | nova   | True    |       |
+----------------------------------+--------+---------+-------+
[5] Add entries for services
# add for keystone
[root@dlp ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Keystone Identity Service        |
| id          | 90e34600f87043dc95488a5cf6f30118 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

# add for cinder
[root@dlp ~]# keystone service-create --name=cinder --type=volume --description="Cinder Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Cinder Service                   |
| id          | 8214ec203d6e434f8a0eb2687ef7aa0c |
| name        | cinder                           |
| type        | volume                           |
+-------------+----------------------------------+

# add for glance
[root@dlp ~]# keystone service-create --name=glance --type=image --description="Glance Image Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Glance Image Service             |
| id          | d364dd1bb04741ff86a303c36cee4a47 |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+

# add for nova
[root@dlp ~]# keystone service-create --name=nova --type=compute --description="Nova Compute Service"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Nova Compute Service             |
| id          | 8d2ff23b12144ce3a645aeb85cbbeec3 |
| name        | nova                             |
| type        | compute                          |
+-------------+----------------------------------+

# confirm settings
[root@dlp ~]# keystone service-list
+----------------------------------+----------+----------+---------------------------+
| id                               | name     | type     | description               |
+----------------------------------+----------+----------+---------------------------+
| 8214ec203d6e434f8a0eb2687ef7aa0c | cinder   | volume   | Cinder Service            |
| d364dd1bb04741ff86a303c36cee4a47 | glance   | image    | Glance Image Service      |
| 90e34600f87043dc95488a5cf6f30118 | keystone | identity | Keystone Identity Service |
| 8d2ff23b12144ce3a645aeb85cbbeec3 | nova     | compute  | Nova Compute Service      |
+----------------------------------+----------+----------+---------------------------+
[6] Add Endpoints
# define my host
[root@dlp ~]# export my_host=10.0.0.30
# add endpoint for keystone
[root@dlp ~]# keystone endpoint-create --region RegionOne \
--service keystone \
--publicurl "http://$my_host:\$(public_port)s/v2.0" \
--internalurl "http://$my_host:\$(public_port)s/v2.0" \
--adminurl "http://$my_host:\$(admin_port)s/v2.0"
+-------------+---------------------------------------+
| Property    | Value                                 |
+-------------+---------------------------------------+
| adminurl    | http://10.0.0.30:$(admin_port)s/v2.0  |
| id          | 8abd184835d849c89e2853b1d5e110d5      |
| internalurl | http://10.0.0.30:$(public_port)s/v2.0 |
| publicurl   | http://10.0.0.30:$(public_port)s/v2.0 |
| region      | RegionOne                             |
| service_id  | 90e34600f87043dc95488a5cf6f30118      |
+-------------+---------------------------------------+

# add endpoint for cinder
[root@dlp ~]# keystone endpoint-create --region RegionOne \
--service cinder \
--publicurl "http://$my_host:8776/v1/\$(tenant_id)s" \
--internalurl "http://$my_host:8776/v1/\$(tenant_id)s" \
--adminurl "http://$my_host:8776/v1/\$(tenant_id)s"
+-------------+----------------------------------------+
| Property    | Value                                  |
+-------------+----------------------------------------+
| adminurl    | http://10.0.0.30:8776/v1/$(tenant_id)s |
| id          | e1e864f12648435fa7ad1ed4d94729c5       |
| internalurl | http://10.0.0.30:8776/v1/$(tenant_id)s |
| publicurl   | http://10.0.0.30:8776/v1/$(tenant_id)s |
| region      | RegionOne                              |
| service_id  | 8214ec203d6e434f8a0eb2687ef7aa0c       |
+-------------+----------------------------------------+

# add endpoint for glance
[root@dlp ~]# keystone endpoint-create --region RegionOne \
--service glance \
--publicurl "http://$my_host:9292/v1" \
--internalurl "http://$my_host:9292/v1" \
--adminurl "http://$my_host:9292/v1"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://10.0.0.30:9292/v1         |
| id          | 99a80cd8a9f3495a88bdb9d446735663 |
| internalurl | http://10.0.0.30:9292/v1         |
| publicurl   | http://10.0.0.30:9292/v1         |
| region      | RegionOne                        |
| service_id  | d364dd1bb04741ff86a303c36cee4a47 |
+-------------+----------------------------------+

# add endpoint for nova
[root@dlp ~]# keystone endpoint-create --region RegionOne \
--service nova \
--publicurl "http://$my_host:\$(compute_port)s/v1.1/\$(tenant_id)s" \
--internalurl "http://$my_host:\$(compute_port)s/v1.1/\$(tenant_id)s" \
--adminurl "http://$my_host:\$(compute_port)s/v1.1/\$(tenant_id)s"
+-------------+------------------------------------------------------+
| Property    | Value                                                |
+-------------+------------------------------------------------------+
| adminurl    | http://10.0.0.30:$(compute_port)s/v1.1/$(tenant_id)s |
| id          | a7358113abe64724a52877ab45dab0f5                     |
| internalurl | http://10.0.0.30:$(compute_port)s/v1.1/$(tenant_id)s |
| publicurl   | http://10.0.0.30:$(compute_port)s/v1.1/$(tenant_id)s |
| region      | RegionOne                                            |
| service_id  | 8d2ff23b12144ce3a645aeb85cbbeec3                     |
+-------------+------------------------------------------------------+

# confirm settings
[root@dlp ~]# keystone endpoint-list
+----------------------------------+-----------+
| id                               | region    |
+----------------------------------+-----------+
| 8abd184835d849c89e2853b1d5e110d5 | RegionOne |
| 99a80cd8a9f3495a88bdb9d446735663 | RegionOne |
| a7358113abe64724a52877ab45dab0f5 | RegionOne |
| e1e864f12648435fa7ad1ed4d94729c5 | RegionOne |
+----------------------------------+-----------+
+------------------------------------------------------+
| publicurl                                            |
+------------------------------------------------------+
| http://10.0.0.30:$(public_port)s/v2.0                |
| http://10.0.0.30:9292/v1                             |
| http://10.0.0.30:$(compute_port)s/v1.1/$(tenant_id)s |
| http://10.0.0.30:8776/v1/$(tenant_id)s               |
+------------------------------------------------------+
+------------------------------------------------------+
| internalurl                                          |
+------------------------------------------------------+
| http://10.0.0.30:$(public_port)s/v2.0                |
| http://10.0.0.30:9292/v1                             |
| http://10.0.0.30:$(compute_port)s/v1.1/$(tenant_id)s |
| http://10.0.0.30:8776/v1/$(tenant_id)s               |
+------------------------------------------------------+
+------------------------------------------------------+
| adminurl                                             |
+------------------------------------------------------+
| http://10.0.0.30:$(admin_port)s/v2.0                 |
| http://10.0.0.30:9292/v1                             |
| http://10.0.0.30:$(compute_port)s/v1.1/$(tenant_id)s |
| http://10.0.0.30:8776/v1/$(tenant_id)s               |
+------------------------------------------------------+
+----------------------------------+
| service_id                       |
+----------------------------------+
| 90e34600f87043dc95488a5cf6f30118 |
| d364dd1bb04741ff86a303c36cee4a47 |
| 8d2ff23b12144ce3a645aeb85cbbeec3 |
| 8214ec203d6e434f8a0eb2687ef7aa0c |
+----------------------------------+
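
The "confirm settings" checks in [5] and [6] can be scripted. The following is an added example, not part of the original page: it parses the CLI tables, lists services that have no endpoint, and lists endpoints registered with plain http:// URLs. The function names and the sample tables are assumptions of this example (the tables are built from the IDs above, shown unwrapped, with the nova endpoint deliberately left out).

```shell
#!/bin/sh
# Added example (not from the original page). The tables are constructed from
# the IDs in steps [5] and [6]; the nova endpoint row is left out on purpose.
SERVICES='+----+------+------+-------------+
| id | name | type | description |
+----+------+------+-------------+
| 8214ec203d6e434f8a0eb2687ef7aa0c | cinder | volume | Cinder Service |
| d364dd1bb04741ff86a303c36cee4a47 | glance | image | Glance Image Service |
| 90e34600f87043dc95488a5cf6f30118 | keystone | identity | Keystone Identity Service |
| 8d2ff23b12144ce3a645aeb85cbbeec3 | nova | compute | Nova Compute Service |
+----+------+------+-------------+'
ENDPOINTS='| id | region | publicurl | internalurl | adminurl | service_id |
| 8abd184835d849c89e2853b1d5e110d5 | RegionOne | http://10.0.0.30:$(public_port)s/v2.0 | http://10.0.0.30:$(public_port)s/v2.0 | http://10.0.0.30:$(admin_port)s/v2.0 | 90e34600f87043dc95488a5cf6f30118 |
| 99a80cd8a9f3495a88bdb9d446735663 | RegionOne | http://10.0.0.30:9292/v1 | http://10.0.0.30:9292/v1 | http://10.0.0.30:9292/v1 | d364dd1bb04741ff86a303c36cee4a47 |
| e1e864f12648435fa7ad1ed4d94729c5 | RegionOne | http://10.0.0.30:8776/v1/$(tenant_id)s | http://10.0.0.30:8776/v1/$(tenant_id)s | http://10.0.0.30:8776/v1/$(tenant_id)s | 8214ec203d6e434f8a0eb2687ef7aa0c |'

# Print the requested 1-based columns of every data row, space-separated.
# Border rows (+---+) and the header row (first cell "id") are skipped.
table_fields() {
    awk -F' *[|] *' -v cols="$*" '
        /^[|]/ && $2 != "id" {
            n = split(cols, c, " "); line = ""
            for (i = 1; i <= n; i++) line = line (i > 1 ? " " : "") $(c[i] + 1)
            print line
        }'
}

# Names of services that no endpoint's service_id points to.
# $1 = service-list output, $2 = endpoint-list output
services_without_endpoint() {
    linked=$(printf '%s\n' "$2" | table_fields 6)
    printf '%s\n' "$1" | table_fields 1 2 | while read -r sid name; do
        printf '%s\n' "$linked" | grep -qxF "$sid" || printf '%s\n' "$name"
    done
}

# service_id of every endpoint with at least one plain http:// URL.
# $1 = endpoint-list output
cleartext_endpoints() {
    printf '%s\n' "$1" | table_fields 6 3 4 5 | awk '
        { for (i = 2; i <= NF; i++) if ($i ~ /^http:\/\//) { print $1; next } }'
}

echo "no endpoint: $(services_without_endpoint "$SERVICES" "$ENDPOINTS")"
echo "cleartext:   $(cleartext_endpoints "$ENDPOINTS" | tr '\n' ' ')"
```

On a live host, pass the functions the output of "keystone service-list" and "keystone endpoint-list" in place of the sample variables.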