|
OpenStack Icehouse : Configure Keystone#2
2014/05/13 |
|
Add Users or Roles, Services and so on in Keystone.
|
|
| [1] | Load environment variables first. Set value for "SERVICE_TOKEN" from the value "admin_token" in keystone.conf. |
|
root@dlp:~# export SERVICE_TOKEN=admintoken root@dlp:~# export SERVICE_ENDPOINT=http://10.0.0.30:35357/v2.0/ |
| [2] | Add Tenants ( like group ) |
|
# add admin tenant root@dlp:~# keystone tenant-create --name admin --description "Admin Tenant" --enabled true +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Admin Tenant | | enabled | True | | id | 0bf06fa0415043cb924ead3db08e2518 | | name | admin | +-------------+----------------------------------+ # add service tenant root@dlp:~# keystone tenant-create --name service --description "Service Tenant" --enabled true +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Service Tenant | | enabled | True | | id | 45fa65597c464d48a20be990f660a27b | | name | service | +-------------+----------------------------------+ # confirm settings root@dlp:~# keystone tenant-list +----------------------------------+---------+---------+ | id | name | enabled | +----------------------------------+---------+---------+ | 0bf06fa0415043cb924ead3db08e2518 | admin | True | | 45fa65597c464d48a20be990f660a27b | service | True | +----------------------------------+---------+---------+ |
| [3] | Add Roles |
|
# add admin role root@dlp:~# keystone role-create --name admin +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 9b5fb09c8f8d4271ae30d445794299c5 | | name | admin | +----------+----------------------------------+ # add Member role root@dlp:~# keystone role-create --name Member +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 2fa81c7f476748e89e6806cfadeea5cf | | name | Member | +----------+----------------------------------+ # confirm settings root@dlp:~# keystone role-list +----------------------------------+----------+ | id | name | +----------------------------------+----------+ | 2fa81c7f476748e89e6806cfadeea5cf | Member | | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | | 9b5fb09c8f8d4271ae30d445794299c5 | admin | +----------------------------------+----------+ |
| [4] | Add Users |
|
# add admin user (set in admin tenant) root@dlp:~# keystone user-create --tenant admin --name admin --pass adminpassword --enabled true +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | dd7518983aac411a9b24be64e6fa220f | | name | admin | | tenantId | 0bf06fa0415043cb924ead3db08e2518 | | username | admin | +----------+----------------------------------+ # add admin user in admin role root@dlp:~# keystone user-role-add --user admin --tenant admin --role admin
# add glance user (set in service tenant) root@dlp:~# keystone user-create --tenant service --name glance --pass servicepassword --enabled true +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | bf57c97785d44d658da80f6414ba9e66 | | name | glance | | tenantId | 45fa65597c464d48a20be990f660a27b | | username | glance | +----------+----------------------------------+ # add glance user in admin role root@dlp:~# keystone user-role-add --user glance --tenant service --role admin
# add nova user (set in service tenant) root@dlp:~# keystone user-create --tenant service --name nova --pass servicepassword --enabled true +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | f9713827b52040328749fa810b15d0ed | | name | nova | | tenantId | 45fa65597c464d48a20be990f660a27b | | username | nova | +----------+----------------------------------+ # add nova user in admin role root@dlp:~# keystone user-role-add --user nova --tenant service --role admin
# confirm settings root@dlp:~# keystone user-list +----------------------------------+--------+---------+-------+ | id | name | enabled | email | +----------------------------------+--------+---------+-------+ | dd7518983aac411a9b24be64e6fa220f | admin | True | | | bf57c97785d44d658da80f6414ba9e66 | glance | True | | | f9713827b52040328749fa810b15d0ed | nova | True | | +----------------------------------+--------+---------+-------+ |
| [5] | Add entries for services |
|
# add for keystone root@dlp:~# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Keystone Identity Service | | enabled | True | | id | 57a1dad6cdcd4ec5a6e96862edd8d7bd | | name | keystone | | type | identity | +-------------+----------------------------------+ # add for glance root@dlp:~# keystone service-create --name=glance --type=image --description="Glance Image Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Glance Image Service | | enabled | True | | id | daf11cbfbabb45d3a1408132a90af89e | | name | glance | | type | image | +-------------+----------------------------------+ # add for nova root@dlp:~# keystone service-create --name=nova --type=compute --description="Nova Compute Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Nova Compute Service | | enabled | True | | id | 585abf4e7ca94fdba9618e41e6ae394e | | name | nova | | type | compute | +-------------+----------------------------------+ # confirm settings root@dlp:~# keystone service-list +----------------------------------+----------+----------+---------------------------+ | id | name | type | description | +----------------------------------+----------+----------+---------------------------+ | daf11cbfbabb45d3a1408132a90af89e | glance | image | Glance Image Service | | 57a1dad6cdcd4ec5a6e96862edd8d7bd | keystone | identity | Keystone Identity Service | | 585abf4e7ca94fdba9618e41e6ae394e | nova | compute | Nova Compute Service | +----------------------------------+----------+----------+---------------------------+ |
| [6] | Add Endpoints |
|
# define my host root@dlp:~# export my_host=10.0.0.30
# add endpoint for keystone root@dlp:~# keystone endpoint-create --region RegionOne \ --service keystone \ --publicurl "http://$my_host:\$(public_port)s/v2.0" \ --internalurl "http://$my_host:\$(public_port)s/v2.0" \ --adminurl "http://$my_host:\$(admin_port)s/v2.0" +-------------+---------------------------------------+ | Property | Value | +-------------+---------------------------------------+ | adminurl | http://10.0.0.30:$(admin_port)s/v2.0 | | id | f3d986a2d5fe482b91071bcaca83c94a | | internalurl | http://10.0.0.30:$(public_port)s/v2.0 | | publicurl | http://10.0.0.30:$(public_port)s/v2.0 | | region | RegionOne | | service_id | 57a1dad6cdcd4ec5a6e96862edd8d7bd | +-------------+---------------------------------------+ # add endpoint for glance root@dlp:~# keystone endpoint-create --region RegionOne \ --service glance \ --publicurl "http://$my_host:9292/v1" \ --internalurl "http://$my_host:9292/v1" \ --adminurl "http://$my_host:9292/v1" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | adminurl | http://10.0.0.30:9292/v1 | | id | e2ba460ae291487fadf33f96b6bc56dd | | internalurl | http://10.0.0.30:9292/v1 | | publicurl | http://10.0.0.30:9292/v1 | | region | RegionOne | | service_id | daf11cbfbabb45d3a1408132a90af89e | +-------------+----------------------------------+ # add endpoint for nova root@dlp:~# keystone endpoint-create --region RegionOne \ --service nova \ --publicurl "http://$my_host:\$(compute_port)s/v2/\$(tenant_id)s" \ --internalurl "http://$my_host:\$(compute_port)s/v2/\$(tenant_id)s" \ --adminurl "http://$my_host:\$(compute_port)s/v2/\$(tenant_id)s" +-------------+----------------------------------------------------+ | Property | Value | +-------------+----------------------------------------------------+ | adminurl | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | | id | 530d64cee22d4dff89e97bada01e4886 | | internalurl | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | | publicurl | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | | region | RegionOne | | service_id | 585abf4e7ca94fdba9618e41e6ae394e | +-------------+----------------------------------------------------+ # confirm settings root@dlp:~# keystone endpoint-list +----------------------------------+-----------+----------------------------------------------------+ | id | region | publicurl | +----------------------------------+-----------+----------------------------------------------------+ | 530d64cee22d4dff89e97bada01e4886 | RegionOne | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | | e2ba460ae291487fadf33f96b6bc56dd | RegionOne | http://10.0.0.30:9292/v1 | | f3d986a2d5fe482b91071bcaca83c94a | RegionOne | http://10.0.0.30:$(public_port)s/v2.0 | +----------------------------------+-----------+----------------------------------------------------+ +----------------------------------------------------+ | internalurl | +----------------------------------------------------+ | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | | http://10.0.0.30:9292/v1 | | http://10.0.0.30:$(public_port)s/v2.0 | +----------------------------------------------------+ +----------------------------------------------------+----------------------------------+ | adminurl | service_id | +----------------------------------------------------+----------------------------------+ | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | 585abf4e7ca94fdba9618e41e6ae394e | | http://10.0.0.30:9292/v1 | daf11cbfbabb45d3a1408132a90af89e | | http://10.0.0.30:$(admin_port)s/v2.0 | 57a1dad6cdcd4ec5a6e96862edd8d7bd | +----------------------------------------------------+----------------------------------+ |