|
OpenStack Icehouse : Configure Keystone#2
2014/06/23 |
|
Add Users or Roles, Services and so on in Keystone.
|
|
| [1] | Load environment variables first. Set value for "SERVICE_TOKEN" from the value "admin_token" in keystone.conf. |
|
[root@dlp ~]# export SERVICE_TOKEN=admintoken [root@dlp ~]# export SERVICE_ENDPOINT=http://10.0.0.30:35357/v2.0/ |
| [2] | Add Tenants ( like group ) |
|
# add admin tenant [root@dlp ~]# keystone tenant-create --name admin --description "Admin Tenant" --enabled true +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Admin Tenant | | enabled | True | | id | 35f01938c8fc4021ab8e9710512a1201 | | name | admin | +-------------+----------------------------------+ # add service tenant [root@dlp ~]# keystone tenant-create --name service --description "Service Tenant" --enabled true +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Service Tenant | | enabled | True | | id | 8653393a3ea5426b81eb8f2a47935491 | | name | service | +-------------+----------------------------------+ # confirm settings [root@dlp ~]# keystone tenant-list +----------------------------------+---------+---------+ | id | name | enabled | +----------------------------------+---------+---------+ | 35f01938c8fc4021ab8e9710512a1201 | admin | True | | 8653393a3ea5426b81eb8f2a47935491 | service | True | +----------------------------------+---------+---------+ |
| [3] | Add Roles |
|
# add admin role [root@dlp ~]# keystone role-create --name admin +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 3f1e588b69914116a4cb8cda8674f870 | | name | admin | +----------+----------------------------------+ # add Member role [root@dlp ~]# keystone role-create --name Member +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 09d4f72c8b774358baeee84035ef01f2 | | name | Member | +----------+----------------------------------+ # confirm settings [root@dlp ~]# keystone role-list +----------------------------------+----------+ | id | name | +----------------------------------+----------+ | 09d4f72c8b774358baeee84035ef01f2 | Member | | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | | 3f1e588b69914116a4cb8cda8674f870 | admin | +----------------------------------+----------+ |
| [4] | Add Users |
|
# add admin user (set in admin tenant) [root@dlp ~]# keystone user-create --tenant admin --name admin --pass adminpassword --enabled true +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | 1d24294fc26f46e3b60c0fbe637c4d08 | | name | admin | | tenantId | 35f01938c8fc4021ab8e9710512a1201 | | username | admin | +----------+----------------------------------+ # add admin user in admin role [root@dlp ~]# keystone user-role-add --user admin --tenant admin --role admin
# add glance user (set in service tenant) [root@dlp ~]# keystone user-create --tenant service --name glance --pass servicepassword --enabled true +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | a2d5d591feb847e186e407226465f329 | | name | glance | | tenantId | 8653393a3ea5426b81eb8f2a47935491 | | username | glance | +----------+----------------------------------+ # add glance user in admin role [root@dlp ~]# keystone user-role-add --user glance --tenant service --role admin
# add nova user (set in service tenant) [root@dlp ~]# keystone user-create --tenant service --name nova --pass servicepassword --enabled true +----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | 9001ced195e64ac0ae2a32645f56c146 | | name | nova | | tenantId | 8653393a3ea5426b81eb8f2a47935491 | | username | nova | +----------+----------------------------------+ # add nova user in admin role [root@dlp ~]# keystone user-role-add --user nova --tenant service --role admin
# confirm settings [root@dlp ~]# keystone user-list +----------------------------------+--------+---------+-------+ | id | name | enabled | email | +----------------------------------+--------+---------+-------+ | 1d24294fc26f46e3b60c0fbe637c4d08 | admin | True | | | a2d5d591feb847e186e407226465f329 | glance | True | | | 9001ced195e64ac0ae2a32645f56c146 | nova | True | | +----------------------------------+--------+---------+-------+ |
| [5] | Add entries for services |
|
# add for keystone [root@dlp ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Keystone Identity Service | | enabled | True | | id | 58569f744c474d5d913b57ca9707d850 | | name | keystone | | type | identity | +-------------+----------------------------------+ # add for glance [root@dlp ~]# keystone service-create --name=glance --type=image --description="Glance Image Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Glance Image Service | | enabled | True | | id | 7e3e11e9eebd44be8abc83abd5e48ae6 | | name | glance | | type | image | +-------------+----------------------------------+ # add for nova [root@dlp ~]# keystone service-create --name=nova --type=compute --description="Nova Compute Service" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Nova Compute Service | | enabled | True | | id | 50bd9a2ec5984051b0977dec2380777e | | name | nova | | type | compute | +-------------+----------------------------------+ # confirm settings [root@dlp ~]# keystone service-list +----------------------------------+----------+----------+---------------------------+ | id | name | type | description | +----------------------------------+----------+----------+---------------------------+ | 7e3e11e9eebd44be8abc83abd5e48ae6 | glance | image | Glance Image Service | | 58569f744c474d5d913b57ca9707d850 | keystone | identity | Keystone Identity Service | | 50bd9a2ec5984051b0977dec2380777e | nova | compute | Nova Compute Service | +----------------------------------+----------+----------+---------------------------+ |
| [6] | Add Endpoints |
|
# define my host [root@dlp ~]# export my_host=10.0.0.30
# add endpoint for keystone [root@dlp ~]# keystone endpoint-create --region RegionOne \ --service keystone \ --publicurl "http://$my_host:\$(public_port)s/v2.0" \ --internalurl "http://$my_host:\$(public_port)s/v2.0" \ --adminurl "http://$my_host:\$(admin_port)s/v2.0" +-------------+---------------------------------------+ | Property | Value | +-------------+---------------------------------------+ | adminurl | http://10.0.0.30:$(admin_port)s/v2.0 | | id | 89d92c5f256a425ebf9ed94a1bcf395d | | internalurl | http://10.0.0.30:$(public_port)s/v2.0 | | publicurl | http://10.0.0.30:$(public_port)s/v2.0 | | region | RegionOne | | service_id | 58569f744c474d5d913b57ca9707d850 | +-------------+---------------------------------------+ # add endpoint for glance [root@dlp ~]# keystone endpoint-create --region RegionOne \ --service glance \ --publicurl "http://$my_host:9292/v1" \ --internalurl "http://$my_host:9292/v1" \ --adminurl "http://$my_host:9292/v1" +-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | adminurl | http://10.0.0.30:9292/v1 | | id | 7adc89800ea943e891603f966a727c73 | | internalurl | http://10.0.0.30:9292/v1 | | publicurl | http://10.0.0.30:9292/v1 | | region | RegionOne | | service_id | 7e3e11e9eebd44be8abc83abd5e48ae6 | +-------------+----------------------------------+ # add endpoint for nova [root@dlp ~]# keystone endpoint-create --region RegionOne \ --service nova \ --publicurl "http://$my_host:\$(compute_port)s/v2/\$(tenant_id)s" \ --internalurl "http://$my_host:\$(compute_port)s/v2/\$(tenant_id)s" \ --adminurl "http://$my_host:\$(compute_port)s/v2/\$(tenant_id)s" +-------------+----------------------------------------------------+ | Property | Value | +-------------+----------------------------------------------------+ | adminurl | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | | id | 99a04b567bbf49a0926d3627adfba299 | | internalurl | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | | publicurl | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | | region | RegionOne | | service_id | 50bd9a2ec5984051b0977dec2380777e | +-------------+----------------------------------------------------+ # confirm settings [root@dlp ~]# keystone endpoint-list +----------------------------------+-----------+----------------------------------------------------+ | id | region | publicurl | +----------------------------------+-----------+----------------------------------------------------+ | 7adc89800ea943e891603f966a727c73 | RegionOne | http://10.0.0.30:9292/v1 | | 89d92c5f256a425ebf9ed94a1bcf395d | RegionOne | http://10.0.0.30:$(public_port)s/v2.0 | | 99a04b567bbf49a0926d3627adfba299 | RegionOne | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | +----------------------------------+-----------+----------------------------------------------------+ +----------------------------------------------------+----------------------------------------------------+ | internalurl | adminurl | +----------------------------------------------------+----------------------------------------------------+ | http://10.0.0.30:9292/v1 | http://10.0.0.30:9292/v1 | | http://10.0.0.30:$(public_port)s/v2.0 | http://10.0.0.30:$(admin_port)s/v2.0 | | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | http://10.0.0.30:$(compute_port)s/v2/$(tenant_id)s | +----------------------------------------------------+----------------------------------------------------+ +----------------------------------+ | service_id | +----------------------------------+ | 7e3e11e9eebd44be8abc83abd5e48ae6 | | 58569f744c474d5d913b57ca9707d850 | | 50bd9a2ec5984051b0977dec2380777e | +----------------------------------+ |