Basic concepts
- User: normal human user
- Role: user's function, like admin or manager
- Tenant: organization or project or business unit
The /etc/[SERVICE_CODENAME]/policy.json controls what users are allowed to do for a given service. For example, /etc/nova/policy.json specifies the access policy for the Compute service, /etc/glance/policy.json specifies the access policy for the Image service, and /etc/keystone/policy.json specifies the access policy for the Identity service.
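To make the link between the roles created below and policy.json concrete, here is an added, illustrative policy fragment (not taken from the post or from any shipped OpenStack file; the rule names are modelled on the Keystone default policy and are an assumption). Each key is either a reusable rule or a service action; the value is the check that must pass, expressed in terms of the caller's roles and token context.

```json
{
    "admin_required": "role:admin or is_admin:1",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",

    "default": "rule:admin_required",

    "identity:list_users": "rule:admin_required",
    "identity:get_user": "rule:admin_or_owner",
    "identity:create_user": "rule:admin_required",
    "identity:delete_user": "rule:admin_required"
}
```

The "default" entry is the fallback for any action not listed explicitly, which is why it is the first thing to check when reviewing one of these files: a rule whose value is the empty string always passes, so a fallback of `"default": ""` would let any authenticated user perform every unlisted action, whereas `"rule:admin_required"` fails closed. The role name in `role:admin` must match the name of the role you grant with user-role-add, so keep the spelling of the roles you create consistent with the policy files of every service.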
Add role, tenant and user manually with keystone commands
Add tenant
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 tenant-create --name defaulttenant --description "Default Tenant"
response from command
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Default Tenant                   |
| enabled     | True                             |
| id          | d3ab6c32167244aabeb63939ea85245f |
| name        | defaulttenant                    |
+-------------+----------------------------------+
Add user
[root@openstack1 vic]# keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name admin --pass dingqiqing --tenant-id d3ab6c32167244aabeb63939ea85245f
response from command
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | 784f31ab49214d8e9312f787fdd3bf52                                                                                        |
| name     | admin                                                                                                                   |
| password | $6$rounds=40000$2D1AWkK5NZNbxwbe$JSUKUvw3HD/DfJsfH4UiGynIvXFzx9wRvgvjG7Ja1/V9vHwATNV7eNmrsmRvYrS6cKfKJ5cVoDXMfUOPHGNwq. |
| tenantId | d3ab6c32167244aabeb63939ea85245f                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
Add role: Admin and Member
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 role-create --name Admin
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 role-create --name Member
response from command
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | 5d2559c588f544b4a85ad40c3504f96c |
| name     | Admin                            |
+----------+----------------------------------+

+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | 828c45b4c0d24feb820ceb9895978ad3 |
| name     | Member                           |
+----------+----------------------------------+
Add admin as Admin in Tenant
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id 784f31ab49214d8e9312f787fdd3bf52 --tenant-id d3ab6c32167244aabeb63939ea85245f --role-id 5d2559c588f544b4a85ad40c3504f96c
Create a dedicated tenant: service for all the Services
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 tenant-create --name service --description "Service Tenant"
response from command
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Service Tenant                   |
| enabled     | True                             |
| id          | c34f61b17ba44089b7e7b24840a2e5d0 |
| name        | service                          |
+-------------+----------------------------------+
Add user for services in service tenant and grant them Admin role
The following two steps (create the user in the service tenant, then grant it the Admin role there) should be run once for each service we are going to add a user for.
user: glance
# Create user in the tenant
[root@openstack1 vic]# keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name glance --pass dingqiqing --tenant-id c34f61b17ba44089b7e7b24840a2e5d0
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | 413e3d4104cf4176ab8e854393314ec3                                                                                        |
| name     | glance                                                                                                                  |
| password | $6$rounds=40000$Ohyap0YqW3A5O9gC$ZdsvTAMYpeZNnzis98gmRJE9pMoJJLOrvXU4rIX7ghIR.pGBhierwkO2AXdLwUo8srvpOtDolp4Mc/mKaG3Wu0 |
| tenantId | c34f61b17ba44089b7e7b24840a2e5d0                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
# Assign role Admin to the newly created user in that tenant
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id 413e3d4104cf4176ab8e854393314ec3 --tenant-id c34f61b17ba44089b7e7b24840a2e5d0 --role-id 5d2559c588f544b4a85ad40c3504f96c
user: nova
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name nova --pass dingqiqing --tenant-id c34f61b17ba44089b7e7b24840a2e5d0
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | 2b626bfb635f423aa84b7dadf13c191d                                                                                        |
| name     | nova                                                                                                                    |
| password | $6$rounds=40000$XFJY6DN6e81V/1kD$V.Z0dPxPi8jXnIcumeI1EB5KUx0WWXm8nE30AR7SzTXsh3/i.zdiykh4rDaAxdD55gzSwxgIo2tdlRnhRxO5N. |
| tenantId | c34f61b17ba44089b7e7b24840a2e5d0                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
# Assign role Admin to user nova
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id 2b626bfb635f423aa84b7dadf13c191d --tenant-id c34f61b17ba44089b7e7b24840a2e5d0 --role-id 5d2559c588f544b4a85ad40c3504f96c
user: ec2
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name ec2 --pass dingqiqing --tenant-id c34f61b17ba44089b7e7b24840a2e5d0
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | f77f9cf9e5f64591a332e5ee0294e2e6                                                                                        |
| name     | ec2                                                                                                                     |
| password | $6$rounds=40000$iDzgCvxNp9OOoMIF$Xy5H9XnEOvD44/.83nMYyavE6EkHr3EEiy0ukGcai8AoV13G3Emd1eW7Hr08pRbL.JS1CFu//M39CfcQv75yc/ |
| tenantId | c34f61b17ba44089b7e7b24840a2e5d0                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
# Role assignment
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id f77f9cf9e5f64591a332e5ee0294e2e6 --tenant-id c34f61b17ba44089b7e7b24840a2e5d0 --role-id 5d2559c588f544b4a85ad40c3504f96c
user: swift
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name swift --pass dingqiqing --tenant-id c34f61b17ba44089b7e7b24840a2e5d0
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value                                                                                                                   |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    |                                                                                                                         |
| enabled  | True                                                                                                                    |
| id       | 2ee34bc27a00432a82661f6fd6cbf126                                                                                        |
| name     | swift                                                                                                                   |
| password | $6$rounds=40000$PjY6dpd4bx7N9Uas$umRB6ElRsDlwbORbe9GvrM6rMbJXeNeXc1UeP3Nu7.meYbe6lW4qBi1siRQhdnRcM0pCUIIKJV0mLB5rVn0XM/ |
| tenantId | c34f61b17ba44089b7e7b24840a2e5d0                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
# Role assignment
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id 2ee34bc27a00432a82661f6fd6cbf126 --tenant-id c34f61b17ba44089b7e7b24840a2e5d0 --role-id 5d2559c588f544b4a85ad40c3504f96c
Add tenants, roles and groups with a script
The script below is the sample data script from the OpenStack community; it creates the same tenants, users, roles and role assignments as the manual steps above, and then registers the services and their endpoints.
#!/usr/bin/env bash

# Copyright 2013 OpenStack LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
#      http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.

# Sample initial data for Keystone using python-keystoneclient
#
# This script is based on the original DevStack keystone_data.sh script.
#
# It demonstrates how to bootstrap Keystone with an administrative user
# using the SERVICE_TOKEN and SERVICE_ENDPOINT environment variables
# and the administrative API.  It will get the admin_token (SERVICE_TOKEN)
# and admin_port from keystone.conf if available.
#
# Disable creation of endpoints by setting DISABLE_ENDPOINTS environment variable.
# Use this with the Catalog Templated backend.
#
# A EC2-compatible credential is created for the admin user and
# placed in etc/ec2rc.
#
# Tenant               User      Roles
# -------------------------------------------------------
# demo                 admin     admin
# service              glance    admin
# service              nova      admin
# service              ec2       admin
# service              swift     admin

CONTROLLER_PUBLIC_ADDRESS=${CONTROLLER_PUBLIC_ADDRESS:-localhost}
CONTROLLER_ADMIN_ADDRESS=${CONTROLLER_ADMIN_ADDRESS:-localhost}
CONTROLLER_INTERNAL_ADDRESS=${CONTROLLER_INTERNAL_ADDRESS:-localhost}

TOOLS_DIR=$(cd $(dirname "$0") && pwd)
KEYSTONE_CONF=${KEYSTONE_CONF:-/etc/keystone/keystone.conf}
if [[ -r "$KEYSTONE_CONF" ]]; then
    EC2RC="$(dirname "$KEYSTONE_CONF")/ec2rc"
elif [[ -r "$TOOLS_DIR/../etc/keystone.conf" ]]; then
    # assume git checkout
    KEYSTONE_CONF="$TOOLS_DIR/../etc/keystone.conf"
    EC2RC="$TOOLS_DIR/../etc/ec2rc"
else
    KEYSTONE_CONF=""
    EC2RC="ec2rc"
fi

# Extract some info from Keystone's configuration file
if [[ -r "$KEYSTONE_CONF" ]]; then
    CONFIG_SERVICE_TOKEN=$(sed 's/[[:space:]]//g' $KEYSTONE_CONF | grep ^admin_token= | cut -d'=' -f2)
    CONFIG_ADMIN_PORT=$(sed 's/[[:space:]]//g' $KEYSTONE_CONF | grep ^admin_port= | cut -d'=' -f2)
fi

export SERVICE_TOKEN=${SERVICE_TOKEN:-$CONFIG_SERVICE_TOKEN}
if [[ -z "$SERVICE_TOKEN" ]]; then
    echo "No service token found."
    echo "Set SERVICE_TOKEN manually from keystone.conf admin_token."
    exit 1
fi

export SERVICE_ENDPOINT=${SERVICE_ENDPOINT:-http://$CONTROLLER_PUBLIC_ADDRESS:${CONFIG_ADMIN_PORT:-35357}/v2.0}

function get_id () {
    echo `"$@" | grep ' id ' | awk '{print $4}'`
}

#
# Default tenant
#
DEMO_TENANT=$(get_id keystone tenant-create --name=demo \
                                            --description "Default Tenant")

ADMIN_USER=$(get_id keystone user-create --name=admin \
                                         --pass=secrete)

ADMIN_ROLE=$(get_id keystone role-create --name=admin)

keystone user-role-add --user-id $ADMIN_USER \
                       --role-id $ADMIN_ROLE \
                       --tenant-id $DEMO_TENANT

#
# Service tenant
#
SERVICE_TENANT=$(get_id keystone tenant-create --name=service \
                                               --description "Service Tenant")

GLANCE_USER=$(get_id keystone user-create --name=glance \
                                          --pass=glance)

keystone user-role-add --user-id $GLANCE_USER \
                       --role-id $ADMIN_ROLE \
                       --tenant-id $SERVICE_TENANT

NOVA_USER=$(get_id keystone user-create --name=nova \
                                        --pass=nova \
                                        --tenant-id $SERVICE_TENANT)

keystone user-role-add --user-id $NOVA_USER \
                       --role-id $ADMIN_ROLE \
                       --tenant-id $SERVICE_TENANT

EC2_USER=$(get_id keystone user-create --name=ec2 \
                                       --pass=ec2 \
                                       --tenant-id $SERVICE_TENANT)

keystone user-role-add --user-id $EC2_USER \
                       --role-id $ADMIN_ROLE \
                       --tenant-id $SERVICE_TENANT

SWIFT_USER=$(get_id keystone user-create --name=swift \
                                         --pass=swiftpass \
                                         --tenant-id $SERVICE_TENANT)

keystone user-role-add --user-id $SWIFT_USER \
                       --role-id $ADMIN_ROLE \
                       --tenant-id $SERVICE_TENANT

#
# Keystone service
#
KEYSTONE_SERVICE=$(get_id \
keystone service-create --name=keystone \
                        --type=identity \
                        --description="Keystone Identity Service")
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
    keystone endpoint-create --region RegionOne --service-id $KEYSTONE_SERVICE \
        --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:\$(public_port)s/v2.0" \
        --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:\$(admin_port)s/v2.0" \
        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:\$(public_port)s/v2.0"
fi

#
# Nova service
#
NOVA_SERVICE=$(get_id \
keystone service-create --name=nova \
                        --type=compute \
                        --description="Nova Compute Service")
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
    keystone endpoint-create --region RegionOne --service-id $NOVA_SERVICE \
        --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:\$(compute_port)s/v1.1/\$(tenant_id)s" \
        --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:\$(compute_port)s/v1.1/\$(tenant_id)s" \
        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:\$(compute_port)s/v1.1/\$(tenant_id)s"
fi

#
# Volume service
#
VOLUME_SERVICE=$(get_id \
keystone service-create --name=volume \
                        --type=volume \
                        --description="Nova Volume Service")
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
    keystone endpoint-create --region RegionOne --service-id $VOLUME_SERVICE \
        --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8776/v1/\$(tenant_id)s" \
        --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8776/v1/\$(tenant_id)s" \
        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8776/v1/\$(tenant_id)s"
fi

#
# Image service
#
GLANCE_SERVICE=$(get_id \
keystone service-create --name=glance \
                        --type=image \
                        --description="Glance Image Service")
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
    keystone endpoint-create --region RegionOne --service-id $GLANCE_SERVICE \
        --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:9292" \
        --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:9292" \
        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9292"
fi

#
# EC2 service
#
EC2_SERVICE=$(get_id \
keystone service-create --name=ec2 \
                        --type=ec2 \
                        --description="EC2 Compatibility Layer")
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
    keystone endpoint-create --region RegionOne --service-id $EC2_SERVICE \
        --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8773/services/Cloud" \
        --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8773/services/Admin" \
        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8773/services/Cloud"
fi

#
# Swift service
#
SWIFT_SERVICE=$(get_id \
keystone service-create --name=swift \
                        --type="object-store" \
                        --description="Swift Service")
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
    keystone endpoint-create --region RegionOne --service-id $SWIFT_SERVICE \
        --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8888/v1/AUTH_\$(tenant_id)s" \
        --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8888/v1" \
        --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8888/v1/AUTH_\$(tenant_id)s"
fi

# create ec2 creds and parse the secret and access key returned
RESULT=$(keystone ec2-credentials-create --tenant-id=$SERVICE_TENANT --user-id=$ADMIN_USER)
ADMIN_ACCESS=`echo "$RESULT" | grep access | awk '{print $4}'`
ADMIN_SECRET=`echo "$RESULT" | grep secret | awk '{print $4}'`

# write the secret and access to ec2rc
cat > $EC2RC <<EOF
ADMIN_ACCESS=$ADMIN_ACCESS
ADMIN_SECRET=$ADMIN_SECRET
EOF
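The manual steps earlier in this post copy each id out of the CLI's table by hand, and the community script above automates that with get_id. One thing to be aware of with get_id is that it returns an empty string when the keystone command fails, so every later user-role-add would then run with an empty --user-id or --tenant-id instead of stopping. The following is an added example, not part of the post or of the OpenStack script: a table_value helper that extracts any Property from the keystone v2.0 CLI table output, and a get_id_strict wrapper that refuses to continue when the id is missing. It is exercised against a constructed copy of the tenant-create output shown earlier and a fake_keystone stand-in function (both assumptions made so that it runs without a Keystone server).

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the OpenStack sample script):
# a stricter replacement for the sample script's get_id helper.

# table_value TABLE PROPERTY -> prints the Value column for PROPERTY
# (empty output if the property is absent or its value is blank)
table_value() {
    local table="$1" prop="$2"
    printf '%s\n' "$table" \
        | awk -F'|' -v p="$prop" '
            # data rows look like: | name | value |  (the +---+ borders have no "|")
            NF >= 3 {
                gsub(/^[ \t]+|[ \t]+$/, "", $2)
                gsub(/^[ \t]+|[ \t]+$/, "", $3)
                if ($2 == p) { print $3; exit }
            }'
}

# get_id_strict CMD... -> runs CMD, prints the "id" it reports,
# and returns non-zero (instead of an empty string) when there is none
get_id_strict() {
    local out id
    if ! out="$("$@")"; then
        echo "get_id_strict: command failed: $*" >&2
        return 1
    fi
    id="$(table_value "$out" id)"
    if [ -z "$id" ]; then
        echo "get_id_strict: no id in output of: $*" >&2
        return 1
    fi
    printf '%s\n' "$id"
}

# Constructed sample input: the tenant-create response shown in the post.
SAMPLE_TENANT_TABLE='+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Default Tenant                   |
| enabled     | True                             |
| id          | d3ab6c32167244aabeb63939ea85245f |
| name        | defaulttenant                    |
+-------------+----------------------------------+'

# Stand-in for the real CLI (assumption, so the example runs offline):
# tenant-create succeeds with the sample table, anything else fails.
fake_keystone() {
    case "$1" in
        tenant-create) printf '%s\n' "$SAMPLE_TENANT_TABLE" ;;
        *) echo "fake_keystone: unsupported command: $1" >&2; return 1 ;;
    esac
}

# Demo run: with a real deployment, replace fake_keystone with keystone.
TENANT_ID="$(get_id_strict fake_keystone tenant-create --name defaulttenant)"
echo "tenant id: $TENANT_ID"
```

In a bootstrap script you would combine this with `set -e` (or check each call explicitly) so that a failed tenant-create aborts the run before any role assignment is attempted with a bad id; the same helper also reads the `access`/`secret` values that the script later greps out of ec2-credentials-create.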
Add services
add identity service
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0/ service-create --name=keystone --type=identity --description="Keystone Identity Service"
response from the command
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Keystone Identity Service        |
| id          | ed69115205a949939c49f01a767b2a02 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
add endpoint for the identity service in region RegionOne
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0/ endpoint-create --region RegionOne --service-id=ed69115205a949939c49f01a767b2a02 --publicurl=http://192.168.0.169:5000/v2.0 --internalurl=http://192.168.0.169:5000/v2.0 --adminurl=http://192.168.0.169:35357/v2.0
response from command
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://192.168.0.169:35357/v2.0  |
| id          | 3d045e30678e4d1f8dd9a5917524c724 |
| internalurl | http://192.168.0.169:5000/v2.0   |
| publicurl   | http://192.168.0.169:5000/v2.0   |
| region      | RegionOne                        |
| service_id  | ed69115205a949939c49f01a767b2a02 |
+-------------+----------------------------------+
Add compute service (nova)
keystone --token 1234 \
  --endpoint http://192.168.0.169:35357/v2.0/ \
  service-create \
  --name=nova \
  --type=compute \
  --description="Nova Compute Service"
response from command
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Nova Compute Service             |
| id          | 04ac82f3a2ce4603be9778988aab30b0 |
| name        | nova                             |
| type        | compute                          |
+-------------+----------------------------------+
add the service endpoint (required); the %(tenant_id)s placeholder in the URLs is filled in per tenant, so one endpoint entry serves EACH tenant
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0/ endpoint-create --region RegionOne --service-id=04ac82f3a2ce4603be9778988aab30b0 --publicurl='http://192.168.0.169:8774/v2/%(tenant_id)s' --internalurl='http://192.168.0.169:8774/v2/%(tenant_id)s' --adminurl='http://192.168.0.169:8774/v2/%(tenant_id)s'
response from command
+-------------+--------------------------------------------+
| Property    | Value                                      |
+-------------+--------------------------------------------+
| adminurl    | http://192.168.0.169:8774/v2/%(tenant_id)s |
| id          | 9c64d765ae564a1bb5d634f8fcca9ea4           |
| internalurl | http://192.168.0.169:8774/v2/%(tenant_id)s |
| publicurl   | http://192.168.0.169:8774/v2/%(tenant_id)s |
| region      | RegionOne                                  |
| service_id  | 04ac82f3a2ce4603be9778988aab30b0           |
+-------------+--------------------------------------------+