[[openstack|back]]
==== Basic concepts ====
* User: normal human user
* Role: user's function, like admin or manager
* Tenant: organization or project or business unit
The /etc/[SERVICE_CODENAME]/policy.json controls what users are allowed to do for a given service. For example, /etc/nova/policy.json specifies the access policy for the Compute service, /etc/glance/policy.json specifies the access policy for the Image service, and /etc/keystone/policy.json specifies the access policy for the Identity service.
==== Add role, tenant and user manually with keystone commands ====
=== Add tenant ===
# Bootstrap call: authenticated with the admin_token (--token, here 1234) against the admin API on port 35357 instead of a user login; the tenant id returned below is referenced by later steps.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 tenant-create --name defaulttenant --description "Default Tenant"
== response from command ==
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Default Tenant |
| enabled | True |
| id | d3ab6c32167244aabeb63939ea85245f |
| name | defaulttenant |
+-------------+----------------------------------+
=== Add user ===
# --pass places the password on the command line, where it is visible in shell history and process listings; the response below also echoes the stored password hash.
[root@openstack1 vic]# keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name admin --pass dingqiqing --tenant-id d3ab6c32167244aabeb63939ea85245f
== response from command ==
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | 784f31ab49214d8e9312f787fdd3bf52 |
| name | admin |
| password | $6$rounds=40000$2D1AWkK5NZNbxwbe$JSUKUvw3HD/DfJsfH4UiGynIvXFzx9wRvgvjG7Ja1/V9vHwATNV7eNmrsmRvYrS6cKfKJ5cVoDXMfUOPHGNwq. |
| tenantId | d3ab6c32167244aabeb63939ea85245f |
+----------+-------------------------------------------------------------------------------------------------------------------------+
=== Add role: Admin and Member ===
# Create the two roles this walkthrough grants; the ids in the responses are what user-role-add below takes as --role-id.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 role-create --name Admin
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 role-create --name Member
== response from command ==
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 5d2559c588f544b4a85ad40c3504f96c |
| name | Admin |
+----------+----------------------------------+
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 828c45b4c0d24feb820ceb9895978ad3 |
| name | Member |
+----------+----------------------------------+
=== Add admin as Admin in Tenant ===
# Grant role Admin (5d25...) to user admin (784f...) scoped to defaulttenant (d3ab...); all three ids come from the responses above.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id 784f31ab49214d8e9312f787fdd3bf52 --tenant-id d3ab6c32167244aabeb63939ea85245f --role-id 5d2559c588f544b4a85ad40c3504f96c
=== Create a dedicated tenant: service for all the Services ===
# Dedicated tenant that holds the per-service accounts created in the next section, keeping them apart from defaulttenant.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 tenant-create --name service --description "Service Tenant"
== response from command ==
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Service Tenant |
| enabled | True |
| id | c34f61b17ba44089b7e7b24840a2e5d0 |
| name | service |
+-------------+----------------------------------+
=== Add user for services in service tenant and grant them Admin role ===
** Repeat these steps for each service that is going to be added **
** user: glance **
#Create user in the tenant
# Service account for glance. The same password is reused for admin and every service user on this page, and it is passed on the command line (shell history, process listings).
[root@openstack1 vic]# keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name glance --pass dingqiqing --tenant-id c34f61b17ba44089b7e7b24840a2e5d0
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | 413e3d4104cf4176ab8e854393314ec3 |
| name | glance |
| password | $6$rounds=40000$Ohyap0YqW3A5O9gC$ZdsvTAMYpeZNnzis98gmRJE9pMoJJLOrvXU4rIX7ghIR.pGBhierwkO2AXdLwUo8srvpOtDolp4Mc/mKaG3Wu0 |
| tenantId | c34f61b17ba44089b7e7b24840a2e5d0 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
#Assign role Admin to the newly created user in that tenant
# Admin role (5d25...) for glance (413e...) scoped to the service tenant (c34f...), not to defaulttenant.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id 413e3d4104cf4176ab8e854393314ec3 --tenant-id c34f61b17ba44089b7e7b24840a2e5d0 --role-id 5d2559c588f544b4a85ad40c3504f96c
** user: nova **
# Service account for nova in the service tenant; same command-line --pass pattern as the glance user above.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name nova --pass dingqiqing --tenant-id c34f61b17ba44089b7e7b24840a2e5d0
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | 2b626bfb635f423aa84b7dadf13c191d |
| name | nova |
| password | $6$rounds=40000$XFJY6DN6e81V/1kD$V.Z0dPxPi8jXnIcumeI1EB5KUx0WWXm8nE30AR7SzTXsh3/i.zdiykh4rDaAxdD55gzSwxgIo2tdlRnhRxO5N. |
| tenantId | c34f61b17ba44089b7e7b24840a2e5d0 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
#assign role Admin to user nova
# Admin role for nova (2b62...) in the service tenant.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id 2b626bfb635f423aa84b7dadf13c191d --tenant-id c34f61b17ba44089b7e7b24840a2e5d0 --role-id 5d2559c588f544b4a85ad40c3504f96c
** user: ec2 **
# Service account for the EC2 compatibility layer in the service tenant.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name ec2 --pass dingqiqing --tenant-id c34f61b17ba44089b7e7b24840a2e5d0
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | f77f9cf9e5f64591a332e5ee0294e2e6 |
| name | ec2 |
| password | $6$rounds=40000$iDzgCvxNp9OOoMIF$Xy5H9XnEOvD44/.83nMYyavE6EkHr3EEiy0ukGcai8AoV13G3Emd1eW7Hr08pRbL.JS1CFu//M39CfcQv75yc/ |
| tenantId | c34f61b17ba44089b7e7b24840a2e5d0 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
# role assignment
# Admin role for ec2 (f77f...) in the service tenant.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id f77f9cf9e5f64591a332e5ee0294e2e6 --tenant-id c34f61b17ba44089b7e7b24840a2e5d0 --role-id 5d2559c588f544b4a85ad40c3504f96c
** user: swift **
# Service account for swift in the service tenant.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-create --name swift --pass dingqiqing --tenant-id c34f61b17ba44089b7e7b24840a2e5d0
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | |
| enabled | True |
| id | 2ee34bc27a00432a82661f6fd6cbf126 |
| name | swift |
| password | $6$rounds=40000$PjY6dpd4bx7N9Uas$umRB6ElRsDlwbORbe9GvrM6rMbJXeNeXc1UeP3Nu7.meYbe6lW4qBi1siRQhdnRcM0pCUIIKJV0mLB5rVn0XM/ |
| tenantId | c34f61b17ba44089b7e7b24840a2e5d0 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
#role assignment
# Admin role for swift (2ee3...) in the service tenant.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0 user-role-add --user-id 2ee34bc27a00432a82661f6fd6cbf126 --tenant-id c34f61b17ba44089b7e7b24840a2e5d0 --role-id 5d2559c588f544b4a85ad40c3504f96c
==== Add tenants, roles and groups with a script ====
The following script is from the OpenStack community:
#!/usr/bin/env bash
# Copyright 2013 OpenStack LLC
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
# Sample initial data for Keystone using python-keystoneclient
#
# This script is based on the original DevStack keystone_data.sh script.
#
# It demonstrates how to bootstrap Keystone with an administrative user
# using the SERVICE_TOKEN and SERVICE_ENDPOINT environment variables
# and the administrative API. It will get the admin_token (SERVICE_TOKEN)
# and admin_port from keystone.conf if available.
#
# Disable creation of endpoints by setting DISABLE_ENDPOINTS environment variable.
# Use this with the Catalog Templated backend.
#
# A EC2-compatible credential is created for the admin user and
# placed in etc/ec2rc.
#
# Tenant User Roles
# -------------------------------------------------------
# demo admin admin
# service glance admin
# service nova admin
# service ec2 admin
# service swift admin
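# Controller addresses advertised in the endpoint catalog; each can be
# overridden from the environment and defaults to localhost.
CONTROLLER_PUBLIC_ADDRESS=${CONTROLLER_PUBLIC_ADDRESS:-localhost}
CONTROLLER_ADMIN_ADDRESS=${CONTROLLER_ADMIN_ADDRESS:-localhost}
CONTROLLER_INTERNAL_ADDRESS=${CONTROLLER_INTERNAL_ADDRESS:-localhost}
# Directory containing this script; the inner substitution is quoted so a
# path with spaces does not break the cd.
TOOLS_DIR=$(cd "$(dirname "$0")" && pwd)
# Locate keystone.conf: the installed copy first, then a git checkout,
# otherwise run without one. EC2RC is the file the ec2 credentials go to.
KEYSTONE_CONF=${KEYSTONE_CONF:-/etc/keystone/keystone.conf}
if [[ -r "$KEYSTONE_CONF" ]]; then
  EC2RC="$(dirname "$KEYSTONE_CONF")/ec2rc"
elif [[ -r "$TOOLS_DIR/../etc/keystone.conf" ]]; then
  # assume git checkout
  KEYSTONE_CONF="$TOOLS_DIR/../etc/keystone.conf"
  EC2RC="$TOOLS_DIR/../etc/ec2rc"
else
  KEYSTONE_CONF=""
  EC2RC="ec2rc"
fi
# Extract admin_token and admin_port from keystone.conf. Whitespace is
# stripped first so "key = value" and "key=value" both match; the value is
# everything after the first '=' (cut -f2-) so a token that itself contains
# '=' is not truncated.
if [[ -r "$KEYSTONE_CONF" ]]; then
  CONFIG_SERVICE_TOKEN=$(sed 's/[[:space:]]//g' "$KEYSTONE_CONF" | grep '^admin_token=' | cut -d'=' -f2-)
  CONFIG_ADMIN_PORT=$(sed 's/[[:space:]]//g' "$KEYSTONE_CONF" | grep '^admin_port=' | cut -d'=' -f2-)
fi
# The admin token is the bootstrap credential for the administrative API;
# an explicit SERVICE_TOKEN in the environment wins over the value read
# from keystone.conf. Exported so the keystone CLI calls below pick it up.
export SERVICE_TOKEN=${SERVICE_TOKEN:-$CONFIG_SERVICE_TOKEN}
if [[ -z "$SERVICE_TOKEN" ]]; then
  # Diagnostics go to stderr so they are not mistaken for command output.
  echo "No service token found." >&2
  echo "Set SERVICE_TOKEN manually from keystone.conf admin_token." >&2
  exit 1
fi
# Admin API endpoint; falls back to the conventional admin port 35357 when
# keystone.conf did not provide admin_port.
export SERVICE_ENDPOINT=${SERVICE_ENDPOINT:-http://$CONTROLLER_PUBLIC_ADDRESS:${CONFIG_ADMIN_PORT:-35357}/v2.0}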
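#######################################
# Run a keystone command and print the value of its "id" row.
# Arguments: the keystone command line to run (passed through unchanged)
# Outputs:   the id on stdout; first matching row only, nothing if absent
#######################################
function get_id () {
  # Compare the property column exactly ($2 == "id") instead of grepping
  # for " id " anywhere on the line, so a description that happens to
  # contain the word "id" is not picked up. exit after the first hit keeps
  # the result single-line; $(...) at the call site strips the newline.
  "$@" | awk '$2 == "id" { print $4; exit }'
}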
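#
# Default tenant
#
# The admin password can be supplied through ADMIN_PASSWORD (introduced
# here); the literal fallback is the upstream sample value.
DEMO_TENANT=$(get_id keystone tenant-create --name=demo \
  --description "Default Tenant")
ADMIN_USER=$(get_id keystone user-create --name=admin \
  --pass="${ADMIN_PASSWORD:-secrete}")
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
# Ids are quoted so an empty value (a failed create) is passed as an empty
# argument instead of letting the following option be taken as the value.
keystone user-role-add --user-id "$ADMIN_USER" \
  --role-id "$ADMIN_ROLE" \
  --tenant-id "$DEMO_TENANT"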
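#
# Service tenant
#
# Each service account's password can be supplied through the environment
# (GLANCE_PASSWORD, NOVA_PASSWORD, EC2_PASSWORD, SWIFT_PASSWORD, introduced
# here); the literal fallbacks are the upstream sample values. Ids are
# quoted so an empty value cannot swallow the option that follows it.
SERVICE_TENANT=$(get_id keystone tenant-create --name=service \
  --description "Service Tenant")
# Unlike the other service users, glance gets no default --tenant-id here;
# the role grant below is what scopes it to the service tenant.
GLANCE_USER=$(get_id keystone user-create --name=glance \
  --pass="${GLANCE_PASSWORD:-glance}")
keystone user-role-add --user-id "$GLANCE_USER" \
  --role-id "$ADMIN_ROLE" \
  --tenant-id "$SERVICE_TENANT"
NOVA_USER=$(get_id keystone user-create --name=nova \
  --pass="${NOVA_PASSWORD:-nova}" \
  --tenant-id "$SERVICE_TENANT")
keystone user-role-add --user-id "$NOVA_USER" \
  --role-id "$ADMIN_ROLE" \
  --tenant-id "$SERVICE_TENANT"
EC2_USER=$(get_id keystone user-create --name=ec2 \
  --pass="${EC2_PASSWORD:-ec2}" \
  --tenant-id "$SERVICE_TENANT")
keystone user-role-add --user-id "$EC2_USER" \
  --role-id "$ADMIN_ROLE" \
  --tenant-id "$SERVICE_TENANT"
SWIFT_USER=$(get_id keystone user-create --name=swift \
  --pass="${SWIFT_PASSWORD:-swiftpass}" \
  --tenant-id "$SERVICE_TENANT")
keystone user-role-add --user-id "$SWIFT_USER" \
  --role-id "$ADMIN_ROLE" \
  --tenant-id "$SERVICE_TENANT"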
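#
# Keystone service
#
KEYSTONE_SERVICE=$(get_id \
  keystone service-create --name=keystone \
    --type=identity \
    --description="Keystone Identity Service")
# Endpoint creation is skipped when DISABLE_ENDPOINTS is set (templated
# catalog backend). The escaped \$(...)s placeholders are left for the
# templated catalog to fill in; the service id is quoted so an empty value
# cannot swallow the next option.
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
  keystone endpoint-create --region RegionOne --service-id "$KEYSTONE_SERVICE" \
    --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:\$(public_port)s/v2.0" \
    --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:\$(admin_port)s/v2.0" \
    --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:\$(public_port)s/v2.0"
fi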
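#
# Nova service
#
NOVA_SERVICE=$(get_id \
  keystone service-create --name=nova \
    --type=compute \
    --description="Nova Compute Service")
# Skipped when DISABLE_ENDPOINTS is set. \$(compute_port)s and
# \$(tenant_id)s stay literal for the templated catalog; the service id is
# quoted so an empty value cannot swallow the next option.
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
  keystone endpoint-create --region RegionOne --service-id "$NOVA_SERVICE" \
    --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:\$(compute_port)s/v1.1/\$(tenant_id)s" \
    --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:\$(compute_port)s/v1.1/\$(tenant_id)s" \
    --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:\$(compute_port)s/v1.1/\$(tenant_id)s"
fi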
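#
# Volume service
#
VOLUME_SERVICE=$(get_id \
  keystone service-create --name=volume \
    --type=volume \
    --description="Nova Volume Service")
# Skipped when DISABLE_ENDPOINTS is set. The volume port (8776) is fixed
# here rather than templated; the service id is quoted so an empty value
# cannot swallow the next option.
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
  keystone endpoint-create --region RegionOne --service-id "$VOLUME_SERVICE" \
    --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8776/v1/\$(tenant_id)s" \
    --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8776/v1/\$(tenant_id)s" \
    --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8776/v1/\$(tenant_id)s"
fi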
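#
# Image service
#
GLANCE_SERVICE=$(get_id \
  keystone service-create --name=glance \
    --type=image \
    --description="Glance Image Service")
# Skipped when DISABLE_ENDPOINTS is set. Glance URLs carry no tenant
# placeholder; the service id is quoted so an empty value cannot swallow
# the next option.
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
  keystone endpoint-create --region RegionOne --service-id "$GLANCE_SERVICE" \
    --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:9292" \
    --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:9292" \
    --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:9292"
fi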
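#
# EC2 service
#
EC2_SERVICE=$(get_id \
  keystone service-create --name=ec2 \
    --type=ec2 \
    --description="EC2 Compatibility Layer")
# Skipped when DISABLE_ENDPOINTS is set. Note the admin URL points at the
# separate /services/Admin path; the service id is quoted so an empty value
# cannot swallow the next option.
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
  keystone endpoint-create --region RegionOne --service-id "$EC2_SERVICE" \
    --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8773/services/Cloud" \
    --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8773/services/Admin" \
    --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8773/services/Cloud"
fi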
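#
# Swift service
#
SWIFT_SERVICE=$(get_id \
  keystone service-create --name=swift \
    --type="object-store" \
    --description="Swift Service")
# Skipped when DISABLE_ENDPOINTS is set. The AUTH_\$(tenant_id)s account
# path is templated on public/internal only, the admin URL is the bare /v1;
# the service id is quoted so an empty value cannot swallow the next option.
if [[ -z "$DISABLE_ENDPOINTS" ]]; then
  keystone endpoint-create --region RegionOne --service-id "$SWIFT_SERVICE" \
    --publicurl "http://$CONTROLLER_PUBLIC_ADDRESS:8888/v1/AUTH_\$(tenant_id)s" \
    --adminurl "http://$CONTROLLER_ADMIN_ADDRESS:8888/v1" \
    --internalurl "http://$CONTROLLER_INTERNAL_ADDRESS:8888/v1/AUTH_\$(tenant_id)s"
fi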
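# create ec2 creds and parse the secret and access key returned
RESULT=$(keystone ec2-credentials-create --tenant-id="$SERVICE_TENANT" --user-id="$ADMIN_USER")
# Match the property column exactly ($2) rather than any line containing
# "access"/"secret", so a value that happens to contain either word is not
# picked up; exit after the first hit keeps each result single-line.
ADMIN_ACCESS=$(awk '$2 == "access" { print $4; exit }' <<<"$RESULT")
ADMIN_SECRET=$(awk '$2 == "secret" { print $4; exit }' <<<"$RESULT")
# ec2rc will hold the admin EC2 secret: files created from here on are
# owner-only (a new ec2rc gets mode 0600).
umask 077
# write the secret and access to ec2rc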
cat > $EC2RC <
==== Add services ====
=== add identity service ===
# Register keystone itself in the service catalog. The endpoint here carries a trailing slash (/v2.0/) unlike the earlier commands; the response below shows both forms are accepted.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0/ service-create --name=keystone --type=identity --description="Keystone Identity Service"
== response from the command ==
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Keystone Identity Service |
| id | ed69115205a949939c49f01a767b2a02 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
=== add region ===
# Public and internal URLs point at the public API (port 5000); adminurl at the admin API (port 35357), the same one the --token bootstrap calls on this page use. --service-id is the id from the service-create response above.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0/ endpoint-create --region RegionOne --service-id=ed69115205a949939c49f01a767b2a02 --publicurl=http://192.168.0.169:5000/v2.0 --internalurl=http://192.168.0.169:5000/v2.0 --adminurl=http://192.168.0.169:35357/v2.0
== response from command ==
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| adminurl | http://192.168.0.169:35357/v2.0 |
| id | 3d045e30678e4d1f8dd9a5917524c724 |
| internalurl | http://192.168.0.169:5000/v2.0 |
| publicurl | http://192.168.0.169:5000/v2.0 |
| region | RegionOne |
| service_id | ed69115205a949939c49f01a767b2a02 |
+-------------+----------------------------------+
=== Add compute service (nova) ===
# Register nova as the compute service (one command, continued with trailing backslashes); the id in the response is the --service-id for the endpoint-create below.
keystone --token 1234 \
--endpoint http://192.168.0.169:35357/v2.0/ \
service-create \
--name=nova \
--type=compute \
--description="Nova Compute Service"
== response from command ==
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Nova Compute Service |
| id | 04ac82f3a2ce4603be9778988aab30b0 |
| name | nova |
| type | compute |
+-------------+----------------------------------+
=== add service endpoint for EACH tenant, via the %(tenant_id)s placeholder (required) ===
# The single quotes keep %(tenant_id)s literal (unquoted, the parentheses would be a shell syntax error), so keystone stores a template that is completed per tenant rather than a fixed URL.
keystone --token 1234 --endpoint http://192.168.0.169:35357/v2.0/ endpoint-create --region RegionOne --service-id=04ac82f3a2ce4603be9778988aab30b0 --publicurl='http://192.168.0.169:8774/v2/%(tenant_id)s' --internalurl='http://192.168.0.169:8774/v2/%(tenant_id)s' --adminurl='http://192.168.0.169:8774/v2/%(tenant_id)s'
== response from command ==
+-------------+--------------------------------------------+
| Property | Value |
+-------------+--------------------------------------------+
| adminurl | http://192.168.0.169:8774/v2/%(tenant_id)s |
| id | 9c64d765ae564a1bb5d634f8fcca9ea4 |
| internalurl | http://192.168.0.169:8774/v2/%(tenant_id)s |
| publicurl | http://192.168.0.169:8774/v2/%(tenant_id)s |
| region | RegionOne |
| service_id | 04ac82f3a2ce4603be9778988aab30b0 |
+-------------+--------------------------------------------+