Added keystone installation guides

Currently some keystone installation guide docs are part of
general OpenStack-manuals. Migrating those docs to keystone
documentation so that they can be reviewed effectively by
keystone developers too.

Added installation guides for Ubuntu, openSUSE and
Red Hat Enterprise. The installation guides for Debian will
be added once they are complete in openstack-manuals.

Also changed the toctree structure in install-guides to
include directives so that all sections appear on one page
rather than just links.

Partial-Bug #1694460

Change-Id: I03aecfd1544b559a8fbd1ab11c5474145cff9ff9
Samriddhi Jain 2017-06-15 12:37:40 +05:30
parent 9070172084
commit c69c283bf8
15 changed files with 1353 additions and 0 deletions


@ -47,6 +47,13 @@ client library`_.
.. _`Authentication library`: https://docs.openstack.org/developer/keystoneauth/
.. _`Python client library`: https://docs.openstack.org/developer/python-keystoneclient/
Installation Guides
~~~~~~~~~~~~~~~~~~~
.. toctree::
:maxdepth: 2
install/index.rst
General Information
~~~~~~~~~~~~~~~~~~~
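
Review bot: the new toctree entry ``install/index.rst`` carries the file extension, while the toctree added later in this change for the top-level tutorial page lists ``index-obs``, ``index-rdo`` and ``index-ubuntu`` without one. Please pick one form for toctree entries across the change so the entries read consistently.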


@ -0,0 +1,52 @@
Identity service overview
~~~~~~~~~~~~~~~~~~~~~~~~~
The OpenStack Identity service provides a single point of integration for
managing authentication, authorization, and a catalog of services.
The Identity service is typically the first service a user interacts with. Once
authenticated, an end user can use their identity to access other OpenStack
services. Likewise, other OpenStack services leverage the Identity service to
ensure users are who they say they are and discover where other services are
within the deployment. The Identity service can also integrate with some
external user management systems (such as LDAP).
Users and services can locate other services by using the service catalog,
which is managed by the Identity service. As the name implies, a service
catalog is a collection of available services in an OpenStack deployment. Each
service can have one or many endpoints and each endpoint can be one of three
types: admin, internal, or public. In a production environment, different
endpoint types might reside on separate networks exposed to different types of
users for security reasons. For instance, the public API network might be
visible from the Internet so customers can manage their clouds. The admin API
network might be restricted to operators within the organization that manages
cloud infrastructure. The internal API network might be restricted to the hosts
that contain OpenStack services. Also, OpenStack supports multiple regions for
scalability. For simplicity, this guide uses the management network for all
endpoint types and the default ``RegionOne`` region. Together, regions,
services, and endpoints created within the Identity service comprise the
service catalog for a deployment. Each OpenStack service in your deployment
needs a service entry with corresponding endpoints stored in the Identity
service. This can all be done after the Identity service has been installed and
configured.
The Identity service contains these components:
Server
A centralized server provides authentication and authorization
services using a RESTful interface.
Drivers
Drivers or a service back end are integrated to the centralized
server. They are used for accessing identity information in
repositories external to OpenStack, and may already exist in
the infrastructure where OpenStack is deployed (for example, SQL
databases or LDAP servers).
Modules
Middleware modules run in the address space of the OpenStack
component that is using the Identity service. These modules
intercept service requests, extract user credentials, and send them
to the centralized server for authorization. The integration between
the middleware modules and OpenStack components uses the Python Web
Server Gateway Interface.
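
Review bot: in the service catalog paragraph, the sentence "For simplicity, this guide uses the management network for all endpoint types" sits right after the text explaining that production deployments separate admin, internal and public endpoints for security reasons, and it is easy to miss in a block this long. Consider splitting the paragraph and moving that sentence into a ``.. note::`` that states it is a tutorial simplification, so the single-network layout is not read as the recommended one. Also, "Drivers or a service back end are integrated to the centralized server" reads awkwardly; "integrated with" would be clearer.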


@ -0,0 +1,50 @@
=====================================================================
Keystone Installation Tutorial for openSUSE and SUSE Linux Enterprise
=====================================================================
Abstract
~~~~~~~~
This guide will show you how to install OpenStack by using packages
on openSUSE Leap 42.2 and SUSE Linux Enterprise Server 12 - for
both SP1 and SP2 - through the Open Build Service Cloud repository.
Explanations of configuration options and sample configuration files
are included.
.. note::
The Training Labs scripts provide an automated way of deploying the
cluster described in this Installation Guide into VirtualBox or KVM
VMs. You will need a desktop computer or a laptop with at least 8
GB memory and 20 GB free storage running Linux, MaOS, or Windows.
Please see the
`OpenStack Training Labs <https://docs.openstack.org/training_labs/>`_.
This guide documents the OpenStack Ocata release.
.. warning::
This guide is a work-in-progress and is subject to updates frequently.
Pre-release packages have been used for testing, and some instructions
may not work with final versions. Please help us make this guide better
by reporting any errors you encounter.
Contents
~~~~~~~~
.. toctree::
:maxdepth: 2
common/get-started-identity.rst
keystone-install-obs.rst
keystone-users.rst
keystone-verify-obs.rst
keystone-openrc.rst
.. Pseudo only directive for each distribution used by the build tool.
This pseudo only directive for toctree only works fine with Tox.
When you directly build this guide with Sphinx,
some navigation menu may not work properly.
.. Keep this pseudo only directive not to break translation tool chain
at the openstack-doc-tools repo until it is changed.
.. end of contents
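
Review bot: the Abstract says "This guide will show you how to install OpenStack by using packages", but the page title is the Keystone installation tutorial and the Red Hat page in this change says "install Keystone"; please make this one say Keystone as well. The note also has the typo "MaOS" in "running Linux, MaOS, or Windows", which should be macOS.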


@ -0,0 +1,50 @@
======================================================================
Keystone Installation Tutorial for Red Hat Enterprise Linux and CentOS
======================================================================
Abstract
~~~~~~~~
This guide will show you how to install Keystone by using packages
available on Red Hat Enterprise Linux 7 and its derivatives through
the RDO repository.
Explanations of configuration options and sample configuration files
are included.
.. note::
The Training Labs scripts provide an automated way of deploying the
cluster described in this Installation Guide into VirtualBox or KVM
VMs. You will need a desktop computer or a laptop with at least 8
GB memory and 20 GB free storage running Linux, MaOS, or Windows.
Please see the
`OpenStack Training Labs <https://docs.openstack.org/training_labs/>`_.
This guide documents the OpenStack Ocata release.
.. warning::
This guide is a work-in-progress and is subject to updates frequently.
Pre-release packages have been used for testing, and some instructions
may not work with final versions. Please help us make this guide better
by reporting any errors you encounter.
Contents
~~~~~~~~
.. toctree::
:maxdepth: 2
common/get-started-identity.rst
keystone-install-rdo.rst
keystone-users.rst
keystone-verify-rdo.rst
keystone-openrc.rst
.. Pseudo only directive for each distribution used by the build tool.
This pseudo only directive for toctree only works fine with Tox.
When you directly build this guide with Sphinx,
some navigation menu may not work properly.
.. Keep this pseudo only directive not to break translation tool chain
at the openstack-doc-tools repo until it is changed.
.. end of contents
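
Review bot: the ``.. note::`` about the Training Labs scripts and the ``.. warning::`` about work-in-progress status are copied word for word into all three per-distribution index pages, including the "MaOS" typo. Consider moving them into one shared file and pulling it in with ``.. include::``, the way ``shared/note_configuration_vary_by_distribution.rst`` is used in the install pages, so a fix only has to be made once.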


@ -0,0 +1,50 @@
=========================================
Keystone Installation Tutorial for Ubuntu
=========================================
Abstract
~~~~~~~~
This guide will walk through an installation by using packages
available through Canonical's Ubuntu Cloud archive repository for
Ubuntu 16.04 (LTS).
Explanations of configuration options and sample configuration files
are included.
.. note::
The Training Labs scripts provide an automated way of deploying the
cluster described in this Installation Guide into VirtualBox or KVM
VMs. You will need a desktop computer or a laptop with at least 8
GB memory and 20 GB free storage running Linux, MaOS, or Windows.
Please see the
`OpenStack Training Labs <https://docs.openstack.org/training_labs/>`_.
This guide documents the OpenStack Ocata release.
.. warning::
This guide is a work-in-progress and is subject to updates frequently.
Pre-release packages have been used for testing, and some instructions
may not work with final versions. Please help us make this guide better
by reporting any errors you encounter.
Contents
~~~~~~~~
.. toctree::
:maxdepth: 2
common/get-started-identity.rst
keystone-install-ubuntu.rst
keystone-users.rst
keystone-verify-ubuntu.rst
keystone-openrc.rst
.. Pseudo only directive for each distribution used by the build tool.
This pseudo only directive for toctree only works fine with Tox.
When you directly build this guide with Sphinx,
some navigation menu may not work properly.
.. Keep this pseudo only directive not to break translation tool chain
at the openstack-doc-tools repo until it is changed.
.. end of contents
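
Review bot: the trailing comments ("Pseudo only directive for each distribution used by the build tool", "Keep this pseudo only directive not to break translation tool chain at the openstack-doc-tools repo") describe an ``only`` directive that does not appear anywhere in this file. If the directive was dropped during the migration, please drop these comments too, here and in the other two index pages; if it is still needed, it should be restored next to the toctree.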


@ -0,0 +1,22 @@
=================================
Keystone Installation Tutorial
=================================
The OpenStack system consists of several key services that are separately
installed. These services work together depending on your cloud
needs and include the Compute, Identity, Networking, Image, Block Storage,
Object Storage, Telemetry, Orchestration, and Database services. You
can install any of these projects separately and configure them stand-alone
or as connected entities.
This section describes how to install and configure the OpenStack
Identity service, code-named keystone, on the controller node. For
scalability purposes, this configuration deploys Fernet tokens and
the Apache HTTP server to handle requests.
.. toctree::
:maxdepth: 3
index-obs
index-rdo
index-ubuntu
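
Review bot: the commit message says the toctree structure was changed to include directives so that all sections appear on one page, but this page and the three per-distribution index pages still use ``.. toctree::``. Either switch these to ``.. include::`` or update the commit message to match what is being merged. Separately, the paragraph "This section describes how to install and configure the OpenStack Identity service ..." is repeated verbatim at the top of each install page, so it can be dropped from one of the two places.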


@ -0,0 +1,261 @@
Install and configure
~~~~~~~~~~~~~~~~~~~~~
This section describes how to install and configure the OpenStack
Identity service, code-named keystone, on the controller node. For
scalability purposes, this configuration deploys Fernet tokens and
the Apache HTTP server to handle requests.
Prerequisites
-------------
Before you install and configure the Identity service, you must
create a database.
.. note::
Before you begin, ensure you have the most recent version of
``python-pyasn1`` `installed <https://pypi.python.org/pypi/pyasn1>`_.
#. Use the database access client to connect to the database
server as the ``root`` user:
.. code-block:: console
$ mysql -u root -p
.. end
2. Create the ``keystone`` database:
.. code-block:: console
MariaDB [(none)]> CREATE DATABASE keystone;
.. end
#. Grant proper access to the ``keystone`` database:
.. code-block:: console
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
.. end
Replace ``KEYSTONE_DBPASS`` with a suitable password.
#. Exit the database access client.
.. _keystone-install-configure-obs:
Install and configure components
--------------------------------
.. include:: shared/note_configuration_vary_by_distribution.rst
.. note::
This guide uses the Apache HTTP server with ``mod_wsgi`` to serve
Identity service requests on ports 5000 and 35357. By default, the
keystone service still listens on these ports. Therefore, this guide
manually disables the keystone service.
.. note::
Starting with the Newton release, SUSE OpenStack packages are shipping
with the upstream default configuration files. For example
``/etc/keystone/keystone.conf``, with customizations in
``/etc/keystone/keystone.conf.d/010-keystone.conf``. While the
following instructions modify the default configuration file, adding a
new file in ``/etc/keystone/keystone.conf.d`` achieves the same
result.
#. Run the following command to install the packages:
.. code-block:: console
# zypper install openstack-keystone apache2-mod_wsgi
.. end
2. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
actions:
* In the ``[database]`` section, configure database access:
.. path /etc/keystone/keystone.conf
.. code-block:: ini
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
.. end
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
.. note::
Comment out or remove any other ``connection`` options in the
``[database]`` section.
* In the ``[token]`` section, configure the Fernet token provider:
.. path /etc/keystone/keystone.conf
.. code-block:: ini
[token]
# ...
provider = fernet
.. end
3. Populate the Identity service database:
.. code-block:: console
# su -s /bin/sh -c "keystone-manage db_sync" keystone
.. end
4. Initialize Fernet key repositories:
.. code-block:: console
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
.. end
5. Bootstrap the Identity service:
.. code-block:: console
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
.. end
Replace ``ADMIN_PASS`` with a suitable password for an administrative user.
Configure the Apache HTTP server
--------------------------------
#. Edit the ``/etc/sysconfig/apache2`` file and configure the
``APACHE_SERVERNAME`` option to reference the controller node:
.. path /etc/sysconfig/apache2
.. code-block:: shell
APACHE_SERVERNAME="controller"
.. end
#. Create the ``/etc/apache2/conf.d/wsgi-keystone.conf`` file
with the following content:
.. path /etc/apache2/conf.d/wsgi-keystone.conf
.. code-block:: apache
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
.. end
#. Recursively change the ownership of the ``/etc/keystone`` directory:
.. code-block:: console
# chown -R keystone:keystone /etc/keystone
.. end
Finalize the installation
-------------------------
#. Start the Apache HTTP service and configure it to start when the system
boots:
.. code-block:: console
# systemctl enable apache2.service
# systemctl start apache2.service
.. end
2. Configure the administrative account
.. code-block:: console
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
.. end
Replace ``ADMIN_PASS`` with the password used in the
``keystone-manage bootstrap`` command in `keystone-install-configure-obs`_.
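
Review bot: in Prerequisites, the second statement, "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'", lets the ``keystone`` database account connect from any host. Please add a sentence telling the reader to narrow the host part to the controller or the management network outside of a lab, or explain why the wildcard is needed here. Also, the note under "Install and configure components" says "this guide manually disables the keystone service", but no step in this file does that; either add the step or reword the note.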


@ -0,0 +1,203 @@
Install and configure
~~~~~~~~~~~~~~~~~~~~~
This section describes how to install and configure the OpenStack
Identity service, code-named keystone, on the controller node. For
scalability purposes, this configuration deploys Fernet tokens and
the Apache HTTP server to handle requests.
Prerequisites
-------------
Before you install and configure the Identity service, you must
create a database.
#. Use the database access client to connect to the database
server as the ``root`` user:
.. code-block:: console
$ mysql -u root -p
.. end
2. Create the ``keystone`` database:
.. code-block:: console
MariaDB [(none)]> CREATE DATABASE keystone;
.. end
#. Grant proper access to the ``keystone`` database:
.. code-block:: console
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
.. end
Replace ``KEYSTONE_DBPASS`` with a suitable password.
#. Exit the database access client.
.. _keystone-install-configure-rdo:
Install and configure components
--------------------------------
.. include:: shared/note_configuration_vary_by_distribution.rst
.. note::
This guide uses the Apache HTTP server with ``mod_wsgi`` to serve
Identity service requests on ports 5000 and 35357. By default, the
keystone service still listens on these ports. Therefore, this guide
manually disables the keystone service.
#. Run the following command to install the packages:
.. code-block:: console
# yum install openstack-keystone httpd mod_wsgi
.. end
2. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
actions:
* In the ``[database]`` section, configure database access:
.. path /etc/keystone/keystone.conf
.. code-block:: ini
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
.. end
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
.. note::
Comment out or remove any other ``connection`` options in the
``[database]`` section.
* In the ``[token]`` section, configure the Fernet token provider:
.. path /etc/keystone/keystone.conf
.. code-block:: ini
[token]
# ...
provider = fernet
.. end
3. Populate the Identity service database:
.. code-block:: console
# su -s /bin/sh -c "keystone-manage db_sync" keystone
.. end
4. Initialize Fernet key repositories:
.. code-block:: console
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
.. end
5. Bootstrap the Identity service:
.. code-block:: console
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
.. end
Replace ``ADMIN_PASS`` with a suitable password for an administrative user.
Configure the Apache HTTP server
--------------------------------
#. Edit the ``/etc/httpd/conf/httpd.conf`` file and configure the
``ServerName`` option to reference the controller node:
.. path /etc/httpd/conf/httpd
.. code-block:: apache
ServerName controller
.. end
#. Create a link to the ``/usr/share/keystone/wsgi-keystone.conf`` file:
.. code-block:: console
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
.. end
Finalize the installation
-------------------------
#. Start the Apache HTTP service and configure it to start when the system
boots:
.. code-block:: console
# systemctl enable httpd.service
# systemctl start httpd.service
.. end
2. Configure the administrative account
.. code-block:: console
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
.. end
Replace ``ADMIN_PASS`` with the password used in the
``keystone-manage bootstrap`` command in `keystone-install-configure-rdo`_.
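
Review bot: under "Configure the Apache HTTP server", the path comment reads ``.. path /etc/httpd/conf/httpd`` while the step text names ``/etc/httpd/conf/httpd.conf``; the comment is missing the ``.conf`` suffix. The numbered lists also mix the auto-enumerator ``#.`` with explicit ``2.``, ``3.`` and so on (for example "#. Use the database access client" followed by "2. Create the ``keystone`` database"); please use ``#.`` throughout so the rendered numbering does not depend on how the mix is parsed.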


@ -0,0 +1,193 @@
Install and configure
~~~~~~~~~~~~~~~~~~~~~
This section describes how to install and configure the OpenStack
Identity service, code-named keystone, on the controller node. For
scalability purposes, this configuration deploys Fernet tokens and
the Apache HTTP server to handle requests.
Prerequisites
-------------
Before you install and configure the Identity service, you must
create a database.
#. Use the database access client to connect to the database
server as the ``root`` user:
.. code-block:: console
# mysql
.. end
2. Create the ``keystone`` database:
.. code-block:: console
MariaDB [(none)]> CREATE DATABASE keystone;
.. end
#. Grant proper access to the ``keystone`` database:
.. code-block:: console
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
.. end
Replace ``KEYSTONE_DBPASS`` with a suitable password.
#. Exit the database access client.
.. _keystone-install-configure-ubuntu:
Install and configure components
--------------------------------
.. include:: shared/note_configuration_vary_by_distribution.rst
.. note::
This guide uses the Apache HTTP server with ``mod_wsgi`` to serve
Identity service requests on ports 5000 and 35357. By default, the
keystone service still listens on these ports. The package handles
all of the Apache configuration for you (including the activation of
the ``mod_wsgi`` apache2 module and keystone configuration in Apache).
#. Run the following command to install the packages:
.. code-block:: console
# apt install keystone
.. end
2. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
actions:
* In the ``[database]`` section, configure database access:
.. path /etc/keystone/keystone.conf
.. code-block:: ini
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
.. end
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
.. note::
Comment out or remove any other ``connection`` options in the
``[database]`` section.
* In the ``[token]`` section, configure the Fernet token provider:
.. path /etc/keystone/keystone.conf
.. code-block:: ini
[token]
# ...
provider = fernet
.. end
3. Populate the Identity service database:
.. code-block:: console
# su -s /bin/sh -c "keystone-manage db_sync" keystone
.. end
4. Initialize Fernet key repositories:
.. code-block:: console
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
.. end
5. Bootstrap the Identity service:
.. code-block:: console
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
.. end
Replace ``ADMIN_PASS`` with a suitable password for an administrative user.
Configure the Apache HTTP server
--------------------------------
#. Edit the ``/etc/apache2/apache2.conf`` file and configure the
``ServerName`` option to reference the controller node:
.. path /etc/apache2/apache2.conf
.. code-block:: apache
ServerName controller
.. end
Finalize the installation
-------------------------
#. Restart the Apache service:
.. code-block:: console
# service apache2 restart
.. end
2. Configure the administrative account
.. code-block:: console
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
.. end
Replace ``ADMIN_PASS`` with the password used in the
``keystone-manage bootstrap`` command in `keystone-install-configure-ubuntu`_.
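
Review bot: the note under "Install and configure components" says "By default, the keystone service still listens on these ports" and then that the package handles all of the Apache configuration, without the sentence about disabling the keystone service that the other two install pages carry. As written the reader cannot tell whether a standalone keystone service is left listening on 5000 and 35357 next to Apache. Please state explicitly what the Ubuntu package does with that service, or remove the "still listens" sentence if it does not apply here.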


@ -0,0 +1,96 @@
Create OpenStack client environment scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The previous section used a combination of environment variables and
command options to interact with the Identity service via the
``openstack`` client. To increase efficiency of client operations,
OpenStack supports simple client environment scripts also known as
OpenRC files. These scripts typically contain common options for
all clients, but also support unique options. For more information, see the
`OpenStack End User Guide <https://docs.openstack.org/user-guide/common/
cli_set_environment_variables_using_openstack_rc.html>`_.
Creating the scripts
--------------------
Create client environment scripts for the ``admin`` and ``demo``
projects and users. Future portions of this guide reference these
scripts to load appropriate credentials for client operations.
#. Create and edit the ``admin-openrc`` file and add the following content:
.. note::
The OpenStack client also supports using a ``clouds.yaml`` file.
For more information, see
the `os-client-config <http://docs.openstack.org/developer/os-client-config/>`_.
.. code-block:: bash
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
.. end
Replace ``ADMIN_PASS`` with the password you chose
for the ``admin`` user in the Identity service.
#. Create and edit the ``demo-openrc`` file and add the following content:
.. code-block:: bash
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
.. end
Replace ``DEMO_PASS`` with the password you chose
for the ``demo`` user in the Identity service.
Using the scripts
-----------------
To run clients as a specific project and user, you can simply load
the associated client environment script prior to running them.
For example:
#. Load the ``admin-openrc`` file to populate
environment variables with the location of the Identity service
and the ``admin`` project and user credentials:
.. code-block:: console
$ . admin-openrc
.. end
#. Request an authentication token:
.. code-block:: console
$ openstack token issue
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:44:35.659723Z |
| id | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
| | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
| | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
.. end
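
Review bot: in "Creating the scripts", both ``admin-openrc`` and ``demo-openrc`` store ``OS_PASSWORD`` in clear text, and the page gives no guidance on protecting the files. Please add a short note telling the reader to restrict the files to their own account (owner-only read and write) and to keep them out of shared directories and version control. The ``clouds.yaml`` note is also placed between the step 1 instruction and its code block; it would read better after the block.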


@ -0,0 +1,113 @@
Create a domain, projects, users, and roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Identity service provides authentication services for each OpenStack
service. The authentication service uses a combination of domains,
projects, users, and roles.
#. This guide uses a service project that contains a unique user for each
service that you add to your environment. Create the ``service``
project:
.. code-block:: console
$ openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+
.. end
#. Regular (non-admin) tasks should use an unprivileged project and user.
As an example, this guide creates the ``demo`` project and user.
* Create the ``demo`` project:
.. code-block:: console
$ openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
.. end
.. note::
Do not repeat this step when creating additional users for this
project.
* Create the ``demo`` user:
.. code-block:: console
$ openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | aeda23aa78f44e859900e22c24817832 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
.. end
* Create the ``user`` role:
.. code-block:: console
$ openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user |
+-----------+----------------------------------+
.. end
* Add the ``user`` role to the ``demo`` project and user:
.. code-block:: console
$ openstack role add --project demo --user demo user
.. end
.. note::
This command provides no output.
.. note::
You can repeat this procedure to create additional projects and
users.
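
Review bot: the title promises "Create a domain, projects, users, and roles", but no step in this file creates a domain; every command simply passes ``--domain default``. Either retitle the page or add a sentence before step 1 saying where the ``default`` domain comes from, so the reader is not left looking for a missing step.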


@ -0,0 +1,83 @@
Verify operation
~~~~~~~~~~~~~~~~
Verify operation of the Identity service before installing other
services.
.. note::
Perform these commands on the controller node.
#. For security reasons, disable the temporary authentication
token mechanism:
Edit the ``/etc/keystone/keystone-paste.ini``
file and remove ``admin_token_auth`` from the
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
and ``[pipeline:api_v3]`` sections.
2. Unset the temporary ``OS_AUTH_URL`` and ``OS_PASSWORD``
environment variable:
.. code-block:: console
$ unset OS_AUTH_URL OS_PASSWORD
.. end
3. As the ``admin`` user, request an authentication token:
.. code-block:: console
$ openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
.. end
.. note::
This command uses the password for the ``admin`` user.
4. As the ``demo`` user, request an authentication token:
.. code-block:: console
$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
.. end
.. note::
This command uses the password for the ``demo``
user and API port 5000 which only allows regular (non-admin)
access to the Identity service API.
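Review bot: Steps 3 and 4 pass ``--os-auth-url http://controller:35357/v3`` and ``http://controller:5000/v3`` and then prompt for a password, so the example sends the password and receives the token over plain HTTP without saying so. Suggest extending the two existing notes to state that this matches the example architecture only, and that a deployment with TLS in front of the Identity endpoints should use ``https://`` URLs in these commands.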

View File

@ -0,0 +1,83 @@
Verify operation
~~~~~~~~~~~~~~~~
Verify operation of the Identity service before installing other
services.
.. note::
Perform these commands on the controller node.
#. For security reasons, disable the temporary authentication
token mechanism:
Edit the ``/etc/keystone/keystone-paste.ini``
file and remove ``admin_token_auth`` from the
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
and ``[pipeline:api_v3]`` sections.
2. Unset the temporary ``OS_AUTH_URL`` and ``OS_PASSWORD``
environment variable:
.. code-block:: console
$ unset OS_AUTH_URL OS_PASSWORD
.. end
3. As the ``admin`` user, request an authentication token:
.. code-block:: console
$ openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
.. end
.. note::
This command uses the password for the ``admin`` user.
4. As the ``demo`` user, request an authentication token:
.. code-block:: console
$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
.. end
.. note::
This command uses the password for the ``demo``
user and API port 5000 which only allows regular (non-admin)
access to the Identity service API.
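Review bot: The step list opens with the auto-enumerator ``#.`` but continues with hard-coded ``2.``, ``3.`` and ``4.``; docutils treats an explicit number after a ``#.`` item as a different enumeration and starts a new list, so use ``#.`` for every step. While here: step 2 says "environment variable" although two variables are unset, and step 1 removes ``admin_token_auth`` from the three pipelines without saying whether the service has to be restarted for the edit to ``/etc/keystone/keystone-paste.ini`` to take effect.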

View File

@ -0,0 +1,83 @@
Verify operation
~~~~~~~~~~~~~~~~
Verify operation of the Identity service before installing other
services.
.. note::
Perform these commands on the controller node.
#. For security reasons, disable the temporary authentication
token mechanism:
Edit the ``/etc/keystone/keystone-paste.ini``
file and remove ``admin_token_auth`` from the
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
and ``[pipeline:api_v3]`` sections.
2. Unset the temporary ``OS_AUTH_URL`` and ``OS_PASSWORD``
environment variable:
.. code-block:: console
$ unset OS_AUTH_URL OS_PASSWORD
.. end
3. As the ``admin`` user, request an authentication token:
.. code-block:: console
$ openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
.. end
.. note::
This command uses the password for the ``admin`` user.
4. As the ``demo`` user, request an authentication token:
.. code-block:: console
$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
.. end
.. note::
This command uses the password for the ``demo``
user and API port 5000 which only allows regular (non-admin)
access to the Identity service API.
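Review bot: This new 83-line file is identical to the "Verify operation" file added just before it, including the sample token output, so every later fix to these steps has to be made once per distribution. Since the commit already switches the install guides to include directives, consider keeping one shared verify file and including it from each distribution's guide, leaving per-distribution files only where the steps actually differ.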

View File

@ -0,0 +1,7 @@
.. note::
Default configuration files vary by distribution. You might need
to add these sections and options rather than modifying existing
sections and options. Also, an ellipsis (``...``) in the configuration
snippets indicates potential default configuration options that you
should retain.