diff --git a/doc/source/reference/monasca-guide.rst b/doc/source/reference/monasca-guide.rst index a34b717e46..e2f7504b42 100644 --- a/doc/source/reference/monasca-guide.rst +++ b/doc/source/reference/monasca-guide.rst @@ -147,7 +147,7 @@ images: .. code-block:: console - $ kolla-build cron fluentd mariadb kolla-toolbox keystone memcached keepalived haproxy + $ kolla-build cron chrony fluentd mariadb kolla-toolbox keystone memcached keepalived haproxy Deployment ~~~~~~~~~~ @@ -157,8 +157,93 @@ to decrypt secrets if you have encrypted them with Ansible Vault: .. code-block:: console + $ kolla-genpwd $ kolla-ansible deploy +Quick start +~~~~~~~~~~~ + +The first thing you will want to do is to create a Monasca user to view +metrics harvested by the Monasca Agent. By default these are saved into the +`monasca_control_plane` project, which serves as a place to store all +control plane logs and metrics: + +.. code-block:: console + + [vagrant@operator kolla]$ openstack project list + +----------------------------------+-----------------------+ + | ID | Name | + +----------------------------------+-----------------------+ + | 03cb4b7daf174febbc4362d5c79c5be8 | service | + | 2642bcc8604f4491a50cb8d47e0ec55b | monasca_control_plane | + | 6b75784f6bc942c6969bc618b80f4a8c | admin | + +----------------------------------+-----------------------+ + +The permissions of Monasca users are governed by the roles which they have +assigned to them in a given OpenStack project. This is an important point +and forms the basis of how Monasca supports multi-tenancy. + +By default the `admin` role and the `monasca-read-only-user` role are +configured. The `admin` role grants read/write privileges and the +`monasca-read-only-user` role grants read privileges to a user. + +.. code-block:: console + + [vagrant@operator kolla]$ openstack role list + +----------------------------------+------------------------+ + | ID | Name | + +----------------------------------+------------------------+ + | 0419463fd5a14ace8e5e1a1a70bbbd84 | agent | + | 1095e8be44924ae49585adc5d1136f86 | member | + | 60f60545e65f41749b3612804a7f6558 | admin | + | 7c184ade893442f78cea8e074b098cfd | _member_ | + | 7e56318e207a4e85b7d7feeebf4ba396 | reader | + | fd200a805299455d90444a00db5074b6 | monasca-read-only-user | + +----------------------------------+------------------------+ + +Now lets consider the example of creating a monitoring user who has +read/write privileges in the `monasca_control_plane` project. First +we create the user: + +.. code-block:: console + + openstack user create --project monasca_control_plane mon_user + User Password: + Repeat User Password: + +---------------------+----------------------------------+ + | Field | Value | + +---------------------+----------------------------------+ + | default_project_id | 2642bcc8604f4491a50cb8d47e0ec55b | + | domain_id | default | + | enabled | True | + | id | 088a725872c9410d9c806c24952f9ae1 | + | name | mon_user | + | options | {} | + | password_expires_at | None | + +---------------------+----------------------------------+ + +Secondly we assign the user the `admin` role in the `monasca_control_plane` +project: + +.. code-block:: console + + openstack role add admin --project monasca_control_plane --user mon_user + +Alternatively we could have assigned the user the read only role: + +.. code-block:: console + + openstack role add monasca_read_only_user --project monasca_control_plane --user mon_user + +The user is now active and the credentials can be used to log into the +Monasca fork of Grafana which will be available by default on port `3001` on +both internal and external VIPs. + +For log analysis Kibana is also available, by default on port `5601` on both +internal and external VIPs. Currently the Keystone authentication plugin is +not configured and the HAProxy endpoints are protected by a password which is +defined in `/etc/kolla/passwords.yml` under `kibana_password`. + System requirements and performance impact ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~