[install] Incorporate bootstrap into keystone content

Since the keystone-manage bootstrap command has been implemented, we
can refactor our installation process to use it, instead of
creating the Identity service and endpoints manually with the
ADMIN_TOKEN.

This also includes moving a bunch of the information in
keystone-services.rst to the get-started-identity.rst guide, since
creating the keystone service and endpoints manually is no longer
required (bootstrap does this for us now). The remaining information
in keystone-services.rst for exporting environment variables to use
the ``openstack`` client was moved to the keystone-install.rst
document, since that's essentially the last step of keystone's
installation and configuration.

Change-Id: I6be3f286daf968dddf808f0204f2b317a5f09a59
Lance Bragstad 2016-09-14 20:47:49 +00:00
parent 531118e545
commit 06062151de
5 changed files with 45 additions and 192 deletions

@ -3,16 +3,34 @@ Identity service overview
=========================
The OpenStack :term:`Identity service` provides a single point of
integration for managing authentication, authorization, and service catalog
services. Other OpenStack services use the Identity service as a common
unified API. Additionally, services that provide information about users
but that are not included in OpenStack (such as LDAP services) can be
integrated into a pre-existing infrastructure.
integration for managing authentication, authorization, and a catalog of
services.
In order to benefit from the Identity service, other OpenStack services need to
collaborate with it. When an OpenStack service receives a request from a user,
it checks with the Identity service whether the user is authorized to make the
request.
The Identity service is typically the first service a user interacts with. Once
authenticated, an end user can use their identity to access other OpenStack
services. Likewise, other OpenStack services leverage the Identity service to
ensure users are who they say they are and discover where other services are
within the deployment. The Identity service can also integrate with some
external user management systems (such as LDAP).
Users and services can locate other services by using the service catalog,
which is managed by the Identity service. As the name implies, a service
catalog is a collection of available services in an OpenStack deployment. Each
service can have one or many endpoints and each endpoint can be one of three
types: admin, internal, and public. In a production environment, different
endpoint types might reside on separate networks exposed to different types of
users for security reasons. For instance, the public API network might be
visible from the Internet so customers can manage their clouds. The admin API
network might be restricted to operators within the organization that manages
cloud infrastructure. The internal API network might be restricted to the hosts
that contain OpenStack services. Also, OpenStack supports multiple regions for
scalability. For simplicity, this guide uses the management network for all
endpoint types and the default ``RegionOne`` region. Together, regions,
services, and endpoints created within the Identity service comprise the
service catalog for a deployment. Each OpenStack service in your deployment
needs a service entry with corresponding endpoints stored in the Identity
service. This can all be done after the Identity service has been installed and
configured.
The Identity service contains these components:
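Review bot: the rewritten overview ends with "This can all be done after the Identity service has been installed and configured" but never says who creates the Identity service's own service entry and endpoints now that the manual steps are gone. Since the commit message says `keystone-manage bootstrap` does this, add a sentence to that effect after "Each OpenStack service in your deployment needs a service entry with corresponding endpoints stored in the Identity service." so the reader knows the catalog is not empty after installation. Also, "Users and services can locate other services by using the service catalog, which is managed by the Identity service" immediately follows "The Identity service can also integrate with some external user management systems (such as LDAP)." with no paragraph break; the two belong in separate paragraphs.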
@ -34,8 +52,3 @@ Modules
to the centralized server for authorization. The integration between
the middleware modules and OpenStack components uses the Python Web
Server Gateway Interface.
When installing OpenStack Identity service, you must register each
service in your OpenStack installation. Identity service can then track
which OpenStack services are installed, and where they are located on
the network.
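Review bot: dropping this paragraph is consistent with the expanded overview above, which now states that each service needs a service entry with corresponding endpoints stored in the Identity service; no information is lost here.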

@ -1 +0,0 @@
../../install-guide/source/keystone-services.rst
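Review bot: this hunk deletes a symlink to keystone-services.rst from a second guide, but the only toctree updated in this commit is the one in the last hunk (the commit touches 5 files). Confirm that the toctree of the guide that held this symlink does not still list keystone-services.rst, otherwise that guide's build will warn about a missing document.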

@ -335,3 +335,21 @@ Install and configure components
# systemctl enable apache2.service
# systemctl start apache2.service
6. Configure the administrative account
.. code-block:: console
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASSWORD
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
.. only:: obs or rdo or ubuntu
Replace ``ADMIN_PASSWORD`` with the password used in the
``keystone-manage bootstrap`` command from the section called
:ref:`keystone-install`.
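Review bot: the cross-reference at the end of the new step 6, ":ref:`keystone-install`", points at the document this hunk lives in (keystone-install.rst), so it sends the reader to the page they are already on; refer to the bootstrap step by its number in this document instead, e.g. "the password used in the ``keystone-manage bootstrap`` command in step N above" with the real step number. Two further points: the deleted keystone-services.rst used :doc:, and :ref: needs a `.. _keystone-install:` label target, so confirm one exists or the build will warn; and the explanation is wrapped in `.. only:: obs or rdo or ubuntu`, so Debian readers get the export block with a literal ADMIN_PASSWORD and no instruction on what to substitute. Exporting OS_PASSWORD inline also records the admin password in shell history; the deleted file carried a comparable caution for OS_TOKEN, and a similar one-line note would fit here.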

@ -1,176 +0,0 @@
Create the service entity and API endpoints
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Identity service provides a catalog of services and their locations.
Each service that you add to your OpenStack environment requires a
:term:`service` entity and several :term:`API endpoints<API endpoint>`
in the catalog.
Prerequisites
-------------
.. only:: obs or rdo or ubuntu
By default, the Identity service database contains no information to
support conventional authentication and catalog services. You must use a
temporary authentication token that you created in the section called
:doc:`keystone-install` to initialize the service entity and API endpoint
for the Identity service.
.. only:: debian
.. note::
The packages can automatically create the service entity and API
endpoints.
You must pass the value of the authentication token to the :command:`openstack`
command with the ``--os-token`` parameter or set the OS_TOKEN
environment variable. Similarly, you must also pass the value of the
Identity service URL to the :command:`openstack` command with the ``--os-url``
parameter or set the OS_URL environment variable. This guide uses
environment variables to reduce command length.
.. warning::
For security reasons, do not use the temporary authentication token
for longer than necessary to initialize the Identity service.
#. Configure the authentication token:
.. code-block:: console
$ export OS_TOKEN=ADMIN_TOKEN
.. only:: obs or rdo or ubuntu
Replace ``ADMIN_TOKEN`` with the authentication token that you
generated in the section called :doc:`keystone-install`.
For example:
.. code-block:: console
$ export OS_TOKEN=294a4c8a8a475f9b9836
#. Configure the endpoint URL:
.. code-block:: console
$ export OS_URL=http://controller:35357/v3
.. only:: debian
.. note::
The packages can automatically create the service entity and API
endpoint.
#. Configure the Identity API version:
.. code-block:: console
$ export OS_IDENTITY_API_VERSION=3
Create the service entity and API endpoints
-------------------------------------------
#. The Identity service manages a catalog of services in your OpenStack
environment. Services use this catalog to determine the other services
available in your environment.
Create the service entity for the Identity service:
.. code-block:: console
$ openstack service create \
--name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 4ddaae90388b4ebc9d252ec2252d8d10 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
.. note::
OpenStack generates IDs dynamically, so you will see different
values in the example command output.
#. The Identity service manages a catalog of API endpoints associated with
the services in your OpenStack environment. Services use this catalog to
determine how to communicate with other services in your environment.
OpenStack uses three API endpoint variants for each service: admin,
internal, and public. The admin API endpoint allows modifying users and
projects by default, while the public and internal APIs do not allow these
operations. In a production environment, the variants might reside on
separate networks that service different types of users for security
reasons. For instance, the public API network might be visible from the
Internet so customers can manage their clouds. The admin API network
might be restricted to operators within the organization that manages
cloud infrastructure. The internal API network might be restricted to
the hosts that contain OpenStack services. Also, OpenStack supports
multiple regions for scalability. For simplicity, this guide uses the
management network for all endpoint variations and the default
``RegionOne`` region.
Create the Identity service API endpoints:
.. code-block:: console
$ openstack endpoint create --region RegionOne \
identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 30fff543e7dc4b7d9a0fb13791b78bf4 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 4ddaae90388b4ebc9d252ec2252d8d10 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 57cfa543e7dc4b712c0ab137911bc4fe |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 4ddaae90388b4ebc9d252ec2252d8d10 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 78c3dfa3e7dc44c98ab1b1379122ecb1 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 4ddaae90388b4ebc9d252ec2252d8d10 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:35357/v3 |
+--------------+----------------------------------+
.. note::
Each service that you add to your OpenStack environment requires one
or more service entities and three API endpoint variants in the Identity
service.
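Review bot: two pieces of this deleted file do not reappear in any added hunk. First, the "For security reasons, do not use the temporary authentication token for longer than necessary to initialize the Identity service." warning was the guide's only visible reminder to stop using the ADMIN_TOKEN; if the bootstrap-based flow in keystone-install.rst still configures an admin token at any point, a comparable warning belongs there. Second, "The admin API endpoint allows modifying users and projects by default, while the public and internal APIs do not allow these operations." was not carried into the new overview in get-started-identity.rst, which now lists the three endpoint types without saying how they differ; carry that sentence over alongside the network-separation text that was moved.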

@ -6,7 +6,6 @@ Identity service
common/get-started-identity.rst
keystone-install.rst
keystone-services.rst
keystone-users.rst
keystone-verify.rst
keystone-openrc.rst
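Review bot: removing keystone-services.rst from this toctree matches the file deletion, but any other page in the guide that still links to it with :doc:`keystone-services` will break the build; search the guide sources for that target before merging, and point such links at keystone-install.rst, where the environment-variable step now lives.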