Final changes to OpenStack Admin User Guide

bug: #1208507

Change-Id: I6c35b2a50be25a3aa06e3f951dec8598315503ec
author: diane fleming
Diane Fleming 2013-08-05 16:18:08 -05:00 committed by annegentle
parent ec76a0f90b
commit 4aec880225
28 changed files with 1987 additions and 1226 deletions

Binary file not shown. After: size 48 KiB.

Binary file not shown. After: size 71 KiB.


@ -0,0 +1,36 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="use-v3-instead-of-default-v2" xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Use Identity Service API v3 instead of API v2.0</title>
<para>Use the following parameters in combination on any
keystone command to specify which version of the API to
use:</para>
<itemizedlist>
<listitem>
<para><parameter>--os-endpoint</parameter>. The
endpoint to use instead of the one in the service
catalog. Defaults to
<code>env[OS_SERVICE_ENDPOINT]</code>.</para>
<para>The <literal>keystone</literal> client detects
the version of the API from this parameter.</para>
</listitem>
<listitem>
<para><parameter>--os-auth_url</parameter>. The
Identity Service endpoint to use for
authentication. Defaults to
<code>env[OS_AUTH_URL]</code>.</para>
</listitem>
<listitem>
<para><parameter>--os-identity-api-version</parameter>.
The Identity Service API version. Defaults to
<code>env[OS_IDENTITY_API_VERSION]</code> or
<literal>2.0</literal>.</para>
</listitem>
</itemizedlist>
<para>For example, use the following parameters to use API
v3:</para>
<screen><userinput><parameter>--os-auth_url</parameter> "http://15.253.57.115:35357/v3" <parameter>--os-identity-api-version</parameter> 3</userinput></screen>
<para>Use the following parameters to use API v2.0:</para>
<screen><userinput><parameter>--os-auth_url</parameter> "http://15.253.57.115:35357/v2.0" <parameter>--os-identity-api-version</parameter> 2.0</userinput></screen>
</section>
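Review bot: "--os-auth_url" in the second list item and in both screen examples mixes an underscore into an otherwise hyphenated flag set ("--os-endpoint", "--os-identity-api-version"); the keystone client's canonical spelling is "--os-auth-url", so use that consistently here and in the credentials section. The two examples also hard-code a real-looking address, "http://15.253.57.115:35357/v3"; replace it with a placeholder such as http://<replaceable>KEYSTONE_HOST</replaceable>:35357/v3 so readers do not copy it, and since 35357 is the admin API an https:// placeholder would better reflect how that endpoint should be exposed. Finally, the first bullet says the client "detects the version of the API from this parameter" (--os-endpoint) while the examples select the version with --os-auth_url plus --os-identity-api-version; state which flag actually controls the version, otherwise the list reads as if --os-endpoint alone is enough.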


@ -0,0 +1,119 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="configure_keystone_client">
<title>Set up credentials for the keystone client</title>
<para>You can configure the
<filename>python-keystoneclient</filename> with admin
credentials with either an authentication token or a user name
and password.</para>
<procedure>
<title>To configure the keystone client with an authentication
token</title>
<step>
<para>Export your keystone endpoint to the
<varname>OS_SERVICE_ENDPOINT</varname> environment
variable:</para>
<screen><prompt>$</prompt> <userinput>export OS_SERVICE_ENDPOINT="&lt;keystoneEndpoint&gt;"</userinput></screen>
</step>
<step>
<para>Export the administrator service token to the
<varname>OS_SERVICE_TOKEN</varname> environment
variable:</para>
<screen><prompt>$</prompt> <userinput>export OS_SERVICE_TOKEN="&lt;serviceToken&gt;"</userinput></screen>
<note>
<para>Alternatively, you can specify these parameters
on any keystone client command:</para>
<itemizedlist>
<listitem>
<para>
<parameter>--os-endpoint
<replaceable>SERVICE_ENDPOINT</replaceable></parameter>.
An endpoint to use instead of the one in
the service catalog. Defaults to
<code>env[OS_SERVICE_ENDPOINT]</code>.
</para>
</listitem>
<listitem>
<para>
<parameter>--os-token
<replaceable>SERVICE_TOKEN</replaceable></parameter>.
An existing token to use instead of the
one generated by authentication. Defaults
to
<code>env[OS_SERVICE_TOKEN]</code>.</para>
</listitem>
</itemizedlist>
</note>
</step>
</procedure>
<procedure xml:id="password-auth-method">
<title>To configure the keystone client with a user name and
password</title>
<step>
<para>Export the administrator user name to the
<varname>OS_USERNAME</varname> environment
variable:</para>
<screen><prompt>$</prompt> <userinput>export OS_USERNAME="&lt;adminUserName&gt;"</userinput></screen>
</step>
<step>
<para>Export the administrator password to the
<varname>OS_PASSWORD</varname> environment
variable:</para>
<screen><prompt>$</prompt> <userinput>export OS_PASSWORD="&lt;adminPassword&gt;"</userinput></screen>
</step>
<step>
<para>Export the tenant name to the
<varname>OS_TENANT_NAME</varname> environment
variable:</para>
<screen><prompt>$</prompt> <userinput>export OS_TENANT_NAME="&lt;tenantName&gt;"</userinput></screen>
</step>
<step>
<para>Export the URL of the keystone auth server, for
example <link xlink:href="http://localhost:5000/v2.0'"
>http://localhost:5000/v2.0'</link>, to the
<varname>OS_AUTH_URL</varname> environment
variable:</para>
<screen><prompt>$</prompt> <userinput>export OS_AUTH_URL="&lt;authServerURL&gt;"</userinput></screen>
<note>
<para>Alternatively, you can specify these parameters
on any keystone client command:</para>
<itemizedlist>
<listitem>
<para>
<literal>--os-username
<replaceable>OS_USERNAME</replaceable></literal>.
Name used for authentication with the
Identity Service. Defaults to
<code>env[OS_USERNAME]</code>.</para>
</listitem>
<listitem>
<para>
<literal>--os-password
<replaceable>OS_PASSWORD</replaceable></literal>.
Password used for authentication with the
Identity Service. Defaults to
<code>env[OS_PASSWORD]</code>.</para>
</listitem>
<listitem>
<para>
<literal>--os-tenant_name
<replaceable>OS_TENANT_NAME</replaceable></literal>.
Tenant for which to request
authentication. Defaults to
<code>env[OS_TENANT_NAME]</code>.</para>
</listitem>
<listitem>
<para>
<literal>--os-auth_url
<replaceable>OS_AUTH_URL</replaceable></literal>.
The Identity Service endpoint to use for
authentication. Defaults to
<code>env[OS_AUTH_URL]</code>.</para>
</listitem>
</itemizedlist>
</note>
</step>
</procedure>
</section>
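Review bot: the link in the last step of the password procedure carries a stray apostrophe in both the target and the text, xlink:href="http://localhost:5000/v2.0'" and >http://localhost:5000/v2.0'</link>; drop it, or the rendered link points at a path that does not exist. The parameter names in the two notes are inconsistent as well: "--os-tenant_name" and "--os-auth_url" use underscores while "--os-username" and "--os-password" use hyphens, and the first note wraps the flags in <parameter> while the second uses <literal>; standardise on the hyphenated names and one element. The <replaceable> text in the second note repeats the environment-variable names (<replaceable>OS_USERNAME</replaceable>) instead of a value placeholder such as USERNAME, which reads as if the flag takes the variable name. Finally, the token procedure should say what OS_SERVICE_TOKEN is: it is the shared admin token from the keystone configuration and it bypasses user authentication entirely, so that procedure is for bootstrapping and the user-name-and-password procedure below is the one to use day to day.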


@ -0,0 +1,31 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="example-usage">
<title>keystone command-line client example usage</title>
<para>The keystone command-line client uses the following
syntax:</para>
<screen><prompt>$</prompt> <userinput>keystone <replaceable>PARAMETER</replaceable> <replaceable>COMMAND</replaceable> <replaceable>ARGUMENT</replaceable></userinput></screen>
<para>For example, you can run the
<command>user-list</command> and
<command>tenant-create</command> commands, as
follows:</para>
<screen><computeroutput># Using OS_SERVICE_ENDPOINT and OS_SERVICE_TOKEN environment variables</computeroutput>
<prompt>$</prompt> <userinput>export OS_SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/</userinput>
<prompt>$</prompt> <userinput>export OS_SERVICE_TOKEN=secrete_token</userinput>
<prompt>$</prompt> <userinput>keystone user-list</userinput>
<prompt>$</prompt> <userinput>keystone tenant-create --name demo</userinput>
<computeroutput># Using --os-token and os-endpoint parameters</computeroutput>
<prompt>$</prompt> <userinput>keystone --os-token <replaceable>token</replaceable> --os-endpoint <replaceable>endpoint</replaceable> user-list</userinput>
<prompt>$</prompt> <userinput>keystone --os-token <replaceable>token</replaceable> --os-endpoint <replaceable>endpoint</replaceable> tenant-create --name demo</userinput>
<computeroutput># Using OS_USERNAME, OS_PASSWORD, and OS_TENANT_NAME environment variables</computeroutput>
<prompt>$</prompt> <userinput>export OS_USERNAME=admin</userinput>
<prompt>$</prompt> <userinput>export OS_PASSWORD=secrete</userinput>
<prompt>$</prompt> <userinput>export OS_TENANT_NAME=admin</userinput>
<prompt>$</prompt> <userinput>keystone user-list</userinput>
<prompt>$</prompt> <userinput>keystone tenant-create --name demo</userinput>
<computeroutput># Using tenant_id parameter</computeroutput>
<prompt>$</prompt> <userinput>keystone user-list --tenant_id <replaceable>id</replaceable></userinput>
<computeroutput># Using --name, --description, and --enabled parameters</computeroutput>
<prompt>$</prompt> <userinput>keystone tenant-create --name demo --description "demo tenant" --enabled true</userinput></screen>
</section>
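Review bot: the comment "# Using --os-token and os-endpoint parameters" drops the leading dashes on the second flag; it should read --os-endpoint, as in the two commands beneath it. The first block exports OS_SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/, the public port, whereas the API-version section in this same change uses port 35357; service-token administration of users and tenants goes through the admin API, so the example should point at the admin endpoint, preferably as an https:// placeholder rather than a literal address. "--tenant_id" in "keystone user-list --tenant_id <replaceable>id</replaceable>" also disagrees with "--tenant-id" used in the users section of the new administration file; pick one spelling. The literal secrets secrete_token and secrete should be <replaceable> placeholders so nobody pastes them into a real environment.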


@ -0,0 +1,455 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="adding-users-tenants-and-roles-with-python-keystoneclient">
<?dbhtml stop-chunking?>
<title>Administer users, tenants, roles, and services</title>
<para>You must configure the keystone client with admin
credentials before you can create and manage users, tenants,
and roles. For information about configuration, see the <link
xlink:href="http://docs.openstack.org/grizzly/openstack-compute/admin/content/"
><citetitle>OpenStack Compute Administration
Guide</citetitle></link>.</para>
<para>You must create at least one tenant, user, and role. You
link the user to the tenant, and the role to the user-tenant
pairing.</para>
<para>To authenticate users against the Identity Service, you must
create service users for each of the OpenStack services, such
as Compute, Image Service, Networking, and so on.</para>
<para>The <literal>auth_token</literal> middleware supports the
use of either a shared secret or users for each service.</para>
<section xml:id="tenants">
<title>Tenants</title>
<para>A tenant is a group of zero or more users. In Compute, a
tenant owns virtual machines. In the Object Storage
Service, a tenant owns containers. You can associated
users with more than one tenant. You can associate each
tenant and user pairing with a role.</para>
<procedure xml:id="tenant-list">
<title>To list tenants</title>
<step>
<para>List all tenants:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput></screen>
<screen><computeroutput>+----------------------------------+--------------------+---------+
| id | name | enabled |
+----------------------------------+--------------------+---------+
| 66265572db174a7aa66eba661f58eb9e | admin | True |
| ba7c172fe7d74a8a888939f1b8cc7f98 | alt_demo | True |
| b70d90d65e464582b6b2161cf3603ced | demo | True |
| 0675bbff347e4fc5aea94b6adad6000f | demodiane | True |
| c60467a6a1e140a08ba401b09a4f9adb | invisible_to_admin | True |
| a1d0e04f92f948ad9afe91ab8ebedfeb | service | True |
+----------------------------------+--------------------+---------+</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="tenant-create">
<title>To create a tenant</title>
<step>
<para>Create an enabled tenant named demo:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name demo1 --description "demo1 tenant" --enabled true</userinput></screen>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | demo1 tenant |
| enabled | True |
| id | c165a03f78164d7294a3133b345ee9fa |
| name | demo1 |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="tenant-disable">
<title>To disable a tenant</title>
<step>
<para>To disable a tenant, specify the tenant
ID:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-update c165a03f78164d7294a3133b345ee9fa --enabled false</userinput></screen>
</step>
</procedure>
<procedure xml:id="tenant-get">
<title>To get tenant details</title>
<step>
<para>To get tenant details, specify the tenant
ID:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-get c165a03f78164d7294a3133b345ee9fa</userinput></screen>
<screen><computeroutput>+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | demo1 tenant |
| enabled | False |
| id | c165a03f78164d7294a3133b345ee9fa |
| name | demo1 |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="tenant-enable">
<title>To enable a tenant</title>
<step>
<para>To enable a tenant, specify the tenant
ID:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-update c165a03f78164d7294a3133b345ee9fa --enabled true</userinput></screen>
</step>
</procedure>
<procedure xml:id="tenant-delete">
<title>To delete a tenant</title>
<step>
<para>To delete a tenant, specify the tenant
ID:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-delete f2b7b39c860840dfa47d9ee4adffa0b3</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="users">
<title>Users</title>
<procedure xml:id="user-list">
<title>To list users</title>
<step>
<para>To list all users for all tenants, run the following command:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
<screen><computeroutput>+----------------------------------+----------+---------+----------------------+
| id | name | enabled | email |
+----------------------------------+----------+---------+----------------------+
| 376744b5910b4b4da7d8e6cb483b06a8 | admin | True | admin@example.com |
| a7e160432ddf4a5c800fbab4ca8313a1 | admin1 | True | admin1@example.com |
| 6705b966b1dd450a91971b5c3bfe93ad | alt_demo | True | alt_demo@example.com |
| e900100b4cd54d53bcecac6c4736c4f3 | cinder | True | cinder@example.com |
| 867e53193998439992896bc88d9525f0 | demo | True | demo@example.com |
| 4105efb002cd4464b61580cbd68e5a3c | glance | True | glance@example.com |
| d4844c6e77924194b44a6151b4357ebd | nova | True | nova@example.com |
+----------------------------------+----------+---------+----------------------+</computeroutput></screen>
<para>To list users for a specified tenant, include
the <parameter>--tenant-id</parameter> parameter, as follows:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list --tenant-id 66265572db174a7aa66eba661f58eb9e</userinput></screen>
<screen><computeroutput>+----------------------------------+-------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+-------------------+
| 376744b5910b4b4da7d8e6cb483b06a8 | admin | True | admin@example.com |
+----------------------------------+-------+---------+-------------------+ </computeroutput></screen> </step>
</procedure>
<procedure xml:id="user-create">
<title>To create a user</title>
<step>
<para>To create a user named <literal>admin</literal>
with a specified password and email, run the
following command:</para><screen><prompt>$</prompt> <userinput>keystone user-create --name admin --pass secrete --email admin@example.com</userinput></screen>
<para>By default, the user is enabled and associated
with the default tenant.</para>
<para>The output does not display the password:</para>
<screen><computeroutput>+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | admin@example.com |
| enabled | True |
| id | a7e160432ddf4a5c800fbab4ca8313a1 |
| name | admin |
| tenantId | |
+----------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="user-update-email">
<title>To update the email address for a user</title>
<step>
<para>Update the email address for a user, as follows:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update --email joe_admin@example.com admin</userinput></screen>
<screen><computeroutput>User has been updated.</computeroutput></screen>
</step>
<step><para>To confirm your changes, get details for the admin user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-get admin</userinput></screen>
<screen><computeroutput>+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | joe_admin@example.com |
| enabled | True |
| id | 376744b5910b4b4da7d8e6cb483b06a8 |
| name | admin |
| tenantId | |
+----------+----------------------------------+</computeroutput></screen></step>
</procedure>
<procedure xml:id="user-disable">
<title>To update a user to disable the user</title>
<step>
<para>Update the user and include the <parameter>--enabled</parameter> parameter:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update --enabled false admin</userinput></screen>
<screen><userinput>User has been updated.</userinput></screen>
</step>
<step><para>To confirm your changes, get details for the admin user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-get admin</userinput></screen>
<screen><computeroutput>User is disabled: 376744b5910b4b4da7d8e6cb483b06a8 (HTTP 401)</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="user-enable">
<title>To update a user to enable the user</title>
<step>
<para>Update the user and include the <parameter>--enabled</parameter> parameter:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update --enabled true admin</userinput></screen>
<screen><userinput>User has been updated.</userinput></screen>
</step>
<step><para>To confirm your changes, get details for the admin user:</para>
<screen><prompt>$</prompt> <userinput>keystone user-get admin</userinput></screen>
<screen><computeroutput>User is disabled: 376744b5910b4b4da7d8e6cb483b06a8 (HTTP 401)</computeroutput></screen>
</step>
</procedure>
<procedure xml:id="user-update-password">
<title>To update the password for a user</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>user_id</para>
</listitem>
<listitem>
<para>password</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update --password 03c84b51574841ba9a0d8db7882ac645 foo</userinput></screen>
</step>
</procedure>
<procedure xml:id="user-delete">
<title>To delete a user</title>
<step>
<para>keyword arguments:</para>
<itemizedlist>
<listitem>
<para>user</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-delete f2b7b39c860840dfa47d9ee4adffa0b3</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="roles">
<title>Roles</title>
<procedure xml:id="role-create">
<title>To create a role</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-create --name demo</userinput></screen>
</step>
</procedure>
<procedure xml:id="role-delete">
<title>To delete a role</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-delete 19d1d3344873464d819c45f521ff9890</userinput></screen>
</step>
</procedure>
<procedure xml:id="role-list">
<title>To list roles</title>
<step>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
</step>
</procedure>
<procedure xml:id="role-get">
<title>To get details for a role</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-get role=19d1d3344873464d819c45f521ff9890</userinput></screen>
</step>
</procedure>
<procedure xml:id="add-user-role">
<title>To add a role to a user</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
<listitem>
<para>user_id</para>
</listitem>
<listitem>
<para>tenant_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone add-user-role \
3a751f78ef4c412b827540b829e2d7dd \
03c84b51574841ba9a0d8db7882ac645 \
20601a7f1d94447daa4dff438cb1c209</userinput></screen>
</step>
</procedure>
<procedure xml:id="remove-user-role">
<title>To remove a role from a user</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
<listitem>
<para>user_id</para>
</listitem>
<listitem>
<para>tenant_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone remove-user-role \
19d1d3344873464d819c45f521ff9890 \
08741d8ed88242ca88d1f61484a0fe3b \
20601a7f1d94447daa4dff438cb1c209</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="services">
<title>Services</title>
<procedure xml:id="service-create">
<title>To create a service</title>
<step>
<para>keyword arguments</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
<listitem>
<para>type</para>
</listitem>
<listitem>
<para>description</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service create \
--name nova \
--type=compute \
--description=&quot;Nova Compute Service&quot;</userinput></screen>
</step>
</procedure>
<procedure xml:id="service-list">
<title>To list services</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>service_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service-list</userinput></screen>
</step>
</procedure>
<procedure xml:id="service-get">
<title>To get service details</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>service_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service-get 08741d8ed88242ca88d1f61484a0fe3b</userinput></screen>
</step>
</procedure>
<procedure xml:id="service-delete">
<title>To delete a service</title>
<step>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>service_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b</userinput></screen>
</step>
</procedure>
<procedure>
<title>To create service users</title>
<step><para>To configure the OpenStack services with service users, we
must create a tenant for all the services, and
then users for each of the services. We then
assign those service users an Admin role on the
service tenant. This allows them to validate
tokens - and authenticate and authorize other user
requests.</para>
<para>Create a tenant for the services, typically named
'service' (however, the name can be whatever you choose):</para>
<screen>keystone tenant-create --name=service</screen>
<para>This returns a UUID of the tenant - keep that, you'll
need it when creating the users and specifying the roles.</para>
<para>Create service users for nova, glance, swift, and
neutron (or whatever subset is relevant to your deployment):</para>
<screen>keystone user-create --name=nova \
--pass=Sekr3tPass \
--tenant_id=[the uuid of the tenant] \
--email=nova@nothing.com</screen>
<para>Repeat this for each service you want to enable. Email
is a required field in keystone right now, but not used in
relation to the service accounts. Each of these commands
will also return a UUID of the user. Keep those to assign
the Admin role.</para>
<para>For adding the Admin role to the service accounts,
you'll must know the UUID of the role you want to
add. If you don't have them handy, you can look it
up quickly with:</para>
<screen>keystone role-list</screen>
<para>Once you have it, assign the service users to the Admin
role. This is all assuming that you've already created the
basic roles and settings as described in the configuration
section:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --tenant_id=[uuid of the service tenant] \
--user=[uuid of the service account] \
--role=[uuid of the Admin role]</userinput></screen></step>
</procedure>
<procedure xml:id="defining-services">
<title>To define services</title>
<para>Keystone also acts as a service catalog to let other
OpenStack systems know where relevant API endpoints exist for
OpenStack Services. The OpenStack Dashboard, in particular,
uses this heavily - and this <emphasis role="strong"
>must</emphasis> be configured for the OpenStack dashboard
to properly function.</para>
<para>The endpoints for these services are defined in a
template, an example of which is in the project as the file
<literal>etc/default_catalog.templates</literal>. When
keystone uses a template file backend, then changes made to
the endpoints are kept in memory and don't persist if you
restart the service or reboot the machine. Use the SQL
backend when deploying a system for production.</para>
<para>Keystone supports two means of defining the services,
one is the catalog template, as described above - in which
case everything is detailed in that template.</para>
<para>The other is a SQL backend for the catalog service, in
which case after keystone is online, you must add the
services to the catalog:</para>
<step><screen><prompt>$</prompt> <userinput>keystone service-create --name=nova \
--type=compute \
--description=&quot;Nova Compute Service&quot;
keystone service-create --name=ec2 \
--type=ec2 \
--description=&quot;EC2 Compatibility Layer&quot;
keystone service-create --name=glance \
--type=image \
--description=&quot;Glance Image Service&quot;
keystone service-create --name=keystone \
--type=identity \
--description=&quot;Keystone Identity Service&quot;
keystone service-create --name=swift \
--type=object-store \
--description=&quot;Swift Service&quot;</userinput></screen></step>
</procedure>
</section>
</section>
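Review bot: the disable and enable procedures in the users section run "keystone user-update --enabled false admin" with credentials that the rest of the file attributes to the admin user, so the next command fails with "User is disabled: 376744b5910b4b4da7d8e6cb483b06a8 (HTTP 401)"; that is the client locking itself out, not a confirmation of the change, and the enable procedure then repeats the same 401 output even though the user has just been re-enabled. Use a different user (for example demo) in both procedures and show real user-get output for the enable step. Other points in this hunk: "User has been updated." is wrapped in <userinput> in those two procedures but in <computeroutput> elsewhere; "Create an enabled tenant named demo:" precedes a command that creates demo1; "You can associated users" should be "You can associate users"; the command names "keystone add-user-role", "keystone remove-user-role" and "keystone service create" do not match the client's user-role-add (used correctly in the service-users procedure of the same file), user-role-remove and service-create, and "keystone role-get role=19d1d3344873464d819c45f521ff9890" has a stray "role="; the role and service procedures are skeletons ("arguments", "example:") while the tenant and user procedures are full prose, and service-list lists a service_id argument it does not take. The opening paragraph sends readers to the Compute Administration Guide for client configuration although this change adds that section (xml:id configure_keystone_client); use <xref linkend="configure_keystone_client"/> instead. In the service-users procedure, the example password Sekr3tPass, the address nova@nothing.com and the "[uuid of ...]" brackets should be <replaceable> placeholders, the bare <screen> blocks lack the <prompt>/<userinput> markup used everywhere else, "you'll must know" is a typo, and the text should say plainly that granting the service users the Admin role gives them full administrative access rather than only the ability to validate tokens.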


@ -13,18 +13,31 @@
<info>
<title>Overview</title>
</info>
<?dbhtml stop-chunking?>
<?dbhtml stop-chunking?>
<para>The following requirements must be fulfilled to access the
OpenStack dashboard:</para>
<itemizedlist>
<listitem>
<para>The cloud operator has set up an OpenStack
cloud.</para>
</listitem>
<listitem>
<para>You have a recent Web browser that supports HTML5.
It must have cookies and JavaScript enabled. To use
the VNC client for the dashboard, which is based on
noVNC, your browser must support HTML5 Canvas and
HTML5 WebSockets. For more details and a list of
browsers that support noVNC, see <link
xlink:href="https://github.com/kanaka/noVNC/blob/master/README.md"
>https://github.com/kanaka/noVNC/blob/master/README.md</link>,
and <link
xlink:href="https://github.com/kanaka/noVNC/wiki/Browser-support"
>https://github.com/kanaka/noVNC/wiki/Browser-support</link>,
respectively.</para>
</listitem>
</itemizedlist>
<para>Learn how to log in to the dashboard and get a short
overview of the interface.</para>
<!-- <note>
<para>To use the VNC client with the dashboard, the browser
must support HTML5 Canvas and HTML5 WebSockets.</para>
<para>For details about browsers that support noVNC, see <link
xlink:href="https://github.com/kanaka/noVNC/blob/master/README.md"
>noVNC: HTML5 VNC Client</link>, and <link
xlink:href="https://github.com/kanaka/noVNC/wiki/Browser-support"
>Browser support</link>, respectively.</para>
</note> -->
<section xml:id="log_in_dashboard">
<title>Log in to the dashboard</title>
<procedure>
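Review bot: the commented-out <note> at the end of this hunk duplicates the noVNC sentences and both links that now sit in the second list item; delete it rather than leaving dead markup behind. "<?dbhtml stop-chunking?>" appears twice in a row; if both lines survive in the new file, drop one. The sentence "Learn how to log in to the dashboard and get a short overview of the interface." reads as a leftover summary; either make it the section's introduction ahead of the requirements list or remove it.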
@ -49,13 +62,13 @@
</step>
<step>
<para>Open a Web browser that supports HTML5. Make
sure that JavaScript and cookies are enabled.
</para>
sure that JavaScript and cookies are
enabled.</para>
</step>
<step>
<para>As a URL, enter the host name or IP address that
you got from the cloud operator.</para>
<literallayout>https://IP_ADDRESS_OR_HOSTNAME/</literallayout>
<literallayout>https://<replaceable>IP_ADDRESS_OR_HOSTNAME</replaceable>/</literallayout>
<note>
<title>Certificate Warning</title>
<para>You might get a certificate warning when you
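Review bot: wrapping the host in <replaceable> is the right fix for "https://IP_ADDRESS_OR_HOSTNAME/"; while this step is being touched, "As a URL, enter the host name or IP address that you got from the cloud operator." reads awkwardly and would be clearer as "In the address bar, enter the URL that the cloud operator gave you, for example:".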
@ -76,6 +89,204 @@
In</guibutton>.</para>
</step>
</procedure>
<para>After you log in, the following page appears:</para>
<figure os="enduser" xml:id="dashboard_main_page_user">
<title>OpenStack dashboard &ndash; Overview</title>
<mediaobject>
<imageobject>
<imagedata fileref="figures/dashboard-project.png"
format="PNG" contentwidth="6in" width="6in"/>
</imageobject>
</mediaobject>
</figure>
<figure os="adminuser" xml:id="dashboard_main_page_admin">
<title>OpenStack dashboard &ndash; Overview</title>
<mediaobject>
<imageobject>
<imagedata
fileref="figures/dashboard_admin_overview.png"
format="PNG" contentwidth="6in" width="6in"/>
</imageobject>
</mediaobject>
</figure>
<para>The top-level row shows the user name that you logged in
with. You can also access <guilabel>Settings</guilabel> or
<guibutton>Sign Out</guibutton> of the Web
interface.</para>
<note>
<para>The visible tabs and functions in the dashboard
depend on the access permissions of the user that is
logged in. They are defined by roles.</para>
</note>
<para os="enduser">If you are logged in as an end user rather
than an admin user, the main screen shows only the
<guilabel>Project</guilabel> tab.</para>
<para os="adminuser">If you are logged in as an administrator,
the main screen shows the <guilabel>Project</guilabel> and
<guilabel>Admin</guilabel> tabs.</para>
</section>
<section xml:id="dashboard_project_tab">
<title>OpenStack dashboard &ndash; Project tab</title>
<para>This tab shows details for the projects, or projects, of
which you are a member. <figure os="enduser"
xml:id="dashboard_project_user">
<title>OpenStack dashboard &ndash; Project tab</title>
<mediaobject>
<imageobject>
<imagedata
fileref="figures/dashboard-project.png"
format="PNG" contentwidth="6in"
width="6in"/>
</imageobject>
</mediaobject>
</figure>
<figure os="adminuser" xml:id="dashboard_project_admin">
<title>OpenStack dashboard &ndash; Project tab</title>
<mediaobject>
<imageobject>
<imagedata
fileref="figures/dashboard_admin_project_tab.png"
format="PNG" contentwidth="6in"
width="6in"/>
</imageobject>
</mediaobject>
</figure></para>
<para>Select a project from the drop-down list on the
left-hand side to access the following categories:</para>
<variablelist wordsize="10">
<varlistentry>
<term><guilabel>Overview</guilabel></term>
<listitem>
<para>Shows basic reports on the project.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><guilabel>Instances</guilabel></term>
<listitem>
<para>Lists instances and volumes created by users
of the project.</para>
<para>From here, you can stop, pause, or reboot
any instances or connect to them through
virtual network computing (VNC).</para>
</listitem>
</varlistentry>
<varlistentry>
<term><guilabel>Volumes</guilabel></term>
<listitem>
<para>Lists volumes created by users of the
project.</para>
<para>From here, you can create or delete
volumes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><guilabel>Images &amp;
Snapshots</guilabel></term>
<listitem>
<para>Lists images and snapshots created by users
of the project, plus any images that are
publicly available. Includes volume snapshots.
From here, you can create and delete images
and snapshots, and launch instances from
images and snapshots.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><guilabel>Access &amp;
Security</guilabel></term>
<listitem>
<para>On the <guilabel>Security Groups</guilabel>
tab, you can list, create, and delete security
groups and edit rules for security
groups.</para>
<para>On the <guilabel>Keypairs</guilabel> tab,
you can list, create, and import keypairs, and
delete keypairs.</para>
<para>On the <guilabel>Floating IPs</guilabel>
tab, you can allocate an IP address to or
release it from a project.</para>
<para>On the <guilabel>API Access</guilabel> tab,
you can list the API endpoints.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<section os="adminuser" xml:id="dashboard_admin_tab">
<title>OpenStack dashboard &ndash; Admin tab</title>
<para>This tab shows details for the projects, or projects, of
which you are a member.</para>
<figure xml:id="dashboard_admin_project_tab">
<title>OpenStack dashboard &ndash; Admin tab</title>
<mediaobject>
<imageobject>
<imagedata
fileref="figures/dashboard_admin_overview.png"
format="PNG" contentwidth="6in" width="6in"/>
</imageobject>
</mediaobject>
</figure>
<para>On the <guilabel>Admin</guilabel> tab, you can access
the following categories:</para>
<variablelist wordsize="10">
<varlistentry>
<term>Overview</term>
<listitem>
<para>Shows basic reports.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Instances</term>
<listitem>
<para>Lists all currently running instances
belonging to various users and projects. Not
all projects are visible to the administrator,
though.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Services</term>
<listitem>
<para>Lists the defined services.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Flavors</term>
<listitem>
<para>Lists the available <quote>sizes</quote> of
the VMs that users can launch.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Images</term>
<listitem>
<para>Shows the custom images that have been
uploaded. Lets you edit image properties or
delete images, if needed.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Project</term>
<listitem>
<para>Lists the available projects. Lets you
create projects and assign users to the
projects.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Users</term>
<listitem>
<para>Gives an overview of all users.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Quotas</term>
<listitem>
<para>Lists the default quota values, which are
hard-coded in OpenStack Nova. Includes
parameters such as the number of CPUs, RAM, or
instances.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
<xi:include href="section_dashboard_overview.xml"/>
</section>
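Review bot: the Admin tab intro sentence "This tab shows details for the projects, or projects, of which you are a member" repeats "projects" where the Project-tab sentence in the deleted overview file says "projects, or tenants", and it does not describe the Admin tab anyway, whose own Project entry below says "Lists the available projects" and whose Instances entry covers "various users and projects"; suggest "This tab shows details for all projects (tenants) in the cloud." Two smaller points: the figure xml:id is dashboard_admin_project_tab although it is the Admin overview, and the Quotas entry calls the defaults "hard-coded in OpenStack Nova" while this same change adds a section_cli_set_quotas.xml include to the CLI chapter, so "hard-coded" contradicts the guide's own content and should become "the default quota values, which you can change".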

View File

@ -1,106 +0,0 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section [
<!-- Some useful entities borrowed from HTML -->
<!ENTITY ndash "&#x2013;">
<!ENTITY mdash "&#x2014;">
<!ENTITY hellip "&#x2026;">
]>
<section xml:id="dashboard-overview"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
<title>Dashboard overview</title>
<para>After you log in, the following page appears:
<figure xml:id="dashboard_main_page_user">
<title>OpenStack dashboard &ndash;
Overview</title>
<mediaobject>
<imageobject>
<imagedata
fileref="figures/dashboard-project.png"
format="PNG" contentwidth="6in"
width="6in"/>
</imageobject>
</mediaobject>
</figure>
</para>
<para>The top-level row shows the user name that you
logged in with. You can also access
<guilabel>Settings</guilabel> or <guibutton>Sign
Out</guibutton> of the Web interface.</para>
<note>
<para>The visible tabs and functions in the dashboard
depend on the access permissions of the user that
is logged in. They are defined by roles.</para>
</note>
<para>If you are logged in as an end user rather than an
admin user, the main screen shows only the
<guilabel>Project</guilabel> tab.</para>
<para>This tab shows details for the projects, or tenants,
of which you are a member.</para>
<para>Select a project from the drop-down list on the
left-hand side to access the following
categories:</para>
<variablelist wordsize="10">
<varlistentry>
<term><guilabel>Overview</guilabel></term>
<listitem>
<para>Shows basic reports on the project.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><guilabel>Instances</guilabel></term>
<listitem>
<para>Lists instances and volumes created by
users of the project.</para>
<para>From here, you can stop, pause, or
reboot any instances or connect to them
through virtual network computing (VNC).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><guilabel>Volumes</guilabel></term>
<listitem>
<para>Lists volumes created by users of the
project.</para>
<para>From here, you can create or delete
volumes.</para>
</listitem>
</varlistentry>
<varlistentry>
<term><guilabel>Images &amp;
Snapshots</guilabel></term>
<listitem>
<para>Lists images and snapshots created by
users of the project, plus any images that
are publicly available. Includes volume
snapshots. From here, you can create and
delete images and snapshots, and launch
instances from images and snapshots.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term><guilabel>Access &amp;
Security</guilabel></term>
<listitem>
<para>On the <guilabel>Security
Groups</guilabel> tab, you can list,
create, and delete security groups and
edit rules for security groups.</para>
<para>On the <guilabel>Keypairs</guilabel>
tab, you can list, create, and import
keypairs, and delete keypairs.</para>
<para>On the <guilabel>Floating IPs</guilabel>
tab, you can allocate an IP address to or
release it from a project.</para>
<para>On the <guilabel>API Access</guilabel>
tab, you can list the API
endpoints.</para>
</listitem>
</varlistentry>
</variablelist>
</section>
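Review bot: this hunk deletes section_dashboard_overview.xml outright, yet the new dashboard section in the previous file still ends with `<xi:include href="section_dashboard_overview.xml"/>`; unless a file of that name exists in the directory the include resolves against, the XInclude fails at build time. Either drop that include or point it at the surviving file. The new section also already reproduces this file's Project-tab entries word for word (Overview, Instances, Volumes, Images & Snapshots, Access & Security), so if the include does resolve, the content will appear twice.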

View File

@ -4,12 +4,14 @@
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_manage_images">
<title>Manage images</title>
<?dbhtml stop-chunking?>
<para>During set up of OpenStack cloud, the cloud operator sets
user permissions to manage images.</para>
<para>Image upload and management might be restricted to only
cloud administrators or cloud operators.</para>
<para>After you upload an image, it is considered <emphasis
role="italic">golden</emphasis> and you cannot change it.</para>
role="italic">golden</emphasis> and you cannot change
it.</para>
<para>You can upload images through the glance client or the Image
Service API. You can also use the nova client to list images,
set and delete image metadata, delete images, and take a
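Review bot: "During set up of OpenStack cloud" is missing its articles and should read "During setup of the OpenStack cloud". More substantively, "After you upload an image, it is considered golden and you cannot change it" sits next to the "To update an image" procedure later in this file, which changes the name, disk format, owner, visibility and even the stored data via --file; say what is actually fixed versus which attributes glance image-update still lets you modify, otherwise readers will not know which statement to trust.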
@ -22,7 +24,7 @@
<section xml:id="glance-image-list">
<title>Manage images with the glance client</title>
<procedure>
<title>To list images</title>
<title>To list or get details for images</title>
<step>
<para>To list the available images:</para>
<screen><prompt>$</prompt> <userinput>glance image-list</userinput></screen>
@ -41,8 +43,7 @@
| 3cf852bd-2332-48f4-9ae4-7d926d50945e | cirros-0.3.1-x86_64-uec-ramdisk | ari | ari | 3714968 | active |</computeroutput></screen>
</step>
<step>
<para>To show details for a specified image by name or
ID:</para>
<para>To get image details, by name or ID:</para>
<screen><prompt>$</prompt> <userinput>glance image-show myCirrosImage</userinput></screen>
<screen><computeroutput>+---------------------------------------+--------------------------------------+
| Property | Value |
@ -83,75 +84,77 @@
| updated_at | 2013-07-22T19:46:42 |
+---------------------------------------+--------------------------------------+</computeroutput></screen>
</step>
</procedure>
<procedure>
<title>To add an image</title>
<step>
<title>To add an image</title>
<para>The following example uploads a CentOS 6.3 image
in qcow2 format and configures it for public
access:</para>
<screen><prompt>$</prompt> <userinput>glance image-create --name centos63-image --disk-format=qcow2 --container-format=bare --is-public=True ./centos63.qcow2</userinput></screen>
</step>
</procedure>
<procedure>
<title>To update an image</title>
<step>
<title>To update an image</title>
<para>To update an image by name or ID:</para>
<para><screen><prompt>$</prompt> glance image-update IMAGE</screen></para>
<para><screen><prompt>$</prompt> <userinput>glance image-update <replaceable>IMAGE</replaceable></userinput></screen></para>
<para>To modify image properties, use the following
optional arguments:</para>
<itemizedlist>
<listitem>
<para><parameter>--name NAME</parameter>. The
name of the image.</para>
<para><parameter>--name
<replaceable>NAME</replaceable></parameter>.
The name of the image.</para>
</listitem>
<listitem>
<para><parameter>--disk-format
DISK_FORMAT</parameter>. The disk
format of the image. Acceptable formats
are ami, ari, aki, vhd, vmdk, raw, qcow2,
vdi, and iso.</para>
<replaceable>DISK_FORMAT</replaceable></parameter>.
The disk format of the image. Acceptable
formats are ami, ari, aki, vhd, vmdk, raw,
qcow2, vdi, and iso.</para>
</listitem>
<listitem>
<para><parameter>--container-format
CONTAINER_FORMAT</parameter>. The
container format of the image. Acceptable
formats are ami, ari, aki, bare, and ovf.</para>
<replaceable>CONTAINER_FORMAT</replaceable></parameter>.
The container format of the image.
Acceptable formats are ami, ari, aki,
bare, and ovf.</para>
</listitem>
<listitem>
<para><parameter>--owner
TENANT_ID</parameter>. The tenant who
should own the image.</para>
<replaceable>TENANT_ID</replaceable></parameter>.
The tenant who should own the
image.</para>
</listitem>
<listitem>
<para><parameter>--size SIZE</parameter>. The
size of image data, in bytes.</para>
<para><parameter>--size
<replaceable>SIZE</replaceable></parameter>.
The size of image data, in bytes.</para>
</listitem>
<listitem>
<para><parameter>--min-disk
DISK_GB</parameter>. The minimum size
of disk needed to boot image, in
gigabytes.</para>
<replaceable>DISK_GB</replaceable></parameter>.
The minimum size of disk needed to boot
image, in gigabytes.</para>
</listitem>
<listitem>
<para><parameter>--min-ram
DISK_RAM</parameter>. The minimum
amount of ram needed to boot image, in
megabytes.</para>
<replaceable>DISK_RAM</replaceable></parameter>.
The minimum amount of ram needed to boot
image, in megabytes.</para>
</listitem>
<listitem>
<para><parameter>--location
IMAGE_URL</parameter>. The URL where
the data for this image resides. For
example, if the image data is stored in
swift, you could specify
<replaceable>IMAGE_URL</replaceable></parameter>.
The URL where the data for this image
resides. For example, if the image data is
stored in swift, you could specify
<literal>swift://account:key@example.com/container/obj</literal>.</para>
</listitem>
<listitem>
<para><parameter>--file FILE</parameter>.
<para><parameter>--file
<replaceable>FILE</replaceable></parameter>.
Local file that contains disk image to be
uploaded during update. Alternatively, you
can pass images to the client through
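Review bot: the --location example `swift://account:key@example.com/container/obj` embeds a Swift account key in the image location, and the location is stored as image metadata that anyone able to run `glance image-show` on the image can read; the text should say so and steer readers toward a dedicated, least-privilege account (or --file / --copy-from) rather than an operator's own credentials. Two smaller points in the same list: the --min-ram placeholder is named DISK_RAM for a value that is RAM in megabytes (suggest RAM_MB), and the image-create example passes --is-public=True, which makes the image visible to every tenant in the cloud; since this is the first upload command readers will copy, one sentence on what public means here is worth adding.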
@ -159,19 +162,19 @@
</listitem>
<listitem>
<para><parameter>--checksum
CHECKSUM</parameter>. Hash of image
data to use for verification.</para>
<replaceable>CHECKSUM</replaceable></parameter>.
Hash of image data to use for
verification.</para>
</listitem>
<listitem>
<para><parameter>--copy-from
IMAGE_URL</parameter>. Similar to
<replaceable>IMAGE_URL</replaceable></parameter>.
Similar to
<parameter>--location</parameter> in
usage, but indicates that the Glance
server should immediately copy the data
and store it in its configured image
store.</para>
</listitem>
<listitem>
<para><parameter>--is-public
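Review bot: for --copy-from the text says the Glance server "should immediately copy the data", which means the URL must be reachable from the Glance server rather than from the client where the command runs, and any credentials in that URL travel to the server; say so, since it is the practical difference from --file. The --checksum entry says "Hash of image data" without naming the algorithm; the reader cannot compute a verification value without knowing which one the server compares against, so name it.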
@ -183,14 +186,12 @@
<para><parameter>--is-protected
[True|False]</parameter>. Prevents an
image from being deleted.</para>
</listitem>
<listitem>
<para><parameter>--property
KEY=VALUE</parameter>. Arbitrary
property to associate with image. Can be
used multiple times.</para>
<replaceable>KEY</replaceable>=<replaceable>VALUE</replaceable></parameter>.
Arbitrary property to associate with
image. Can be used multiple times.</para>
</listitem>
<listitem>
<para><parameter>--purge-props</parameter>.
@ -198,7 +199,6 @@
explicitly set in the update request.
Otherwise, those properties not referenced
are preserved.</para>
</listitem>
<listitem>
<para><parameter>--human-readable</parameter>.

View File

@ -5,122 +5,95 @@
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-ssl-config">
<title>SSL and Keystone Configuration</title>
<para>Keystone may be configured to support 2-way SSL
out-of-the-box. The x509 certificates used by Keystone must be
obtained externally and configured for use with Keystone as
described in this section. However, a set of sample
certificates is provided in the examples/pki/certs and
examples/pki/private directories with the Keystone
distribution for testing. Here is the description of each of
them and their purpose:</para>
<section xml:id="types-of-certificates">
<title>Types of certificates</title>
<variablelist>
<title>Configure the Identity Service with SSL</title>
<para>You can configure the Identity Service to support 2-way
SSL.</para>
<para>You must obtain the x509 certificates externally and
configure them.</para>
<para>The Identity Service provides a set of sample certificates
in the <filename class="directory"
>examples/pki/certs</filename> and <filename
class="directory">examples/pki/private</filename>
directories:</para>
<variablelist><title>Certificate types</title>
<varlistentry>
<term>
cacert.pem
<term>cacert.pem
</term>
<listitem>
<para>
Certificate Authority chain to validate against.
</para>
<para>Certificate Authority chain to validate against.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
ssl_cert.pem
<term>ssl_cert.pem
</term>
<listitem>
<para>
Public certificate for Keystone server.
</para>
<para>Public certificate for Identity Service
server.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
middleware.pem
<term>middleware.pem
</term>
<listitem>
<para>
Public and private certificate for Keystone
middleware/client.
</para>
<para>Public and private certificate for
Identity Service middleware/client.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
cakey.pem
<term>cakey.pem
</term>
<listitem>
<para>
Private key for the CA.
</para>
<para>Private key for the CA.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
ssl_key.pem
<term>ssl_key.pem
</term>
<listitem>
<para>
Private key for the Keystone server.
</para>
<para>Private key for the Identity Service
server.</para>
</listitem>
</varlistentry>
</variablelist>
<para>
Note that you may choose whatever names you want for these
certificates, or combine the public/private keys in the same
file if you wish. These certificates are just provided as an
example.
</para>
</section>
<section xml:id="ssl-configuration">
<title>SSL Configuration</title>
<para>
To enable SSL with client authentication, modify the
etc/keystone.conf file accordingly under the [ssl] section. SSL
configuration example using the included sample certificates:
</para>
<screen>
[ssl]
<note><para>You can choose names for
these certificates. You can also combine the public/private keys in the
same file, if you wish. These certificates are provided as
an example.</para></note>
<section xml:id="ssl-configuration">
<title>SSL configuration</title>
<para>To enable SSL with client authentication, modify the
<literal>[ssl]</literal> section in the
<filename>etc/keystone.conf</filename> file. The
following SSL configuration example uses the included
sample certificates:</para>
<screen><computeroutput>[ssl]
enable = True
certfile = &lt;path to keystone.pem&gt;
keyfile = &lt;path to keystonekey.pem&gt;
ca_certs = &lt;path to ca.pem&gt;
cert_required = True
</screen>
<itemizedlist>
cert_required = True</computeroutput></screen>
<itemizedlist><title>Options</title>
<listitem>
<para><literal>enable</literal>. True enables SSL.
Default is False.</para>
</listitem>
<listitem>
<para>
<literal>enable</literal>: True enables SSL. Defaults to
False.
<para><literal>certfile</literal>. Path to the Identity
Service public certificate file.</para>
</listitem>
<listitem>
<para><literal>keyfile</literal>. Path to the
Identity Service private certificate file. If you
include the private key in the certfile, you can
omit the keyfile.</para>
</listitem>
<listitem>
<para><literal>ca_certs</literal>. Path to the CA trust chain.
</para>
</listitem>
<listitem>
<para>
<literal>certfile</literal>: Path to Keystone public
certificate file.
</para>
</listitem>
<listitem>
<para>
<literal>keyfile</literal>: Path to Keystone private
certificate file. If the private key is included in the
certfile, the keyfile maybe omitted.
</para>
</listitem>
<listitem>
<para>
<literal>ca_certs</literal>: Path to CA trust chain.
</para>
</listitem>
<listitem>
<para>
<literal>cert_required</literal>: Requires client
certificate. Defaults to False.
</para>
<para><literal>cert_required</literal>. Requires
client certificate. Default is False.</para>
</listitem>
</itemizedlist>
</section>
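Review bot: the rewrite drops the words "for testing" from the description of the sample certificates, and the certificate list includes cakey.pem, the CA private key, so anyone with the distribution can issue certificates that the shipped cacert.pem trusts; the closing note ("These certificates are provided as an example") should state plainly that the samples are for test deployments only and must be replaced by the externally obtained certificates the first paragraph mentions. Also, the config example's placeholders `certfile = &lt;path to keystone.pem&gt;`, `keyfile = &lt;path to keystonekey.pem&gt;` and `ca_certs = &lt;path to ca.pem&gt;` do not match the file names in the Certificate types list (ssl_cert.pem, ssl_key.pem, cacert.pem) even though the prose says the example "uses the included sample certificates"; use the listed names. Finally, keyfile is described as the "private certificate file"; it is the private key file.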

View File

@ -3,17 +3,17 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="boot_from_volume">
<title>Launch an instance from a volume</title>
<title wordsize="20">Launch an instance from a volume</title>
<para>After you <link xlink:href="create_volume_from_image">create a
bootable volume</link>, you <link
xlink:href="#launch_image_from_volume">launch an instance from
the volume</link>.</para>
<procedure xml:id="create_volume_from_image">
<title>To launch an instance from a volume</title>
<title wordsize="20">To launch an instance from a volume</title>
<step>
<title>To create a bootable volume</title>
<para>Enter the following command to create a volume from an
image:
<title wordsize="20">To create a bootable volume</title>
<para>To create a volume from an image, run the following
command:
<screen><prompt>#</prompt> <userinput>cinder create --image-id 397e713c-b95b-4186-ad46-6126863ea0a9 --display-name my-bootable-vol 8</userinput> </screen>
</para>
<note>
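Review bot: the first link uses `xlink:href="create_volume_from_image"` while the second uses `xlink:href="#launch_image_from_volume"`; without the leading # the first one is treated as an external URI rather than an in-document reference. The id create_volume_from_image is also on the whole procedure rather than on the "To create a bootable volume" step, so the link lands on the procedure title. Separately, the cinder create command is shown with a `#` (root) prompt while the other commands in this file use `$`; the command needs only OpenStack credentials, not root, so `$` is the right prompt.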
@ -29,7 +29,7 @@
Configuration Reference</citetitle>.</para>
</step>
<step>
<title>To list volumes</title>
<title wordsize="20">To list volumes</title>
<para>Enter the following command:</para>
<screen><userinput><prompt>$</prompt> nova volume-list</userinput></screen>
<screen><computeroutput>+--------------------------------------+-----------+-----------------+------+-------------+-------------+
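Review bot: `<screen><userinput><prompt>$</prompt> nova volume-list</userinput></screen>` nests the prompt inside userinput, unlike the `<prompt>$</prompt> <userinput>...</userinput>` pattern this change applies elsewhere (for example the nova flavor-list line in cli_launch_instances), so the $ renders as something the user types; move the prompt outside the userinput element.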
@ -41,7 +41,7 @@
volume.</para>
</step>
<step xml:id="launch_image_from_volume">
<title>To launch an instance</title>
<title wordsize="20">To launch an instance</title>
<para>Enter the <command>nova</command>
<option>boot</option> command with the
<parameter>--block_device_mapping</parameter> parameter, as

View File

@ -3,7 +3,7 @@
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_launch_instances">
<title>Launch instances</title>
<title wordsize="20">Launch instances</title>
<para>Instances are virtual machines that run inside the
cloud.</para>
<para>Before you can launch an instance, you must gather
@ -15,7 +15,8 @@
provides a pool of images that are accessible to members of
different projects.</para>
<section xml:id="gather_parms">
<title>Gather parameters to launch an instance</title>
<title wordsize="20">Gather parameters to launch an
instance</title>
<para>To launch an instance, you must specify the following
parameters:</para>
<itemizedlist xml:id="instance_parameters" spacing="compact">
@ -103,16 +104,15 @@
xlink:href="launch_from_image">image</link> or a <link
xlink:href="boot_from_volume">volume</link>.</para>
<procedure>
<title>To gather the parameters you need to launch an
<title wordsize="20">To gather the parameters to launch an
instance</title>
<step>
<para>On a shell, source the OpenStack RC file.
See <xref
linkend="cli_openrc"/>.</para>
<para>On a shell, source the OpenStack RC file. See
<xref linkend="cli_openrc"/>.</para>
</step>
<step>
<para>List the available flavors:</para>
<screen><prompt>$</prompt> nova flavor-list</screen>
<screen><prompt>$</prompt> <userinput>nova flavor-list</userinput></screen>
<screen><computeroutput>+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
| ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public |
+----+-----------+-----------+------+-----------+------+-------+-------------+-----------+
@ -187,14 +187,15 @@
</section>
<?hard page-break?>
<section xml:id="launch_from_image">
<title>Launch an instance from an image</title>
<title wordsize="20">Launch an instance from an image</title>
<para>Use this procedure to launch an instance from an
image.</para>
<procedure>
<title>To launch an instance from an image</title>
<title wordsize="20">To launch an instance from an
image</title>
<step>
<para>Now you have all parameters required to launch
an instance, run the following command. Specify
an instance, run the following command and specify
the server name, flavor ID, and image ID.
Optionally, you can provide a key name for access
control and security group for security. You can
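Review bot: "Now you have all parameters required to launch an instance, run the following command and specify the server name, flavor ID, and image ID" is a comma splice; suggest "Now that you have all parameters required to launch an instance, run the following command and specify ...".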
@ -206,8 +207,8 @@
system and pass it at instance launch by using the
flag <literal>--user-data
&lt;user-data-file&gt;</literal>.</para>
<screen><prompt>$</prompt> <userinput>nova boot --flavor FLAVOR_ID --image IMAGE_ID --key_name KEY_NAME --user-data mydata.file \
--security_group NAME_OF_SEC_GROUP NAME_FOR_INSTANCE --meta KEY=VALUE --meta KEY=VALUE</userinput></screen>
<screen><prompt>$</prompt> <userinput>nova boot --flavor <replaceable>FLAVOR_ID</replaceable> --image <replaceable>IMAGE_ID</replaceable> --key_name <replaceable>KEY_NAME</replaceable> --user-data mydata.file \
--security_group <replaceable>SEC_GROUP NAME_FOR_INSTANCE</replaceable> --meta <replaceable>KEY=VALUE</replaceable> --meta <replaceable>KEY=VALUE</replaceable></userinput></screen>
<para>The command returns a list of server properties,
depending on which parameters you provide.</para>
<para>A status of <literal>BUILD</literal> indicates
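Review bot: `--security_group <replaceable>SEC_GROUP NAME_FOR_INSTANCE</replaceable>` wraps the option value and the positional server name in a single placeholder, so a reader following the markup will pass the instance name as part of the security group argument; split it into `--security_group <replaceable>SEC_GROUP</replaceable> <replaceable>NAME_FOR_INSTANCE</replaceable>` as the old line had them.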

View File

@ -76,15 +76,18 @@
| metadata kernel_id | df430cc2-3406-4061-b635-a51c16e488ac |
| metadata instance_type_ephemeral_gb | 0 |
+-------------------------------------+--------------------------------------+</computeroutput></screen>
<para>After a while, the image status changes from
<para>The image status changes from
<literal>SAVING</literal> to
<literal>ACTIVE</literal>. Only the tenant who
creates the image has access to it.</para>
</step>
</procedure>
<procedure>
<title>To launch an instance from your image</title>
<step>
<para>You can launch an instance from this image. Include
the image ID and flavor ID, as follows:</para>
<para>To launch an instance from your image, include the
image ID and flavor ID, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova boot newServer --image 7e5142af-1253-4634-bcc6-89482c5f2e8a --flavor 3</userinput></screen>
<screen><computeroutput>+-------------------------------------+--------------------------------------+
| Property | Value |
@ -120,7 +123,6 @@
</procedure>
<simplesect xml:id="troubleshoot">
<title>Troubleshoot image creation</title>
<itemizedlist>
<listitem>
<para>You cannot create a snapshot from an instance

View File

@ -12,7 +12,6 @@
<release.path.name>grizzly</release.path.name>
<comments.enabled>1</comments.enabled>
</properties>
<!-- ################################################ -->
<!-- USE "mvn clean generate-sources" to run this POM -->
<!-- ################################################ -->
@ -31,9 +30,7 @@
</goals>
<phase>generate-sources</phase>
<configuration>
<includes> bk-admin-user-guide.xml</includes>
<chapterAutolabel>0</chapterAutolabel>
<security>external</security>
<includes> bk-admin-user-guide.xml</includes>
<generateToc>
appendix toc
article/appendix nop
@ -47,6 +44,9 @@
qandaset toc
reference toc,title
set toc,title </generateToc>
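Review bot: `<includes> bk-admin-user-guide.xml</includes>` carries a leading space inside the element both before and after the move; if the plugin does not trim the value, the file name will not match. While the line is being relocated anyway, drop the space.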
<profileOs>adminuser</profileOs>
<chapterAutolabel>0</chapterAutolabel>
<security>external</security>
<tocSectionDepth>1</tocSectionDepth>
<targetDirectory>target/docbkx/webhelp/</targetDirectory>
<webhelpDirname>admin-user-guide</webhelpDirname>
@ -55,6 +55,7 @@
</execution>
</executions>
<configuration>
<profileOs>adminuser</profileOs>
<highlightSource>false</highlightSource>
<xincludeSupported>true</xincludeSupported>
<showXslMessages>true</showXslMessages>
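Review bot: `<profileOs>adminuser</profileOs>` is now set in both the execution-level configuration (previous hunk) and the plugin-level configuration here; if both apply to the same execution, keep one, and if they are meant for different goals, a comment saying so would save the next editor from removing the "duplicate".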

View File

@ -38,18 +38,20 @@
<para>OpenStack is an open source cloud computing platform
for public and private clouds. A series of
interrelated projects deliver a cloud infrastructure
solution. This guide shows OpenStack admin users how to
create and manage resources in an OpenStack cloud with
the OpenStack dashboard or OpenStack client
commands.</para>
solution. This guide helps cloud administrators
perform daily administrative tasks with the OpenStack
dashboard or OpenStack client commands. Tasks include
management of projects, users, tenants, services,
images, flavors, and quotas.</para>
</abstract>
<revhistory>
<revision>
<date>2013-07-29</date>
<date>2013-08-08</date>
<revdescription>
<itemizedlist>
<listitem>
<para>First edition of this document.</para>
<para>First edition of this
document.</para>
</listitem>
</itemizedlist>
</revdescription>
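Review bot: the new abstract lists "projects, users, tenants, services, images, flavors, and quotas" as distinct items, but the guide's rewritten introduction in this same change defines tenants as "known as projects"; drop one of the two from the abstract so the terminology matches.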

View File

@ -14,6 +14,7 @@
<xi:include href="../../openstack-user/src/section_cli_version.xml"/>
<xi:include href="../../openstack-user/src/section_cli_openrc.xml"/>
<xi:include href="section_cli_manage_projects_users.xml"/>
<xi:include href="../../common/section_cli_keystone_users_tenants_roles.xml"/>
<xi:include href="../../common/section_glance_cli_manage_images.xml"/>
<xi:include href="section_cli_manage_flavors.xml"/>
<xi:include href="section_cli_set_quotas.xml"/>
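Review bot: the new include of common/section_cli_keystone_users_tenants_roles.xml sits directly after section_cli_manage_projects_users.xml, and that section, rewritten in this change, already walks through keystone tenant-list, tenant-create, tenant-update, tenant-delete, user-list, user-create and user-update; check the two for duplicated procedures and either trim one or cross-reference it from the other.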

View File

@ -6,17 +6,13 @@
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns:raxm="http://docs.rackspace.com/api/metadata" version="5.0"
xml:id="ch_dashboard">
<info>
<title>OpenStack dashboard</title>
</info>
<para>As a cloud end user, the OpenStack dashboard lets you to
provision your own resources within the limits set by
administrators. You can modify these examples to create other
types and sizes of server instances.</para>
<title>OpenStack dashboard</title>
<?dbhtml stop-chunking?>
<para>As a cloud administrative user, the OpenStack dashboard lets
you create and manage projects and users, images, and flavors,
and set quotas.</para>
<xi:include href="../../common/section_dashboard_access.xml"/>
<?hard-pagebreak?>
<xi:include href="../../common/section_dashboard_manage_images.xml"/>
<?hard-pagebreak?>
<xi:include href="section_dashboard_manage_projects_users.xml"/>
<?hard-pagebreak?>
<xi:include href="section_dashboard_manage_images.xml"/>
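Review bot: "As a cloud administrative user, the OpenStack dashboard lets you create and manage ..." attaches the modifier to the dashboard rather than to the reader; suggest "As a cloud administrative user, you can use the OpenStack dashboard to create and manage ...". Also note the processing instruction here is `<?hard-pagebreak?>` while cli_launch_instances in this same change uses `<?hard page-break?>`; only one spelling will be recognised by the stylesheet, so pick one.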
@ -24,4 +20,4 @@
<xi:include href="section_dashboard_manage_flavors.xml"/>
<?hard-pagebreak?>
<xi:include href="section_dashboard_set_quotas.xml"/>
</chapter>
</chapter>

View File

@ -7,11 +7,14 @@
xmlns:html="http://www.w3.org/1999/xhtml"
xmlns:db="http://docbook.org/ns/docbook" version="5.0"
xml:id="openstack_user_guide">
<title>How can I use an OpenStack cloud?</title>
<title>How can I administer an OpenStack cloud?</title>
<?dbhtml stop-chunking?>
<para>As an OpenStack cloud admin user, you can manage projects and users, images, or flavors, and set quotas. The examples in this guide
show you how to complete these tasks by using the OpenStack dashboard and command-line clients. The
dashboard, also known as <link
<para>As an OpenStack cloud administrative user, you can manage
tenants, known as <firstterm>projects</firstterm>, users,
services, images, flavors, and quotas. The examples in this
guide show you how to complete these tasks by using the
OpenStack dashboard and command-line clients.</para>
<para>The dashboard, also known as <link
xlink:href="https://github.com/openstack/horizon/"
>horizon</link>, is a Web-based graphical interface. The
command-line clients let you run simple commands to create and

View File

@ -4,5 +4,116 @@
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_manage_flavors">
<title>Manage flavors</title>
<para></para>
<para>In OpenStack, flavors define the compute, memory, and
storage capacity of nova computing instances. To put it
simply, a flavor is an available hardware configuration
for a server. It defines the <quote>size</quote> of a
virtual server that can be launched.</para>
<para>A flavor consists of the following parameters:</para>
<variablelist> <title>Flavor parameters</title>
<varlistentry>
<term>Flavor ID</term>
<listitem>
<para>Automatically generated by OpenStack.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Name</term>
<listitem>
<para>Name for the new flavor.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>VCPUs</term>
<listitem>
<para>Number of virtual CPUs to use.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Memory MB</term>
<listitem>
<para>Amount of RAM to use (in megabytes).</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Root Disk GB</term>
<listitem>
<para>Amount of disk space (in gigabytes) to use
for the root (/) partition.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Ephemeral Disk GB</term>
<listitem>
<para>Amount of disk space (in gigabytes) to use
for the ephemeral partition. If unspecified,
the value is 0 by default.</para>
<para>Ephemeral disks offer machine local disk
storage linked to the lifecycle of a VM
instance. When a VM is terminated, all data on
the ephemeral disk is lost. Ephemeral disks
are not included in any snapshots.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>Swap</term>
<listitem>
<para>Amount of swap space (in megabytes) to use.
If unspecified, the value is 0 by default.</para>
</listitem>
</varlistentry>
</variablelist>
<para>Default Flavors</para>
<itemizedlist>
<listitem>
<para>m1.tiny (1 VCPU/0 GB Disk/512 MB RAM)</para>
</listitem>
<listitem>
<para>m1.smaller (1 VCPU/0 GB Disk/1024 MB RAM)</para>
</listitem>
<listitem>
<para>m1.small (1 VCPU/10 GB Disk/2048 MB RAM)</para>
</listitem>
<listitem>
<para>m1.medium (2 VCPU/10 GB Disk/3072 MB RAM)</para>
</listitem>
<listitem>
<para>m1.large (4 VCPU/10 GB Disk/8192 MB RAM)</para>
</listitem>
<listitem>
<para>m1.xlarge (8 VCPU/10 GB Disk/8192 MB RAM)</para>
</listitem>
</itemizedlist>
<para>You can manage flavors with the nova
<command>flavor-*</command> commands provided by the
<filename>python-novaclient</filename> package.</para>
<procedure>
<title>To list flavors</title>
<step>
<para>When you list flavors, the list shows the ID and name,
the amount of memory, the amount of disk space
for the root partition and for the ephemeral
partition, the swap, and the number of virtual
CPUs for each flavor.</para>
<screen><prompt>$</prompt> <userinput>nova flavor-list</userinput></screen>
</step>
</procedure>
<procedure>
<title>To create a flavor</title>
<step>
<para>When you create a flavor, you must specify
the flavor name, ID, RAM size, disk size, and the
number of VCPUs. For optional parameters, see nova
<command>help</command>
<command>flavor-create</command>.</para>
<screen><prompt>$</prompt> <userinput>nova flavor-create FLAVOR_NAME FLAVOR_ID RAM_IN_MB ROOT_DISK_IN_GB NUMBER_OF_VCPUS</userinput></screen>
</step>
</procedure>
<procedure>
<title>To delete a flavor</title>
<step>
<para>Delete a specified flavor, as follows:</para>
<screen><prompt>$</prompt> <userinput>nova flavor-delete FLAVOR_ID</userinput></screen>
</step>
</procedure>
</section>
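Review bot: the Flavor ID entry says "Automatically generated by OpenStack", but the create procedure below requires FLAVOR_ID as a positional argument to nova flavor-create; say that the ID is supplied by the administrator (or that it may be auto-generated only when a specific value is passed, if that is the intended behaviour for this release). In the Default Flavors list, m1.large and m1.xlarge both show 8192 MB RAM, which looks like a copy error, and "m1.smaller" is not a name I would expect in a default set; please verify the whole list against the target release. Structurally, `<para>Default Flavors</para>` is being used as a heading; give the itemizedlist a `<title>` as the variablelist above already has.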

View File

@ -2,7 +2,184 @@
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="cli_manage_projects_users">
xml:id="admin_cli_manage_projects_users">
<title>Manage projects and users</title>
<para></para>
<para>In an OpenStack cloud, you can manage projects and users
independently from each other.</para>
<para>Projects represent different organizational units in the
cloud to which you can assign users.</para>
<para>Cloud admin users perform both project and user management
tasks.</para>
<para>During the basic system set up, the cloud operator must
define at least one project, user, and role. The operator
links the role to the user and the user to the project. Roles
define which actions users can perform.</para>
<para>The <filename>python-keystoneclient</filename> provides the
keystone command-line client, which you use to manage projects
and users from any machine outside the cloud. Before you can
run commands, you must download and source an OpenStack RC
file. See <xref linkend="cli_openrc"/>.</para>
<note>
<title>Administrator credentials</title>
<para>To administer projects and users, you must have
administrator credentials. Make sure to download and
source the OpenStack RC file as administrator before you
run keystone commands. Alternatively, export the
respective environment variables by using the token or
password authentication method. For details, see <link
xlink:href="http://docs.openstack.org/essex/openstack-compute/admin/content/adding-users-tenants-and-roles-with-python-keystoneclient.html"
>http://docs.openstack.org/essex/openstack-compute/admin/content/adding-users-tenants-and-roles-with-python-keystoneclient.html</link>.</para>
</note>
<section xml:id="admin_cli_projects">
<title>Create and manage projects</title>
<procedure>
<title>To list all projects</title>
<step>
<para>To list all projects with their ID, name, and
whether they are enabled or not, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput></screen>
</step>
</procedure>
<procedure>
<title>To create a project</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name PROJECT_NAME </userinput></screen>
<para>Creates a new project with the specified name.
</para>
</step>
</procedure>
<procedure>
<title>To temporarily disable a project</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone tenant-update PROJECT_ID --enabled false</userinput></screen>
<para>For the details of the impact, see <xref
linkend="dashboard_manage_projects_users"/>.
</para>
</step>
</procedure>
<procedure>
<title>To delete a project</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone tenant-delete PROJECT_ID </userinput></screen>
<para>Deletes the specified project.</para>
</step>
</procedure>
</section>
<section xml:id="admin_cli_user_accounts">
<title>Create and manage user accounts</title>
<procedure>
<title>To list all users</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
<para>Lists all user accounts with their ID, name,
e-mail address, and the information if they are
enabled or not.</para>
</step>
</procedure>
<procedure>
<title>To create a user account</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone user-create --name USER_NAME --tenant_id PROJECT_ID --pass PRELIM_PASSWD</userinput></screen>
<para>Creates a new user with the specified name.
While the only required argument is --name, at
least specify the optional parameters --tenant_id
and --pass. Otherwise the newly created user
cannot log in to the SUSE Cloud Dashboard.</para>
</step>
</procedure>
<procedure>
<title>To temporarily disable a user account</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone user-update USER_ID --enabled false</userinput></screen>
<para>If you disable a user account, the user can no
longer log in, but his data is kept so that the
account can be re-enabled at any time.</para>
</step>
</procedure>
<procedure>
<title>To delete a user account</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone user-delete USER_ID </userinput></screen>
<para>Deletes the specified user account.</para>
</step>
</procedure>
</section>
<section xml:id="admin_cli_roles">
<title>Create and manage roles</title>
<para>Roles define the actions that the user is allowed to
perform. Configure roles in OpenStack Identity (Keystone).
Actions are defined per OpenStack service in the
respective /etc/[SERVICE_CODENAME]/policy.json file, for
example in /etc/nova/policy.json for the Compute (Nova)
service.</para>
<procedure>
<title>To list all roles</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
<para>Lists all roles with their ID and name.</para>
</step>
</procedure>
<procedure>
<title>To create a role</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone role-create --name=ROLE_NAME </userinput></screen>
<para>Creates a role with the specified name.</para>
</step>
</procedure>
<procedure>
<title>To delete a role</title>
<step>
<screen><prompt>$</prompt> <userinput>keystone role-delete ROLE_ID </userinput></screen>
<para>Deletes the specified role.</para>
</step>
</procedure>
</section>
<section xml:id="admin_cli_modify_projects">
<title>Modify user assignments for a project</title>
<para>Whereas each user is assigned to a primary project when
his user account is created, users can be members of
multiple projects. The keystone client does not allow to
directly assign users to additional projects. Instead you
need to define a role and grant that role to a
user-project pair.</para>
<procedure>
<title>To modify user assignments for a project</title>
<step>
<para>On a shell, source the OpenStack RC file. For
details, refer to <link
xlink:href="https://www.suse.com/documentation/suse_cloud10/book_cloud_admin/data/sec_adm_cli_rc.html"
>OpenStack RC File</link>.</para>
</step>
<step>
<para>Check if there is already a member role defined:</para>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
</step>
<step>
<para>If not, create it:</para>
<screen><prompt>$</prompt> <userinput>keystone role-create --name=member</userinput></screen>
</step>
<step>
<para>To grant the role to a user-project pair (and to
thus assign a user to this project), you need to
know the IDs of the role, the user, and the
project. You can look them up with keystone
role-list, keystone user-list, and keystone
tenant-list.</para>
</step>
<step>
<para>To grant the user membership of a project:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --role-id=ROLE_ID --tenant_id=TENANT_ID \
--user_id=USER_ID</userinput></screen>
</step>
<step>
<para>To assign the user to multiple projects, repeat
the last step.</para>
</step>
<step>
<para>To verify the assignments, use:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-list --user_id=USER_ID --tenant_id=TENANT_ID </userinput></screen>
</step>
</procedure>
</section>
</section>
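Review bot: The new admin CLI section still carries SUSE-specific text: the user-create step says the user "cannot log in to the SUSE Cloud Dashboard", and the first step of "To modify user assignments for a project" links to https://www.suse.com/documentation/suse_cloud10/book_cloud_admin/data/sec_adm_cli_rc.html for the RC file, although the introduction already points at the same topic with <xref linkend="cli_openrc"/>. Change the dashboard reference to the OpenStack dashboard and replace the external link with that xref. Two smaller points: the empty <para></para> directly under the title renders as a blank paragraph and can be dropped, and because `keystone user-create ... --pass PRELIM_PASSWD` takes the preliminary password as a command-line argument, it ends up in the shell history and is visible to other local users in the process list while the command runs; since the text already calls it a preliminary password, a sentence asking the new user to change it at first login would make that intent explicit. Also "does not allow to directly assign users" should read "does not let you assign users directly", and the user-role-add example mixes `--role-id` with `--tenant_id` and `--user_id`; pick one spelling style for the flags.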

View File

@ -1,10 +1,301 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="dashboard_manage_projects_users">
<title>Manage projects and users</title>
<title>Projects and users</title>
<?dbhtml stop-chunking?>
<para>In an OpenStack cloud, you can manage projects and users
independently from each other.</para>
<para>Projects represent different organizational units in the
cloud to which you can assign users.</para>
<para>Cloud admin users perform both project and user management
tasks.</para>
<para>During the basic system set up, the cloud operator must
define at least one project, user, and role. The operator
links the role to the user and the user to the project. Roles
define which actions users can perform.</para>
<para>As an admin user, you can create additional projects and
users as needed.</para>
<para>Learn how to add, update, and delete projects and users,
assign users to one or more projects, and change or remove the
assignment. To enable or temporarily disable a project or
user, update that project or user.</para>
<section xml:id="dashboard_projects">
<title>Create and manage projects</title>
<para>You can create, temporarily disable, enable, and delete
projects.</para>
<procedure xml:id="dashboard_create_project"
xlink:href="#dashboard_create_project"
xlink:title="create a project">
<title>To create a project</title>
<step xmlns:raxm="http://docs.rackspace.com/api/metadata">
<para>Log in to the OpenStack dashboard.</para>
</step>
<step>
<para>In the <guilabel>CURRENT PROJECT</guilabel>
drop-down list on the <guilabel>Project</guilabel>
tab, select the <literal>admin</literal>
project.</para>
</step>
<step>
<para>On the <guilabel>Admin</guilabel> tab, click the
<guilabel>Projects</guilabel> category.</para>
</step>
<step>
<para>Click <guibutton>Create
Project</guibutton>.</para>
</step>
<step>
<para>In the <guilabel>Create Project</guilabel>
window, enter a name and description for the
project. By default, the project is enabled. See
<xref linkend="disable_project"/>. Click
<guibutton>Create Project</guibutton>.</para>
<para>The dashboard assigns an ID and shows the
project in the <guilabel>Projects</guilabel>
category.</para>
</step>
</procedure>
<procedure>
<title>To update a project</title>
<para>You can update a project to change its name or
description, and to enable or temporarily disable
it.</para>
<para>Disabling a project has the following consequences:</para>
<itemizedlist xml:id="disable_project">
<title>Consequences of disabling a project</title>
<listitem>
<para>In the dashboard, the project can no longer
be accessed from the <guilabel>CURRENT
PROJECT</guilabel> drop-down list on the
<guilabel>Project</guilabel> tab.</para>
</listitem>
<listitem>
<para>Users that are only members of the disabled
project can no longer log in.</para>
</listitem>
<listitem>
<para>It is impossible to launch new instances for
a disabled project. Instances already running
are not automatically terminated though—you
must stop them manually.</para>
</listitem>
<listitem>
<para>All data for a disabled project is kept so
that you can enable the project again at any
time.</para>
</listitem>
</itemizedlist>
<step>
<para>Select the project that you want to update.
</para>
</step>
<step>
<para>From the <guilabel>More</guilabel> drop-down
list, click <guilabel>Edit
Project</guilabel>.</para>
</step>
<step>
<para>Optionally, change the following attributes for
the project: <itemizedlist>
<listitem>
<para>Name.</para>
</listitem>
<listitem>
<para>Description.</para>
</listitem>
<listitem>
<para>To disable the project, clear the
<guilabel>Enabled</guilabel> check
box.</para>
<para>To enable the project, select the
<guilabel>Enabled</guilabel> check
box.</para>
</listitem>
</itemizedlist></para>
</step>
<step>
<para>Click <guibutton>Save</guibutton>.</para>
</step>
</procedure>
<procedure>
<title>To delete one or more projects</title>
<step>
<para>Select the projects that you want to delete.
</para>
</step>
<step>
<para>Click <guibutton>Delete Projects</guibutton> and
confirm your choice in the pop-up that
appears.</para>
<note>
<para>You cannot undo the delete action.</para>
</note>
</step>
</procedure>
</section>
<section xml:id="dashboard_users">
<title>Create and manage user accounts</title>
<para>Users are members of one or multiple projects.</para>
<para>You can add, update, and delete users. To enable or
temporarily disable a user, update that user.</para>
<para>When you create a user account, you must assign the
account to a primary project. Optionally, you can assign
the account to additional projects.</para>
<para>When you disable a user account, the user can no longer
log in, but the data is kept so that you can enable the
account again at any time.</para>
<para>Before you can delete a user account, you must remove
the user account from its primary project.</para>
<procedure>
<title>To create a user account</title>
<step xmlns:raxm="http://docs.rackspace.com/api/metadata">
<para>Log in to the OpenStack dashboard.</para>
</step>
<step>
<para>In the <guilabel>CURRENT PROJECT</guilabel>
drop-down list on the <guilabel>Project</guilabel>
tab, select the <literal>admin</literal>
project.</para>
</step>
<step>
<para>Click the <guilabel>Users</guilabel>
category.</para>
</step>
<step>
<para>On the <guilabel>Admin</guilabel> tab, select
the <guilabel>Users</guilabel> category.</para>
</step>
<para/>
<step>
<para>Click <guibutton>Create User</guibutton>.</para>
</step>
<step>
<para>In the <guilabel>Create User</guilabel> window,
enter a user name, email, and preliminary password
for the user.</para>
<para>Select a project from the <guilabel>Primary
Project</guilabel> drop-down list.</para>
<para>Choose a role for the user from the
<guilabel>Role</guilabel> drop-down list.
Default is <literal>Member</literal>.</para>
</step>
<step>
<para>Click <guibutton>Create User</guibutton> to
confirm your changes.</para>
<para>The dashboard assigns an ID and shows the user
account in the <guilabel>Users</guilabel>
category.</para>
</step>
</procedure>
<procedure>
<title>To temporarily deactivate a user account</title>
<step>
<para>Select the user, and from the Actions drop-down
list, select Disable.</para>
</step>
</procedure>
<procedure>
<title>To delete one or more users accounts</title>
<step>
<para>Activate the check boxes in front of the user
accounts that you want to delete.</para>
</step>
<step>
<para>Click Delete Users and confirm your choice in
the pop-up that appears.</para>
<para>A message on the Web page shows if the action
has been successful.</para>
<para><emphasis role="italic">NOTE: Remove User from
Primary Project</emphasis></para>
<para>If a user account cannot be deleted, it is
because it is still assigned to its primary
project.</para>
</step>
</procedure>
<procedure>
<title>To delete a user from a project</title>
<step>
<para>Edit the user data to view which Primary Project
he is assigned to.</para>
</step>
<step>
<para>Remove the user from his primary project as
described in <link
xlink:href="https://www.suse.com/documentation/suse_cloud10/book_cloud_admin/data/sec_adm_dash_projects_users.html#pro_adm_dash_user_assign"
>Modifying User Assignments for a
Project</link>, <link
xlink:href="https://www.suse.com/documentation/suse_cloud10/book_cloud_admin/data/sec_adm_dash_projects_users.html#step_adm_dash_user_remove_start"
/> to <link
xlink:href="https://www.suse.com/documentation/suse_cloud10/book_cloud_admin/data/sec_adm_dash_projects_users.html#step_adm_dash_user_remove_end"
/>.</para>
</step>
</procedure>
<section xml:id="dashboard_user_assignments">
<title>Modify user assignments for a project</title>
<para>When creating new users, you must assign them to a
primary project as described in <link
xlink:href="https://www.suse.com/documentation/suse_cloud10/book_cloud_admin/data/sec_adm_dash_projects_users.html#pro_adm_dash_user_create"
>Creating Or Deleting Users Accounts</link>. To
assign users to additional projects or to modify and
remove assignments, proceed as follows:</para>
<procedure>
<title>To modify user assignments for a
project</title>
<step>
<para>On the Admin tab, select the Projects
category.</para>
</step>
<step>
<para>Select the project for which to modify user
assignments.</para>
</step>
<step>
<para>From the Actions drop-down list for the
project, select Modify Users.</para>
<para>The Dashboard shows two lists of users:
Users For Project shows the users assigned to
the current project, Add New Users shows other
existing users, which can be assigned to the
current project.</para>
<mediaobject>
<imageobject>
<imagedata
fileref="https://www.suse.com/documentation/suse_cloud10/book_cloud_admin/graphics/cloud_dash_users_list.png"
/>
</imageobject>
</mediaobject>
</step>
<step>
<para>To remove users from the current project,
select one or multiple users and click Remove
User or Remove Users.</para>
</step>
</procedure>
<procedure>
<title>To assign a user to the current project</title>
<step>
<para>Select the user and click Add To
Project.</para>
</step>
<step>
<para>In the window that appears, set the user's
role with which to add him to the project and
click Add. Roles define the actions that the
user is allowed to perform. Roles are
configured by the cloud operator in OpenStack
Identity (Keystone). Actions are defined per
OpenStack service in the respective
/etc/[SERVICE_CODENAME]/policy.json file, for
example in /etc/nova/policy.json for the
Compute (Nova) service. For details, see
<link
xlink:href="http://docs.openstack.org/essex/openstack-compute/install/content/keystone-concepts.html"
>http://docs.openstack.org/essex/openstack-compute/install/content/keystone-concepts.html</link>.
</para>
</step>
</procedure>
</section>
</section>
</section>
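Review bot: In "To create a user account", the stray <para/> sits between two <step> elements; the steps of a procedure must be contiguous, so delete it. The same procedure also has two consecutive steps that both open the Users category ("Click the Users category." followed by "On the Admin tab, select the Users category."); keep only the second, which names the tab. The unused xmlns:raxm declaration on the first step of both create procedures, and the xlink:href on the create-project procedure that points at its own xml:id, look like copy-paste leftovers. Finally, the section still links out to suse.com for "Modifying User Assignments for a Project", "Creating Or Deleting Users Accounts" and the cloud_dash_users_list.png image, even though the corresponding content now lives in this file (dashboard_user_assignments); use <xref> to those local ids and a local figure, and turn the italic "NOTE: Remove User from Primary Project" paragraph into a <note>, as is already done for "You cannot undo the delete action."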

View File

@ -1,294 +1,217 @@
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE section [
<!-- Some useful entities borrowed from HTML -->
<!-- Some useful entities bortred from HTML -->
<!ENTITY ndash "&#x2013;">
<!ENTITY mdash "&#x2014;">
<!ENTITY hellip "&#x2026;">
<!ENTITY plusmn "&#xB1;">
]>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="dashboard_set_quotas">
<title>Set quotas</title>
<?dbhtml stop-chunking?>
<para>To prevent system capacities from being exhausted without
notification, you can set up quotas. Quotas are operational limits.
For example, the number of gigabytes allowed per tenant can be
controlled so that cloud resources are optimized.
Quotas are currently enforced at the tenant (or project) level,
rather than by user.
</para>
<para>Typically, default values are changed because a tenant requires
more than 10 volumes, or more than 1TB on a Compute node.
</para>
<para>
<table frame="all">
<title>Compute Quota Descriptions (listed in order of appearance)</title>
<tgroup align="left" cols="3" colsep="1" rowsep="1">
<colspec colname="c1" colwidth="20%"/>
<colspec colname="c2" colwidth="60%"/>
<colspec colname="c3" colwidth="20%"/>
<thead>
<row>
<entry>
Quota
</entry>
<entry>
Description
</entry>
<entry>
Service
</entry>
</row>
</thead>
<tbody>
<row>
<entry>
<para>
Metadata Items
</para>
</entry>
<entry>
<para>
Number of metadata items allowed per instance.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
VCPUs
</para>
</entry>
<entry>
<para>
Number of instance cores allowed per tenant.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
Instances
</para>
</entry>
<entry>
<para>
Number of instances allowed per tenant.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
Injected Files
</para>
</entry>
<entry>
<para>
Number of injected files allowed per tenant.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
Injected File Content Bytes
</para>
</entry>
<entry>
<para>
Number of content bytes allowed per injected file.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
Volumes
</para>
</entry>
<entry>
<para>
Number of volumes allowed per tenant.
</para>
</entry>
<entry>
<para>
<systemitem>Block Storage</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
Gigabytes
</para>
</entry>
<entry>
<para>
Number of volume gigabtyes allowed per tenant.
</para>
</entry>
<entry>
<para>
<systemitem>Block Storage</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
RAM (MB)
</para>
</entry>
<entry>
<para>
Megabytes of ram allowed per instance.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
Floating IPs
</para>
</entry>
<entry>
<para>
Number of floating IP addresses allowed per tenant.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
Fixed IPs
</para>
</entry>
<entry>
<para>
Number of fixed IP addresses allowed per tenant. This number
must be equal to or greater than the number of allowed
instances.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
Security Groups
</para>
</entry>
<entry>
<para>
Number of security groups allowed per tenant.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
<row>
<entry>
<para>
Security Group Rules
</para>
</entry>
<entry>
<para>
Number of rules per security group.
</para>
</entry>
<entry>
<para>
<systemitem>Compute</systemitem>
</para>
</entry>
</row>
</tbody>
</tgroup>
<section xmlns="http://docbook.org/ns/docbook" version="5.0"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
xml:id="dashboard_set_quotas">
<title>Set quotas</title>
<?dbhtml stop-chunking?>
<para>To prevent system capacities from being exhausted without
notification, you can set up quotas. Quotas are operational
limits. For example, to optimize cloud resources, you can control
the number of gigabytes allowed for each project, also known as a tenant. Quotas are
currently enforced at the project level rather than
at the user level.</para>
<para>Typically, you change default values because a project requires
more than 10 volumes, or more than 1 TB on a Compute node.</para>
<para>
<table rules="all" width="624">
<caption>Compute and Block Storage quotas</caption>
<col width="20%"/>
<col width="60%"/>
<col width="20%"/>
<thead>
<tr>
<th>Quota</th>
<th>Description</th>
<th>Service</th>
</tr>
</thead>
<tbody>
<tr>
<td>
<para>Metadata Items</para>
</td>
<td>
<para>Number of metadata items allowed per instance.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>VCPUs</para>
</td>
<td>
<para>Number of instance cores allowed per tenant.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>Instances</para>
</td>
<td>
<para>Number of instances allowed per tenant.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>Injected Files</para>
</td>
<td>
<para>Number of injected files allowed per tenant.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>Injected File Content Bytes</para>
</td>
<td>
<para>Number of content bytes allowed per injected file.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>Volumes</para>
</td>
<td>
<para>Number of volumes allowed per tenant.</para>
</td>
<td>
<para><systemitem class="service">Block Storage</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>Gigabytes</para>
</td>
<td>
<para>Number of volume gigabtyes allowed per tenant.</para>
</td>
<td>
<para><systemitem class="service">Block Storage</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>RAM (MB)</para>
</td>
<td>
<para>Megabytes of ram allowed per instance.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>Floating IPs</para>
</td>
<td>
<para>Number of floating IP addresses allowed per tenant.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>Fixed IPs</para>
</td>
<td>
<para>Number of fixed IP addresses allowed per tenant.
This number must be equal to or greater than the number
of allowed instances.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>Security Groups</para>
</td>
<td>
<para>Number of security groups allowed per tenant.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
<tr>
<td>
<para>Security Group Rules</para>
</td>
<td>
<para>Number of rules per security group.</para>
</td>
<td>
<para><systemitem class="service">Compute</systemitem></para>
</td>
</tr>
</tbody>
</table>
</para>
</para>
<section xml:id="dashboard_set_quotas_procedure">
<title>View and update quotas for a tenant (project)</title>
<para>
As an administrative user in the dashboard, you can view but not edit
the default quotas for a new tenant. However, quotas can be updated
for individual tenants after the tenant has been created.
</para>
<procedure>
<title>To view default quotas:</title>
<step><para>Click the <guilabel>Admin</guilabel> tab in the navigation sidebar,
then click the <guilabel>System Info</guilabel> category.
</para></step>
<step><para>Click the <guilabel>Default Quotas</guilabel> tab in the
main window.</para></step>
</procedure>
<procedure>
<title>To update quotas for an individual tenant (project) in the dashboard:</title>
<step><para>Click the <guilabel>Admin</guilabel> tab in the navigation
sidebar, then click the <guilabel>Projects</guilabel> category.
</para></step>
<step><para>Select the tenant for which to set or change quota
values.
</para></step>
<step><para>Click the tenant's <guibutton>More</guibutton> button,
and then select <guilabel>Modify Quotas</guilabel>. The
<guilabel>Edit Project</guilabel> window is displayed.
</para></step>
<step><para>Edit quota values on the <guilabel>Quota</guilabel> tab,
and click the <guibutton>Save</guibutton> button.
</para></step>
</procedure>
<note><para>
Not all possible project quotas are displayed in the dashboard. To obtain
and update the complete list for a service, use its command-line tools
(see <xref linkend="cli_set_quotas"/>).
</para>
</note>
</section>
</section>
<title>Project quotas</title>
<para>As an administrative user in the dashboard, you can set
quotas when you <xref linkend="dashboard_create_project"/> or update quotas for an
existing project.</para>
<procedure>
<title>To view default quotas</title>
<step>
<para>On the <guilabel>Admin</guilabel> tab in the navigation
sidebar, click the <guilabel>System Info</guilabel>
category.</para>
</step>
<step>
<para>Click the <guilabel>Default Quotas</guilabel> tab in the
main page.</para>
</step>
</procedure>
<procedure>
<title>To update project quotas</title>
<step>
<para>On the <guilabel>Admin</guilabel> tab in the navigation
sidebar, click the <guilabel>Projects</guilabel> category.</para>
</step>
<step>
<para>Select the project for which to change quota values.</para>
</step>
<step>
<para>From the <guilabel>More</guilabel> drop-down list, click
<guilabel>Modify Quotas</guilabel>.</para>
</step>
<step>
<para>On the <guilabel>Quota</guilabel> tab in the
<guilabel>Edit Project</guilabel> window, edit quota
values. Then, click <guibutton>Save</guibutton>.</para>
</step>
</procedure>
<note>
<para>Not all possible project quotas are displayed in the
dashboard. To obtain and update the complete list for a
service, use the keystone command-line client. See <xref
linkend="cli_set_quotas"/>.</para>
</note>
</section>
</section>
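Review bot: The closing note now says "To obtain and update the complete list for a service, use the keystone command-line client", but the quotas in the table belong to Compute and Block Storage, not to the Identity Service; the old wording ("use its command-line tools") was correct, so restore it or name the clients that <xref linkend="cli_set_quotas"/> documents. Other points in this hunk: the entity comment changes from "borrowed from HTML" to "bortred from HTML" (typo introduced); "gigabtyes" in the Gigabytes row survives the rewrite; the RAM (MB) row says "per instance" while every other capacity row says "per tenant" and the introduction states that quotas are enforced at the project level, so confirm which is meant; the intro now says "project, also known as a tenant" while the table rows all still say "per tenant", so settle on one term; and the HTML-style <table> is wrapped in a <para> that adds nothing, so let the table stand on its own.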

View File

@ -38,10 +38,10 @@
<xi:include href="../common/section_keystone-ssl-config.xml"/>
<section xml:id="user-crud">
<title>User CRUD</title>
<para>Keystone provides a user CRUD filter that can be added to
the public_api pipeline. This user crud filter allows users to
use a HTTP PATCH to change their own password. To enable this
extension you should define a
<para>The Identity Service provides a user CRUD filter that can be
added to the public_api pipeline. This user crud filter allows
users to use a HTTP PATCH to change their own password. To
enable this extension you should define a
<literal>user_crud_extension</literal> filter, insert it after
the <literal>*_body</literal> middleware and before the
<literal>public_service</literal> app in the public_api WSGI
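Review bot: "a HTTP PATCH" should read "an HTTP PATCH", and "user crud filter" in the second sentence should match the "user CRUD filter" spelling in the first. Since the paragraph marks up user_crud_extension, *_body and public_service with <literal>, give public_api the same treatment.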
@ -98,9 +98,7 @@ paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory</comp
auth_uri = http://127.0.0.1:5000/
admin_user = admin
admin_password = SuperSekretPassword
admin_tenant_name = service
</computeroutput>
</screen>
admin_tenant_name = service</computeroutput> </screen>
<note>
<para>Middleware parameters in paste config take priority. You
must remove these values in the
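Review bot: Collapsing the closing tags onto `admin_tenant_name = service</computeroutput> </screen>` leaves a space between </computeroutput> and </screen>; whitespace inside <screen> is verbatim, so this renders as a trailing space on the last line of the example. Write the two closing tags back to back. While editing this block, `admin_password = SuperSekretPassword` in the unchanged context reads like a real value; given that the following note says middleware parameters in paste config take priority, a reader who copies the block verbatim ends up with that string as the admin password in the pipeline configuration. Render it as a placeholder, for example <replaceable>ADMIN_PASSWORD</replaceable>.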
@ -138,8 +136,9 @@ pipeline = [...] json_body stats_reporting ec2_extension [...] admin_service</co
<xi:include href="../common/section_keystone_certificates-for-pki.xml"/>
<xi:include href="../common/section_keystone-sample-conf-files.xml"/>
<section xml:id="running-keystone">
<title>Running the Identity Service</title>
<para>To start Identity Service, run the following command:</para>
<title>Run the Identity Service</title>
<para>To start the Identity Service, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>keystone-all</userinput></screen>
<para>This command starts two wsgi.Server instances, configured by
the <filename>keystone.conf</filename> and
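Review bot: The title change to "Run the Identity Service" matches the imperative form of "Initialize the Identity Service" below; fine. In the explanatory sentence, keystone.conf is marked up with <filename> but wsgi.Server is plain text; wrap it in <literal> for consistency.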
@ -150,11 +149,10 @@ pipeline = [...] json_body stats_reporting ec2_extension [...] admin_service</co
single process.</para>
</section>
<section xml:id="initializing-keystone">
<title>Initializing the Identity Service</title>
<para>
<command>keystone-manage</command> is designed to execute
<title>Initialize the Identity Service</title>
<para><command>keystone-manage</command> enables you to run
commands that cannot be administered through the normal REST
api. At the moment, the following calls are supported:</para>
API. The following calls are supported:</para>
<itemizedlist>
<listitem>
<para>
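Review bot: "enables you to run commands that cannot be administered through the normal REST API" mixes two subjects (you run commands, but commands are not administered); suggest "enables you to perform operations that are not available through the REST API". Capitalizing "API" and dropping "At the moment" are fine.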
@ -172,434 +170,8 @@ pipeline = [...] json_body stats_reporting ec2_extension [...] admin_service</co
<para>Invoking keystone-manage by itself will give you additional
usage information.</para>
</section>
<section
xml:id="adding-users-tenants-and-roles-with-python-keystoneclient">
<?dbhtml stop-chunking?>
<title>Adding Users, Tenants, and Roles with
python-keystoneclient</title>
<para>Only users with admin credentials can administer users,
tenants and roles. You can configure the python-keystoneclient
with admin credentials through either the authentication token,
or the username and password method.</para>
<section xml:id="token-auth-method">
<title>Token Auth Method</title>
<para>To use keystone client using token auth, set the following
flags:</para>
<itemizedlist>
<listitem>
<para>
<literal>--endpoint SERVICE_ENDPOINT</literal>. The
keystone endpoint to communicate with. The default
endpoint is <link
xlink:href="http://localhost:35357/v2.0'"
>http://localhost:35357/v2.0'</link>.</para>
</listitem>
<listitem>
<para>
<literal>--token SERVICE_TOKEN</literal>. The
administrator service token.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="password-auth-method">
<title>Password Auth Method</title>
<itemizedlist>
<listitem>
<para>
<literal>--username OS_USERNAME</literal>. The
administrator username.</para>
</listitem>
<listitem>
<para>
<literal>--password OS_PASSWORD</literal>. The administrator
password</para>
</listitem>
<listitem>
<para>
<literal>--tenant_name OS_TENANT_NAME</literal>. The
tenant name.</para>
</listitem>
<listitem>
<para>
<literal>--auth_url OS_AUTH_URL</literal>. The URL of the
keystone auth server, for example <link
xlink:href="http://localhost:5000/v2.0'"
>http://localhost:5000/v2.0'</link>.</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="use-v3-instead-of-default-v2">
<title>Using API v3 instead of API v2.0</title>
<para>Use the following keystone parameters, in combination, to
specify the version of the API to use:</para>
<itemizedlist>
<listitem>
<para><parameter>--os-endpoint</parameter>. The
<literal>keystone</literal> client detects the version
of the API from this parameter.</para>
</listitem>
<listitem>
<para><parameter>--os-url</parameter>. Specifies the service
URL from the service catalog lookup.</para>
</listitem>
<listitem>
<para><parameter>--os-identity-api-version</parameter>.
Specifies the Identity Service API version.</para>
</listitem>
</itemizedlist>
<para>For example, the following parameters indicate the use of
API v3:</para>
<screen><userinput><parameter>--os-url</parameter> "http://15.253.57.115:35357/v3" <parameter>--os-identity-api-version</parameter> 3</userinput></screen>
<para>The following parameters indicate the use of API
v2.0:</para>
<screen><userinput><parameter>--os-url</parameter> "http://15.253.57.115:35357/v2.0" <parameter>--os-identity-api-version</parameter> 2.0</userinput></screen>
</section>
<section xml:id="example-usage">
<title>Example usage</title>
<para>The <literal>keystone</literal> client is set up to expect
commands in the general form of <literal>keystone</literal>
<literal>command</literal>
<literal>argument</literal>, followed by flag-like keyword
arguments to provide additional (often optional) information.
For example, the command <literal>user-list</literal> and
<literal>tenant-create</literal> can be invoked as follows:</para>
<screen># Using token auth env variables
export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/
export SERVICE_TOKEN=secrete_token
keystone user-list
keystone tenant-create --name=demo
# Using token auth flags
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ user-list
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ tenant-create --name=demo
# Using user + password + tenant_name env variables
export OS_USERNAME=admin
export OS_PASSWORD=secrete
export OS_TENANT_NAME=admin
keystone user-list
keystone tenant-create --name=demo
# Using user + password + tenant_name flags
keystone --username=admin --password=secrete --tenant_name=admin user-list
keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo</screen>
</section>
<section xml:id="tenants">
<title>Tenants</title>
<para>A tenant is a group of zero or more users. In nova, a
tenant owns virtual machines. In swift, a tenant owns
containers. Users can be associated with more than one tenant.
Each tenant and user pairing can have a role associated with
it.</para>
<section xml:id="tenant-create">
<title><literal>tenant-create</literal></title>
<para>keyword arguments</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
<listitem>
<para>description (optional, defaults to None)</para>
</listitem>
<listitem>
<para>enabled (optional, defaults to True)</para>
</listitem>
</itemizedlist>
<para>The following command creates a tenant named
demo:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name=demo</userinput></screen>
</section>
<section xml:id="tenant-delete">
<title><literal>tenant-delete</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>tenant_id</para>
</listitem>
</itemizedlist>
<para>The following command deletes the tenant:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-delete f2b7b39c860840dfa47d9ee4adffa0b3</userinput></screen>
</section>
<section xml:id="tenant-get">
<title><literal>tenant-get</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>tenant_id</para>
</listitem>
</itemizedlist>
<para>To display details for the tenant, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-get f2b7b39c860840dfa47d9ee4adffa0b3</userinput></screen>
</section>
<section xml:id="tenant-list">
<title><literal>tenant-list</literal></title>
<para>To list all tenants, run the following command:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-list</userinput></screen>
</section>
<section xml:id="tenant-update">
<title><literal>tenant-update</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
<listitem>
<para>description</para>
</listitem>
<listitem>
<para>enabled</para>
</listitem>
</itemizedlist>
<para>To update the description and status for a tenant, run
the following command:</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-update --description newdemo --enabled false f2b7b39c860840dfa47d9ee4adffa0b3</userinput></screen>
</section>
</section>
<section xml:id="users">
<title>Users</title>
<section xml:id="user-create">
<title><literal>user-create</literal></title>
<para>keyword arguments:</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
<listitem>
<para>pass</para>
</listitem>
<listitem>
<para>email</para>
</listitem>
<listitem>
<para>tenant-id</para>
</listitem>
<listitem>
<para>enabled (optional, defaults to True)</para>
</listitem>
</itemizedlist>
<para>Here is an example:</para>
<screen><prompt>$</prompt><userinput>keystone user-create --tenant-id=f2b7b39c860840dfa47d9ee4adffa0b3 \
--name=admin --pass=secrete --email=admin@example.com</userinput></screen>
</section>
<section xml:id="user-delete">
<title><literal>user-delete</literal></title>
<para>keyword arguments:</para>
<itemizedlist>
<listitem>
<para>user</para>
</listitem>
</itemizedlist>
<para>Here is an example:</para>
<screen><prompt>$</prompt><userinput>keystone user-delete 354b53eeb10b445584ac5bf39a768740</userinput></screen>
</section>
<section xml:id="user-list">
<title><literal>user-list</literal></title>
<para>list users in the system, optionally by a specific
tenant (identified by tenant_id)</para>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>tenant_id (optional, lists all users if not
specified)</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput></screen>
</section>
<section xml:id="user-update">
<title><literal>user-update</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
<listitem>
<para>email</para>
</listitem>
<listitem>
<para>enable</para>
</listitem>
</itemizedlist>
<para>The following command upateds the user with new
email:</para>
<screen><prompt>$</prompt> <userinput>keystone user-update --email &quot;someone@somewhere.com&quot; 354b53eeb10b445584ac5bf39a768740</userinput></screen>
</section>
<section xml:id="user-get">
<title><literal>user-get</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>user_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-get 354b53eeb10b445584ac5bf39a768740</userinput></screen>
</section>
<section xml:id="user-password-update">
<title><literal>user-password-update</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>pass</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-password-update --pass foo 03c84b51574841ba9a0d8db7882ac645</userinput></screen>
</section>
</section>
<section xml:id="roles">
<title>Roles</title>
<section xml:id="role-create">
<title><literal>role-create</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen>
keystone role-create --name=demo
</screen>
</section>
<section xml:id="role-delete">
<title><literal>role-delete</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-delete 19d1d3344873464d819c45f521ff9890</userinput></screen>
</section>
<section xml:id="role-list">
<title><literal>role-list</literal></title>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
</section>
<section xml:id="role-get">
<title><literal>role-get</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone role-get 19d1d3344873464d819c45f521ff9890</userinput></screen>
</section>
<section xml:id="user-role-add">
<title><literal>user-role-add</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role or role_id</para>
</listitem>
<listitem>
<para>user or user_id</para>
</listitem>
<listitem>
<para>tenant or tenant_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --user 3a751f78ef4c412b827540b829e2d7dd \
--role 03c84b51574841ba9a0d8db7882ac645 --tenant 20601a7f1d94447daa4dff438cb1c209</userinput></screen>
</section>
<section xml:id="user-role-remove">
<title><literal>user-role-remove</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>role or role_id</para>
</listitem>
<listitem>
<para>user or user_id</para>
</listitem>
<listitem>
<para>tenant or tenant_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-remove --user 3a751f78ef4c412b827540b829e2d7dd \
--role 03c84b51574841ba9a0d8db7882ac645 --tenant 20601a7f1d94447daa4dff438cb1c209</userinput></screen>
</section>
<section xml:id="user-role-list">
<title><literal>user-role-list</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>user_id or user</para>
</listitem>
<listitem>
<para>tenant or tenant_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-list --user 3a751f78ef4c412b827540b829e2d7dd</userinput></screen>
</section>
</section>
<section xml:id="services">
<title>Services</title>
<section xml:id="service-create">
<title><literal>service-create</literal></title>
<para>keyword arguments</para>
<itemizedlist>
<listitem>
<para>name</para>
</listitem>
<listitem>
<para>type</para>
</listitem>
<listitem>
<para>description</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service create \
--name=nova \
--type=compute \
--description=&quot;Nova Compute Service&quot;</userinput></screen>
</section>
<section xml:id="service-list">
<title><literal>service-list</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>service_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service-list</userinput></screen>
</section>
<section xml:id="service-get">
<title><literal>service-get</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>service_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service-get 08741d8ed88242ca88d1f61484a0fe3b</userinput></screen>
</section>
<section xml:id="service-delete">
<title><literal>service-delete</literal></title>
<para>arguments</para>
<itemizedlist>
<listitem>
<para>service_id</para>
</listitem>
</itemizedlist>
<para>example:</para>
<screen><prompt>$</prompt> <userinput>keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b</userinput></screen>
</section>
</section>
</section>
<section xml:id="configuring-services-to-work-with-keystone">
<title>Configuring Services to work with Keystone</title>
<title>Configure services to work with the Identity Service</title>
<para>Once Keystone is installed and running, services need to be
configured to work with it. To do this, we primarily install and
configure middleware for the OpenStack service to handle
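Review bot: the `service-create` example in the Services section reads `keystone service create` (no hyphen), which is not a keystone subcommand; it should be `keystone service-create`, as the catalog example later in this file writes it. In the same region, `service-list` lists `service_id` as an argument although the command takes none (its own example runs it bare), the `user-update` paragraph says "upateds", the `role-create` example omits the `<prompt>$</prompt> <userinput>` markup that every sibling `<screen>` uses, and the argument headings switch between "arguments", "keyword arguments" and "keyword arguments:". Also reconsider the Example usage block putting the password and token on the command line (`--password=secrete`, `--token=secrete`): both end up in shell history and are visible to other local users in the process list, so the environment-variable form shown first is the one to recommend.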
@ -622,125 +194,10 @@ keystone role-create --name=demo
</itemizedlist>
<para>The middleware will pass those data down to the service as
headers.</para>
<section xml:id="setting-up-credentials">
<?dbhtml stop-chunking?>
<title>Setting up credentials</title>
<para>To ensure services that you add to the catalog know about
the users, tenants, and roles, you must create an admin token
and create service users. These sections walk through those
requirements.</para>
<section xml:id="admin-token">
<title>Admin Token</title>
<para>For a default installation of Keystone, before you can
use the REST API, you need to define an authorization token.
This is configured in the <filename>keystone.conf</filename>
file under the section <literal>[DEFAULT]</literal>.</para>
<para>In the sample file provided with the keystone project,
the line defining this token is:</para>
<blockquote>
<para>[DEFAULT] admin_token = ADMIN</para>
</blockquote>
<para>This configured token is a &quot;shared secret&quot;
between keystone and other OpenStack services, and is used
by the client to communicate with the API to create tenants,
users, roles, etc.</para>
</section>
<section xml:id="setting-up-tenants-users-and-roles">
<title>Setting up tenants, users, and roles</title>
<para>You must minimally define a tenant, user, and role to
link the tenant and user as the most basic set of details to
get other services authenticating and authorizing with
keystone.</para>
<para>You will also want to create service users for Compute
(nova), Image (glance), Object Storage (swift), etc. to be
able to use to authenticate users against the Identity
service (keystone). The <literal>auth_token</literal>
middleware supports using either the shared secret described
above as `admin_token` or users for each service.</para>
<para>See the <link
linkend="adding-users-tenants-and-roles-with-python-keystoneclient"
>configuration section</link> for a walk through on how to
create tenants, users, and roles.</para>
</section>
</section>
<section xml:id="setting-up-services">
<title>Setting up services</title>
<?dbhtml stop-chunking?>
<section xml:id="creating-service-users">
<title>Creating Service Users</title>
<para>To configure the OpenStack services with service users,
we must create a tenant for all the services, and then users
for each of the services. We then assign those service users
an Admin role on the service tenant. This allows them to
validate tokens - and authenticate and authorize other user
requests.</para>
<para>Create a tenant for the services, typically named
'service' (however, the name can be whatever you choose):</para>
<screen><prompt>$</prompt> <userinput>keystone tenant-create --name=service</userinput></screen>
<para>This returns a UUID of the tenant - keep that, you'll
need it when creating the users and specifying the roles.</para>
<para>Create service users for nova, glance, swift, and
neutron (or whatever subset is relevant to your deployment):</para>
<screen><prompt>$</prompt> <userinput>keystone user-create --name=nova \
--pass=Sekr3tPass \
--tenant_id=[the uuid of the tenant] \
--email=nova@nothing.com</userinput></screen>
<para>Repeat this for each service you want to enable. Email
is a required field in keystone right now, but not used in
relation to the service accounts. Each of these commands
will also return a UUID of the user. Keep those to assign
the Admin role.</para>
<para>For adding the Admin role to the service accounts, you
need the UUID of the role you want to add. If you don't have
them handy, you can look it up quickly with:</para>
<screen><prompt>$</prompt> <userinput>keystone role-list</userinput></screen>
<para>Once you have it, assign the service users to the Admin
role. This is all assuming that you've already created the
basic roles and settings as described in the configuration
section:</para>
<screen><prompt>$</prompt> <userinput>keystone user-role-add --tenant_id=[uuid of the service tenant] \
--user=[uuid of the service account] \
--role=[uuid of the Admin role]</userinput></screen>
</section>
<section xml:id="defining-services">
<title>Defining Services</title>
<para>Keystone also acts as a service catalog to let other
OpenStack systems know where relevant API endpoints exist
for OpenStack Services. The OpenStack Dashboard, in
particular, uses this heavily - and this <emphasis
role="strong">must</emphasis> be configured for the
OpenStack Dashboard to properly function.</para>
<para>The endpoints for these services are defined in a
template, an example of which is in the project as the file
<literal>etc/default_catalog.templates</literal>. When
keystone uses a template file backend, then changes made to
the endpoints are kept in memory and don't persist if you
restart the service or reboot the machine. Use the SQL
backend when deploying a system for production.</para>
<para>Keystone supports two means of defining the services,
one is the catalog template, as described above - in which
case everything is detailed in that template.</para>
<para>The other is a SQL backend for the catalog service, in
which case after keystone is online, you must add the
services to the catalog:</para>
<screen><prompt>$</prompt> <userinput>keystone service-create --name=nova \
--type=compute \
--description=&quot;Nova Compute Service&quot;
keystone service-create --name=ec2 \
--type=ec2 \
--description=&quot;EC2 Compatibility Layer&quot;
keystone service-create --name=glance \
--type=image \
--description=&quot;Glance Image Service&quot;
keystone service-create --name=keystone \
--type=identity \
--description=&quot;Keystone Identity Service&quot;
keystone service-create --name=swift \
--type=object-store \
--description=&quot;Swift Service&quot;</userinput></screen>
</section>
<xi:include href="../common/section_cli_keystone_credentials.xml"/>
<xi:include href="../common/section_cli_keystone_apiv3.xml"/>
<xi:include href="../common/section_cli_keystone_example_usage.xml"/>
<xi:include href="../common/section_cli_keystone_users_tenants_roles.xml"/>
</section>
<section xml:id="setting-up-middleware">
<title>Setting Up Middleware</title>
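Review bot: the four `xi:include` lines added at the end of `setting-up-services` pull the credentials, API-version, example-usage and users/tenants/roles sections in under "Setting up services", after "Defining Services"; they read as prerequisites rather than service set-up, so they belong at the `configuring-services-to-work-with-keystone` level, ahead of the service-user and catalog material that depends on them. Before merging, confirm the included files do not reuse the `xml:id` values that appear earlier in this file (`example-usage`, `tenants`, `users`, `roles`, `services`); a duplicate id fails the DocBook build. Two smaller points in the text this hunk touches: `admin_token = ADMIN` is shown in a `<blockquote><para>`, which collapses the section header and the key onto one line, so use `<programlisting>` with `[DEFAULT]` and `admin_token = ADMIN` on separate lines, and since the paragraph calls it a shared secret, say that the sample value must be replaced with a long random string before the service is exposed. The service-user commands also use `--tenant_id=` while the `user-create` reference earlier writes `--tenant-id=`; pick one spelling.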
@ -844,6 +301,7 @@ use = egg:swift#healthcheck</computeroutput>
<para>Here's an example:</para>
<screen><computeroutput>
[DEFAULT]
bind_port = 8080
user = &lt;user&gt;
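Review bot: the proxy-server fragment that follows "Here's an example:" is wrapped in `<computeroutput>`, but it is configuration the administrator types, not program output; `<programlisting>` is the element that fits, and `user = &lt;user&gt;` should be `user = <replaceable>user</replaceable>` so the placeholder renders as one. The `[ldap]` fragment later in this file has the same markup.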
@ -888,10 +346,9 @@ admin_token = ADMIN</computeroutput>
</screen>
</listitem>
<listitem>
<para>You can then access directly your Swift via the S3
<para>You can then access directly your Swift through the S3
API, here's an example with the `boto` library:</para>
<screen><computeroutput>
import boto
<screen><computeroutput>import boto
import boto.s3.connection
connection = boto.connect_s3(
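Review bot: the replacement sentence still has the adverb out of place ("access directly your Swift"); suggest "You can then access Swift directly through the S3 API; here is an example that uses the boto library:" and `<literal>boto</literal>` rather than backticks, which DocBook renders literally. Joining `import boto` onto the `<screen><computeroutput>` line does remove the leading blank line from the rendered block, which is the right fix; the proxy-server and `[ldap]` fragments in the neighbouring hunks still open with a bare `<screen><computeroutput>` line and would benefit from the same treatment.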
@ -991,6 +448,7 @@ user_name_attribute = cn</computeroutput>
only read access, in such case the configuration is:</para>
<screen><computeroutput>
[ldap]
user_allow_create = False
user_allow_update = False
user_allow_delete = False
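Review bot: "only read access, in such case the configuration is:" needs "in which case the configuration is:". Setting the three `user_allow_*` options to `False` is the right default for a directory that another team owns; it is worth one sentence saying that the account keystone binds to LDAP with should also be granted read-only rights in the directory itself, so the restriction holds on both sides rather than only in keystone's configuration.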
@ -1098,7 +556,6 @@ admin_password = keystone123</computeroutput>
granted access to the 'Admin' role on the 'admin' tenant.
</para>
</section>
</section>
</section>
<section xml:id="keystone-ssl">
<title>Configuring Keystone SSL support</title>
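Review bot: this hunk drops one closing tag (7 lines to 6), so check that the section nesting still balances: `<section xml:id="setting-up-middleware">` remains open in this file at the end of the earlier hunk, while the new file in this commit declares the same `xml:id="setting-up-middleware"`. If the in-file section is meant to go away in favour of the new file, its opening tag and title need removing too; if both stay, one of the ids must change, because duplicate ids break the build when both are included.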

View File

@ -0,0 +1,87 @@
<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="setting-up-middleware">
<title>Set up middleware for the Identity Service</title>
<?dbhtml stop-chunking?>
<section xml:id="keystone-auth-token-middleware">
<title>Keystone Auth-Token Middleware</title>
<para>The Keystone auth_token middleware is a WSGI component
that can be inserted in the WSGI pipeline to handle
authenticating tokens with Keystone.</para>
</section>
<section xml:id="configuring-nova-to-use-keystone">
<title>Configuring Nova to use Keystone</title>
<para>When configuring Nova, it is important to create a nova
user in the service tenant and include the nova user's login
information in /etc/nova/nova.conf</para>
</section>
<section xml:id="configuring-swift-to-use-keystone">
<title>Configuring Swift to use Keystone</title>
<para>Similar to Nova, swift can be configured to use Keystone
for authentication rather than its built in 'tempauth'.</para>
<orderedlist numeration="arabic">
<listitem>
<para>Add a service endpoint for Swift to Keystone</para>
</listitem>
<listitem>
<para>Configure the paste file for swift-proxy,
<filename>/etc/swift/proxy-server.conf</filename>.
</para>
</listitem>
<listitem>
<para>Reconfigure Swift's proxy server to use Keystone
instead of TempAuth. Here's an example
`/etc/swift/proxy-server.conf`:</para>
<screen>
[DEFAULT]
bind_port = 8888
user = &lt;user&gt;
[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystone proxy-server
[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true
[filter:keystone]
paste.filter_factory = keystoneclient.middleware.swift_auth:filter_factory
operator_roles = admin, swiftoperator
[filter:authtoken]
paste.filter_factory = keystoneclient.middleware.auth_token:filter_factory
# Delaying the auth decision is required to support token-less
# usage for anonymous referrers ('.r:*').
delay_auth_decision = true
service_port = 5000
service_host = 127.0.0.1
auth_port = 35357
auth_host = 127.0.0.1
auth_token = ADMIN
admin_token = ADMIN
cache = swift.cache
[filter:cache]
use = egg:swift#memcache
set log_name = cache
[filter:catch_errors]
use = egg:swift#catch_errors
[filter:healthcheck]
use = egg:swift#healthcheck
</screen></listitem>
<listitem>
<para>Restart swift services.</para>
</listitem>
<listitem>
<para>Verify that the Identity service, Keystone, is
providing authentication to Object Storage (Swift).</para>
<screen>
<prompt>$</prompt> <userinput>swift -V 2 -A http://localhost:5000/v2.0 -U admin:admin -K ADMIN stat</userinput>
</screen>
</listitem>
</orderedlist>
</section>
</section>
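Review bot: the `proxy-server.conf` example hard-codes the shared secret (`auth_token = ADMIN`, `admin_token = ADMIN`) and the verification command passes `-K ADMIN`; readers copy these blocks verbatim, so mark the values `<replaceable>` and add a sentence that the token must match the `admin_token` set in `keystone.conf` and be replaced with a long random string. Steps 2 and 3 both describe editing `/etc/swift/proxy-server.conf` (one says "Configure the paste file", the other "Reconfigure Swift's proxy server"), so merge them; step 1 ("Add a service endpoint for Swift to Keystone") has no command, and `/etc/nova/nova.conf` and the backticked `/etc/swift/proxy-server.conf` should use `<filename>`. The comment explaining `delay_auth_decision = true` is useful; it is worth adding that with this setting a request whose token fails validation is passed on to `swift_auth` instead of being rejected at the `authtoken` filter, so the `.r:*` referrer ACLs decide what anonymous callers can reach.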

View File

@ -21,7 +21,6 @@
<groupId>com.rackspace.cloud.api</groupId>
<artifactId>clouddocs-maven-plugin</artifactId>
<version>1.8.0</version>
<executions>
<!-- Configuration for OpenStack End User Guide -->
<execution>
@ -32,8 +31,6 @@
<phase>generate-sources</phase>
<configuration>
<includes> bk-user-guide.xml</includes>
<chapterAutolabel>0</chapterAutolabel>
<security>external</security>
<generateToc>
appendix toc
article/appendix nop
@ -47,6 +44,9 @@ qandadiv toc
qandaset toc
reference toc,title
set toc,title </generateToc>
<profileOs>enduser</profileOs>
<chapterAutolabel>0</chapterAutolabel>
<security>external</security>
<tocSectionDepth>1</tocSectionDepth>
<targetDirectory>target/docbkx/webhelp/</targetDirectory>
<webhelpDirname>user-guide</webhelpDirname>
@ -55,6 +55,7 @@ set toc,title </generateToc>
</execution>
</executions>
<configuration>
<profileOs>enduser</profileOs>
<highlightSource>false</highlightSource>
<xincludeSupported>true</xincludeSupported>
<showXslMessages>true</showXslMessages>
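Review bot: `<profileOs>enduser</profileOs>` is now set twice, once in the user-guide `<execution>` configuration and again in the plugin-level `<configuration>` added in the last hunk. The plugin-level value applies to every execution in this pom, so any other guide built from it would be profiled as `enduser` too; keep the execution-level setting and drop the plugin-level one. Moving `<chapterAutolabel>` and `<security>` to sit next to `<profileOs>` in the execution block is fine.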

View File

@ -9,26 +9,15 @@
<info>
<title>OpenStack command-line clients</title>
</info>
<xi:include href="section_cli_overview.xml"/>
<xi:include href="section_cli_install.xml"/>
<xi:include href="section_cli_version.xml"/>
<xi:include href="section_cli_openrc.xml"/>
<xi:include href="../../common/section_glance_cli_manage_images.xml"/>
<xi:include href="section_cli_configure_instances.xml"/>
<xi:include href="../../common/section_nova_cli_boot.xml"/>
<xi:include href="section_cli_manage_instances.xml"/>
<xi:include href="../../common/section_neutron_cli_manage_networks.xml"/>
<xi:include href="section_cli_heat.xml"/>
<xi:include href="section_cli_manage_volumes.xml"/>
</chapter>

View File

@ -11,14 +11,15 @@
</info>
<para>As a cloud end user, the OpenStack dashboard lets you to
provision your own resources within the limits set by
administrators. You can modify these examples to create other
administrators.</para><para>You can modify these examples to create other
types and sizes of server instances.</para>
<xi:include href="../../common/section_dashboard_access.xml"/>
<?hard-pagebreak?>
<xi:include href="../../common/section_dashboard_manage_images.xml"/>
<?hard-pagebreak?>
<!-- end user guide -->
<xi:include href="section_dashboard_access_and_security.xml"/>
<?hard-pagebreak?>
<?hard-pagebreak?>
<xi:include href="section_dashboard_launch_instances.xml"/>
<?hard-pagebreak?>
<xi:include href="section_dashboard_manage_instances.xml"/>
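Review bot: `<?hard-pagebreak?>` now appears twice in a row before `section_dashboard_launch_instances.xml`, which yields an empty page in PDF output; keep one. In the split paragraph, put `<para>You can modify these examples` on its own line rather than `</para><para>` mid-line, matching the rest of the file, and the first sentence reads "lets you to provision"; it should be "lets you provision".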

View File

@ -76,13 +76,13 @@
<section xml:id="create_import_keys">
<title>Add or import keypairs</title>
<procedure>
<title>To add or import keys</title>
<title>To add a key</title>
<para>You can generate a keypair or upload an existing
public key.</para>
<step>
<para>To generate a keypair, run the following
command:</para>
<screen><prompt>$</prompt> <userinput>nova keypair-add KEY_NAME > MY_KEY.pem</userinput></screen>
<screen><prompt>$</prompt> <userinput>nova keypair-add <replaceable>KEY_NAME</replaceable> > <replaceable>MY_KEY</replaceable>.pem</userinput></screen>
<para>The command generates a keypair named
<replaceable>KEY_NAME</replaceable>, writes
the private key to the
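Review bot: with the procedure retitled "To add a key" and the import step moved to its own procedure in the next hunk, the intro sentence "You can generate a keypair or upload an existing public key" describes both procedures but sits inside the first; move it above the `<procedure>` to section level. Wrapping `KEY_NAME` and `MY_KEY` in `<replaceable>` is the right change.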
@ -94,19 +94,19 @@
<para>To set the permissions of the
<filename><replaceable>MY_KEY</replaceable>.pem</filename>
file, run the following command:</para>
<screen><prompt>$</prompt> <userinput>chmod 600 MY_KEY.pem</userinput></screen>
<screen><prompt>$</prompt> <userinput>chmod 600 <replaceable>MY_KEY</replaceable>.pem</userinput></screen>
<para>The command changes the permissions of the
<filename><replaceable>MY_KEY</replaceable>.pem</filename>
file so that only you can read and write to
it.</para>
</step>
<step>
</step></procedure>
<procedure><title>To import a key</title> <step>
<para>If you have already generated a keypair with the
public key located at
<filename>~/.ssh/id_rsa.pub</filename>, run
the following command to upload the public
key:</para>
<screen><prompt>$</prompt> <userinput>nova keypair-add --pub_key ~/.ssh/id_rsa.pub KEY_NAME</userinput></screen>
<screen><prompt>$</prompt> <userinput>nova keypair-add --pub_key ~/.ssh/id_rsa.pub <replaceable>KEY_NAME</replaceable></userinput></screen>
<para>The command registers the public key at the Nova
database and names the keypair
<literal><replaceable>KEY_NAME</replaceable></literal>.</para>
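Review bot: `</step></procedure>` and `<procedure><title>To import a key</title> <step>` are crammed onto two lines; put each element on its own line, indented like the procedure above it, so the structure is visible to the next editor. Also "registers the public key at the Nova database" should be "in the Nova database". The `chmod 600` step is the important one in this section, since the generated `.pem` is the private half of the keypair; the text already says why the permissions matter, so keep that sentence when reflowing.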
@ -117,36 +117,30 @@
<screen><prompt>$</prompt> <userinput>nova keypair-list</userinput></screen>
</step>
</procedure>
</section>
<section xml:id="configure_security_groups_rules">
<title>Configure security groups and rules</title>
<procedure>
<title>To list security groups</title>
<title>To configure security groups</title>
<step>
<para>To list all security groups for the current
project, including descriptions, enter the
following command:</para>
<title>To list all security groups</title>
<para>To list security groups for the current project,
including descriptions, enter the following
command:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-list</userinput></screen>
</step>
</procedure>
<procedure>
<title>To create a security group</title>
<step>
<title>To create a security group</title>
<para>To create a security group with a specified name
and description, enter the following
command:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-create SEC_GROUP_NAME GROUP_DESCRIPTION</userinput></screen>
<screen><prompt>$</prompt> <userinput>nova secgroup-create <replaceable>SEC_GROUP_NAME</replaceable> <replaceable>GROUP_DESCRIPTION</replaceable></userinput></screen>
</step>
</procedure>
<procedure>
<title>To delete a security group</title>
<step>
<title>To delete a security group</title>
<para>To delete a specified group, enter the following
command:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-delete SEC_GROUP_NAME</userinput></screen>
<screen><prompt>$</prompt> <userinput>nova secgroup-delete <replaceable>SEC_GROUP_NAME</replaceable> </userinput></screen>
<note>
<para>You cannot delete the default security group
for a project. Also, you cannot delete a
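Review bot: `nova secgroup-delete <replaceable>SEC_GROUP_NAME</replaceable> </userinput>` has a trailing space inside `<userinput>`, which renders as a stray space at the end of the command; remove it. Moving the titles from `<procedure>` into `<step>` is applied consistently here, but each of these procedures now has exactly one step, so the step title duplicates the procedure title ("To create a security group" twice, "To delete a security group" twice); keep one of them.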
@ -164,89 +158,94 @@
details, see <xref linkend="cli_openrc"/>.</para>
</step>
<step>
<para>List the existing rules for a security group:
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules SEC_GROUP_NAME</userinput></screen></para>
<title>To list the rules for a security group</title>
<screen><prompt>$</prompt> <userinput>nova secgroup-list-rules <replaceable>SEC_GROUP_NAME</replaceable></userinput></screen>
</step>
<step>
<para>To allow SSH access to the instances, choose one
of the following sub-steps:</para>
<title>To allow SSH access to the instances</title>
<para>Choose one of the following sub-steps:</para>
<substeps>
<step xml:id="sec_group_rule_add">
<title>Add rule for all IP addresses</title>
<title wordsize="20">Add rule for all
IPs</title>
<para>Either from all IP addresses (specified
as IP subnet in CIDR notation as
0.0.0.0/0):</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule SEC_GROUP_NAME tcp 22 22 0.0.0.0/0</userinput></screen>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule <replaceable>SEC_GROUP_NAME</replaceable> tcp 22 22 0.0.0.0/0</userinput></screen>
</step>
<step xml:id="sec_group_rule_add_alt">
<title>Add rule for other security
<title wordsize="20">Add rule for security
groups</title>
<para>Alternatively, you can allow only IP
addresses from other security groups
(source groups) to access the specified
port:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule --ip_proto tcp --from_port 22 \
--to_port 22 SEC_GROUP_NAME SOURCE_GROUP_NAME</userinput></screen>
--to_port 22 <replaceable>SEC_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
</step>
</substeps>
</step>
<step>
<para>To allow pinging the instances, choose from one
of the following sub-steps:</para>
<title>To allow pinging the instances</title>
<para>Choose one of the following sub-steps:</para>
<substeps>
<step>
<para>Either from all IP addresses (specified
as IP subnet in CIDR notation as
0.0.0.0/0):</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule SEC_GROUP_NAME icmp -1 -1 0.0.0.0/0</userinput></screen>
<para>This command allows access to all codes
and all types of ICMP traffic,
respectively.</para>
<title wordsize="20">To allow pinging from
IPs</title>
<para>Specify all IP addresses as IP subnet in
CIDR notation:
<literal>0.0.0.0/0</literal>. This
command allows access to all codes and all
types of ICMP traffic,
respectively:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule <replaceable>SEC_GROUP_NAME</replaceable> icmp -1 -1 0.0.0.0/0</userinput></screen>
</step>
<step>
<para>Alternatively, you can allow only
members of other security groups (source
groups) to ping instances:</para>
<title wordsize="20">To allow pinging from
other security groups</title>
<para>To allow only members of other security
groups (source groups) to ping
instances:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule --ip_proto icmp --from_port -1 \
--to_port -1 SEC_GROUP_NAME SOURCE_GROUP_NAME</userinput></screen>
--to_port -1 <replaceable>SEC_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
</step>
</substeps>
</step>
<step>
<para>To allow access through UDP port, such as
<title>To allow access through UDP port</title>
<para>To allow access through a UDP port, such as
allowing access to a DNS server that runs on a VM,
complete one of the following sub-steps:</para>
<substeps>
<step>
<para>Either from all IP addresses (specified
as IP subnet in CIDR notation as
0.0.0.0/0):
<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule SEC_GROUP_NAME udp 53 53 0.0.0.0/0</userinput></screen></para>
<title>To allow UDP access from IPs</title>
<para>Specify all IP addresses as IP subnet in
CIDR notation:
<literal>0.0.0.0/0</literal>.<screen><prompt>$</prompt> <userinput>nova secgroup-add-rule SEC_GROUP_NAME udp 53 53 0.0.0.0/0</userinput></screen></para>
</step>
<step>
<para>Alternatively, you can allow only IP
addresses from other security groups
(source groups) to access the specified
port:
<title>To allow UDP access</title>
<para>To allow only IP addresses from other
security groups (source groups) to access
the specified port:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-add-group-rule --ip_proto udp --from_port 53 \
--to_port 53 SEC_GROUP_NAME SOURCE_GROUP_NAME</userinput></screen></para>
--to_port 53 <replaceable>SEC_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
</step>
</substeps>
</step>
<step>
<para>To delete security group rules, you must specify
the same arguments that you used to create the
<para>To delete a security group rule, specify the
same arguments that you used to create the
rule.</para>
<para>To delete the security rule that you created in
<xref linkend="sec_group_rule_add"/>:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-delete-rule SEC_GROUP_NAME tcp 22 22 0.0.0.0/0</userinput></screen>
<screen><prompt>$</prompt> <userinput>nova secgroup-delete-rule <replaceable>SEC_GROUP_NAME</replaceable> tcp 22 22 0.0.0.0/0</userinput></screen>
<para>To delete the security rule that you created in
<xref linkend="sec_group_rule_add_alt"
/>:</para>
<screen><prompt>$</prompt> <userinput>nova secgroup-delete-group-rule --ip_proto tcp --from_port 22 \
--to_port 22 SEC_GROUP_NAME SOURCE_GROUP_NAME</userinput></screen>
--to_port 22 <replaceable>SEC_GROUP_NAME</replaceable> <replaceable>SOURCE_GROUP_NAME</replaceable></userinput></screen>
</step>
</procedure>
</section>
</section>
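Review bot: the UDP "from IPs" sub-step is inconsistent with its siblings: `SEC_GROUP_NAME` is left bare instead of `<replaceable>SEC_GROUP_NAME</replaceable>`, and the `<screen>` is nested inside the `<para>` after the full stop rather than following it as in the SSH and ICMP sub-steps. Its neighbour's title, "To allow UDP access", should be "To allow UDP access from other security groups" to match "To allow pinging from other security groups". Since every "from IPs" sub-step opens the port to `0.0.0.0/0`, add one sentence noting that this admits every source address and that a narrower CIDR (the administrators' network) or the source-group form in the alternate sub-step is the safer choice, especially for SSH; the delete-rule note that the same arguments must be supplied is correct as written.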