Add instructions for "normal" user creation

Added instructions for adding a "normal" user named "demo" with access to the dashboard but no administrative functions. Restructured the section into procedures to support this and make the task split clearer. Change-Id: Iebfec133e44447fad2149ea815c749468b57c763 Closes-Bug: #1266391
2014-03-08 15:47:36 -05:00 · 2014-03-08 15:47:36 -05:00 · 4d9e25e91c
commit 4d9e25e91c
parent 90e0d73187
1 changed files with 121 additions and 36 deletions
--- a/doc/install-guide/section_keystone-users.xml
+++ b/doc/install-guide/section_keystone-users.xml
@ -26,41 +26,126 @@
        <userinput><replaceable>ADMIN_TOKEN</replaceable></userinput>
    with your authorization token.</para>

-  <screen><prompt>#</prompt> <userinput>export OS_SERVICE_TOKEN=<replaceable>ADMIN_TOKEN</replaceable></userinput>
-<prompt>#</prompt> <userinput>export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0</userinput></screen>
-
-  <para>First, create a tenant for an administrative user and a tenant
-  for other OpenStack services to use.</para>
-
-  <screen><prompt>#</prompt> <userinput>keystone tenant-create --name=admin --description="Admin Tenant"</userinput>
-<prompt>#</prompt> <userinput>keystone tenant-create --name=service --description="Service Tenant"</userinput></screen>
-
-  <para>Next, create an administrative user called <literal>admin</literal>.
-  Choose a password for the <literal>admin</literal> user and specify an
-  email address for the account.</para>
-
-  <screen><prompt>#</prompt> <userinput>keystone user-create --name=admin --pass=<replaceable>ADMIN_PASS</replaceable> \
-   --email=<replaceable>admin@example.com</replaceable></userinput></screen>
-
-  <para>Create a role for administrative tasks called <literal>admin</literal>.
-  Any roles you create should map to roles specified in the
-  <filename>policy.json</filename> files of the various OpenStack services.
-  The default policy files use the <literal>admin</literal> role to allow
-  access to most services.</para>
-
-  <screen><prompt>#</prompt> <userinput>keystone role-create --name=admin</userinput></screen>
-
-  <para>Now, you have to add roles to users. Users always log in with
-  a tenant, and roles are assigned to users within tenants. Add the
-  <literal>admin</literal> role to the <literal>admin</literal> user when
-  logging in with the <literal>admin</literal> tenant.</para>
-
-  <screen><prompt>#</prompt> <userinput>keystone user-role-add --user=admin --tenant=admin --role=admin</userinput></screen>
-
-  <para>
-    Add the <literal>_member_</literal> role to the <literal>admin</literal>
-    user. This is a special role that grants access to the OpenStack Dashboard.
-  </para>
-  <screen><prompt>#</prompt> <userinput>keystone user-role-add --user=admin --tenant=admin --role=_member_</userinput></screen>
+  <screen><prompt>$</prompt> <userinput>export OS_SERVICE_TOKEN=<replaceable>ADMIN_TOKEN</replaceable></userinput>
+<prompt>$</prompt> <userinput>export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0</userinput></screen>

+  <procedure>
+    <title>Create an administrative user</title>
+    <para>
+      Follow these steps to create an administrative user, role, and
+      tenant. You will use this account for administrative interaction
+      with the OpenStack cloud.
+    </para>
+    <para>
+      By default, the Identity Service creates a special
+      <literal>_member_</literal> role. The OpenStack dashboard
+      automatically grants access to users with this role. You will
+      give the <literal>admin</literal> user access to this role in
+      addition to the <literal>admin</literal> role.
+    </para>
+    <note>
+      <para>
+        Any role that you create must map to roles specified in the
+        <filename>policy.json</filename> file included with each OpenStack
+        service. The default policy file for most services grants
+        administrative access to the <literal>admin</literal> role.
+      </para>
+    </note>
+    <step>
+      <para>
+        Create the <literal>admin</literal> user:
+      </para>
+      <screen><prompt>$</prompt> <userinput>keystone user-create --name=admin --pass=<replaceable>ADMIN_PASS</replaceable> --email=<replaceable>ADMIN_EMAIL</replaceable></userinput></screen>
+      <para>
+        Replace <replaceable>ADMIN_PASS</replaceable> with a secure password
+        and replace <replaceable>ADMIN_EMAIL</replaceable> with an email
+        address to associate with the account.
+      </para>
+    </step>
+    <step>
+      <para>
+        Create the <literal>admin</literal> role:
+      </para>
+      <screen><prompt>$</prompt> <userinput>keystone role-create --name=admin</userinput></screen>
+    </step>
+    <step>
+      <para>
+        Create the <literal>admin</literal> tenant:
+      </para>
+      <screen><prompt>$</prompt> <userinput>keystone tenant-create --name=admin --description="Admin Tenant"</userinput></screen>
+    </step>
+    <step>
+      <para>
+        You must now link the <literal>admin</literal> user,
+        <literal>admin</literal> role, and <literal>admin</literal> tenant
+        together using the <option>user-role-add</option> option:
+      </para>
+      <screen><prompt>$</prompt> <userinput>keystone user-role-add --user=admin --tenant=admin --role=admin</userinput></screen>
+    </step>
+    <step>
+      <para>
+        Link the <literal>admin</literal> user,
+        <literal>_member_</literal> role, and <literal>admin</literal> tenant:
+      </para>
+      <screen><prompt>$</prompt> <userinput>keystone user-role-add --user=admin --role=_member_ --tenant=admin</userinput></screen>
+    </step>
+  </procedure>
+  <procedure>
+    <title>Create a normal user</title>
+    <para>
+      Follow these steps to create a normal user and tenant, and link
+      them to the special <literal>_member_</literal> role. You will
+      use this account for daily non-administrative interaction with
+      the OpenStack cloud. You can also repeat this procedure to create
+      additional cloud users with different usernames and passwords.
+      Skip the tenant creation step when creating these users.
+    </para>
+    <step>
+      <para>
+        Create the <literal>demo</literal> user:
+      </para>
+      <screen><prompt>$</prompt> <userinput>keystone user-create --name=demo --pass=<replaceable>DEMO_PASS</replaceable> --email=<replaceable>DEMO_EMAIL</replaceable></userinput></screen>
+      <para>
+        Replace <replaceable>DEMO_PASS</replaceable> with a secure password
+        and replace <replaceable>DEMO_EMAIL</replaceable> with an email
+        address to associate with the account.
+      </para>
+    </step>
+    <step>
+      <para>
+        Create the <literal>demo</literal> tenant:
+      </para>
+      <screen><prompt>$</prompt> <userinput>keystone tenant-create --name=demo --description="Demo Tenant"</userinput></screen>
+      <note>
+        <para>
+          Do not repeat this step when adding additional users.
+        </para>
+      </note>
+    </step>
+    <step>
+      <para>
+        Link the <literal>demo</literal> user, <literal>_member_</literal> role,
+        and <literal>demo</literal> tenant:
+      </para>
+      <screen><prompt>$</prompt> <userinput>keystone user-role-add --user=demo --role=_member_ --tenant=demo</userinput></screen>
+    </step>
+  </procedure>
+  <procedure>
+    <title>Create a <literal>service</literal> tenant</title>
+    <para>
+      OpenStack services also require a username, tenant, and role to access
+      other OpenStack services. In a basic installation, OpenStack services
+      typically share a single tenant named <literal>service</literal>.
+    </para>
+    <para>
+      You will create additional usernames and roles under this tenant as you
+      install and configure each service.
+    </para>
+    <step>
+      <para>
+        Create the <literal>service</literal> tenant:
+      </para>
+      <screen><prompt>$</prompt> <userinput>keystone tenant-create --name=service --description="Service Tenant"</userinput></screen>
+    </step>
+  </procedure>
 </section>