From 4d9e25e91cd38ab26952ec09067d799ff2154ffd Mon Sep 17 00:00:00 2001
From: Stephen Gordon
Date: Sat, 8 Mar 2014 15:47:36 -0500
Subject: [PATCH] Add instructions for "normal" user creation

Added instructions for adding a "normal" user named "demo" with access to the dashboard but no administrative functions. Restructured the section into procedures to support this and make the task split clearer.

Change-Id: Iebfec133e44447fad2149ea815c749468b57c763
Closes-Bug: #1266391
---
doc/install-guide/section_keystone-users.xml | 157 ++++++++++++++-----
1 file changed, 121 insertions(+), 36 deletions(-)

diff --git a/doc/install-guide/section_keystone-users.xml b/doc/install-guide/section_keystone-users.xml
index b5c19ae905..3d4a95d815 100644
--- a/doc/install-guide/section_keystone-users.xml
+++ b/doc/install-guide/section_keystone-users.xml
@@ -26,41 +26,126 @@ ADMIN_TOKEN with your authorization token. - # export OS_SERVICE_TOKEN=ADMIN_TOKEN -# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0 - - First, create a tenant for an administrative user and a tenant - for other OpenStack services to use. - - # keystone tenant-create --name=admin --description="Admin Tenant" -# keystone tenant-create --name=service --description="Service Tenant" - - Next, create an administrative user called admin. - Choose a password for the admin user and specify an - email address for the account. - - # keystone user-create --name=admin --pass=ADMIN_PASS \ - --email=admin@example.com - - Create a role for administrative tasks called admin. - Any roles you create should map to roles specified in the - policy.json files of the various OpenStack services. - The default policy files use the admin role to allow - access to most services. - - # keystone role-create --name=admin - - Now, you have to add roles to users. Users always log in with - a tenant, and roles are assigned to users within tenants. Add the - admin role to the admin user when - logging in with the admin tenant. - - # keystone user-role-add --user=admin --tenant=admin --role=admin - - - Add the _member_ role to the admin - user. This is a special role that grants access to the OpenStack Dashboard. - - # keystone user-role-add --user=admin --tenant=admin --role=_member_ + $ export OS_SERVICE_TOKEN=ADMIN_TOKEN +$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0 + + Create an administrative user + + Follow these steps to create an administrative user, role, and + tenant. You will use this account for administrative interaction + with the OpenStack cloud. + + + By default, the Identity Service creates a special + _member_ role. The OpenStack dashboard + automatically grants access to users with this role. You will + give the admin user access to this role in + addition to the admin role. 
+ + + + Any role that you create must map to roles specified in the + policy.json file included with each OpenStack + service. The default policy file for most services grants + administrative access to the admin role. + + + + + Create the admin user: + + $ keystone user-create --name=admin --pass=ADMIN_PASS --email=ADMIN_EMAIL + + Replace ADMIN_PASS with a secure password + and replace ADMIN_EMAIL with an email + address to associate with the account. + + + + + Create the admin role: + + $ keystone role-create --name=admin + + + + Create the admin tenant: + + $ keystone tenant-create --name=admin --description="Admin Tenant" + + + + You must now link the admin user, + admin role, and admin tenant + together using the option: + + $ keystone user-role-add --user=admin --tenant=admin --role=admin + + + + Link the admin user, + _member_ role, and admin tenant: + + $ keystone user-role-add --user=admin --role=_member_ --tenant=admin + + + + Create a normal user + + Follow these steps to create a normal user and tenant, and link + them to the special _member_ role. You will + use this account for daily non-administrative interaction with + the OpenStack cloud. You can also repeat this procedure to create + additional cloud users with different usernames and passwords. + Skip the tenant creation step when creating these users. + + + + Create the demo user: + + $ keystone user-create --name=demo --pass=DEMO_PASS --email=DEMO_EMAIL + + Replace DEMO_PASS with a secure password + and replace DEMO_EMAIL with an email + address to associate with the account. + + + + + Create the demo tenant: + + $ keystone tenant-create --name=demo --description="Demo Tenant" + + + Do not repeat this step when adding additional users. 
+ + + + + + Link the demo user, _member_ role, + and demo tenant: + + $ keystone user-role-add --user=demo --role=_member_ --tenant=demo + + + + Create a <literal>service</literal> tenant + + OpenStack services also require a username, tenant, and role to access + other OpenStack services. In a basic installation, OpenStack services + typically share a single tenant named service. + + + You will create additional usernames and roles under this tenant as you + install and configure each service. + + + + Create the service tenant: + + $ keystone tenant-create --name=service --description="Service Tenant" + +