Merge "[install-guide] convert keystone chapter to RST"

Jenkins 2015-07-16 13:28:12 +00:00 committed by Gerrit Code Review
commit 686f096829
6 changed files with 280 additions and 0 deletions

@ -0,0 +1,3 @@
=====================
Install and configure
=====================
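
Review bot: this file is only the title "Install and configure" with no body, and the same is true of the "Create the service entity and API endpoint" and "Create projects, users, and roles" files, while the toctree change lists keystone-install.rst, keystone-services.rst and keystone-users.rst. If the content lands in a follow-up change, say so in the commit message or add a placeholder comment in each file, so the built guide does not publish three empty pages without explanation.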

@ -0,0 +1,80 @@
===========================================
Create OpenStack client environment scripts
===========================================
The previous section used a combination of environment variables and
command options to interact with the Identity service via the
:command:`openstack` client. To increase efficiency of client
operations, OpenStack supports simple client environment scripts also
known as OpenRC files. These scripts typically contain common options for
all clients, but also support unique options. For more information, see the
`OpenStack User Guide <http://docs.openstack.org/user-guide/common/
cli_set_environment_variables_using_openstack_rc.html>`__.
To create the scripts
~~~~~~~~~~~~~~~~~~~~~
Create client environment scripts for the ``admin`` and ``demo``
projects and users. Future portions of this guide reference these
scripts to load appropriate credentials for client operations.
#. Edit the :file:`admin-openrc.sh` file and add the following content:
.. code-block:: bash
:linenos:
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
Replace ``ADMIN_PASS`` with the password you chose
for the ``admin`` user in the Identity service.
#. Edit the :file:`demo-openrc.sh` file and add the following content:
.. code-block:: bash
:linenos:
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
Replace ``DEMO_PASS`` with the password you chose
for the ``demo`` user in the Identity service.
To load client environment scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To run clients as a specific project and user, you can simply load
the associated client environment script prior to running them.
For example:
#. Load the :file:`admin-openrc.sh` file to populate
environment variables with the location of the Identity service
and the ``admin`` project and user credentials:
.. code-block:: console
$ source admin-openrc.sh
#. Request an authentication token:
.. code-block:: console
$ openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-25T01:45:49.950092Z |
| id | cd4110152ac24bdeaa82e1443c910c36 |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+
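
Review bot: admin-openrc.sh and demo-openrc.sh store OS_PASSWORD in clear text, and the steps that create them say nothing about who can read the files. Suggest adding a sentence after each "Replace ..." paragraph telling the reader to restrict the file to its owner (for example mode 600) and to keep it out of shared directories and version control. Both OS_AUTH_URL values also use http://, so the password and the issued token cross the network unencrypted; the page should either state the assumption that makes this acceptable or point to the TLS configuration.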

@ -0,0 +1,3 @@
==========================================
Create the service entity and API endpoint
==========================================

@ -0,0 +1,3 @@
=================================
Create projects, users, and roles
=================================
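
Review bot: the "Verify operation" file in this same change points readers to :doc:`keystone-users` for the projects, users and role they created (steps 5 to 7), but this file has only a title. Until the body is converted those cross-references resolve to an empty page; either land the content together with the verify steps or hold the references back.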

@ -0,0 +1,182 @@
================
Verify operation
================
Verify operation of the Identity service before installing other
services.
.. only:: obs or ubuntu
1. For security reasons, disable the temporary authentication
token mechanism:
Edit the :file:`/etc/keystone/keystone-paste.ini`
file and remove ``admin_token_auth`` from the
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
and ``[pipeline:api_v3]`` sections.
.. only:: rdo
1. For security reasons, disable the temporary authentication
token mechanism:
Edit the :file:`/usr/share/keystone/keystone-dist-paste.ini`
file and remove ``admin_token_auth`` from the
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
and ``[pipeline:api_v3]`` sections.
2. Unset the temporary ``OS_TOKEN`` and ``OS_URL`` environment variables:
.. code-block:: console
$ unset OS_TOKEN OS_URL
3. As the ``admin`` user, request an authentication token from
the Identity version 2.0 API:
.. code-block:: console
$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+
.. note::
This command uses the password for the ``admin`` user.
4. The Identity version 3 API adds support for domains that contain
projects and users. Projects and users can use the same names in
different domains. Therefore, in order to use the version 3 API,
requests must also explicitly contain at least the ``default``
domain or use IDs. For simplicity, this guide explicitly uses
the ``default`` domain so examples can use names instead of IDs.
.. code-block:: console
$ openstack --os-auth-url http://controller:35357 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+
.. note::
This command uses the password for the ``admin`` user.
5. As the ``admin`` user, list projects to verify that the
``admin`` user can execute admin-only CLI commands and
that the Identity service contains the projects that you
created in :doc:`keystone-users`:
.. code-block:: console
$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password project list
Password:
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 55cbd79c0c014c8a95534ebd16213ca1 | service |
| ab8ea576c0574b6092bb99150449b2d3 | demo |
| cf12a15c5ea84b019aec3dc45580896b | admin |
+----------------------------------+---------+
.. note::
This command uses the password for the ``admin`` user.
6. As the ``admin`` user, list users to verify that the Identity service
contains the users that you created in :doc:`keystone-users`:
.. code-block:: console
$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password user list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4d411f2291f34941b30eef9bd797505a | admin |
| 3a81e6c8103b46709ef8d141308d4c72 | demo |
+----------------------------------+-------+
.. note::
This command uses the password for the ``admin`` user.
7. As the ``admin`` user, list roles to verify that the Identity service
contains the role that you created in :doc:`keystone-users`:
.. code-block:: console
$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password role list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 9fe2ff9ee4384b1894a90878d3e92bab | user |
| cd2cb9a39e874ea69e5d4b896eb16128 | admin |
+----------------------------------+-------+
.. note::
This command uses the password for the ``admin`` user.
8. As the ``demo`` user, request an authentication token from
the Identity version 3 API:
.. code-block:: console
$ openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue
Password:
+------------+----------------------------------+
| Property | Value |
+------------+----------------------------------+
| expires | 2014-10-10T12:51:33Z |
| id | 1b87ceae9e08411ba4a16e4dada04802 |
| project_id | 4aa51bb942be4dd0ac0555d7591f80a6 |
| user_id | 7004dfa0dda84d63aef81cf7f100af01 |
+------------+----------------------------------+
.. note::
This command uses the password for the ``demo``
user and API port 5000 which only allows regular (non-admin)
access to the Identity service API.
9. As the ``demo`` user, attempt to list users
to verify that it cannot execute admin-only CLI commands:
.. code-block:: console
$ openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo \
--os-auth-type password user list
Password:
ERROR: openstack You are not authorized to perform the
requested action, admin_required. (HTTP 403)
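
Review bot: step 1 removes admin_token_auth "for security reasons", but none of steps 2 to 9 checks that the temporary token is actually refused afterwards; they only show that password authentication works. Suggest adding a step after the unset that confirms a request presenting the old token now fails, and stating whether the Identity service must be restarted for the paste pipeline edit to take effect. Separately, the sample output in step 8 looks stale: its header is "Property" where the other token tables use "Field", and its project_id and user_id do not match the demo entries listed in steps 5 and 6.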

@ -1,3 +1,12 @@
========================
Add the Identity service
========================
.. toctree::
common/get_started_identity.rst
keystone-install.rst
keystone-services.rst
keystone-users.rst
keystone-verify.rst
keystone-openrc.rst
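
Review bot: the toctree entries carry the .rst suffix (keystone-install.rst and so on), while the :doc: references in the verify file use the bare document name keystone-users. Listing the entries here without the suffix would keep document names consistent across the chapter.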