[install-guide] add keystone-users section

Just an rst conversion
section_keystone-users.xml

Updated to correct syntax errors
Second update to correct additional syntax errors
Third update to correct syntax errors
Fourth update in response to reviewer comment;
additional formatting tweaks
Reverting a heading 2 entry to comply with standards
Added glossary tags to four terms, corrected spacing

Change-Id: I203790b309daf6253d171f793327ff574b4b63fa
Implements: blueprint installguide-liberty
Harry Sutton 2015-07-24 11:08:03 -04:00
parent 0be7a36f05
commit c0b15a04c1

@ -1,3 +1,179 @@
=================================
Create projects, users, and roles
=================================
The Identity service provides authentication services for each OpenStack
service. The authentication service uses a combination of :term:`domains
<domain>`, :term:`projects<project>` (tenants), :term:`users<user>`, and
:term:`roles<role>`.
.. note::
For simplicity, this guide implicitly uses the ``default`` domain.
.. only:: debian
.. note::
The packages can automatically create the service entity and API
endpoint.
To create tenants, users, and roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#. Create an administrative project, user, and role for administrative
operations in your environment:
a. Create the ``admin`` project:
.. code-block:: console
$ openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| enabled | True |
| id | cf12a15c5ea84b019aec3dc45580896b |
| name | admin |
+-------------+----------------------------------+
.. note::
OpenStack generates IDs dynamically, so you will see different
values in the example command output.
b. Create the ``admin`` user:
.. code-block:: console
$ openstack user create --password-prompt admin
User Password:
Repeat User Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| email | None |
| enabled | True |
| id | 4d411f2291f34941b30eef9bd797505a |
| name | admin |
| username | admin |
+------------+----------------------------------+
c. Create the ``admin`` role:
.. code-block:: console
$ openstack role create admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin |
+-------+----------------------------------+
d. Add the ``admin`` role to the ``admin`` project and user:
.. code-block:: console
$ openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin |
+-------+----------------------------------+
.. note::
Any roles that you create must map to roles specified in the
:file:`policy.json` file in the configuration file directory of each
OpenStack service. The default policy for most services grants
administrative access to the ``admin`` role. For more information,
see the `Operations Guide - Managing Projects and
Users <http://docs.openstack.org/openstack-ops/content/projects_users.html>`__.
#. This guide uses a service project that contains a unique user for each
service that you add to your environment.
a. Create the ``service`` project:
.. code-block:: console
$ openstack project create --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| enabled | True |
| id | 55cbd79c0c014c8a95534ebd16213ca1 |
| name | service |
+-------------+----------------------------------+
#. Regular (non-admin) tasks should use an unprivileged project and user.
As an example, this guide creates the ``demo`` project and user.
a. Create the ``demo`` project:
.. code-block:: console
$ openstack project create --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| enabled | True |
| id | ab8ea576c0574b6092bb99150449b2d3 |
| name | demo |
+-------------+----------------------------------+
.. note::
Do not repeat this step when creating additional users for this
project.
b. Create the ``demo`` user:
.. code-block:: console
$ openstack user create --password-prompt demo
User Password:
Repeat User Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| email | None |
| enabled | True |
| id | 3a81e6c8103b46709ef8d141308d4c72 |
| name | demo |
| username | demo |
+------------+----------------------------------+
c. Create the ``user`` role:
.. code-block:: console
$ openstack role create user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 9fe2ff9ee4384b1894a90878d3e92bab |
| name | user |
+-------+----------------------------------+
d. Add the ``user`` role to the ``demo`` project and user:
.. code-block:: console
$ openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 9fe2ff9ee4384b1894a90878d3e92bab |
| name | user |
+-------+----------------------------------+
.. note::
You can repeat this procedure to create additional projects and
users.
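
Review bot: The policy.json note after step 1d says that any role you create must map to a role in each service's policy file, but step 3c creates the "user" role without saying what it maps to. Either state the policy mapping for "user" at step 3c or move the note to the end of the procedure so it visibly covers both roles. The procedure heading "To create tenants, users, and roles" says "tenants" while the section title and every step say "projects"; rename it to match. The ".. only:: debian" note refers to the service entity and API endpoint, which this section does not create, so check whether it belongs in the service entity section instead. Step 2 has only one lettered sub-step; fold "Create the service project" into the step text rather than keeping a one-item sub-list.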