diff --git a/doc/common/get-started-identity.rst b/doc/common/get-started-identity.rst index c901bf3a7a..a1d13ea925 100644 --- a/doc/common/get-started-identity.rst +++ b/doc/common/get-started-identity.rst 
@@ -3,16 +3,34 @@ Identity service overview ========================= The OpenStack :term:`Identity service` provides a single point of -integration for managing authentication, authorization, and service catalog -services. Other OpenStack services use the Identity service as a common -unified API. Additionally, services that provide information about users -but that are not included in OpenStack (such as LDAP services) can be -integrated into a pre-existing infrastructure. +integration for managing authentication, authorization, and a catalog of +services. -In order to benefit from the Identity service, other OpenStack services need to -collaborate with it. When an OpenStack service receives a request from a user, -it checks with the Identity service whether the user is authorized to make the -request. +The Identity service is typically the first service a user interacts with. Once +authenticated, an end user can use their identity to access other OpenStack +services. Likewise, other OpenStack services leverage the Identity service to +ensure users are who they say they are and discover where other services are +within the deployment. The Identity service can also integrate with some +external user management systems (such as LDAP). + +Users and services can locate other services by using the service catalog, +which is managed by the Identity service. As the name implies, a service +catalog is a collection of available services in an OpenStack deployment. Each +service can have one or many endpoints and each endpoint can be one of three +types: admin, internal, and public. In a production environment, different +endpoint types might reside on separate networks exposed to different types of +users for security reasons. For instance, the public API network might be +visible from the Internet so customers can manage their clouds. The admin API +network might be restricted to operators within the organization that manages +cloud infrastructure. 
The internal API network might be restricted to the hosts +that contain OpenStack services. Also, OpenStack supports multiple regions for +scalability. For simplicity, this guide uses the management network for all +endpoint types and the default ``RegionOne`` region. Together, regions, +services, and endpoints created within the Identity service comprise the +service catalog for a deployment. Each OpenStack service in your deployment +needs a service entry with corresponding endpoints stored in the Identity +service. This can all be done after the Identity service has been installed and +configured. The Identity service contains these components: @@ -34,8 +52,3 @@ Modules to the centralized server for authorization. The integration between the middleware modules and OpenStack components uses the Python Web Server Gateway Interface. - -When installing OpenStack Identity service, you must register each -service in your OpenStack installation. Identity service can then track -which OpenStack services are installed, and where they are located on -the network. diff --git a/doc/install-guide-debconf/source/keystone-services.rst b/doc/install-guide-debconf/source/keystone-services.rst deleted file mode 120000 index 8f8328e05e..0000000000 --- a/doc/install-guide-debconf/source/keystone-services.rst +++ /dev/null @@ -1 +0,0 @@ -../../install-guide/source/keystone-services.rst \ No newline at end of file diff --git a/doc/install-guide/source/keystone-install.rst b/doc/install-guide/source/keystone-install.rst index 3b6068e279..1e461dd680 100644 --- a/doc/install-guide/source/keystone-install.rst +++ b/doc/install-guide/source/keystone-install.rst 
@@ -335,3 +335,21 @@ Install and configure components # systemctl enable apache2.service # systemctl start apache2.service + +6. Configure the administrative account + + .. code-block:: console + + $ export OS_USERNAME=admin + $ export OS_PASSWORD=ADMIN_PASSWORD + $ export OS_PROJECT_NAME=admin + $ export OS_USER_DOMAIN_NAME=Default + $ export OS_PROJECT_DOMAIN_NAME=Default + $ export OS_AUTH_URL=http://controller:35357/v3 + $ export OS_IDENTITY_API_VERSION=3 + + .. only:: obs or rdo or ubuntu + + Replace ``ADMIN_PASSWORD`` with the password used in the + ``keystone-manage bootstrap`` command from the section called + :ref:`keystone-install`. diff --git a/doc/install-guide/source/keystone-services.rst b/doc/install-guide/source/keystone-services.rst deleted file mode 100644 index 87fbab5aad..0000000000 --- a/doc/install-guide/source/keystone-services.rst +++ /dev/null 
@@ -1,176 +0,0 @@ -Create the service entity and API endpoints -~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ - -The Identity service provides a catalog of services and their locations. -Each service that you add to your OpenStack environment requires a -:term:`service` entity and several :term:`API endpoints` -in the catalog. - -Prerequisites -------------- - -.. only:: obs or rdo or ubuntu - - By default, the Identity service database contains no information to - support conventional authentication and catalog services. You must use a - temporary authentication token that you created in the section called - :doc:`keystone-install` to initialize the service entity and API endpoint - for the Identity service. - -.. only:: debian - - .. note:: - - The packages can automatically create the service entity and API - endpoints. - -You must pass the value of the authentication token to the :command:`openstack` -command with the ``--os-token`` parameter or set the OS_TOKEN -environment variable. Similarly, you must also pass the value of the -Identity service URL to the :command:`openstack` command with the ``--os-url`` -parameter or set the OS_URL environment variable. This guide uses -environment variables to reduce command length. - -.. warning:: - - For security reasons, do not use the temporary authentication token - for longer than necessary to initialize the Identity service. - -#. Configure the authentication token: - - .. code-block:: console - - $ export OS_TOKEN=ADMIN_TOKEN - - .. only:: obs or rdo or ubuntu - - Replace ``ADMIN_TOKEN`` with the authentication token that you - generated in the section called :doc:`keystone-install`. - For example: - - .. code-block:: console - - $ export OS_TOKEN=294a4c8a8a475f9b9836 - -#. Configure the endpoint URL: - - .. code-block:: console - - $ export OS_URL=http://controller:35357/v3 - - .. only:: debian - - .. note:: - - The packages can automatically create the service entity and API - endpoint. - -#. 
Configure the Identity API version: - - .. code-block:: console - - $ export OS_IDENTITY_API_VERSION=3 - -Create the service entity and API endpoints -------------------------------------------- - -#. The Identity service manages a catalog of services in your OpenStack - environment. Services use this catalog to determine the other services - available in your environment. - - Create the service entity for the Identity service: - - .. code-block:: console - - $ openstack service create \ - --name keystone --description "OpenStack Identity" identity - +-------------+----------------------------------+ - | Field | Value | - +-------------+----------------------------------+ - | description | OpenStack Identity | - | enabled | True | - | id | 4ddaae90388b4ebc9d252ec2252d8d10 | - | name | keystone | - | type | identity | - +-------------+----------------------------------+ - - .. note:: - - OpenStack generates IDs dynamically, so you will see different - values in the example command output. - -#. The Identity service manages a catalog of API endpoints associated with - the services in your OpenStack environment. Services use this catalog to - determine how to communicate with other services in your environment. - - OpenStack uses three API endpoint variants for each service: admin, - internal, and public. The admin API endpoint allows modifying users and - projects by default, while the public and internal APIs do not allow these - operations. In a production environment, the variants might reside on - separate networks that service different types of users for security - reasons. For instance, the public API network might be visible from the - Internet so customers can manage their clouds. The admin API network - might be restricted to operators within the organization that manages - cloud infrastructure. The internal API network might be restricted to - the hosts that contain OpenStack services. Also, OpenStack supports - multiple regions for scalability. 
For simplicity, this guide uses the - management network for all endpoint variations and the default - ``RegionOne`` region. - - Create the Identity service API endpoints: - - .. code-block:: console - - $ openstack endpoint create --region RegionOne \ - identity public http://controller:5000/v3 - +--------------+----------------------------------+ - | Field | Value | - +--------------+----------------------------------+ - | enabled | True | - | id | 30fff543e7dc4b7d9a0fb13791b78bf4 | - | interface | public | - | region | RegionOne | - | region_id | RegionOne | - | service_id | 4ddaae90388b4ebc9d252ec2252d8d10 | - | service_name | keystone | - | service_type | identity | - | url | http://controller:5000/v3 | - +--------------+----------------------------------+ - - $ openstack endpoint create --region RegionOne \ - identity internal http://controller:5000/v3 - +--------------+----------------------------------+ - | Field | Value | - +--------------+----------------------------------+ - | enabled | True | - | id | 57cfa543e7dc4b712c0ab137911bc4fe | - | interface | internal | - | region | RegionOne | - | region_id | RegionOne | - | service_id | 4ddaae90388b4ebc9d252ec2252d8d10 | - | service_name | keystone | - | service_type | identity | - | url | http://controller:5000/v3 | - +--------------+----------------------------------+ - - $ openstack endpoint create --region RegionOne \ - identity admin http://controller:35357/v3 - +--------------+----------------------------------+ - | Field | Value | - +--------------+----------------------------------+ - | enabled | True | - | id | 78c3dfa3e7dc44c98ab1b1379122ecb1 | - | interface | admin | - | region | RegionOne | - | region_id | RegionOne | - | service_id | 4ddaae90388b4ebc9d252ec2252d8d10 | - | service_name | keystone | - | service_type | identity | - | url | http://controller:35357/v3 | - +--------------+----------------------------------+ - - .. 
note:: - - Each service that you add to your OpenStack environment requires one - or more service entities and three API endpoint variants in the Identity - service. diff --git a/doc/install-guide/source/keystone.rst b/doc/install-guide/source/keystone.rst index f926e2b485..e76dd46d0c 100644 --- a/doc/install-guide/source/keystone.rst +++ b/doc/install-guide/source/keystone.rst @@ -6,7 +6,6 @@ Identity service common/get-started-identity.rst keystone-install.rst - keystone-services.rst keystone-users.rst keystone-verify.rst keystone-openrc.rst
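Review bot: in the get-started-identity.rst hunk at ``@@ -3,16 +3,34 @@``, the added sentence "For simplicity, this guide uses the management network for all endpoint types and the default ``RegionOne`` region" is install-guide-specific text in a shared file (doc/common/get-started-identity.rst is pulled in from doc/install-guide/source/keystone.rst as ``common/get-started-identity.rst``), so "this guide" has no referent in any other document that includes the overview; move that sentence into keystone-install.rst or reword it neutrally. The same hunk also drops the security rationale the deleted keystone-services.rst gave for separating networks ("The admin API endpoint allows modifying users and projects by default, while the public and internal APIs do not allow these operations"); the overview now says only "for security reasons", so consider carrying that sentence over, since it is the reason the admin endpoint belongs on a restricted network.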
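Review bot: the deletion of the doc/install-guide-debconf/source/keystone-services.rst symlink is not matched by a toctree change in the debconf guide; only doc/install-guide/source/keystone.rst has its ``keystone-services.rst`` entry removed in this patch, so check that whatever toctree the debconf build uses no longer lists that document, or Sphinx will warn about a missing file.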
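Review bot: in the keystone-install.rst hunk at ``@@ -335,3 +335,21 @@``, the explanation of ``ADMIN_PASSWORD`` is wrapped in ``.. only:: obs or rdo or ubuntu``, so Debian readers get the ``$ export OS_PASSWORD=ADMIN_PASSWORD`` line with nothing telling them what to substitute; either drop the ``only`` wrapper or add a ``.. only:: debian`` branch, as the deleted keystone-services.rst did for its token step. Two smaller points: ":ref:`keystone-install`" from inside keystone-install.rst itself sends the reader to the section they are already in (the deleted file used ":doc:`keystone-install`" for the same link), so "from the ``keystone-manage bootstrap`` step above" is clearer; and the deleted file's ``.. warning::`` about not keeping the temporary token in the environment longer than necessary has no counterpart in the new step even though it puts the long-lived admin password into the shell environment, so add a short note that these exports are for the initial setup and that the persistent credentials belong in the openrc file covered by keystone-openrc.rst.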
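Review bot: deleting doc/install-guide/source/keystone-services.rst (``@@ -1,176 +0,0 @@``) removes the only steps in the guide that create the ``identity`` service entity and its public, internal and admin endpoints (the ``openstack service create`` and ``openstack endpoint create`` commands), while the updated overview still states that each service "needs a service entry with corresponding endpoints stored in the Identity service"; if the ``keystone-manage bootstrap`` command referenced in keystone-install.rst now registers these, keystone-install.rst should say so explicitly, including which endpoint URLs and region it creates, otherwise the guide has a gap before keystone-users.rst. Also confirm that the install section no longer produces an ``ADMIN_TOKEN`` at all; if it still does, the removed ``OS_TOKEN`` warning about retiring the temporary token should move to keystone-install.rst rather than disappear.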