From cd89eca969786c3004367cad4f2d9ea8ae22ce55 Mon Sep 17 00:00:00 2001 
From: Matthew Kassawara
Date: Tue, 24 Mar 2015 20:39:39 -0500
Subject: [PATCH] Modify keystone content for Kilo

Modify keystone content for Kilo as follows:

1) Replace default eventlet front-end with Apache front-end to provide a more production-style deployment.
   * Disable keystone service from starting up automatically because it creates port conflicts with Apache.
   * Use the Apache virtual host configuration template from the keystone source repository.
   * Use the WSGI components from the keystone source repository because the packages don't include them.
   * Will update source repository links after release.
2) Replace SQL back-end with Memcache back-end for tokens to provide a more production-style deployment.
   * Remove cron job that deletes expired tokens from the SQL database.
3) Enable version 3 API.
   * Change "tenant" to "project" to align with v3 API terminology.
   * Include tests to verify operation.
4) Replace python-keystoneclient with python-openstackclient.
   * Update openrc files to work with python-openstackclient.
5) Replace password entry on CLI with prompts.
6) Move service and endpoint creation section before user and project creation section to improve flow.
7) Add note about adding sections and options to default configuration files.
8) Disable temporary authentication token mechanism prior to service verification.

Many of these changes stem from keystone deprecations and recommendations from the keystone PTL. Also, this patch only addresses Ubuntu. For other distributions, please submit additional patches rather than modifying this patch.
Implements: blueprint installguide-kilo Change-Id: I9a2e53f14d6ed41df0085256c20904760a58ea25 --- doc/glossary/glossary-terms.xml | 12 +- doc/install-guide/ch_keystone.xml | 2 +- .../section_keystone-install.xml | 144 +++++++++-- doc/install-guide/section_keystone-openrc.xml | 44 ++-- .../section_keystone-services.xml | 118 +++++---- doc/install-guide/section_keystone-users.xml | 236 ++++++++---------- doc/install-guide/section_keystone-verify.xml | 228 ++++++++++------- .../section_launch-instance-neutron.xml | 16 +- 8 files changed, 482 insertions(+), 318 deletions(-) diff --git a/doc/glossary/glossary-terms.xml b/doc/glossary/glossary-terms.xml index f092614100..2da803db28 100644 --- a/doc/glossary/glossary-terms.xml +++ b/doc/glossary/glossary-terms.xml @@ -2667,11 +2667,13 @@ - Separates a website from other sites. Often, the domain name has - two or more parts that are separated by dots. For example, yahoo.com, - usa.gov, harvard.edu, or mail.yahoo.com. - - A domain is an entity or container of all DNS-related + In the Identity service, provides isolation between projects + and users. + On the Internet, separates a website from other sites. Often, + the domain name has two or more parts that are separated by dots. + For example, yahoo.com, usa.gov, harvard.edu, or + mail.yahoo.com. + Also, a domain is an entity or container of all DNS-related information containing one or more records. diff --git a/doc/install-guide/ch_keystone.xml b/doc/install-guide/ch_keystone.xml index ccdfac68a2..1aa57e3743 100644 --- a/doc/install-guide/ch_keystone.xml +++ b/doc/install-guide/ch_keystone.xml @@ -7,8 +7,8 @@ Add the Identity service - + diff --git a/doc/install-guide/section_keystone-install.xml b/doc/install-guide/section_keystone-install.xml index 43fbf86891..cd459730dc 100644 --- a/doc/install-guide/section_keystone-install.xml +++ b/doc/install-guide/section_keystone-install.xml 
@@ -10,7 +10,10 @@ xml:id="keystone-install"> Install and configure This section describes how to install and configure the OpenStack - Identity service on the controller node. + Identity service, code-named keystone, on the controller node. For + performance, this configuration deploys the Apache HTTP server to + handle requests and Memcached to store tokens instead of a SQL + database. To configure prerequisites Before you configure the OpenStack Identity service, you must create @@ -49,10 +52,26 @@ - To install and configure the components + To install and configure the Identity service components + + Default configuration files vary by distribution. You might need + to add these sections and options rather than modifying existing + sections and options. Also, an ellipsis (...) in the configuration + snippets indicates potential default configuration options that you + should retain. + + + By default, the keystone + service listens on ports 5000 and 35357. However, this guide + configures the Apache HTTP server to listen on those ports. To avoid + port conflicts, disable the + keystone service from starting + automatically after installation: + # echo "manual" > /etc/init/keystone.override + Run the following command to install the packages: - # apt-get install keystone python-keystoneclient + # apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache # yum install openstack-keystone python-keystoneclient # zypper install openstack-keystone python-keystoneclient 
@@ -78,13 +97,20 @@ connection = mysql://keystone:KEYSTONE_DBPASS@Replace KEYSTONE_DBPASS with the password you chose for the database. + + In the [memcache] section, configure + the Memcache service: + [memcache] +... +servers = localhost:11211 + In the [token] section, configure the UUID - token provider and SQL driver: + token provider and Memcached driver: [token] ... provider = keystone.token.providers.uuid.Provider -driver = keystone.token.persistence.backends.sql.Token +driver = keystone.token.persistence.backends.memcache.Token In the [revoke] section, configure @@ -92,6 +118,13 @@ driver = keystone.token.persistence.backends.sql.Token [revoke] ... driver = keystone.contrib.revoke.backends.sql.Revoke + + + In the [DEFAULT] section, configure the + log directory: + [DEFAULT] +... +log_dir = /var/log/keystone (Optional) To assist with troubleshooting, 
@@ -231,11 +264,81 @@ admin_token = ADMIN_TOKEN + + To configure the Apache HTTP server + + Edit the /etc/apache2/apache2.conf file and + configure the ServerName option to reference the + controller node: + ServerName controller + + + Create the + /etc/apache2/sites-available/wsgi-keystone.conf + file with the following content: + Listen 5000 +Listen 35357 + +<VirtualHost *:5000> + WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP} + WSGIProcessGroup keystone-public + WSGIScriptAlias / /var/www/cgi-bin/keystone/main + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + <IfVersion >= 2.4> + ErrorLogFormat "%{cu}t %M" + </IfVersion> + LogLevel info + ErrorLog /var/log/apache2/keystone-error.log + CustomLog /var/log/apache2/keystone-access.log combined +</VirtualHost> + +<VirtualHost *:35357> + WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP} + WSGIProcessGroup keystone-admin + WSGIScriptAlias / /var/www/cgi-bin/keystone/admin + WSGIApplicationGroup %{GLOBAL} + WSGIPassAuthorization On + <IfVersion >= 2.4> + ErrorLogFormat "%{cu}t %M" + </IfVersion> + LogLevel info + ErrorLog /var/log/apache2/keystone-error.log + CustomLog /var/log/apache2/keystone-access.log combined +</VirtualHost> + + + Disable the default virtual host: + # rm /etc/apache2/sites-enabled/000-default.conf + + + Enable the Identity service virtual hosts: + # ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled + + + Create the directory structure for the WSGI components: + # mkdir -p /var/www/cgi-bin/keystone + + + Copy the WSGI components from the upstream repository into this + directory: + # curl https://raw.githubusercontent.com/openstack/keystone/master/httpd/keystone.py \ + > /var/www/cgi-bin/keystone/main +# curl https://raw.githubusercontent.com/openstack/keystone/master/httpd/keystone.py \ + > /var/www/cgi-bin/keystone/admin + + + Adjust ownership and permissions on this 
directory and the files + in it: + # chown -R keystone:keystone /var/www/cgi-bin/keystone +# chmod 755 /var/www/cgi-bin/keystone/* + + To finalize installation - Restart the Identity service: - # service keystone restart + Restart the Apache HTTP server: + # service apache2 restart Start the Identity service and configure it to start when the 
@@ -255,27 +358,18 @@ admin_token = ADMIN_TOKEN remove the SQLite database file: # rm -f /var/lib/keystone/keystone.db - - By default, the Identity service stores expired tokens in the - database indefinitely. The accumulation of expired tokens considerably - increases the database size and might degrade service performance, - particularly in environments with limited resources. - The Keystone package already contains a cron job + + By default, the Identity service stores expired tokens in the + SQL database indefinitely. The accumulation of expired tokens + considerably increases the database size and degrades performance + over time, particularly in environments with limited resources. + The packages already contain a cron job under /etc/cron.hourly/keystone, so it is not - necessary to manually configure a periodic task that purges expired tokens - hourly. You can however have a look at (and eventually customize) the already - configured script. - The Keystone package already contains a cron job - under /etc/cron.hourly/openstack-keystone, so it is not - necessary to manually configure a periodic task that purges expired tokens - hourly. You can however have a look at (and eventually customize) the already - configured script. - We recommend that you use + necessary to manually configure a periodic task that purges expired + tokens. + We recommend that you use cron to configure a periodic task that purges expired tokens hourly: - # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \ - echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \ - >> /var/spool/cron/crontabs/keystone # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \ echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \ >> /var/spool/cron/keystone diff --git a/doc/install-guide/section_keystone-openrc.xml b/doc/install-guide/section_keystone-openrc.xml index a027e4b425..a701af84b5 100644 
--- a/doc/install-guide/section_keystone-openrc.xml +++ b/doc/install-guide/section_keystone-openrc.xml @@ -7,7 +7,7 @@ Create OpenStack client environment scripts The previous section used a combination of environment variables and command options to interact with the Identity service via the - keystone client. To increase efficiency of client + openstack client. To increase efficiency of client operations, OpenStack supports simple client environment scripts also known as OpenRC files. These scripts typically contain common options for all clients, but also support unique options. For more information, see the 
@@ -15,42 +15,58 @@ To create the scripts Create client environment scripts for the admin - and demo tenants and users. Future portions of this + and demo projects and users. Future portions of this guide reference these scripts to load appropriate credentials for client operations. Edit the admin-openrc.sh file and add the following content: - export OS_TENANT_NAME=admin + export OS_PROJECT_DOMAIN_ID=default +export OS_USER_DOMAIN_ID=default +export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=ADMIN_PASS -export OS_AUTH_URL=http://controller:35357/v2.0 +export OS_AUTH_URL=http://controller:35357 +export OS_IMAGE_API_VERSION=2 Replace ADMIN_PASS with the password you chose for the admin user in the Identity service. Edit the demo-openrc.sh file and add the following content: - export OS_TENANT_NAME=demo + export OS_PROJECT_DOMAIN_ID=default +export OS_USER_DOMAIN_ID=default +export OS_PROJECT_NAME=demo export OS_USERNAME=demo export OS_PASSWORD=DEMO_PASS -export OS_AUTH_URL=http://controller:5000/v2.0 +export OS_AUTH_URL=http://controller:5000 +export OS_IMAGE_API_VERSION=2 Replace DEMO_PASS with the password you chose for the demo user in the Identity service. - Identity ports - Note the two different ports used above. Port 35357 is used for - administrative functions only. Port 5000 is for normal user -functions and is the most commonly used. To load client environment scripts + To run clients as a specific project and user, you can simply load + the associated client environment script prior to running them. For + example: - To run clients as a certain tenant and user, you can simply load - the associated client environment script prior to running them. 
For - example, to load the location of the Identity service and - admin tenant and user credentials: + Load the admin-openrc.sh file to populate + environment variables with the location of the Identity service + and the admin project and user credentials: $ source admin-openrc.sh + + Request an authentication token: + $ openstack token issue ++------------+----------------------------------+ +| Field | Value | ++------------+----------------------------------+ +| expires | 2015-03-25T01:45:49.950092Z | +| id | cd4110152ac24bdeaa82e1443c910c36 | +| project_id | cf12a15c5ea84b019aec3dc45580896b | +| user_id | 4d411f2291f34941b30eef9bd797505a | ++------------+----------------------------------+ + diff --git a/doc/install-guide/section_keystone-services.xml b/doc/install-guide/section_keystone-services.xml index 21d34cd935..dcbf43f7e3 100644 --- a/doc/install-guide/section_keystone-services.xml +++ b/doc/install-guide/section_keystone-services.xml 
@@ -3,42 +3,72 @@ xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" - xml:id="keystone-services" - os="ubuntu;rhel;centos;fedora;sles;opensuse"> - Create the service entity and API endpoint - After you create tenants, users, and roles, you must create the - service entity and - API endpoints for the - Identity service. + xml:id="keystone-services"> + Create the service entity and API endpoints + The Identity service provides a catalog of services and their + locations. Each service that you add to your OpenStack environment + requires a service entity and several + API endpoints in the + catalog. To configure prerequisites + By default, the Identity service database contains no information + to support conventional authentication and catalog services. You must + use a temporary authentication token that you created in + to initialize the service entity + and API endpoints for the Identity service. + You must pass the value of the authentication token to the + openstack command with the + --os-token parameter or set the + OS_TOKEN environment variable. Similarly, you + must also pass the value of the Identity service URL to the + openstack command with the + --os-url parameter or set the + OS_URL environment variable. This guide + uses environment variables to reduce command length. + + For security reasons, do not use the temporary authentication + token for longer than necessary to initialize the Identity + service. + - Set the OS_SERVICE_TOKEN and - OS_SERVICE_ENDPOINT environment variables, as described - in . + Configure the authentication token: + $ export OS_TOKEN=ADMIN_TOKEN + Replace ADMIN_TOKEN with the + authentication token that you generated in + . 
For example: + $ export OS_TOKEN=294a4c8a8a475f9b9836 + + + Configure the endpoint URL: + $ export OS_URL=http://controller:35357/v2.0 To create the service entity and API endpoints + + The packages can automatically create the service entity and + API endpoints. + The Identity service manages a catalog of services in your - OpenStack environment. Services use this catalog to locate other - services in your environment. + OpenStack environment. Services use this catalog to determine + the other services available in your environment. Create the service entity for the Identity service: - $ keystone service-create --name keystone --type identity \ - --description "OpenStack Identity" + $ openstack service create --type identity \ + --description "OpenStack Identity" keystone +-------------+----------------------------------+ -| Property | Value | +| Field | Value | +-------------+----------------------------------+ -| description | OpenStack Identity | -| enabled | True | -| id | 15c11a23667e427e91bc31335b45f4bd | -| name | keystone | -| type | identity | +| description | OpenStack Identity | +| enabled | True | +| id | 4ddaae90388b4ebc9d252ec2252d8d10 | +| name | keystone | +| type | identity | +-------------+----------------------------------+ - Because OpenStack generates IDs dynamically, you will see - different values from this example command output. + OpenStack generates IDs dynamically, so you will see + different values in the example command output. @@ -46,7 +76,7 @@ with the services in your OpenStack environment. Services use this catalog to determine how to communicate with other services in your environment. - OpenStack provides three API endpoint variations for each service: + OpenStack uses three API endpoint variants for each service: admin, internal, and public. The admin API endpoint allows modifying users and tenants by default, while the public and internal APIs do not. In a production environment, the variants might reside on 
@@ -55,35 +85,33 @@ outside the cloud for management tools, the admin API network might be protected, while the internal API network is connected to each host. Also, OpenStack supports multiple regions for scalability. For - simplicity, this configuration uses the management network for all - endpoint variations and the regionOne region. + simplicity, this guide uses the management network for all + endpoint variations and the default regionOne + region. Create the Identity service API endpoints: - $ keystone endpoint-create \ - --service-id $(keystone service-list | awk '/ identity / {print $2}') \ + $ openstack endpoint create \ --publicurl http://controller:5000/v2.0 \ --internalurl http://controller:5000/v2.0 \ --adminurl http://controller:35357/v2.0 \ - --region regionOne -+-------------+----------------------------------+ -| Property | Value | -+-------------+----------------------------------+ -| adminurl | http://controller:35357/v2.0 | -| id | 11f9c625a3b94a3f8e66bf4e5de2679f | -| internalurl | http://controller:5000/v2.0 | -| publicurl | http://controller:5000/v2.0 | -| region | regionOne | -| service_id | 15c11a23667e427e91bc31335b45f4bd | -+-------------+----------------------------------+ - - This command references the ID of the service that you created - in the previous step. - + --region regionOne \ + identity ++--------------+----------------------------------+ +| Field | Value | ++--------------+----------------------------------+ +| adminurl | http://controller:35357/v2.0 | +| id | 4a9ffc04b8eb4848a49625a3df0170e5 | +| internalurl | http://controller:5000/v2.0 | +| publicurl | http://controller:5000/v2.0 | +| region | regionOne | +| service_id | 4ddaae90388b4ebc9d252ec2252d8d10 | +| service_name | keystone | +| service_type | identity | ++--------------+----------------------------------+ Each service that you add to your OpenStack environment requires - adding information such as API endpoints to the Identity service. 
The - sections of this guide that cover service installation include steps - to add the appropriate information to the Identity service. + one or more service entities and API endpoints in the Identity + service. diff --git a/doc/install-guide/section_keystone-users.xml b/doc/install-guide/section_keystone-users.xml index d41e3800a6..dd9f56dfa8 100644 --- a/doc/install-guide/section_keystone-users.xml +++ b/doc/install-guide/section_keystone-users.xml 
@@ -4,179 +4,161 @@ xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="keystone-users"> - Create tenants, users, and roles - After you install the Identity service, create - tenants (projects), + Create projects, users, and roles + The Identity service provides authentication services for each + OpenStack service. The authentication service uses a combination of + domains, + projects (tenants), users, and - roles for your environment. You - must use the temporary administration token that you created in - and manually configure the location - (endpoint) of the Identity service before you run - keystone commands. - You can pass the value of the administration token to the - keystone command with the --os-token - option or set the temporary OS_SERVICE_TOKEN environment - variable. Similarly, you can pass the location of the Identity service - to the keystone command with the - --os-endpoint option or set the temporary - OS_SERVICE_ENDPOINT environment variable. This guide - uses environment variables to reduce command length. - For more information, see the - Operations Guide - Managing Project and Users. - - To configure prerequisites - In Debian, the admin tenant, user and roles can be - created automatically when installing the Keystone package. You - must manually create the demo tenant and user however. - - - Configure the administration token: - $ export OS_SERVICE_TOKEN=ADMIN_TOKEN - Replace ADMIN_TOKEN with the - administration token that you generated in - . For example: - $ export OS_SERVICE_TOKEN=294a4c8a8a475f9b9836 - - - Configure the endpoint: - $ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0 - - + roles. + + For simplicity, this guide implicitly uses the + default domain. + To create tenants, users, and roles + + The packages can automatically create the service entity and + API endpoints. 
+ - Create an administrative tenant, user, and role for + Create an administrative project, user, and role for administrative operations in your environment: - Create the admin tenant: - $ keystone tenant-create --name admin --description "Admin Tenant" + Create the admin project: + $ openstack project create --description "Admin Project" admin +-------------+----------------------------------+ -| Property | Value | +| Field | Value | +-------------+----------------------------------+ -| description | Admin Tenant | -| enabled | True | -| id | 6f4c1e4cbfef4d5a8a1345882fbca110 | -| name | admin | +| description | Admin Project | +| enabled | True | +| id | cf12a15c5ea84b019aec3dc45580896b | +| name | admin | +-------------+----------------------------------+ OpenStack generates IDs dynamically, so you will see - different values from the example command output. + different values in the example command output. Create the admin user: - $ keystone user-create --name admin --pass ADMIN_PASS --email EMAIL_ADDRESS -+----------+----------------------------------+ -| Property | Value | -+----------+----------------------------------+ -| email | admin@example.com | -| enabled | True | -| id | ea8c352d253443118041c9c8b8416040 | -| name | admin | -| username | admin | -+----------+----------------------------------+ - Replace ADMIN_PASS with a - suitable password and EMAIL_ADDRESS - with a suitable e-mail address. 
+ $ openstack user create --password-prompt admin +User Password: +Repeat User Password: ++------------+----------------------------------+ +| Field | Value | ++------------+----------------------------------+ +| email | None | +| enabled | True | +| id | 4d411f2291f34941b30eef9bd797505a | +| name | admin | +| username | admin | ++------------+----------------------------------+ Create the admin role: - $ keystone role-create --name admin -+----------+----------------------------------+ -| Property | Value | -+----------+----------------------------------+ -| id | bff3a6083b714fa29c9344bf8930d199 | -| name | admin | -+----------+----------------------------------+ + $ openstack role create admin ++-------+----------------------------------+ +| Field | Value | ++-------+----------------------------------+ +| id | cd2cb9a39e874ea69e5d4b896eb16128 | +| name | admin | ++-------+----------------------------------+ Add the admin role to the - admin tenant and user: - $ keystone user-role-add --user admin --tenant admin --role admin - - This command provides no output. - + admin project and user: + $ openstack role add --project admin --user admin admin ++-------+----------------------------------+ +| Field | Value | ++-------+----------------------------------+ +| id | cd2cb9a39e874ea69e5d4b896eb16128 | +| name | admin | ++-------+----------------------------------+ Any roles that you create must map to roles specified in the - policy.json file included with each OpenStack - service. The default policy for most services grants administrative - access to the admin role. For more information, + policy.json file in the configuration file + directory of each OpenStack service. The default policy for most + services grants administrative access to the + admin role. For more information, see the Operations Guide - Managing Projects and Users. 
- Create a demo tenant and user for typical operations in your - environment: + This guide uses a service project that contains a unique + user for each service that you add to your environment. - Create the demo tenant: - $ keystone tenant-create --name demo --description "Demo Tenant" + Create the service project: + $ openstack project create --description "Service Project" service +-------------+----------------------------------+ -| Property | Value | +| Field | Value | +-------------+----------------------------------+ -| description | Demo Tenant | -| enabled | True | -| id | 4aa51bb942be4dd0ac0555d7591f80a6 | -| name | demo | +| description | Service Project | +| enabled | True | +| id | 55cbd79c0c014c8a95534ebd16213ca1 | +| name | service | ++-------------+----------------------------------+ + + + + + Regular (non-admin) tasks should use an unprivileged project + and user. As an example, this guide creates the + demo project and user. + + + Create the demo project: + $ openstack project create --description "Demo Project" demo ++-------------+----------------------------------+ +| Field | Value | ++-------------+----------------------------------+ +| description | Demo Project | +| enabled | True | +| id | ab8ea576c0574b6092bb99150449b2d3 | +| name | demo | +-------------+----------------------------------+ Do not repeat this step when creating additional - users for this tenant. + users for this project. 
- Create the demo user under the - demo tenant: - $ keystone user-create --name demo --tenant demo --pass DEMO_PASS --email EMAIL_ADDRESS -+----------+----------------------------------+ -| Property | Value | -+----------+----------------------------------+ -| email | demo@example.com | -| enabled | True | -| id | 7004dfa0dda84d63aef81cf7f100af01 | -| name | demo | -| tenantId | 4aa51bb942be4dd0ac0555d7591f80a6 | -| username | demo | -+----------+----------------------------------+ - Replace DEMO_PASS with a suitable - password and EMAIL_ADDRESS with a - suitable e-mail address. - - Using the --tenant option - automatically assigns the _member_ role - to a user. This option will also create the - _member_ role if it does not exist. - + Create the demo user: + $ openstack user create --password-prompt demo +User Password: +Repeat User Password: ++------------+----------------------------------+ +| Field | Value | ++------------+----------------------------------+ +| email | None | +| enabled | True | +| id | 3a81e6c8103b46709ef8d141308d4c72 | +| name | demo | +| project_id | ab8ea576c0574b6092bb99150449b2d3 | +| username | demo | ++------------+----------------------------------+ + + + Add the _member_ role to the + demo project and user: + $ openstack role add --project demo --user demo _member_ ++-------+----------------------------------+ +| Field | Value | ++-------+----------------------------------+ +| id | 9fe2ff9ee4384b1894a90878d3e92bab | +| name | _member_ | ++-------+----------------------------------+ - You can repeat this procedure to create additional tenants + You can repeat this procedure to create additional projects and users. - - OpenStack services also require a tenant, user, and role to - interact with other services. Each service typically requires - creating one or more unique users with the admin - role under the service tenant. 
- - - Create the service tenant: - $ keystone tenant-create --name service --description "Service Tenant" -+-------------+----------------------------------+ -| Property | Value | -+-------------+----------------------------------+ -| description | Service Tenant | -| enabled | True | -| id | 6b69202e1bf846a4ae50d65bc4789122 | -| name | service | -+-------------+----------------------------------+ - - - diff --git a/doc/install-guide/section_keystone-verify.xml b/doc/install-guide/section_keystone-verify.xml index faf97601d9..abd0cdc7bd 100644 --- a/doc/install-guide/section_keystone-verify.xml +++ b/doc/install-guide/section_keystone-verify.xml 
@@ -5,96 +5,150 @@ version="5.0" xml:id="keystone-verify"> Verify operation - This section describes how to verify operation of the Identity - service. + Verify operation of the Identity service before installing other + services. - Unset the temporary OS_SERVICE_TOKEN and - OS_SERVICE_ENDPOINT environment variables: - $ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT + For security reasons, disable the temporary authentication + token mechanism: + Edit the /etc/keystone/keystone-paste.ini file + and remove admin_token_auth from the + [pipeline:public_api], + [pipeline:admin_api], and + [pipeline:api_v3] sections. - As the admin tenant and user, request an - authentication token: - $ keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \ - --os-auth-url http://controller:35357/v2.0 token-get -+-----------+----------------------------------+ -| Property | Value | -+-----------+----------------------------------+ -| expires | 2014-10-10T12:50:12Z | -| id | 8963eb5ccd864769a894ec316ef8f7d4 | -| tenant_id | 6f4c1e4cbfef4d5a8a1345882fbca110 | -| user_id | ea8c352d253443118041c9c8b8416040 | -+-----------+----------------------------------+ - Replace ADMIN_PASS with the password - you chose for the admin user in the Identity - service. You might need to use single quotes (') around your password - if it includes special characters. 
+ Unset the temporary OS_TOKEN and + OS_URL environment variables: + $ unset OS_TOKEN OS_URL - As the - admin tenant and user, list tenants to verify - that the admin tenant and user can execute - admin-only CLI commands and that the Identity service contains the - tenants that you created in : - As the admin tenant and user, list - tenants to verify that the admin tenant and user - can execute admin-only CLI commands and that the Identity service - contains the tenants created by the configuration tool: - $ keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \ - --os-auth-url http://controller:35357/v2.0 tenant-list -+----------------------------------+----------+---------+ -| id | name | enabled | -+----------------------------------+----------+---------+ -| 6f4c1e4cbfef4d5a8a1345882fbca110 | admin | True | -| 4aa51bb942be4dd0ac0555d7591f80a6 | demo | True | -| 6b69202e1bf846a4ae50d65bc4789122 | service | True | -+----------------------------------+----------+---------+ + As the admin user, request an authentication + token from the Identity version 2.0 API: + $ openstack --os-auth-url http://controller:35357 \ + --os-project-name admin --os-username admin --os-auth-type password \ + token issue +Password: ++------------+----------------------------------+ +| Field | Value | ++------------+----------------------------------+ +| expires | 2015-03-24T18:55:01Z | +| id | ff5ed908984c4a4190f584d826d75fed | +| project_id | cf12a15c5ea84b019aec3dc45580896b | +| user_id | 4d411f2291f34941b30eef9bd797505a | ++------------+----------------------------------+ - Because OpenStack generates IDs dynamically, you will see - different values from this example command output. + This command uses the password for the admin + user. + + + + The Identity version 3 API adds support for domains that contain + projects and users. Projects and users can use the same names in + different domains. 
Therefore, in order to use the version 3 API, + requests must also explicitly contain at least the + default domain or use IDs. For simplicity, this + guide explicitly uses the default domain + so examples can use names instead of IDs. + $ openstack --os-auth-url http://controller:35357 \ + --os-project-domain-id default --os-user-domain-id default \ + --os-project-name admin --os-username admin --os-auth-type password \ + token issue +Password: ++------------+----------------------------------+ +| Field | Value | ++------------+----------------------------------+ +| expires | 2015-03-24T18:55:01Z | +| id | ff5ed908984c4a4190f584d826d75fed | +| project_id | cf12a15c5ea84b019aec3dc45580896b | +| user_id | 4d411f2291f34941b30eef9bd797505a | ++------------+----------------------------------+ + + This command uses the password for the admin + user. As the - admin tenant and user, list users to verify - that the Identity service contains the users that you created - in : - As the admin tenant and user, list - users to verify that the Identity service contains the users + admin user, list projects to verify that the + admin user can execute admin-only CLI commands + and that the Identity service contains the projects that you + created in : + As the admin user, list projects + to verify that the admin user can execute + CLI commands and that the Identity service contains the projects created by the configuration tool: - $ keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \ - --os-auth-url http://controller:35357/v2.0 user-list -+----------------------------------+---------+---------+---------------------+ -| id | name | enabled | email | -+----------------------------------+---------+---------+---------------------+ -| ea8c352d253443118041c9c8b8416040 | admin | True | admin@example.com | -| 7004dfa0dda84d63aef81cf7f100af01 | demo | True | demo@example.com | -+----------------------------------+---------+---------+---------------------+ + $ 
openstack --os-auth-url http://controller:35357 \ + --os-project-name admin --os-username admin --os-auth-type password \ + project list +Password: ++----------------------------------+---------+ +| ID | Name | ++----------------------------------+---------+ +| 55cbd79c0c014c8a95534ebd16213ca1 | service | +| ab8ea576c0574b6092bb99150449b2d3 | demo | +| cf12a15c5ea84b019aec3dc45580896b | admin | ++----------------------------------+---------+ + + This command uses the password for the admin + user. + As the - admin tenant and user, list roles to verify - that the Identity service contains the role that you created - in : - As the admin tenant and user, list - roles to verify that the Identity service contains the role - created by the configuration tool: - $ keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \ - --os-auth-url http://controller:35357/v2.0 role-list -+----------------------------------+----------+ -| id | name | -+----------------------------------+----------+ -| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | -| bff3a6083b714fa29c9344bf8930d199 | admin | -+----------------------------------+----------+ + admin user, list users to verify that the + Identity service contains the users that you created in + : + As the admin user, list users to + verify that the Identity service contains the users created by + the configuration tool: + $ openstack --os-auth-url http://controller:35357 \ + --os-project-name admin --os-username admin --os-auth-type password \ + user list +Password: ++----------------------------------+-------+ +| ID | Name | ++----------------------------------+-------+ +| 4d411f2291f34941b30eef9bd797505a | admin | +| 3a81e6c8103b46709ef8d141308d4c72 | demo | ++----------------------------------+-------+ + + This command uses the password for the admin + user. 
+ - As the demo tenant and user, request an - authentication token: - $ keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS \ - --os-auth-url http://controller:35357/v2.0 token-get -+-----------+----------------------------------+ + As the + admin user, list roles to verify that the + Identity service contains the role that you created in + : + As the admin user, list roles to + verify that the Identity service contains the role created by the + configuration tool: + $ openstack --os-auth-url http://controller:35357 \ + --os-project-name admin --os-username admin --os-auth-type password \ + role list +Password: ++----------------------------------+----------+ +| ID | Name | ++----------------------------------+----------+ +| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | +| cd2cb9a39e874ea69e5d4b896eb16128 | admin | ++----------------------------------+----------+ + + This command uses the password for the admin + user. + + + + As the demo user, request an authentication + token from the Identity version 3 API: + $ openstack --os-auth-url http://controller:5000 \ + --os-project-domain-id default --os-user-domain-id default \ + --os-project-name demo --os-username demo --os-auth-type password \ + token issue +Password: ++-----------+----------------------------------+ | Property | Value | +-----------+----------------------------------+ | expires | 2014-10-10T12:51:33Z | 
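Review bot: the new step that removes admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections of /etc/keystone/keystone-paste.ini has no restart instruction. Paste pipelines are read when the service starts, so the temporary token mechanism stays active until the Identity front end is restarted; add the restart step (or a pointer to it) directly after the edit, otherwise the "for security reasons" step does nothing until some later restart. Also, the version 3 token example reuses the version 2.0 output verbatim (same id ff5ed908984c4a4190f584d826d75fed, same expires 2015-03-24T18:55:01Z); a second request returns a different token, so regenerate that sample rather than copying it. Finally, the demo token example now uses the openstack client against the version 3 API but keeps the old keystone-client table as unchanged context (Property/Value with tenant_id); update it to the Field/Value, project_id layout the admin examples use.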
@@ -102,24 +156,20 @@ | tenant_id | 4aa51bb942be4dd0ac0555d7591f80a6 | | user_id | 7004dfa0dda84d63aef81cf7f100af01 | +-----------+----------------------------------+ - Replace DEMO_PASS with the password - you chose for the demo user in the Identity - service. + + This command uses the password for the demo + user and API port 5000 which only allows regular (non-admin) + access to the Identity service API. + - As the demo tenant and user, attempt to list - users to verify that you cannot execute admin-only CLI - commands: - $ keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS \ - --os-auth-url http://controller:35357/v2.0 user-list -You are not authorized to perform the requested action, admin_required. (HTTP 403) - - Each OpenStack service references a - policy.json file to determine the operations - available to a particular tenant, user, or role. For more - information, see the - Operations Guide - Managing Projects and Users. - + As the demo user, attempt to list users + to verify that it cannot execute admin-only CLI commands: + $ openstack --os-auth-url http://controller:5000 \ + --os-project-domain-id default --os-user-domain-id default \ + --os-project-name demo --os-username demo --os-auth-type password \ + user list +ERROR: openstack You are not authorized to perform the requested action, admin_required. (HTTP 403) diff --git a/doc/install-guide/section_launch-instance-neutron.xml b/doc/install-guide/section_launch-instance-neutron.xml index 188e1d2f6c..53b7d8b719 100644 --- a/doc/install-guide/section_launch-instance-neutron.xml +++ b/doc/install-guide/section_launch-instance-neutron.xml 
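Review bot: in the section_keystone-verify.xml hunk above, the note "API port 5000 which only allows regular (non-admin) access" attributes the failure to the wrong thing. The error shown, "You are not authorized to perform the requested action, admin_required. (HTTP 403)", comes from the policy check on the demo user's role, not from the port: the command uses the version 3 API (domain IDs are supplied), where the user list call is decided by policy.json and succeeds for an admin user on port 5000 as well. Reword to something like "This command uses the password for the demo user and the public API port 5000; the request is denied because the demo user lacks the admin role that policy requires", and keep the removed paragraph about policy.json and the Operations Guide reference, since it is the text that explains the admin_required message the reader is about to see.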
@@ -10,25 +10,17 @@ Most cloud images support public key authentication rather than conventional user name/password authentication. Before launching an instance, you must - generate a public/private key pair using ssh-keygen - and add the public key to your OpenStack environment. + generate a public/private key pair. Source the demo tenant credentials: $ source demo-openrc.sh - Generate a key pair: - $ ssh-keygen + Generate and add a key pair: + $ nova keypair-add demo-key - Add the public key to your OpenStack environment: - $ nova keypair-add --pub-key ~/.ssh/id_rsa.pub demo-key - - This command provides no output. - - - - Verify addition of the public key: + Verify addition of the key pair: $ nova keypair-list +----------+-------------------------------------------------+ | Name | Fingerprint |
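Review bot: 'nova keypair-add demo-key' without --pub-key asks the Compute service to generate the key pair and prints the private key to standard output, but the hunk neither tells the reader to save it (for example 'nova keypair-add demo-key > demo-key.pem' followed by 'chmod 600 demo-key.pem') nor says the later SSH step depends on it, so following the steps as written leaves the reader with no usable private key and a failing login. The replaced workflow (ssh-keygen locally, then 'nova keypair-add --pub-key ~/.ssh/id_rsa.pub demo-key') also kept the private key on the workstation instead of having it generated by the service and returned over the API; if the shorter form is kept, add the redirect-and-chmod step and a sentence noting where the private key comes from. Minor: the unchanged context line "Source the demo tenant credentials:" still says "tenant" while the rest of the change moves to "project" terminology.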