Defining Roles and Users in the Identity Service (Keystone)
Before you begin, ensure that the OpenStack Compute and Image
services are installed and that their databases are created and
reachable before you configure the Identity Service endpoints.
Next you add the default tenant, an administrator, roles,
and users to get a working installation started. In the
examples that follow, the initial tenant is openstackDemo, the
administrator is adminUser, and the password is secretword.
The password is a placeholder for a test installation; use a
strong one of your own anywhere a real network can reach the
service.
First, add two tenants, one named openstackDemo, one named
adminTenant.
sudo keystone-manage tenant add openstackDemo
sudo keystone-manage tenant add adminTenant
In return for these commands, you should see a SUCCESS
message, such as:
SUCCESS: Tenant openstackDemo created.
Now, add users and assign their passwords.
sudo keystone-manage user add adminUser secretword
sudo keystone-manage user add demoUser secretword
Now add an invented token (any combination of numbers and
letters will do) for the admin user in the adminTenant tenant,
and ensure there's an expiration date assigned. This token is a
bearer credential: anyone who obtains it acts as adminUser until
it expires, so pick a random value rather than a guessable one
and prefer a short expiry. The one shown expires in about four
years, which is far longer than a bootstrap token needs.
sudo keystone-manage token add 11121314151617181920 adminUser adminTenant 2015-02-05T00:0
If you see an error like "Creating a token requires a token
id, user, tenant, and expiration", you have most likely omitted
the expiration date or truncated the timestamp.
Create the Admin role and the Member role.
sudo keystone-manage role add Admin
sudo keystone-manage role add Member
Grant the Admin role to the admin user and the Member role to
the demo user. With no tenant argument these grants are global,
so a global Admin applies across every tenant; give it only to
the bootstrap administrator.
sudo keystone-manage role grant Admin adminUser
sudo keystone-manage role grant Member demoUser
Then grant the tenant-scoped roles: the Admin role to adminUser
for both the openstackDemo and adminTenant tenants, and the
Member role to demoUser for the openstackDemo tenant.
sudo keystone-manage role grant Admin adminUser openstackDemo
sudo keystone-manage role grant Admin adminUser adminTenant
sudo keystone-manage role grant Member demoUser openstackDemo
Define Services and Endpoints
Now that all your starter tenants, users, and roles have
been created, let's move on to endpoints.
First add all the services you want the Identity Service
connected with. This example registers every service available
in this installation. You may see an IntegrityError when using
the Manage IT packages and issuing these commands.
sudo keystone-manage service add nova compute "Nova Compute Service"
sudo keystone-manage service add glance image "Glance Image Service"
sudo keystone-manage service add keystone identity "Keystone Identity Service"
Now add endpoint templates for each of these now-named services,
which put together the IP addresses, port values, and API
version number to make an entire endpoint. The arguments are,
in order: region, service name, public URL, admin URL, internal
URL, and two flags for enabled and global. Only the Keystone
template below uses a distinct admin URL: port 35357 is the
admin API and should be reachable only from the management
network, while port 5000 is the service API that users hit.
All of these URLs are plain http; put TLS in front of them
before exposing the endpoints beyond a test network.
sudo keystone-manage endpointTemplates add RegionOne nova http://192.168.206.130:8774/v1.1/%tenant_id% http://192.168.206.130:8774/v1.1/%tenant_id% http://192.168.206.130:8774/v1.1/%tenant_id% 1 1
sudo keystone-manage endpointTemplates add RegionOne glance http://192.168.206.130:9292/v1 http://192.168.206.130:9292/v1 http://192.168.206.130:9292/v1 1 1
sudo keystone-manage endpointTemplates add RegionOne keystone http://192.168.206.130:5000/v2.0 http://192.168.206.130:35357/v2.0 http://192.168.206.130:5000/v2.0 1 1
Optionally, you can add EC2 credentials to the Identity Service for any user who needs to run euca2ools commands. Here again, secretword is a placeholder to replace.
sudo keystone-manage credentials add adminUser EC2 'secretword' adminTenant
sudo keystone-manage credentials add demoUser EC2 'secretword' openstackDemo
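The whole bootstrap as one script, added here as an example that is not part of the OpenStack documentation or of the keystone-manage tool: it issues the same keystone-manage commands as above, but draws the passwords and the admin token from /dev/urandom, gives the token a one-day expiry instead of four years, and prints the commands rather than running them until DRY_RUN=0. It assumes a Linux host with GNU date for the expiry calculation, that KEYSTONE_HOST is the address the services listen on (the page's 192.168.206.130 is the default), and that keystone-manage is run through sudo as on this page.

```shell
#!/bin/sh
# Added example, not from the OpenStack docs: bootstrap the legacy
# keystone-manage tenants, users, token, roles, services and endpoints
# with generated secrets instead of the page's placeholder values.
# Assumptions: Linux with /dev/urandom and GNU date; KEYSTONE_HOST is the
# IP the services listen on; keystone-manage is invoked via sudo.
set -eu

KEYSTONE_HOST="${KEYSTONE_HOST:-192.168.206.130}"
KEYSTONE_MANAGE="${KEYSTONE_MANAGE:-sudo keystone-manage}"
DRY_RUN="${DRY_RUN:-1}"      # 1 = print the commands only; 0 = execute them

# N random bytes from the OS RNG as 2N lowercase hex characters. Used for
# the admin token and for the passwords the page hard-codes as "secretword".
rand_hex() {
    head -c "$1" /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Full expiration timestamp N days from now, in the YYYY-MM-DDTHH:MM shape
# the page's token example uses. Assumes GNU date (-d "+N days").
expiry_in_days() {
    date -u -d "+$1 days" +%Y-%m-%dT%H:%M
}

# Print or run one keystone-manage command, depending on DRY_RUN.
km() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s %s\n' "$KEYSTONE_MANAGE" "$*"
    else
        $KEYSTONE_MANAGE "$@"
    fi
}

bootstrap_identity() {
    admin_pw="${ADMIN_PASSWORD:-$(rand_hex 16)}"
    demo_pw="${DEMO_PASSWORD:-$(rand_hex 16)}"
    admin_token="$(rand_hex 20)"                          # 160 bits of entropy
    token_expiry="$(expiry_in_days "${TOKEN_DAYS:-1}")"   # one day, not four years

    km tenant add openstackDemo
    km tenant add adminTenant
    km user add adminUser "$admin_pw"
    km user add demoUser "$demo_pw"
    # The bootstrap token is a bearer credential that acts as adminUser:
    # keep it short-lived and obtain normal tokens by logging in afterwards.
    km token add "$admin_token" adminUser adminTenant "$token_expiry"
    km role add Admin
    km role add Member
    km role grant Admin adminUser adminTenant
    km role grant Admin adminUser openstackDemo
    km role grant Member demoUser openstackDemo

    km service add nova compute "Nova Compute Service"
    km service add glance image "Glance Image Service"
    km service add keystone identity "Keystone Identity Service"
    nova_url="http://$KEYSTONE_HOST:8774/v1.1/%tenant_id%"
    glance_url="http://$KEYSTONE_HOST:9292/v1"
    km endpointTemplates add RegionOne nova "$nova_url" "$nova_url" "$nova_url" 1 1
    km endpointTemplates add RegionOne glance "$glance_url" "$glance_url" "$glance_url" 1 1
    # Admin API on 35357 is separate from the service API on 5000.
    km endpointTemplates add RegionOne keystone "http://$KEYSTONE_HOST:5000/v2.0" \
        "http://$KEYSTONE_HOST:35357/v2.0" "http://$KEYSTONE_HOST:5000/v2.0" 1 1

    # Hand the generated secrets to the operator once, on stderr.
    printf 'adminUser password: %s\ndemoUser password: %s\nadmin token: %s (expires %s)\n' \
        "$admin_pw" "$demo_pw" "$admin_token" "$token_expiry" >&2
}

bootstrap_identity
```

Run it once with the default DRY_RUN=1 to review the exact commands, then with DRY_RUN=0 to apply them; set ADMIN_PASSWORD or DEMO_PASSWORD in the environment to choose those passwords instead of generating them, and TOKEN_DAYS to change the token lifetime.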
The Identity Service, Keystone, is now configured and ready
to accept requests.