Define users, tenants, and rolesAfter you install the Identity Service, set up
users,
tenants, and
roles to authenticate
against. These are used to allow access to
services and endpoints, described
in the next section.Typically, you would indicate a user and password to
authenticate with the Identity Service. At this point, however, we
have not created any users, so we have to use the authorization
token created in an earlier step, see
for further details. You can pass this with the
option to the
keystone command or set the
OS_SERVICE_TOKEN environment variable. We'll set
OS_SERVICE_TOKEN, as well as
OS_SERVICE_ENDPOINT to specify where the Identity
Service is running. Replace
ADMIN_TOKEN
with your authorization token.#export OS_SERVICE_TOKEN=ADMIN_TOKEN#export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0First, create a tenant for an administrative user and a tenant
for other OpenStack services to use.#keystone tenant-create --name=admin --description="Admin Tenant"#keystone tenant-create --name=service --description="Service Tenant"Next, create an administrative user called admin.
Choose a password for the admin user and specify an
email address for the account.#keystone user-create --name=admin --pass=ADMIN_PASS \
--email=admin@example.comCreate a role for administrative tasks called admin.
Any roles you create should map to roles specified in the
policy.json files of the various OpenStack services.
The default policy files use the admin role to allow
access to most services.#keystone role-create --name=adminNow, you have to add roles to users. Users always log in with
a tenant, and roles are assigned to users within tenants. Add the
admin role to the admin user when
logging in with the admin tenant.#keystone user-role-add --user=admin --tenant=admin --role=admin
Add the _member_ role to the admin
user. This is a special role that grants access to the OpenStack Dashboard.
#keystone user-role-add --user=admin --tenant=admin --role=_member_