Create tenants, users, and roles

After you install the Identity service, create tenants (projects), users, and roles for your environment. You must use the temporary administration token that you created in and manually configure the location (endpoint) of the Identity service before you run keystone commands.

You can pass the value of the administration token to the keystone command with the --os-token option or set the temporary OS_SERVICE_TOKEN environment variable. Similarly, you can pass the location of the Identity service to the keystone command with the --os-endpoint option or set the temporary OS_SERVICE_ENDPOINT environment variable. This guide uses environment variables to reduce command length. For more information, see the Operations Guide - Managing Projects and Users.

To configure prerequisites

1. Configure the administration token:

   $ export OS_SERVICE_TOKEN=ADMIN_TOKEN

   Replace ADMIN_TOKEN with the administration token that you generated in . For example:

   $ export OS_SERVICE_TOKEN=294a4c8a8a475f9b9836

2. Configure the endpoint:

   $ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

To create tenants, users, and roles

1. Create an administrative tenant, user, and role for administrative operations in your environment:

   a. Create the admin tenant:

      $ keystone tenant-create --name admin --description "Admin Tenant"
      +-------------+----------------------------------+
      |   Property  |              Value               |
      +-------------+----------------------------------+
      | description |           Admin Tenant           |
      |   enabled   |               True               |
      |      id     | 6f4c1e4cbfef4d5a8a1345882fbca110 |
      |     name    |              admin               |
      +-------------+----------------------------------+

      OpenStack generates IDs dynamically, so you will see different values from the example command output.
   b. Create the admin user:

      $ keystone user-create --name admin --pass ADMIN_PASS --email EMAIL_ADDRESS
      +----------+----------------------------------+
      | Property |              Value               |
      +----------+----------------------------------+
      |  email   |        admin@example.com         |
      | enabled  |               True               |
      |    id    | ea8c352d253443118041c9c8b8416040 |
      |   name   |              admin               |
      | username |              admin               |
      +----------+----------------------------------+

      Replace ADMIN_PASS with a suitable password and EMAIL_ADDRESS with a suitable e-mail address.

   c. Create the admin role:

      $ keystone role-create --name admin
      +----------+----------------------------------+
      | Property |              Value               |
      +----------+----------------------------------+
      |    id    | bff3a6083b714fa29c9344bf8930d199 |
      |   name   |              admin               |
      +----------+----------------------------------+

   d. Add the admin role to the admin tenant and user:

      $ keystone user-role-add --user admin --tenant admin --role admin

      This command provides no output.

      Any roles that you create must map to roles specified in the policy.json file included with each OpenStack service. The default policy for most services grants administrative access to the admin role. For more information, see the Operations Guide - Managing Projects and Users.

2. Create a demo tenant and user for typical operations in your environment:

   a. Create the demo tenant:

      $ keystone tenant-create --name demo --description "Demo Tenant"
      +-------------+----------------------------------+
      |   Property  |              Value               |
      +-------------+----------------------------------+
      | description |           Demo Tenant            |
      |   enabled   |               True               |
      |      id     | 4aa51bb942be4dd0ac0555d7591f80a6 |
      |     name    |               demo               |
      +-------------+----------------------------------+

      Do not repeat this step when creating additional users for this tenant.
   b. Create the demo user under the demo tenant:

      $ keystone user-create --name demo --tenant demo --pass DEMO_PASS --email EMAIL_ADDRESS
      +----------+----------------------------------+
      | Property |              Value               |
      +----------+----------------------------------+
      |  email   |         demo@example.com         |
      | enabled  |               True               |
      |    id    | 7004dfa0dda84d63aef81cf7f100af01 |
      |   name   |               demo               |
      | tenantId | 4aa51bb942be4dd0ac0555d7591f80a6 |
      | username |               demo               |
      +----------+----------------------------------+

      Replace DEMO_PASS with a suitable password and EMAIL_ADDRESS with a suitable e-mail address.

      Using the --tenant option automatically assigns the _member_ role to a user. This option will also create the _member_ role if it does not exist.

   You can repeat this procedure to create additional tenants and users.

3. OpenStack services also require a tenant, user, and role to interact with other services. Each service typically requires creating one or more unique users with the admin role under the service tenant.

   Create the service tenant:

      $ keystone tenant-create --name service --description "Service Tenant"
      +-------------+----------------------------------+
      |   Property  |              Value               |
      +-------------+----------------------------------+
      | description |          Service Tenant          |
      |   enabled   |               True               |
      |      id     | 6b69202e1bf846a4ae50d65bc4789122 |
      |     name    |             service              |
      +-------------+----------------------------------+
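The procedure above notes that any role you create in Keystone must map to a role named in each service's policy.json. The following added example (not part of this guide or of OpenStack) checks that mapping offline: it pulls every role:NAME reference out of a policy.json and compares it with the list of roles created in Keystone. The policy fragment is constructed for illustration and is not a real file from any release.

```python
import json
import re

# Constructed policy.json fragment in the format OpenStack services ship
# (string rules; older releases used nested lists, which are handled too).
SAMPLE_POLICY_JSON = """
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "is_admin:True or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "compute:create": "",
    "compute:delete": "rule:admin_or_owner or role:support",
    "os_compute_api:os-flavor-manage": "rule:context_is_admin"
}
"""

# A rule grants on a Keystone role through the token 'role:NAME'.
ROLE_TOKEN = re.compile(r"\brole:([A-Za-z0-9_\-]+)")


def _rule_strings(rule):
    """Yield the rule strings of one policy entry (string or nested lists)."""
    if isinstance(rule, str):
        yield rule
    else:
        for part in rule:
            yield from _rule_strings(part)


def roles_referenced(policy_text):
    """Set of role names that the policy refers to via 'role:NAME'."""
    policy = json.loads(policy_text)
    found = set()
    for rule in policy.values():
        for text in _rule_strings(rule):
            found.update(ROLE_TOKEN.findall(text))
    return found


def unmapped_roles(policy_text, keystone_roles):
    """Roles the policy names but Keystone lacks: those rules can never match."""
    return sorted(roles_referenced(policy_text) - set(keystone_roles))


def unused_roles(policy_text, keystone_roles):
    """Roles created in Keystone that this policy never grants anything to."""
    return sorted(set(keystone_roles) - roles_referenced(policy_text))


if __name__ == "__main__":
    created = ["admin", "_member_"]  # roles created by the procedure above
    print("referenced:", sorted(roles_referenced(SAMPLE_POLICY_JSON)))
    print("unmapped:", unmapped_roles(SAMPLE_POLICY_JSON, created))
    print("unused:", unused_roles(SAMPLE_POLICY_JSON, created))
```

Run it against the real policy.json of each service (for example with json.load on the file) and the output of keystone role-list to confirm that admin and _member_ are actually meaningful to that service before you rely on them.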