Create tenants, users, and roles

After you install the Identity service, create tenants (projects), users, and roles for your environment.

You must use the temporary administration token that you created earlier and manually configure the location (endpoint) of the Identity service before you run keystone commands. You can pass the value of the administration token to the keystone command with a command-line option or set the temporary OS_SERVICE_TOKEN environment variable. Similarly, you can pass the location of the Identity service to the keystone command with a command-line option or set the temporary OS_SERVICE_ENDPOINT environment variable. This guide uses environment variables to reduce command length. For more information, see the Operations Guide - Managing Projects and Users.

The administration token bypasses normal authentication and grants full administrative access to anyone who presents it. Set it only in the shell you use for this procedure, do not write it into a profile or shared rc file, and unset OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT as soon as the admin user created below exists.

To configure prerequisites

1. Configure the administration token:

   $ export OS_SERVICE_TOKEN=ADMIN_TOKEN

   Replace ADMIN_TOKEN with the administration token that you generated earlier. For example:

   $ export OS_SERVICE_TOKEN=294a4c8a8a475f9b9836

2. Configure the endpoint:

   $ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

   Port 35357 is the administrative API endpoint of the Identity service.

To create tenants, users, and roles

1. Create an administrative tenant, user, and role for administrative operations in your environment:

   a. Create the admin tenant:

      $ keystone tenant-create --name admin --description "Admin Tenant"
      +-------------+----------------------------------+
      |   Property  |              Value               |
      +-------------+----------------------------------+
      | description |           Admin Tenant           |
      |   enabled   |               True               |
      |      id     | 6f4c1e4cbfef4d5a8a1345882fbca110 |
      |     name    |              admin               |
      +-------------+----------------------------------+

      Because OpenStack generates IDs dynamically, you will see different values from this example command output.
   b. Create the admin user:

      $ keystone user-create --name admin --pass ADMIN_PASS --email EMAIL_ADDRESS
      +----------+----------------------------------+
      | Property |              Value               |
      +----------+----------------------------------+
      |  email   |        admin@example.com         |
      | enabled  |               True               |
      |    id    | ea8c352d253443118041c9c8b8416040 |
      |   name   |              admin               |
      | username |              admin               |
      +----------+----------------------------------+

      Replace ADMIN_PASS with a suitable password and EMAIL_ADDRESS with a suitable e-mail address. A password typed literally on the command line is recorded in your shell history and is visible to other users of the host in the process list while the command runs; supply it from a variable, and clear the history entry afterwards if you did type it.

   c. Create the admin role:

      $ keystone role-create --name admin
      +----------+----------------------------------+
      | Property |              Value               |
      +----------+----------------------------------+
      |    id    | bff3a6083b714fa29c9344bf8930d199 |
      |   name   |              admin               |
      +----------+----------------------------------+

   d. Grant the admin role to the admin user in the admin tenant:

      $ keystone user-role-add --tenant admin --user admin --role admin

      This command provides no output.

      By default, the Identity service creates a special _member_ role. The OpenStack dashboard automatically grants access to users with this role. You must give the admin user this role in addition to the admin role.

   e. Grant the _member_ role to the admin user in the admin tenant:

      $ keystone user-role-add --tenant admin --user admin --role _member_

      This command provides no output.

   Any roles that you create must map to roles specified in the policy.json file included with each OpenStack service. The default policy for most services grants administrative access to the admin role. A role whose name does not appear in any policy.json rule grants no permissions, and a misspelt role name fails in the same silent way, so use exactly the names that the policy files reference. For more information, see the Operations Guide - Managing Projects and Users.
2. Create a demo tenant and user for typical, non-administrative operations in your environment:

   a. Create the demo tenant:

      $ keystone tenant-create --name demo --description "Demo Tenant"
      +-------------+----------------------------------+
      |   Property  |              Value               |
      +-------------+----------------------------------+
      | description |           Demo Tenant            |
      |   enabled   |               True               |
      |      id     | 4aa51bb942be4dd0ac0555d7591f80a6 |
      |     name    |               demo               |
      +-------------+----------------------------------+

      Do not repeat this step when creating additional users for this tenant.

   b. Create the demo user:

      $ keystone user-create --name demo --pass DEMO_PASS --email EMAIL_ADDRESS
      +----------+----------------------------------+
      | Property |              Value               |
      +----------+----------------------------------+
      |  email   |         demo@example.com         |
      | enabled  |               True               |
      |    id    | 7004dfa0dda84d63aef81cf7f100af01 |
      |   name   |               demo               |
      | username |               demo               |
      +----------+----------------------------------+

      Replace DEMO_PASS with a suitable password and EMAIL_ADDRESS with a suitable e-mail address.

   c. Grant the _member_ role to the demo user in the demo tenant:

      $ keystone user-role-add --tenant demo --user demo --role _member_

      This command provides no output. The demo user deliberately receives only _member_, not admin, so it cannot perform administrative operations.

   You can repeat this procedure to create additional tenants and users.

3. OpenStack services also require a tenant, user, and role to interact with other services. You will create a user in the service tenant for each service that you install. Create the service tenant:

   $ keystone tenant-create --name service --description "Service Tenant"
   +-------------+----------------------------------+
   |   Property  |              Value               |
   +-------------+----------------------------------+
   | description |          Service Tenant          |
   |   enabled   |               True               |
   |      id     | 6b69202e1bf846a4ae50d65bc4789122 |
   |     name    |             service              |
   +-------------+----------------------------------+
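The procedure above is usually scripted rather than typed, and two things then matter that the manual steps hide: the ids in the tables vary per deployment, so a script must parse them out of the client's ASCII output rather than hard-code them, and a misspelt role name produces no error, so the role assignments should be verified before the administration token is dropped. The following script is an added example written for this page; it is not part of the OpenStack guide. It uses the keystone commands from this section unchanged, takes the passwords and e-mail address from ADMIN_PASS, DEMO_PASS and EMAIL_ADDRESS in the environment (names chosen for the example), and unsets the service token when it finishes. The two sample tables are constructed, copied in shape from the output shown in this section, so that the parsing functions can be exercised without a running Identity service.

```shell
#!/bin/sh
# Added example for the "Create tenants, users, and roles" procedure; not part
# of the OpenStack guide. Function and variable names are the example's own.

# Constructed sample `keystone tenant-create` output (same shape as the guide's).
SAMPLE_TENANT_TABLE='+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Admin Tenant           |
|   enabled   |               True               |
|      id     | 6f4c1e4cbfef4d5a8a1345882fbca110 |
|     name    |              admin               |
+-------------+----------------------------------+'

# Constructed sample `keystone user-role-list --user admin --tenant admin` output.
SAMPLE_ROLE_TABLE='+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ea8c352d253443118041c9c8b8416040 | 6f4c1e4cbfef4d5a8a1345882fbca110 |
| bff3a6083b714fa29c9344bf8930d199 |  admin   | ea8c352d253443118041c9c8b8416040 | 6f4c1e4cbfef4d5a8a1345882fbca110 |
+----------------------------------+----------+----------------------------------+----------------------------------+'

# keystone_field PROPERTY: read a two-column Property/Value table on stdin and
# print the Value cell of the row whose Property cell equals PROPERTY.
keystone_field() {
  awk -F'|' -v key="$1" 'NF >= 4 {
    gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $3)
    if ($2 == key) { print $3; exit }
  }'
}

# is_hex_id VALUE: true when VALUE looks like a keystone-generated id (32 hex
# characters). Used to fail fast when the client printed an error, not a table.
is_hex_id() {
  printf '%s' "$1" | grep -Eq '^[0-9a-f]{32}$'
}

# role_names: read a `keystone user-role-list` table on stdin, print the name column.
role_names() {
  awk -F'|' 'NF >= 6 { gsub(/^[ \t]+|[ \t]+$/, "", $3); if ($3 != "name") print $3 }'
}

# missing_roles TABLE ROLE...: print each ROLE that does not appear in TABLE.
missing_roles() {
  table=$1; shift
  for role in "$@"; do
    printf '%s\n' "$table" | role_names | grep -qx -- "$role" || printf '%s\n' "$role"
  done
}

# bootstrap_identity: the guide's procedure against a live Identity service.
# Passwords come from the environment so the literal values never enter shell
# history; they are still visible on the keystone command line while it runs.
bootstrap_identity() {
  : "${OS_SERVICE_TOKEN:?}" "${OS_SERVICE_ENDPOINT:?}"
  : "${ADMIN_PASS:?}" "${DEMO_PASS:?}" "${EMAIL_ADDRESS:?}"

  tenant_id=$(keystone tenant-create --name admin --description "Admin Tenant" | keystone_field id)
  is_hex_id "$tenant_id" || { echo "admin tenant-create returned no id" >&2; return 1; }
  keystone user-create --name admin --pass "$ADMIN_PASS" --email "$EMAIL_ADDRESS" >/dev/null
  keystone role-create --name admin >/dev/null
  keystone user-role-add --tenant admin --user admin --role admin
  keystone user-role-add --tenant admin --user admin --role _member_

  keystone tenant-create --name demo --description "Demo Tenant" >/dev/null
  keystone user-create --name demo --pass "$DEMO_PASS" --email "$EMAIL_ADDRESS" >/dev/null
  keystone user-role-add --tenant demo --user demo --role _member_

  keystone tenant-create --name service --description "Service Tenant" >/dev/null

  # Verify before dropping the token: a role name that matches no policy.json
  # rule grants nothing and the client reports no error.
  missing=$(missing_roles "$(keystone user-role-list --user admin --tenant admin)" admin _member_)
  [ -z "$missing" ] || { echo "admin user is missing roles: $missing" >&2; return 1; }

  # The token bypasses authentication; stop using it once the admin user exists.
  unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
}

# Run the live procedure only on request; the helpers above work on the samples.
if [ "${1:-}" = "run" ]; then
  bootstrap_identity
fi
```

Run it as `sh bootstrap-identity.sh run` from a shell that has exported OS_SERVICE_TOKEN, OS_SERVICE_ENDPOINT and the three password and address variables. The `unset` at the end clears the token from the script's own process only; the shell that exported the variables still holds them and must unset them itself before you continue with the next section.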