openstack/openstack-manuals
Code Issues Proposed changes
081c009b9e
openstack-manuals/doc/install-guide/section_keystone-verify.xml
Matthew Kassawara cd89eca969 Modify keystone content for Kilo 
Modify keystone content for Kilo as follows:

1) Replace default eventlet front-end with Apache front-end
   to provide a more production-style deployment.

   * Disable keystone service from starting up automatically
     because it creates port conflicts with Apache.
   * Use the Apache virtual host configuration template from
     the keystone source repository.
   * Use the WSGI components from the keystone source
     repository because the packages don't include them.
   * Will update source repository links after release.

2) Replace SQL back-end with Memcache back-end for tokens to
   provide a more production-style deployment.

   * Remove cron job that deletes expired tokens from the SQL
     database.

3) Enable version 3 API.

   * Change "tenant" to "project" to align with v3 API
     terminology.
   * Include tests to verify operation.

4) Replace python-keystoneclient with python-openstackclient.

   * Update openrc files to work with python-openstackclient.

5) Replace password entry on CLI with prompts.

6) Move service and endpoint creation section before user and
   project creation section to improve flow.

7) Add note about adding sections and options to default
   configuration files.

8) Disable temporary authentication token mechanism prior to
   service verification.

Many of these changes stem from keystone deprecations and
recommendations from the keystone PTL. Also, this patch only
addresses Ubuntu. For other distributions, please submit
additional patches rather than modifying this patch.

Implements: blueprint installguide-kilo
Change-Id: I9a2e53f14d6ed41df0085256c20904760a58ea25
2015-04-03 09:16:41 -05:00

176 lines
8.3 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-verify">
<title>Verify operation</title>
<para>Verify operation of the Identity service before installing other
services.</para>
<procedure>
<step>
<para>For security reasons, disable the temporary authentication
token mechanism:</para>
<para>Edit the <filename>/etc/keystone/keystone-paste.ini</filename> file
and remove <literal>admin_token_auth</literal> from the
<literal>[pipeline:public_api]</literal>,
<literal>[pipeline:admin_api]</literal>, and
<literal>[pipeline:api_v3]</literal> sections.</para>
</step>
<step>
<para>Unset the temporary <envar>OS_TOKEN</envar> and
<envar>OS_URL</envar> environment variables:</para>
<screen><prompt>$</prompt> <userinput>unset OS_TOKEN OS_URL</userinput></screen>
</step>
<step>
<para>As the <literal>admin</literal> user, request an authentication
token from the Identity version 2.0 API:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
token issue</userinput>
<computeroutput>Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para>The Identity version 3 API adds support for domains that contain
projects and users. Projects and users can use the same names in
different domains. Therefore, in order to use the version 3 API,
requests must also explicitly contain at least the
<literal>default</literal> domain or use IDs. For simplicity, this
guide explicitly uses the <literal>default</literal> domain
so examples can use names instead of IDs.</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue</userinput>
<computeroutput>Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> user, list projects to verify that the
<literal>admin</literal> user can execute admin-only CLI commands
and that the Identity service contains the projects that you
created in <xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> user, list projects
to verify that the <literal>admin</literal> user can execute
CLI commands and that the Identity service contains the projects
created by the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
project list</userinput>
<computeroutput>Password:
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 55cbd79c0c014c8a95534ebd16213ca1 | service |
| ab8ea576c0574b6092bb99150449b2d3 | demo |
| cf12a15c5ea84b019aec3dc45580896b | admin |
+----------------------------------+---------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> user, list users to verify that the
Identity service contains the users that you created in
<xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> user, list users to
verify that the Identity service contains the users created by
the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
user list</userinput>
<computeroutput>Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4d411f2291f34941b30eef9bd797505a | admin |
| 3a81e6c8103b46709ef8d141308d4c72 | demo |
+----------------------------------+-------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> user, list roles to verify that the
Identity service contains the role that you created in
<xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> user, list roles to
verify that the Identity service contains the role created by the
configuration tool:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
role list</userinput>
<computeroutput>Password:
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| cd2cb9a39e874ea69e5d4b896eb16128 | admin |
+----------------------------------+----------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para>As the <literal>demo</literal> user, request an authentication
token from the Identity version 3 API:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue</userinput>
<computeroutput>Password:
+-----------+----------------------------------+
| Property | Value |
+-----------+----------------------------------+
| expires | 2014-10-10T12:51:33Z |
| id | 1b87ceae9e08411ba4a16e4dada04802 |
| tenant_id | 4aa51bb942be4dd0ac0555d7591f80a6 |
| user_id | 7004dfa0dda84d63aef81cf7f100af01 |
+-----------+----------------------------------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>demo</literal>
user and API port 5000 which only allows regular (non-admin)
access to the Identity service API.</para>
</note>
</step>
<step>
<para>As the <literal>demo</literal> user, attempt to list users
to verify that it cannot execute admin-only CLI commands:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
user list</userinput>
<computeroutput>ERROR: openstack You are not authorized to perform the requested action, admin_required. (HTTP 403)</computeroutput></screen>
</step>
</procedure>
</section>
View Git Blame Copy Permalink