openstack-manuals/doc/src/docbkx/openstack-install/identity-config-keystone.xml


<?xml version="1.0" encoding="UTF-8"?>
<section xml:id="identity-configure-keystone"
xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"><title>Defining Roles and Users in the Identity Service (Keystone)</title>
<para>Before you begin, ensure that the OpenStack Compute and Image
services are installed and that all of their databases are connected
before you configure the Identity Service endpoints.</para>
<para>Next, add the default tenant, an administrator, roles,
and users to get a working installation started. The initial
tenant, user name, and password are openstackdemo, admin, and
secretword.</para>
<para>First, add two tenants, one named openstackDemo and one named
adminTenant.</para>
<literallayout class="monospaced">sudo keystone-manage tenant add openstackDemo
sudo keystone-manage tenant add adminTenant</literallayout>
<para>Each of these commands should return a SUCCESS
message, such as:</para>
<para>
<literallayout class="monospaced">SUCCESS: Tenant openstackDemo created.</literallayout>
</para>
<para>Now, add users and assign their passwords.</para>
<literallayout class="monospaced">sudo keystone-manage user add adminUser secretword
sudo keystone-manage user add demoUser secretword</literallayout>
<para>Now add an invented token (any combination of numbers and
letters will do) to the admin user for the openstackdemo
tenant, and ensure that an expiration date is assigned. This
one expires in about four years.</para>
<literallayout class="monospaced">sudo keystone-manage token add 11121314151617181920 adminUser adminTenant 2015-02-05T00:0 </literallayout>
<para>If you see an error like "Creating a token requires a token
id, user, tenant, and expiration", you are probably missing
the expiration date.</para>
<para>Create the Admin role and the Member role.</para>
<literallayout class="monospaced">sudo keystone-manage role add Admin
sudo keystone-manage role add Member</literallayout>
<para>Grant the Admin role to the admin user and then grant the Member
role to the demo user.</para>
<literallayout class="monospaced">sudo keystone-manage role grant Admin adminUser
sudo keystone-manage role grant Member demoUser</literallayout>
<para>Grant the Admin role to the adminUser user for both the openstackDemo
and adminTenant tenants. Grant the Member role to the demoUser
for the openstackDemo tenant.</para>
<literallayout class="monospaced">sudo keystone-manage role grant Admin adminUser openstackDemo
sudo keystone-manage role grant Admin adminUser adminTenant
sudo keystone-manage role grant Member demoUser openstackDemo</literallayout>
<section xml:id="identity-define-services-endpoints">
<title>Define Services and Endpoints</title>
<para>Now that all your starter tenants, users, and roles have
been created, move on to endpoints.</para>
<para>First, add all the services that you want the Identity
Service to be connected with. This example registers every
service available in this example installation. You may see an
IntegrityError when using the Manage IT packages and
issuing these
commands.<literallayout class="monospaced">sudo keystone-manage service add nova compute "Nova Compute Service"
sudo keystone-manage service add glance image "Glance Image Service"
sudo keystone-manage service add keystone identity "Keystone Identity Service"<!--sudo keystone-manage service add swift object-store "Swift Object Storage Service"--></literallayout></para>
<para>Now add endpoint templates for each of these now-named services.
An endpoint template combines the IP address, port, and API
version number into a complete endpoint.
<literallayout class="monospaced">sudo keystone-manage endpointTemplates add RegionOne nova http://192.168.206.130:8774/v1.1/%tenant_id% http://192.168.206.130:8774/v1.1/%tenant_id% http://192.168.206.130:8774/v1.1/%tenant_id% 1 1
sudo keystone-manage endpointTemplates add RegionOne glance http://192.168.206.130:9292/v1 http://192.168.206.130:9292/v1 http://192.168.206.130:9292/v1 1 1
sudo keystone-manage endpointTemplates add RegionOne keystone http://192.168.206.130:5000/v2.0 http://192.168.206.130:35357/v2.0 http://192.168.206.130:5000/v2.0 1 1<!--sudo keystone-manage endpointTemplates add RegionOne glance http://192.168.206.130:9292/v1.1/%tenant_id% http://192.168.206.130:9292/v1.1/%tenant_id% http://192.168.206.130:9292/v1.1/%tenant_id% 1 1 --><!--sudo keystone-manage endpointTemplates add RegionOne swift http://192.168.206.130:8080/v1/AUTH_%tenant_id% http://192.168.206.130:8080/ http://192.168.206.130:8080/v1/AUTH_%tenant_id% 1 1--></literallayout></para>
<para>Optionally, you can add EC2 credentials to the Identity Service for any commands that you want to run with euca2ools.</para>
<literallayout class="monospaced">sudo keystone-manage credentials add adminUser EC2 'secretword' adminTenant
sudo keystone-manage credentials add demoUser EC2 'secretword' openstackDemo</literallayout>
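<para>The following is an added pre-flight check for the bootstrap sequence above; it is example code, not part of the OpenStack manual or of keystone-manage. It mirrors the page's tenants, users, role grants, and endpoint templates in a constructed plan, generates a random admin token with a future expiry in place of an invented digit string, and flags grants that reference undefined names, users that share a password, a past or malformed token expiry, and a keystone admin URL that sits on the same port as the public URL. The (public, admin, internal) URL order is an assumption taken from the page's keystone endpointTemplates line.</para>

```python
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed plan mirroring the page's keystone-manage commands. The
# (public, admin, internal) tuple order is assumed from the keystone line.
PLAN = {
    "tenants": ["openstackDemo", "adminTenant"],
    "users": {"adminUser": "secretword", "demoUser": "secretword"},
    "roles": ["Admin", "Member"],
    "grants": [("Admin", "adminUser", "openstackDemo"),
               ("Admin", "adminUser", "adminTenant"),
               ("Member", "demoUser", "openstackDemo")],
    "endpoints": {
        "nova": ("http://192.168.206.130:8774/v1.1/%tenant_id%",) * 3,
        "glance": ("http://192.168.206.130:9292/v1",) * 3,
        "keystone": ("http://192.168.206.130:5000/v2.0",
                     "http://192.168.206.130:35357/v2.0",
                     "http://192.168.206.130:5000/v2.0"),
    },
}
TOKEN_FMT = "%Y-%m-%dT%H:%M"  # shape of the expiry argument used on the page

def new_admin_token(lifetime_days=30):
    """Random token id plus a future expiry, instead of an invented digit string."""
    expires = datetime.now(timezone.utc) + timedelta(days=lifetime_days)
    return secrets.token_hex(16), expires.strftime(TOKEN_FMT)

def check_plan(plan, token_expiry, now=None):
    """Return a list of problems; an empty list means the plan is safe to apply."""
    now = now or datetime.now(timezone.utc).replace(tzinfo=None)
    problems = []
    for role, user, tenant in plan["grants"]:
        for kind, name, known in (("role", role, plan["roles"]),
                                  ("user", user, plan["users"]),
                                  ("tenant", tenant, plan["tenants"])):
            if name not in known:
                problems.append(f"grant references undefined {kind} {name}")
    if len(plan["users"]) > len(set(plan["users"].values())):
        problems.append("users share a password")
    try:
        if not datetime.strptime(token_expiry, TOKEN_FMT) > now:
            problems.append("token expiry is not in the future")
    except ValueError:
        problems.append("token expiry is not a YYYY-MM-DDTHH:MM timestamp")
    pub, adm, _ = plan["endpoints"]["keystone"]
    if urlparse(pub).port == urlparse(adm).port:
        problems.append("keystone admin URL shares the public port")
    return problems
```

Run check_plan against your own plan before issuing the keystone-manage commands; the page's sample plan reports the shared password and, with the page's 2015 expiry, a token that has already expired.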
<para>The Identity Service, Keystone, is now configured and ready
to accept requests.</para>
</section>
</section>