openstack/openstack-manuals
Code Issues Proposed changes
1a23ae9cd7
openstack-manuals/doc/install-guide/section_keystone-verify.xml
Harry Sutton d1e9823be1 Add a missing password prompt for Demo user in an example 
A password prompt was missing from the last example in this section;
this patch adds the required text.

Change-Id: Ic69ace7e2998a9584c44c7a37502b1c3e0a846e6
Closes-bug: #1464337
Backport: Kilo
2015-06-12 08:38:51 -04:00

179 lines
8.4 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-verify">
<title>Verify operation</title>
<para>Verify operation of the Identity service before installing other
services.</para>
<procedure>
<step>
<para>For security reasons, disable the temporary authentication
token mechanism:</para>
<para>Edit the
<filename os="ubuntu;sles;opensuse">/etc/keystone/keystone-paste.ini</filename>
<filename os="rhel;centos;fedora">/usr/share/keystone/keystone-dist-paste.ini</filename>
file and remove <literal>admin_token_auth</literal> from the
<literal>[pipeline:public_api]</literal>,
<literal>[pipeline:admin_api]</literal>, and
<literal>[pipeline:api_v3]</literal> sections.</para>
</step>
<step>
<para>Unset the temporary <envar>OS_TOKEN</envar> and
<envar>OS_URL</envar> environment variables:</para>
<screen><prompt>$</prompt> <userinput>unset OS_TOKEN OS_URL</userinput></screen>
</step>
<step>
<para>As the <literal>admin</literal> user, request an authentication
token from the Identity version 2.0 API:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
token issue</userinput>
<computeroutput>Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para>The Identity version 3 API adds support for domains that contain
projects and users. Projects and users can use the same names in
different domains. Therefore, in order to use the version 3 API,
requests must also explicitly contain at least the
<literal>default</literal> domain or use IDs. For simplicity, this
guide explicitly uses the <literal>default</literal> domain
so examples can use names instead of IDs.</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue</userinput>
<computeroutput>Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> user, list projects to verify that the
<literal>admin</literal> user can execute admin-only CLI commands
and that the Identity service contains the projects that you
created in <xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> user, list projects
to verify that the <literal>admin</literal> user can execute
CLI commands and that the Identity service contains the projects
created by the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
project list</userinput>
<computeroutput>Password:
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 55cbd79c0c014c8a95534ebd16213ca1 | service |
| ab8ea576c0574b6092bb99150449b2d3 | demo |
| cf12a15c5ea84b019aec3dc45580896b | admin |
+----------------------------------+---------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> user, list users to verify that the
Identity service contains the users that you created in
<xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> user, list users to
verify that the Identity service contains the users created by
the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
user list</userinput>
<computeroutput>Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4d411f2291f34941b30eef9bd797505a | admin |
| 3a81e6c8103b46709ef8d141308d4c72 | demo |
+----------------------------------+-------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> user, list roles to verify that the
Identity service contains the role that you created in
<xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> user, list roles to
verify that the Identity service contains the role created by the
configuration tool:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin --os-auth-type password \
role list</userinput>
<computeroutput>Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 9fe2ff9ee4384b1894a90878d3e92bab | user |
| cd2cb9a39e874ea69e5d4b896eb16128 | admin |
+----------------------------------+-------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>admin</literal>
user.</para>
</note>
</step>
<step>
<para>As the <literal>demo</literal> user, request an authentication
token from the Identity version 3 API:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue</userinput>
<computeroutput>Password:
+------------+----------------------------------+
| Property | Value |
+------------+----------------------------------+
| expires | 2014-10-10T12:51:33Z |
| id | 1b87ceae9e08411ba4a16e4dada04802 |
| project_id | 4aa51bb942be4dd0ac0555d7591f80a6 |
| user_id | 7004dfa0dda84d63aef81cf7f100af01 |
+------------+----------------------------------+</computeroutput></screen>
<note>
<para>This command uses the password for the <literal>demo</literal>
user and API port 5000 which only allows regular (non-admin)
access to the Identity service API.</para>
</note>
</step>
<step>
<para>As the <literal>demo</literal> user, attempt to list users
to verify that it cannot execute admin-only CLI commands:</para>
<screen><prompt>$</prompt> <userinput>openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
user list</userinput>
<computeroutput>Password:
ERROR: openstack You are not authorized to perform the requested action, admin_required. (HTTP 403)</computeroutput></screen>
</step>
</procedure>
</section>
View Git Blame Copy Permalink