openstack-manuals/doc/install-guide/section_keystone-verify.xml
Christian Berendt d3de4f644b Add example output for 'keystone token-get' in the Installation Guide
Change-Id: Ibf7dccb5abd0b6ae76b4c878bbf3824a9c42e263
2014-10-10 13:55:03 +02:00

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-verify">
<title>Verify operation</title>
<para>This section describes how to verify operation of the Identity
service.</para>
<procedure>
<step>
<para>Unset the temporary <envar>OS_SERVICE_TOKEN</envar> and
<envar>OS_SERVICE_ENDPOINT</envar> environment variables:</para>
<screen><prompt>$</prompt> <userinput>unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT</userinput></screen>
</step>
<step>
<para>As the <literal>admin</literal> tenant and user, request an
authentication token:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name admin --os-username admin --os-password <replaceable>ADMIN_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 token-get</userinput></screen>
<para>Replace <replaceable>ADMIN_PASS</replaceable> with the password
you chose for the <literal>admin</literal> user in the Identity
service. You might need to use single quotes (') around your password
if it includes special characters.</para>
<para>Lengthy output that includes a token value verifies operation
for the <literal>admin</literal> tenant and user.</para>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> tenant and user, list tenants to verify
that the <literal>admin</literal> tenant and user can execute
admin-only CLI commands and that the Identity service contains the
tenants that you created in <xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> tenant and user, list
tenants to verify that the <literal>admin</literal> tenant and user
can execute admin-only CLI commands and that the Identity service
contains the tenants created by the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name admin --os-username admin --os-password <replaceable>ADMIN_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 tenant-list</userinput>
<computeroutput>+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 6f4c1e4cbfef4d5a8a1345882fbca110 |  admin   |   True  |
| 4aa51bb942be4dd0ac0555d7591f80a6 |   demo   |   True  |
| 6b69202e1bf846a4ae50d65bc4789122 | service  |   True  |
+----------------------------------+----------+---------+</computeroutput></screen>
<note>
<para>Because OpenStack generates IDs dynamically, you will see
different values from this example command output.</para>
</note>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> tenant and user, list users to verify
that the Identity service contains the users that you created
in <xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> tenant and user, list
users to verify that the Identity service contains the users
created by the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name admin --os-username admin --os-password <replaceable>ADMIN_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 user-list</userinput>
<computeroutput>+----------------------------------+---------+---------+---------------------+
|                id                |   name  | enabled |        email        |
+----------------------------------+---------+---------+---------------------+
| ea8c352d253443118041c9c8b8416040 |  admin  |   True  |  admin@example.com  |
| 7004dfa0dda84d63aef81cf7f100af01 |   demo  |   True  |   demo@example.com  |
+----------------------------------+---------+---------+---------------------+</computeroutput></screen>
</step>
<step>
<para os="ubuntu;rhel;centos;fedora;sles;opensuse">As the
<literal>admin</literal> tenant and user, list roles to verify
that the Identity service contains the role that you created
in <xref linkend="keystone-users"/>:</para>
<para os="debian">As the <literal>admin</literal> tenant and user, list
roles to verify that the Identity service contains the role
created by the configuration tool:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name admin --os-username admin --os-password <replaceable>ADMIN_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 role-list</userinput>
<computeroutput>+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| bff3a6083b714fa29c9344bf8930d199 |  admin   |
+----------------------------------+----------+</computeroutput></screen>
</step>
<step>
<para>As the <literal>demo</literal> tenant and user, request an
authentication token:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name demo --os-username demo --os-password <replaceable>DEMO_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 token-get</userinput>
<computeroutput>+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2014-10-10T12:51:33Z       |
|     id    | 1b87ceae9e08411ba4a16e4dada04802 |
| tenant_id | 4aa51bb942be4dd0ac0555d7591f80a6 |
|  user_id  | 7004dfa0dda84d63aef81cf7f100af01 |
+-----------+----------------------------------+</computeroutput></screen>
<para>Replace <replaceable>DEMO_PASS</replaceable> with the password
you chose for the <literal>demo</literal> user in the Identity
service.</para>
</step>
<step>
<para>As the <literal>demo</literal> tenant and user, attempt to list
users to verify that you cannot execute admin-only CLI
commands:</para>
<screen><prompt>$</prompt> <userinput>keystone --os-tenant-name demo --os-username demo --os-password <replaceable>DEMO_PASS</replaceable> \
--os-auth-url http://controller:35357/v2.0 user-list</userinput>
<computeroutput>You are not authorized to perform the requested action, admin_required. (HTTP 403)</computeroutput></screen>
<note>
<para>Each OpenStack service references a
<filename>policy.json</filename> file to determine the operations
available to a particular tenant, user, or role. For more
information, see the
<link xlink:href="http://docs.openstack.org/openstack-ops/content/projects_users.html">Operations Guide - Managing Projects and Users</link>.</para>
</note>
</step>
</procedure>
</section>
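
The procedure above as one script, added here as an example that is not part of the Installation Guide: it passes credentials through the keystone client's OS_* environment variables and accepts only an explicit HTTP 403 as proof that the demo user is denied. ADMIN_PASS, DEMO_PASS and AUTH_URL are variable names assumed for this example, and the user names are assumed to equal the tenant names, as in the commands above.

```shell
#!/bin/sh
# Added example, not part of the guide. Assumes ADMIN_PASS and DEMO_PASS are
# set in the environment; AUTH_URL is a hypothetical override for the endpoint.

# Run a keystone subcommand as tenant/user $1 with password $2. Credentials go
# through the client's OS_* environment variables instead of --os-password, so
# the password does not appear in the process argument list.
ks() {
    ks_name=$1; ks_pass=$2; shift 2
    OS_TENANT_NAME=$ks_name OS_USERNAME=$ks_name OS_PASSWORD=$ks_pass \
    OS_AUTH_URL=${AUTH_URL:-http://controller:35357/v2.0} keystone "$@"
}

# Succeed if the token-get table on stdin has a non-empty "id" row.
has_token() {
    awk -F'|' '$2 ~ /^ *id *$/ && $3 ~ /[^ ]/ { ok = 1 } END { exit !ok }'
}

# Succeed if every argument appears in the "name" column of the table on stdin.
has_names() {
    names=$(awk -F'|' 'NF > 3 && $2 !~ /^ *id *$/ { gsub(/ /, "", $3); print $3 }')
    for want in "$@"; do
        printf '%s\n' "$names" | grep -qxF -- "$want" || return 1
    done
}

fail() { echo "FAIL: $*" >&2; return 1; }

# Run the checks of the procedure in order; stop at the first failure.
verify_identity() {
    ks admin "$ADMIN_PASS" token-get | has_token || fail "admin token-get" || return 1
    ks admin "$ADMIN_PASS" tenant-list | has_names admin demo service || fail "tenant-list" || return 1
    ks admin "$ADMIN_PASS" user-list | has_names admin demo || fail "user-list" || return 1
    ks admin "$ADMIN_PASS" role-list | has_names admin || fail "role-list" || return 1
    ks demo "$DEMO_PASS" token-get | has_token || fail "demo token-get" || return 1
    # Negative test: pass only on an explicit 403. A user listing, a timeout or
    # any other error must not be mistaken for "access denied".
    denied=$(ks demo "$DEMO_PASS" user-list 2>&1) || true
    case $denied in
        *"(HTTP 403)"*) echo "OK: all checks passed" ;;
        *) fail "demo user-list was not rejected with HTTP 403"; return 1 ;;
    esac
}

if [ "${1:-}" = run ]; then verify_identity; fi
```

Pass `run` as the first argument to execute the checks against a live Identity service; without it the script only defines the functions.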