openstack/openstack-manuals
Code Issues Proposed changes
30d3d29eea
openstack-manuals/doc/install-guide/section_keystone-users.xml
Matthew Kassawara cd89eca969 Modify keystone content for Kilo 
Modify keystone content for Kilo as follows:

1) Replace default eventlet front-end with Apache front-end
   to provide a more production-style deployment.

   * Disable keystone service from starting up automatically
     because it creates port conflicts with Apache.
   * Use the Apache virtual host configuration template from
     the keystone source repository.
   * Use the WSGI components from the keystone source
     repository because the packages don't include them.
   * Will update source repository links after release.

2) Replace SQL back-end with Memcache back-end for tokens to
   provide a more production-style deployment.

   * Remove cron job that deletes expired tokens from the SQL
     database.

3) Enable version 3 API.

   * Change "tenant" to "project" to align with v3 API
     terminology.
   * Include tests to verify operation.

4) Replace python-keystoneclient with python-openstackclient.

   * Update openrc files to work with python-openstackclient.

5) Replace password entry on CLI with prompts.

6) Move service and endpoint creation section before user and
   project creation section to improve flow.

7) Add note about adding sections and options to default
   configuration files.

8) Disable temporary authentication token mechanism prior to
   service verification.

Many of these changes stem from keystone deprecations and
recommendations from the keystone PTL. Also, this patch only
addresses Ubuntu. For other distributions, please submit
additional patches rather than modifying this patch.

Implements: blueprint installguide-kilo
Change-Id: I9a2e53f14d6ed41df0085256c20904760a58ea25
2015-04-03 09:16:41 -05:00

165 lines
7.6 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-users">
<title>Create projects, users, and roles</title>
<para>The Identity service provides authentication services for each
OpenStack service. The authentication service uses a combination of
<glossterm baseform="domain">domains</glossterm>,
<glossterm baseform="project">projects</glossterm> (tenants),
<glossterm baseform="user">users</glossterm>, and
<glossterm baseform="role">roles</glossterm>.</para>
<note>
<para>For simplicity, this guide implicitly uses the
<literal>default</literal> domain.</para>
</note>
<procedure>
<title>To create tenants, users, and roles</title>
<note os="debian">
<para>The packages can automatically create the service entity and
API endpoints.</para>
</note>
<step>
<para>Create an administrative project, user, and role for
administrative operations in your environment:</para>
<substeps>
<step>
<para>Create the <literal>admin</literal> project:</para>
<screen><prompt>$</prompt> <userinput>openstack project create --description "Admin Project" admin</userinput>
<computeroutput>+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| enabled | True |
| id | cf12a15c5ea84b019aec3dc45580896b |
| name | admin |
+-------------+----------------------------------+</computeroutput></screen>
<note>
<para>OpenStack generates IDs dynamically, so you will see
different values in the example command output.</para>
</note>
</step>
<step>
<para>Create the <literal>admin</literal> user:</para>
<screen><prompt>$</prompt> <userinput>openstack user create --password-prompt admin</userinput>
<computeroutput>User Password:
Repeat User Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| email | None |
| enabled | True |
| id | 4d411f2291f34941b30eef9bd797505a |
| name | admin |
| username | admin |
+------------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create the <literal>admin</literal> role:</para>
<screen><prompt>$</prompt> <userinput>openstack role create admin</userinput>
<computeroutput>+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin |
+-------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>Add the <literal>admin</literal> role to the
<literal>admin</literal> project and user:</para>
<screen><prompt>$</prompt> <userinput>openstack role add --project admin --user admin admin</userinput>
<computeroutput>+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin |
+-------+----------------------------------+</computeroutput></screen>
</step>
</substeps>
<note>
<para>Any roles that you create must map to roles specified in the
<filename>policy.json</filename> file in the configuration file
directory of each OpenStack service. The default policy for most
services grants administrative access to the
<literal>admin</literal> role. For more information,
see the
<link xlink:href="http://docs.openstack.org/openstack-ops/content/projects_users.html">Operations Guide - Managing Projects and Users</link>.</para>
</note>
</step>
<step>
<para>This guide uses a service project that contains a unique
user for each service that you add to your environment.</para>
<substeps>
<step>
<para>Create the <literal>service</literal> project:</para>
<screen><prompt>$</prompt> <userinput>openstack project create --description "Service Project" service</userinput>
<computeroutput>+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| enabled | True |
| id | 55cbd79c0c014c8a95534ebd16213ca1 |
| name | service |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</substeps>
</step>
<step>
<para>Regular (non-admin) tasks should use an unprivileged project
and user. As an example, this guide creates the
<literal>demo</literal> project and user.</para>
<substeps>
<step>
<para>Create the <literal>demo</literal> project:</para>
<screen><prompt>$</prompt> <userinput>openstack project create --description "Demo Project" demo</userinput>
<computeroutput>+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| enabled | True |
| id | ab8ea576c0574b6092bb99150449b2d3 |
| name | demo |
+-------------+----------------------------------+</computeroutput></screen>
<note>
<para>Do not repeat this step when creating additional
users for this project.</para>
</note>
</step>
<step>
<para>Create the <literal>demo</literal> user:</para>
<screen><prompt>$</prompt> <userinput>openstack user create --password-prompt demo</userinput>
<computeroutput>User Password:
Repeat User Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| email | None |
| enabled | True |
| id | 3a81e6c8103b46709ef8d141308d4c72 |
| name | demo |
| project_id | ab8ea576c0574b6092bb99150449b2d3 |
| username | demo |
+------------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>Add the <literal>_member_</literal> role to the
<literal>demo</literal> project and user:</para>
<screen><prompt>$</prompt> <userinput>openstack role add --project demo --user demo _member_</userinput>
<computeroutput>+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 9fe2ff9ee4384b1894a90878d3e92bab |
| name | _member_ |
+-------+----------------------------------+</computeroutput></screen>
</step>
</substeps>
<note>
<para>You can repeat this procedure to create additional projects
and users.</para>
</note>
</step>
</procedure>
</section>
View Git Blame Copy Permalink