88d007d6f7
The example command of user-role-list in keystone verify section is wrong, which should add required parameters --user and --tenant. Change-Id: I2447d1574536f7575297d1664861a7c8c0b1a25c Closes-Bug: #1304546
104 lines
5.6 KiB
XML
104 lines
5.6 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xml:id="keystone-verify"
|
|
xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0">
|
|
<title>Verify the Identity Service installation</title>
|
|
<procedure>
|
|
<step>
|
|
<para>To verify that the Identity Service is installed and
|
|
configured correctly, clear the values in the
|
|
<envar>OS_SERVICE_TOKEN</envar> and
|
|
<envar>OS_SERVICE_ENDPOINT</envar> environment
|
|
variables:</para>
|
|
<screen><prompt>$</prompt> <userinput>unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT</userinput></screen>
|
|
<para>These variables, which were used to bootstrap the
|
|
administrative user and register the Identity Service, are no
|
|
longer needed.</para>
|
|
</step>
|
|
<step>
|
|
<para>You can now use regular user name-based
|
|
authentication.</para>
|
|
<para>Request a authentication token by using the
|
|
<literal>admin</literal> user and the password you chose for
|
|
that user:</para>
|
|
<screen><prompt>$</prompt> <userinput>keystone --os-username=admin --os-password=<replaceable>ADMIN_PASS</replaceable> \
|
|
--os-auth-url=http://controller:35357/v2.0 token-get</userinput></screen>
|
|
<para>In response, you receive a token paired with your user ID.
|
|
This verifies that the Identity Service is running on the
|
|
expected endpoint and that your user account is established
|
|
with the expected credentials.</para>
|
|
</step>
|
|
<step>
|
|
<para>Verify that authorization behaves as expected. To do so,
|
|
request authorization on a tenant:</para>
|
|
<screen><prompt>$</prompt> <userinput>keystone --os-username=admin --os-password=<replaceable>ADMIN_PASS</replaceable> \
|
|
--os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 \
|
|
token-get</userinput></screen>
|
|
<para>In response, you receive a token that includes the ID of
|
|
the tenant that you specified. This verifies that your user
|
|
account has an explicitly defined role on the specified tenant
|
|
and the tenant exists as expected.</para>
|
|
</step>
|
|
<step>
|
|
<para>You can also set your <literal>--os-*</literal> variables
|
|
in your environment to simplify command-line usage. Set up a
|
|
<filename>openrc.sh</filename> file with the admin
|
|
credentials and admin endpoint:</para>
|
|
<programlisting language="bash">export OS_USERNAME=admin
|
|
export OS_PASSWORD=<replaceable>ADMIN_PASS</replaceable>
|
|
export OS_TENANT_NAME=admin
|
|
export OS_AUTH_URL=http://controller:35357/v2.0</programlisting>
|
|
</step>
|
|
<step>
|
|
<para>Source this file to read in the environment
|
|
variables:</para>
|
|
<screen><prompt>$</prompt> <userinput>source openrc.sh</userinput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Verify that your <filename>openrc.sh</filename> file is
|
|
configured correctly. Run the same command without the
|
|
<literal>--os-*</literal> arguments:</para>
|
|
<screen><prompt>$</prompt> <userinput>keystone token-get</userinput></screen>
|
|
<para>The command returns a token and the ID of the specified
|
|
tenant. This verifies that you have configured your
|
|
environment variables correctly.</para>
|
|
</step>
|
|
<step>
|
|
<para>Verify that your admin account has authorization to
|
|
perform administrative commands:</para>
|
|
<screen><prompt>$</prompt> <userinput>keystone user-list</userinput>
|
|
<computeroutput>+----------------------------------+-------+---------+-------------------+
|
|
| id | name | enabled | email |
|
|
+----------------------------------+-------+---------+-------------------+
|
|
| afea5bde3be9413dbd60e479fddf9228 | admin | True | admin@example.com |
|
|
| 32aca1f9a47540c29d6988091f76c934 | demo | True | demo@example.com |
|
|
+----------------------------------+-------+---------+-------------------+
|
|
</computeroutput></screen>
|
|
<screen><prompt>$</prompt> <userinput>keystone user-role-list --user admin --tenant admin</userinput>
|
|
<computeroutput>+----------------------------------+----------+----------------------------------+----------------------------------+
|
|
| id | name | user_id | tenant_id |
|
|
+----------------------------------+----------+----------------------------------+----------------------------------+
|
|
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | a4c2d43f80a549a19864c89d759bb3fe | e519b772cb43474582fa303da62559e5 |
|
|
| 5d3b60b66f1f438b80eaae41a77b5951 | admin | a4c2d43f80a549a19864c89d759bb3fe | e519b772cb43474582fa303da62559e5 |
|
|
+----------------------------------+----------+----------------------------------+----------------------------------+</computeroutput></screen>
|
|
<para>Seeing that the <literal>id</literal> in the output
|
|
from the <command>keystone user-list</command>
|
|
command matches the <literal>user_id</literal> in the
|
|
<command>keystone user-role-list</command> command,
|
|
and that the admin role is listed for that user, for the
|
|
related tenant, this verifies that your user account has the
|
|
<literal>admin</literal> role, which matches the role
|
|
used in the Identity Service <filename>policy.json</filename>
|
|
file.</para>
|
|
<note>
|
|
<para>As long as you define your credentials and the Identity
|
|
Service endpoint through the command line or environment
|
|
variables, you can run all OpenStack client commands from
|
|
any machine. For details, see <xref linkend="ch_clients"
|
|
/>.</para>
|
|
</note>
|
|
</step>
|
|
</procedure>
|
|
</section>
|