openstack-manuals/doc/install-guide/source/keystone-users.rst
venkatamahesh 7718456078 Update the ops-guide reference links with new ones
Change-Id: Iac6dc9e9a0b92dfc03456a099096bd59a9255fc1
2016-06-06 12:58:30 +09:00

188 lines
7.1 KiB
ReStructuredText

Create a domain, projects, users, and roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Identity service provides authentication services for each OpenStack
service. The authentication service uses a combination of :term:`domains
<domain>`, :term:`projects<project>` (tenants), :term:`users<user>`, and
:term:`roles<role>`.
#. Create the ``default`` domain:
.. code-block:: console
$ openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | e0353a670a9e496da891347c589539e9 |
| name | default |
+-------------+----------------------------------+
#. Create an administrative project, user, and role for administrative
operations in your environment:
* Create the ``admin`` project:
.. code-block:: console
$ openstack project create --domain default \
--description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | 343d245e850143a096806dfaefa9afdc |
| is_domain | False |
| name | admin |
| parent_id | None |
+-------------+----------------------------------+
.. note::
OpenStack generates IDs dynamically, so you will see different
values in the example command output.
* Create the ``admin`` user:
.. code-block:: console
$ openstack user create --domain default \
--password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | ac3377633149401296f6c0d92d79dc16 |
| name | admin |
+-----------+----------------------------------+
* Create the ``admin`` role:
.. code-block:: console
$ openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin |
+-----------+----------------------------------+
* Add the ``admin`` role to the ``admin`` project and user:
.. code-block:: console
$ openstack role add --project admin --user admin admin
.. note::
This command provides no output.
.. note::
Any roles that you create must map to roles specified in the
``policy.json`` file in the configuration file directory of each
OpenStack service. The default policy for most services grants
administrative access to the ``admin`` role. For more information,
see the `OpenStack Operations Guide - Managing Projects and
Users <http://docs.openstack.org/ops-guide/ops_projects_users.html>`__.
#. This guide uses a service project that contains a unique user for each
service that you add to your environment. Create the ``service``
project:
.. code-block:: console
$ openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | 894cdfa366d34e9d835d3de01e752262 |
| is_domain | False |
| name | service |
| parent_id | None |
+-------------+----------------------------------+
#. Regular (non-admin) tasks should use an unprivileged project and user.
As an example, this guide creates the ``demo`` project and user.
* Create the ``demo`` project:
.. code-block:: console
$ openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | ed0b60bf607743088218b0a533d5943f |
| is_domain | False |
| name | demo |
| parent_id | None |
+-------------+----------------------------------+
.. note::
Do not repeat this step when creating additional users for this
project.
* Create the ``demo`` user:
.. code-block:: console
$ openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | 58126687cbcc4888bfa9ab73a2256f27 |
| name | demo |
+-----------+----------------------------------+
* Create the ``user`` role:
.. code-block:: console
$ openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user |
+-----------+----------------------------------+
* Add the ``user`` role to the ``demo`` project and user:
.. code-block:: console
$ openstack role add --project demo --user demo user
.. note::
This command provides no output.
.. note::
You can repeat this procedure to create additional projects and
users.