openstack/openstack-manuals
Code Issues Proposed changes
ae6dd0ffb3
openstack-manuals/doc/install-guide/source/keystone-users.rst
Andreas Jaeger 25d1b7d617 Remove DocBook XML files for Install Guide 
Remove DocBook XML files and rename directory from install-guide-rst to
install-guide.

Adjust everything so that publishing works.
Update README to remove DocBook XML Install Guide specific instructions.

Implements: blueprint installguide-liberty
Change-Id: If723c44c3c0383dc8ab8e53798d82e7f0ee2cc57
2015-08-19 16:35:31 +02:00

6.7 KiB
Raw Blame History

Create projects, users, and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains <domain>, projects<project> (tenants), users<user>, and roles<role>.

Note

For simplicity, this guide implicitly uses the default domain.

debian

Note

The packages can automatically create the service entity and API endpoint.

To create tenants, users, and roles

  1. Create an administrative project, user, and role for administrative operations in your environment:

    1. Create the admin project:

      $ openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| enabled     | True                             |
| id          | cf12a15c5ea84b019aec3dc45580896b |
| name        | admin                            |
+-------------+----------------------------------+

      Note

      OpenStack generates IDs dynamically, so you will see different values in the example command output.

    2. Create the admin user:

      $ openstack user create --password-prompt admin
User Password:
Repeat User Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| email      | None                             |
| enabled    | True                             |
| id         | 4d411f2291f34941b30eef9bd797505a |
| name       | admin                            |
| username   | admin                            |
+------------+----------------------------------+

    3. Create the admin role:

      $ openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | cd2cb9a39e874ea69e5d4b896eb16128 |
| name  | admin                            |
+-------+----------------------------------+

    4. Add the admin role to the admin project and user:

      $ openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | cd2cb9a39e874ea69e5d4b896eb16128 |
| name  | admin                            |
+-------+----------------------------------+

      Note

      Any roles that you create must map to roles specified in the policy.json file in the configuration file directory of each OpenStack service. The default policy for most services grants administrative access to the admin role. For more information, see the Operations Guide - Managing Projects and Users.

  2. This guide uses a service project that contains a unique user for each service that you add to your environment.

    1. Create the service project:

      $ openstack project create --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| enabled     | True                             |
| id          | 55cbd79c0c014c8a95534ebd16213ca1 |
| name        | service                          |
+-------------+----------------------------------+
  3. Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.

    1. Create the demo project:

      $ openstack project create --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| enabled     | True                             |
| id          | ab8ea576c0574b6092bb99150449b2d3 |
| name        | demo                             |
+-------------+----------------------------------+

      Note

      Do not repeat this step when creating additional users for this project.

    2. Create the demo user:

      $ openstack user create --password-prompt demo
User Password:
Repeat User Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| email      | None                             |
| enabled    | True                             |
| id         | 3a81e6c8103b46709ef8d141308d4c72 |
| name       | demo                             |
| username   | demo                             |
+------------+----------------------------------+

    3. Create the user role:

      $ openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 9fe2ff9ee4384b1894a90878d3e92bab |
| name  | user                             |
+-------+----------------------------------+

    4. Add the user role to the demo project and user:

      $ openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 9fe2ff9ee4384b1894a90878d3e92bab |
| name  | user                             |
+-------+----------------------------------+

Note

You can repeat this procedure to create additional projects and users.