openstack-manuals/doc/install-guide/source/keystone-verify.rst
Andreas Jaeger 25d1b7d617 Remove DocBook XML files for Install Guide
Remove DocBook XML files and rename directory from install-guide-rst to
install-guide.

Adjust everything so that publishing works.
Update README to remove DocBook XML Install Guide specific instructions.

Implements: blueprint installguide-liberty
Change-Id: If723c44c3c0383dc8ab8e53798d82e7f0ee2cc57
2015-08-19 16:35:31 +02:00


Verify operation

Verify operation of the Identity service before installing other services.

obs or ubuntu

  1. For security reasons, disable the temporary authentication token mechanism:

    Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.

rdo

  1. For security reasons, disable the temporary authentication token mechanism:

    Edit the /usr/share/keystone/keystone-dist-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.

  1. Unset the temporary OS_TOKEN and OS_URL environment variables:

    $ unset OS_TOKEN OS_URL
  2. As the admin user, request an authentication token from the Identity version 2.0 API:

    $ openstack --os-auth-url http://controller:35357 \
      --os-project-name admin --os-username admin \
      --os-auth-type password token issue
    Password:
    +------------+----------------------------------+
    | Field      | Value                            |
    +------------+----------------------------------+
    | expires    | 2015-03-24T18:55:01Z             |
    | id         | ff5ed908984c4a4190f584d826d75fed |
    | project_id | cf12a15c5ea84b019aec3dc45580896b |
    | user_id    | 4d411f2291f34941b30eef9bd797505a |
    +------------+----------------------------------+

    Note

    This command uses the password for the admin user.

  3. The Identity version 3 API adds support for domains that contain projects and users. Projects and users can use the same names in different domains. Therefore, in order to use the version 3 API, requests must also explicitly contain at least the default domain or use IDs. For simplicity, this guide explicitly uses the default domain so examples can use names instead of IDs.

    $ openstack --os-auth-url http://controller:35357 \
      --os-project-domain-id default --os-user-domain-id default \
      --os-project-name admin --os-username admin --os-auth-type password \
      token issue
    Password:
    +------------+----------------------------------+
    | Field      | Value                            |
    +------------+----------------------------------+
    | expires    | 2015-03-24T18:55:01Z             |
    | id         | ff5ed908984c4a4190f584d826d75fed |
    | project_id | cf12a15c5ea84b019aec3dc45580896b |
    | user_id    | 4d411f2291f34941b30eef9bd797505a |
    +------------+----------------------------------+

    Note

    This command uses the password for the admin user.

  4. As the admin user, list projects to verify that the admin user can execute admin-only CLI commands and that the Identity service contains the projects that you created in keystone-users:

    $ openstack --os-auth-url http://controller:35357 \
      --os-project-name admin --os-username admin \
      --os-auth-type password project list
    Password:
    +----------------------------------+---------+
    | ID                               | Name    |
    +----------------------------------+---------+
    | 55cbd79c0c014c8a95534ebd16213ca1 | service |
    | ab8ea576c0574b6092bb99150449b2d3 | demo    |
    | cf12a15c5ea84b019aec3dc45580896b | admin   |
    +----------------------------------+---------+

    Note

    This command uses the password for the admin user.

  5. As the admin user, list users to verify that the Identity service contains the users that you created in keystone-users:

    $ openstack --os-auth-url http://controller:35357 \
      --os-project-name admin --os-username admin \
      --os-auth-type password user list
    Password:
    +----------------------------------+-------+
    | ID                               | Name  |
    +----------------------------------+-------+
    | 4d411f2291f34941b30eef9bd797505a | admin |
    | 3a81e6c8103b46709ef8d141308d4c72 | demo  |
    +----------------------------------+-------+

    Note

    This command uses the password for the admin user.

  6. As the admin user, list roles to verify that the Identity service contains the role that you created in keystone-users:

    $ openstack --os-auth-url http://controller:35357 \
      --os-project-name admin --os-username admin \
      --os-auth-type password role list
    Password:
    +----------------------------------+-------+
    | ID                               | Name  |
    +----------------------------------+-------+
    | 9fe2ff9ee4384b1894a90878d3e92bab | user  |
    | cd2cb9a39e874ea69e5d4b896eb16128 | admin |
    +----------------------------------+-------+

    Note

    This command uses the password for the admin user.

  7. As the demo user, request an authentication token from the Identity version 3 API:

    $ openstack --os-auth-url http://controller:5000 \
      --os-project-domain-id default --os-user-domain-id default \
      --os-project-name demo --os-username demo --os-auth-type password \
      token issue
    Password:
    +------------+----------------------------------+
    |  Property  |              Value               |
    +------------+----------------------------------+
    |   expires  |       2014-10-10T12:51:33Z       |
    |     id     | 1b87ceae9e08411ba4a16e4dada04802 |
    | project_id | 4aa51bb942be4dd0ac0555d7591f80a6 |
    |  user_id   | 7004dfa0dda84d63aef81cf7f100af01 |
    +------------+----------------------------------+

    Note

    This command uses the password for the demo user and API port 5000, which only allows regular (non-admin) access to the Identity service API.

  8. As the demo user, attempt to list users to verify that it cannot execute admin-only CLI commands:

    $ openstack --os-auth-url http://controller:5000 \
      --os-project-domain-id default --os-user-domain-id default \
      --os-project-name demo --os-username demo \
      --os-auth-type password user list
    Password:
    ERROR: openstack You are not authorized to perform the
    requested action, admin_required. (HTTP 403)
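
A check for the first step (removing admin_token_auth from the three pipelines) and for the unset step, as an added example that is not part of the install guide. The function names are hypothetical, and the sample file is constructed with abbreviated filter lists.

```shell
# Added example, not from the install guide: audit the paste config and shell.

# Print each [pipeline:public_api|admin_api|api_v3] section of file $1 whose
# pipeline still lists admin_token_auth; return 1 if any does.
check_admin_token_auth() {
    awk '
        function scan(s,    f, n, i) {
            n = split(s, f)
            for (i = 1; i <= n; i++)
                if (f[i] == "admin_token_auth" && !(section in hit)) {
                    hit[section] = 1; print section; bad = 1
                }
        }
        /^[ \t]*\[/ {                            # section header
            section = $0
            sub(/^[ \t]*\[/, "", section); sub(/\].*$/, "", section)
            watched = (section ~ /^pipeline:(public_api|admin_api|api_v3)$/)
            inpipe = 0; next
        }
        /^[ \t]*[#;]/ { next }                   # comment line
        watched && /^[ \t]*pipeline[ \t]*=/ {    # start of the filter list
            line = $0; sub(/^[^=]*=/, "", line)
            inpipe = 1; scan(line); next
        }
        watched && inpipe && /^[ \t]+[^ \t]/ { scan($0); next }  # continuation
        { inpipe = 0 }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Print OS_TOKEN / OS_URL if still set in this shell; return 1 if either is.
check_temp_token_env() {
    rc=0
    [ -z "${OS_TOKEN+set}" ] || { echo OS_TOKEN; rc=1; }
    [ -z "${OS_URL+set}" ] || { echo OS_URL; rc=1; }
    return "$rc"
}

# Constructed sample with abbreviated filter lists: public_api is clean.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[pipeline:public_api]
pipeline = sizelimit url_normalize token_auth json_body public_service
[pipeline:admin_api]
pipeline = sizelimit url_normalize token_auth admin_token_auth json_body admin_service
EOF
check_admin_token_auth "$sample" || echo "admin_token_auth is still enabled in the sections above"
check_temp_token_env || echo "unset the variables above"
rm -f "$sample"
```

On a controller, pass the paste file named in the first step for your distribution instead of the sample.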