f368a64810
Full outline finished. Keystone, Glance, and most of Nova complete Changes to Common: * Separate "Getting Started" content into separate files, so they can be included individually where needed in the install guide * separated "Keystone Concepts" so that a smaller subset of that can be used in the install guide Change-Id: I583349443685e3022f4c4c1893c2c07d1d2af1d5
53 lines
2.8 KiB
XML
53 lines
2.8 KiB
XML
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
xml:id="keystone-users">
|
|
<title>Defining Users, Tenants, and Roles</title>
|
|
|
|
<para>Once Keystone is installed and running, you set up users, tenants,
|
|
and roles to authenticate against. These are used to allow access to
|
|
services and endpoints, described in the next section.</para>
|
|
|
|
<para>Typically, you would use a username and password to authenticate
|
|
with the Identity service. At this point, however, we have not created
|
|
any users, so we have to use the authorization token created in the
|
|
previous section. You can pass this with the <option>--token</option>
|
|
option to the <command>keystone</command> command or set the
|
|
<envar>OS_SERVICE_TOKEN</envar> environment variable. We'll set
|
|
<envar>OS_SERVICE_TOKEN</envar>, as well as
|
|
<envar>OS_SERVICE_ENDPOINT</envar> to specify where the Identity
|
|
Service is running. Replace
|
|
<userinput><replaceable>FCAF3E...</replaceable></userinput>
|
|
with your authorization token.</para>
|
|
|
|
<screen><prompt>#</prompt> <userinput>export OS_SERVICE_TOKEN=<replaceable>FCAF3E...</replaceable></userinput>
|
|
<prompt>#</prompt> <userinput>export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0</userinput></screen>
|
|
|
|
<para>First, create a tenant for an administrative user and a tenant
|
|
for other OpenStack services to use.</para>
|
|
|
|
<screen><prompt>#</prompt> <userinput>keystone tenant-create --name=admin --description="Admin Tenant"</userinput>
|
|
<prompt>#</prompt> <userinput>keystone tenant-create --name=service --description="Service Tenant"</userinput></screen>
|
|
|
|
<para>Next, create an administrative user called <literal>admin</literal>.
|
|
Choose a password for the <literal>admin</literal> user and specify an
|
|
email address for the account.</para>
|
|
|
|
<screen><prompt>#</prompt> <userinput>keystone user-create --name=admin --pass=<replaceable>ADMIN_PASS</replaceable> --email=<replaceable>admin@example.com</replaceable></userinput></screen>
|
|
|
|
<para>Create a role for administrative tasks called <literal>admin</literal>.
|
|
Any roles you create should map to roles specified in the
|
|
<filename>policy.json</filename> files of the various OpenStack services.
|
|
The default policy files use the <literal>admin</literal> role to allow
|
|
access to most services.</para>
|
|
|
|
<screen><prompt>#</prompt> <userinput>keystone role-create --name=admin</userinput></screen>
|
|
|
|
<para>Finally, you have to add roles to users. Users always log in with
|
|
a tenant, and roles are assigned to users within roles. Add the
|
|
<literal>admin</literal> role to the <literal>admin</literal> user when
|
|
logging in with the <literal>admin</literal> tenant.</para>
|
|
|
|
<screen><prompt>#</prompt> <userinput>keystone user-role-add --user=admin --tenant=admin --role=admin</userinput></screen>
|
|
|
|
</section>
|