openstack-manuals/doc/install-guide/section_keystone-users.xml

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-users">
<title>Create projects, users, and roles</title>
<para>The Identity service provides authentication services for each
OpenStack service. The authentication service uses a combination of
<glossterm baseform="domain">domains</glossterm>,
<glossterm baseform="project">projects</glossterm> (tenants),
<glossterm baseform="user">users</glossterm>, and
<glossterm baseform="role">roles</glossterm>.</para>
<note>
<para>For simplicity, this guide implicitly uses the
<literal>default</literal> domain.</para>
</note>
<procedure>
<title>To create tenants, users, and roles</title>
<note os="debian">
<para>The packages can automatically create the service entity and
API endpoint.</para>
</note>
<step>
<para>Create an administrative project, user, and role for
administrative operations in your environment:</para>
<substeps>
<step>
<para>Create the <literal>admin</literal> project:</para>
<screen><prompt>$</prompt> <userinput>openstack project create --description "Admin Project" admin</userinput>
<computeroutput>+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| enabled     | True                             |
| id          | cf12a15c5ea84b019aec3dc45580896b |
| name        | admin                            |
+-------------+----------------------------------+</computeroutput></screen>
<note>
<para>OpenStack generates IDs dynamically, so you will see
different values in the example command output.</para>
</note>
</step>
<step>
<para>Create the <literal>admin</literal> user:</para>
<screen><prompt>$</prompt> <userinput>openstack user create --password-prompt admin</userinput>
<computeroutput>User Password:
Repeat User Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| email      | None                             |
| enabled    | True                             |
| id         | 4d411f2291f34941b30eef9bd797505a |
| name       | admin                            |
| username   | admin                            |
+------------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create the <literal>admin</literal> role:</para>
<screen><prompt>$</prompt> <userinput>openstack role create admin</userinput>
<computeroutput>+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | cd2cb9a39e874ea69e5d4b896eb16128 |
| name  | admin                            |
+-------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>Add the <literal>admin</literal> role to the
<literal>admin</literal> project and user:</para>
<screen><prompt>$</prompt> <userinput>openstack role add --project admin --user admin admin</userinput>
<computeroutput>+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | cd2cb9a39e874ea69e5d4b896eb16128 |
| name  | admin                            |
+-------+----------------------------------+</computeroutput></screen>
</step>
</substeps>
<note>
<para>Any roles that you create must map to roles specified in the
<filename>policy.json</filename> file in the configuration file
directory of each OpenStack service. The default policy for most
services grants administrative access to the
<literal>admin</literal> role. For more information,
see the
<link xlink:href="http://docs.openstack.org/openstack-ops/content/projects_users.html">Operations Guide - Managing Projects and Users</link>.</para>
</note>
</step>
<step>
<para>This guide uses a service project that contains a unique
user for each service that you add to your environment.</para>
<substeps>
<step>
<para>Create the <literal>service</literal> project:</para>
<screen><prompt>$</prompt> <userinput>openstack project create --description "Service Project" service</userinput>
<computeroutput>+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| enabled     | True                             |
| id          | 55cbd79c0c014c8a95534ebd16213ca1 |
| name        | service                          |
+-------------+----------------------------------+</computeroutput></screen>
</step>
</substeps>
</step>
<step>
<para>Regular (non-admin) tasks should use an unprivileged project
and user. As an example, this guide creates the
<literal>demo</literal> project and user.</para>
<substeps>
<step>
<para>Create the <literal>demo</literal> project:</para>
<screen><prompt>$</prompt> <userinput>openstack project create --description "Demo Project" demo</userinput>
<computeroutput>+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| enabled     | True                             |
| id          | ab8ea576c0574b6092bb99150449b2d3 |
| name        | demo                             |
+-------------+----------------------------------+</computeroutput></screen>
<note>
<para>Do not repeat this step when creating additional
users for this project.</para>
</note>
</step>
<step>
<para>Create the <literal>demo</literal> user:</para>
<screen><prompt>$</prompt> <userinput>openstack user create --password-prompt demo</userinput>
<computeroutput>User Password:
Repeat User Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| email      | None                             |
| enabled    | True                             |
| id         | 3a81e6c8103b46709ef8d141308d4c72 |
| name       | demo                             |
| project_id | ab8ea576c0574b6092bb99150449b2d3 |
| username   | demo                             |
+------------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>Create the <literal>_member_</literal> role:</para>
<screen><prompt>$</prompt> <userinput>openstack role create _member_</userinput>
<computeroutput>+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 9fe2ff9ee4384b1894a90878d3e92bab |
| name  | _member_                         |
+-------+----------------------------------+</computeroutput></screen>
</step>
<step>
<para>Add the <literal>_member_</literal> role to the
<literal>demo</literal> project and user:</para>
<screen><prompt>$</prompt> <userinput>openstack role add --project demo --user demo _member_</userinput>
<computeroutput>+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 9fe2ff9ee4384b1894a90878d3e92bab |
| name  | _member_                         |
+-------+----------------------------------+</computeroutput></screen>
</step>
</substeps>
</step>
</procedure>
<note>
<para>You can repeat this procedure to create additional projects
and users.</para>
</note>
</section>
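
The note in the procedure says every role you create must map to a role named in each service's policy.json. The following added example (not part of the OpenStack manuals) runs that check over a constructed policy fragment: it reports roles created above that no rule references, and roles a rule references that were never created. The sample policy, the `auditor` role and the function names are assumptions made for illustration.

```python
import json
import re

# Constructed sample in policy.json rule syntax; not any real service's policy file.
SAMPLE_POLICY = """
{
    "context_is_admin": "role:admin",
    "admin_or_owner": "rule:context_is_admin or project_id:%(project_id)s",
    "default": "rule:admin_or_owner",
    "volume:create": "",
    "volume:force_delete": "rule:context_is_admin",
    "reports:read": "role:auditor or rule:context_is_admin"
}
"""

# Roles created by the procedure on this page.
CREATED_ROLES = {"admin", "_member_"}

# Matches a direct role check such as "role:admin"; "rule:..." references do not match.
ROLE_REF = re.compile(r"\brole:([A-Za-z0-9_.-]+)")


def roles_by_rule(policy_text):
    """Map each rule name to the set of roles its expression checks directly."""
    policy = json.loads(policy_text)
    result = {}
    for name, expr in policy.items():
        # Rules may use the string syntax or the older nested-list syntax.
        text = expr if isinstance(expr, str) else json.dumps(expr)
        result[name] = set(ROLE_REF.findall(text))
    return result


def audit_roles(policy_text, created_roles):
    """Compare roles created in the Identity service with roles the policy names."""
    referenced = set().union(*roles_by_rule(policy_text).values())
    return {
        # Created but never named: the role adds nothing beyond project membership here.
        "unreferenced": sorted(created_roles - referenced),
        # Named but never created: the rule cannot match until someone creates the role.
        "undefined": sorted(referenced - created_roles),
    }


if __name__ == "__main__":
    print(audit_roles(SAMPLE_POLICY, CREATED_ROLES))
```

An unreferenced `_member_` role is expected for an unprivileged user; an undefined role in a policy file is worth reviewing, because whoever later creates a role with that name receives whatever the rule grants.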