175 lines
8.1 KiB
XML
175 lines
8.1 KiB
XML
<?xml version="1.0" encoding="UTF-8"?>
|
|
<section xmlns="http://docbook.org/ns/docbook"
|
|
xmlns:xi="http://www.w3.org/2001/XInclude"
|
|
xmlns:xlink="http://www.w3.org/1999/xlink"
|
|
version="5.0"
|
|
xml:id="keystone-users">
|
|
<title>Create projects, users, and roles</title>
|
|
<para>The Identity service provides authentication services for each
|
|
OpenStack service. The authentication service uses a combination of
|
|
<glossterm baseform="domain">domains</glossterm>,
|
|
<glossterm baseform="project">projects</glossterm> (tenants),
|
|
<glossterm baseform="user">users</glossterm>, and
|
|
<glossterm baseform="role">roles</glossterm>.</para>
|
|
<note>
|
|
<para>For simplicity, this guide implicitly uses the
|
|
<literal>default</literal> domain.</para>
|
|
</note>
|
|
<procedure>
|
|
<title>To create tenants, users, and roles</title>
|
|
<note os="debian">
|
|
<para>The packages can automatically create the service entity and
|
|
API endpoint.</para>
|
|
</note>
|
|
<step>
|
|
<para>Create an administrative project, user, and role for
|
|
administrative operations in your environment:</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Create the <literal>admin</literal> project:</para>
|
|
<screen><prompt>$</prompt> <userinput>openstack project create --description "Admin Project" admin</userinput>
|
|
<computeroutput>+-------------+----------------------------------+
|
|
| Field | Value |
|
|
+-------------+----------------------------------+
|
|
| description | Admin Project |
|
|
| enabled | True |
|
|
| id | cf12a15c5ea84b019aec3dc45580896b |
|
|
| name | admin |
|
|
+-------------+----------------------------------+</computeroutput></screen>
|
|
<note>
|
|
<para>OpenStack generates IDs dynamically, so you will see
|
|
different values in the example command output.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>Create the <literal>admin</literal> user:</para>
|
|
<screen><prompt>$</prompt> <userinput>openstack user create --password-prompt admin</userinput>
|
|
<computeroutput>User Password:
|
|
Repeat User Password:
|
|
+------------+----------------------------------+
|
|
| Field | Value |
|
|
+------------+----------------------------------+
|
|
| email | None |
|
|
| enabled | True |
|
|
| id | 4d411f2291f34941b30eef9bd797505a |
|
|
| name | admin |
|
|
| username | admin |
|
|
+------------+----------------------------------+</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create the <literal>admin</literal> role:</para>
|
|
<screen><prompt>$</prompt> <userinput>openstack role create admin</userinput>
|
|
<computeroutput>+-------+----------------------------------+
|
|
| Field | Value |
|
|
+-------+----------------------------------+
|
|
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
|
|
| name | admin |
|
|
+-------+----------------------------------+</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Add the <literal>admin</literal> role to the
|
|
<literal>admin</literal> project and user:</para>
|
|
<screen><prompt>$</prompt> <userinput>openstack role add --project admin --user admin admin</userinput>
|
|
<computeroutput>+-------+----------------------------------+
|
|
| Field | Value |
|
|
+-------+----------------------------------+
|
|
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
|
|
| name | admin |
|
|
+-------+----------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</substeps>
|
|
<note>
|
|
<para>Any roles that you create must map to roles specified in the
|
|
<filename>policy.json</filename> file in the configuration file
|
|
directory of each OpenStack service. The default policy for most
|
|
services grants administrative access to the
|
|
<literal>admin</literal> role. For more information,
|
|
see the
|
|
<link xlink:href="http://docs.openstack.org/openstack-ops/content/projects_users.html">Operations Guide - Managing Projects and Users</link>.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>This guide uses a service project that contains a unique
|
|
user for each service that you add to your environment.</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Create the <literal>service</literal> project:</para>
|
|
<screen><prompt>$</prompt> <userinput>openstack project create --description "Service Project" service</userinput>
|
|
<computeroutput>+-------------+----------------------------------+
|
|
| Field | Value |
|
|
+-------------+----------------------------------+
|
|
| description | Service Project |
|
|
| enabled | True |
|
|
| id | 55cbd79c0c014c8a95534ebd16213ca1 |
|
|
| name | service |
|
|
+-------------+----------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
<step>
|
|
<para>Regular (non-admin) tasks should use an unprivileged project
|
|
and user. As an example, this guide creates the
|
|
<literal>demo</literal> project and user.</para>
|
|
<substeps>
|
|
<step>
|
|
<para>Create the <literal>demo</literal> project:</para>
|
|
<screen><prompt>$</prompt> <userinput>openstack project create --description "Demo Project" demo</userinput>
|
|
<computeroutput>+-------------+----------------------------------+
|
|
| Field | Value |
|
|
+-------------+----------------------------------+
|
|
| description | Demo Project |
|
|
| enabled | True |
|
|
| id | ab8ea576c0574b6092bb99150449b2d3 |
|
|
| name | demo |
|
|
+-------------+----------------------------------+</computeroutput></screen>
|
|
<note>
|
|
<para>Do not repeat this step when creating additional
|
|
users for this project.</para>
|
|
</note>
|
|
</step>
|
|
<step>
|
|
<para>Create the <literal>demo</literal> user:</para>
|
|
<screen><prompt>$</prompt> <userinput>openstack user create --password-prompt demo</userinput>
|
|
<computeroutput>User Password:
|
|
Repeat User Password:
|
|
+------------+----------------------------------+
|
|
| Field | Value |
|
|
+------------+----------------------------------+
|
|
| email | None |
|
|
| enabled | True |
|
|
| id | 3a81e6c8103b46709ef8d141308d4c72 |
|
|
| name | demo |
|
|
| project_id | ab8ea576c0574b6092bb99150449b2d3 |
|
|
| username | demo |
|
|
+------------+----------------------------------+</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Create the <literal>_member_</literal> role:</para>
|
|
<screen><prompt>$</prompt> <userinput>openstack role create _member_</userinput>
|
|
<computeroutput>+-------+----------------------------------+
|
|
| Field | Value |
|
|
+-------+----------------------------------+
|
|
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
|
|
| name | _member_ |
|
|
+-------+----------------------------------+</computeroutput></screen>
|
|
</step>
|
|
<step>
|
|
<para>Add the <literal>_member_</literal> role to the
|
|
<literal>demo</literal> project and user:</para>
|
|
<screen><prompt>$</prompt> <userinput>openstack role add --project demo --user demo _member_</userinput>
|
|
<computeroutput>+-------+----------------------------------+
|
|
| Field | Value |
|
|
+-------+----------------------------------+
|
|
| id | 9fe2ff9ee4384b1894a90878d3e92bab |
|
|
| name | _member_ |
|
|
+-------+----------------------------------+</computeroutput></screen>
|
|
</step>
|
|
</substeps>
|
|
</step>
|
|
</procedure>
|
|
<note>
|
|
<para>You can repeat this procedure to create additional projects
|
|
and users.</para>
|
|
</note>
|
|
</section>
|