This guide takes you through the second part of configuring the OpenStack Identity service on the controller node; you can also go through the previous article on configuring Keystone (#1). Here we cover creating the service entity and the API endpoint, then the projects, users and roles, and finally verifying that role-based access works.
Create the service entity and API endpoint:
To create the service entity and API endpoint, export the variables below so that the CLI authenticates with the bootstrap admin token instead of a user password.
# export OS_TOKEN=43405b090eda983ddde2   ## Replace this token (43405b090eda983ddde2) with the admin_token value from your keystone.conf file.
# export OS_URL=http://controller:35357/v2.0   ## Replace controller with your controller's IP address or host name.
Create the service entity for the Identity service.
# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | c65841b4f8df478cbc19524c09fd9724 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
Verify the service.
# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| c65841b4f8df478cbc19524c09fd9724 | keystone | identity |
+----------------------------------+----------+----------+
Create the Identity service API endpoint.
# openstack endpoint create \
  --publicurl http://controller:5000/v2.0 \
  --internalurl http://controller:5000/v2.0 \
  --adminurl http://controller:35357/v2.0 \
  --region RegionOne \
  identity
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| adminurl     | http://controller:35357/v2.0     |
| id           | f402a9389d474c13a97a78a30f13c6e5 |
| internalurl  | http://controller:5000/v2.0      |
| publicurl    | http://controller:5000/v2.0      |
| region       | RegionOne                        |
| service_id   | c65841b4f8df478cbc19524c09fd9724 |
| service_name | keystone                         |
| service_type | identity                         |
+--------------+----------------------------------+
Verify the endpoint details.
# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+
| ID                               | Region    | Service Name | Service Type |
+----------------------------------+-----------+--------------+--------------+
| f402a9389d474c13a97a78a30f13c6e5 | RegionOne | keystone     | identity     |
+----------------------------------+-----------+--------------+--------------+
Create projects, users, and roles:
Create an admin project, user and role for administration; we will use the default domain for simplicity.
Create the admin project.
# openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| enabled     | True                             |
| id          | 9b05e6bffdb94c8081d665561d05e31e |
| name        | admin                            |
+-------------+----------------------------------+
Create the admin user.
# openstack user create --password-prompt admin
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 127a9a6b822a4e3eba69fa54128873cd |
| name     | admin                            |
| username | admin                            |
+----------+----------------------------------+
Create the admin role.
# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 33af4f957aa34cc79451c23bf014af6f |
| name  | admin                            |
+-------+----------------------------------+
Add the admin role to the admin project and user.
# openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 33af4f957aa34cc79451c23bf014af6f |
| name  | admin                            |
+-------+----------------------------------+
Create the service project.
# openstack project create --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| enabled     | True                             |
| id          | 39e1b9944e564ceb9e71c98623b676cd |
| name        | service                          |
+-------------+----------------------------------+
Create the demo project for use by a normal (non-admin) user.
# openstack project create --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| enabled     | True                             |
| id          | 909c4d7219c14a63aa0ef6f1ece18546 |
| name        | demo                             |
+-------------+----------------------------------+
Create the demo user.
# openstack user create --password-prompt demo
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 453ce23fa9f347b5baa53210aff7f207 |
| name     | demo                             |
| username | demo                             |
+----------+----------------------------------+
Create the user role.
# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | fa78c101a7ed40b19de219e7d3eeda62 |
| name  | user                             |
+-------+----------------------------------+
Add the user role to the demo project and user.
# openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | fa78c101a7ed40b19de219e7d3eeda62 |
| name  | user                             |
+-------+----------------------------------+
Verify operation:
# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 39e1b9944e564ceb9e71c98623b676cd | service |
| 909c4d7219c14a63aa0ef6f1ece18546 | demo    |
| 9b05e6bffdb94c8081d665561d05e31e | admin   |
+----------------------------------+---------+
# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 127a9a6b822a4e3eba69fa54128873cd | admin |
| 453ce23fa9f347b5baa53210aff7f207 | demo  |
+----------------------------------+-------+
# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 33af4f957aa34cc79451c23bf014af6f | admin |
| fa78c101a7ed40b19de219e7d3eeda62 | user  |
+----------------------------------+-------+
Now verify operation with role-based access using real user credentials instead of the bootstrap token. First unset the exported variables, so the CLI can no longer fall back on the admin token:
# unset OS_TOKEN OS_URL
Execute the following command to list the roles as the admin user (password authentication):
# openstack --os-auth-url http://controller:35357 --os-project-name admin --os-username admin --os-auth-type password role list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 33af4f957aa34cc79451c23bf014af6f | admin |
| fa78c101a7ed40b19de219e7d3eeda62 | user  |
+----------------------------------+-------+
Execute the following command to list the roles as the demo user. Listing roles requires the admin role, so you should get the error below; that 403 confirms the policy is enforced for non-admin users:
# openstack --os-auth-url http://controller:35357 --os-project-name demo --os-username demo --os-auth-type password role list
Password:
ERROR: openstack You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-143ee967-4a26-4474-bf88-0b660354869d)
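As an added example (not part of the original article or of OpenStack itself), a small POSIX shell helper that checks the outcome of the steps above: that the endpoint triple in the Field/Value table printed by openstack endpoint create (or endpoint show) matches the expected URLs and region, that the bootstrap token is gone from the environment, and that the demo user's role list was refused with admin_required. It assumes the same host name controller, ports 5000/35357 and region RegionOne as above; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not the article's own code. Checks the results of the
# Keystone bootstrap above. Assumes the v2.0 URL layout used in the article:
# public/internal on port 5000, admin on 35357; "controller" is a placeholder.

# Print the value of one field from an openstack "Field | Value" table on stdin.
table_field() {
    awk -F'|' -v f="$1" '$2 ~ ("^ *" f " *$") { gsub(/^ +| +$/, "", $3); print $3; exit }'
}

# Usage: openstack endpoint show <endpoint-id> | check_identity_endpoint controller [region]
# Returns 0 when publicurl/internalurl/adminurl, region and service_type match
# what the article creates; prints every mismatch and returns 1 otherwise.
check_identity_endpoint() {
    ctl="$1"; region="${2:-RegionOne}"; tbl=$(cat); rc=0
    for pair in "publicurl=http://$ctl:5000/v2.0" \
                "internalurl=http://$ctl:5000/v2.0" \
                "adminurl=http://$ctl:35357/v2.0" \
                "region=$region" \
                "service_type=identity"; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(printf '%s\n' "$tbl" | table_field "$key")
        if [ "$got" != "$want" ]; then
            echo "endpoint check failed: $key is '$got', expected '$want'" >&2
            rc=1
        fi
    done
    return $rc
}

# The admin token is a bootstrap credential only. Returns 0 when neither
# OS_TOKEN nor OS_URL is still set in the current shell.
bootstrap_token_cleared() {
    [ -z "${OS_TOKEN:-}" ] && [ -z "${OS_URL:-}" ]
}

# Usage: openstack --os-username demo ... role list 2>&1 | demo_denied
# Returns 0 when Keystone refused the call with admin_required (HTTP 403),
# i.e. the demo user cannot list roles, exactly as the last step expects.
demo_denied() {
    grep -q 'admin_required (HTTP 403)'
}
```

Run the three checks right after the verification step; any non-zero exit means one of the objects above was created differently from the article or the bootstrap token is still exported.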
That's all; you have successfully configured Keystone on Ubuntu 14.04.2.