OpenStack Liberty on Ubuntu 14.04 LTS – Configure KeyStone #2

OpenStack Liberty on Ubuntu 14.04 – Configure KeyStone

This is the second part of configuring the OpenStack Identity service (KeyStone) on the controller node; the first part is covered in the previous article, Configure KeyStone #1. Here we create the service entity and its API endpoints, the initial projects, users and roles, and finally disable the temporary admin token used for bootstrapping.

Create the service entity and API endpoint:

Creating the service entity and API endpoints requires authentication, but no user account exists yet, so export the variables below to make the client authenticate with the temporary admin token from keystone.conf:

# export OS_TOKEN=43405b090eda983ddde2  ## Replace 43405b090eda983ddde2 with the admin_token value from /etc/keystone/keystone.conf.
# export OS_URL=http://controller:35357/v3  ## Replace controller with the hostname or IP address of your controller node.

Configure the Identity API version.

# export OS_IDENTITY_API_VERSION=3
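The three exports above are easy to get wrong by hand (a stale token, a typo in the URL). The script below is an added example, not part of the original guide: it reads admin_token straight out of keystone.conf, refuses to continue if the value is empty or still the stock ADMIN_TOKEN placeholder, and then exports the same three variables. The keystone.conf content it creates is a constructed excerpt for the demonstration; on the controller point it at /etc/keystone/keystone.conf.

```shell
# Added example (not from the original guide): read admin_token from
# keystone.conf instead of copying it by hand, refuse to continue if it is
# empty or still the stock ADMIN_TOKEN placeholder, then export the
# bootstrap variables. The keystone.conf content below is a constructed
# excerpt; on the controller use /etc/keystone/keystone.conf.

# read_admin_token FILE -> prints the admin_token value from [DEFAULT]
# (commented-out lines such as "#admin_token = ADMIN_TOKEN" are ignored)
read_admin_token() {
    awk -F= '
        /^\[/ { in_default = ($0 == "[DEFAULT]"); next }
        in_default && $1 ~ /^[ \t]*admin_token[ \t]*$/ {
            v = $2
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }' "$1"
}

# check_admin_token VALUE -> 0 if usable, 1 if empty or the placeholder
check_admin_token() {
    case "$1" in
        ""|ADMIN_TOKEN) return 1 ;;
        *) return 0 ;;
    esac
}

# export_bootstrap_env FILE CONTROLLER -> exports OS_TOKEN, OS_URL and
# OS_IDENTITY_API_VERSION exactly as the manual steps above do
export_bootstrap_env() {
    token=$(read_admin_token "$1")
    check_admin_token "$token" || {
        echo "no usable admin_token in $1" >&2
        return 1
    }
    export OS_TOKEN="$token"
    export OS_URL="http://$2:35357/v3"
    export OS_IDENTITY_API_VERSION=3
}

# Constructed sample keystone.conf for the demonstration.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[DEFAULT]
#admin_token = ADMIN_TOKEN
admin_token = 43405b090eda983ddde2
verbose = True

[token]
provider = uuid
EOF

# Usage on the controller:
#   export_bootstrap_env /etc/keystone/keystone.conf controller && openstack service list
```

Source the script (or paste the functions into the shell) rather than executing it, since exports only survive in the calling shell. The placeholder check matters because a keystone.conf that still carries ADMIN_TOKEN means the random token was never generated, and the identity service would accept a value that appears in every copy of the install guide.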

Create the service entity for the Identity service.

# openstack service create --name keystone --description "OpenStack Identity" identity

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | ced1e3e2bfe449eeba6a0f19bad90caf |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

Verify the service.

# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| ced1e3e2bfe449eeba6a0f19bad90caf | keystone | identity |
+----------------------------------+----------+----------+

Create the Identity service API endpoints: one each for the public, internal and admin interfaces.

# openstack endpoint create --region RegionOne identity public http://controller:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0fdd1aa5fe414213b3b3b616157debfc |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | ced1e3e2bfe449eeba6a0f19bad90caf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v2.0      |
+--------------+----------------------------------+

# openstack endpoint create --region RegionOne identity internal http://controller:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | f825a8526c2c4924a74f3e6acfd199c0 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | ced1e3e2bfe449eeba6a0f19bad90caf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v2.0      |
+--------------+----------------------------------+

# openstack endpoint create --region RegionOne identity admin http://controller:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 35496d62fddd4fe188f384a61bf36d24 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | ced1e3e2bfe449eeba6a0f19bad90caf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v2.0     |
+--------------+----------------------------------+

Verify the endpoint details.

# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                          |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
| 0fdd1aa5fe414213b3b3b616157debfc | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v2.0  |
| 35496d62fddd4fe188f384a61bf36d24 | RegionOne | keystone     | identity     | True    | admin     | http://controller:35357/v2.0 |
| f825a8526c2c4924a74f3e6acfd199c0 | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v2.0  |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+

Create projects, users, and roles:

Create an admin project, user and role for administration; we use the default domain for simplicity.

Create the admin project.

#  openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | fe858f6a43f84c26b994f0be74c928e6 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+

Create the admin user.

# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | 19be37de9db146f8a6b282eb1dbbee14 |
| name      | admin                            |
+-----------+----------------------------------+

Create the admin role.

# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 6741bf6d8cb94ddbb45de71ad6c2a07a |
| name  | admin                            |
+-------+----------------------------------+

Grant the admin role to the admin user on the admin project.

#  openstack role add --project admin --user admin admin

Create the service project.

# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 3745819894644e95b72c2693ff4ea34f |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+

Create the demo project for use by an unprivileged user.

# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b558b39292b247b7a346678b80ed71e0 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+

Create the demo user.

#  openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | 69f8896c14a940619839443271aa9d05 |
| name      | demo                             |
+-----------+----------------------------------+

Create the user role.

# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | db27eefc8e8047c499fb822d9ad6f630 |
| name  | user                             |
+-------+----------------------------------+

Grant the user role to the demo user on the demo project.

# openstack role add --project demo --user demo user

Verify operation:

# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 3745819894644e95b72c2693ff4ea34f | service |
| b558b39292b247b7a346678b80ed71e0 | demo    |
| fe858f6a43f84c26b994f0be74c928e6 | admin   |
+----------------------------------+---------+
# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 19be37de9db146f8a6b282eb1dbbee14 | admin |
| 69f8896c14a940619839443271aa9d05 | demo  |
+----------------------------------+-------+
# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 6741bf6d8cb94ddbb45de71ad6c2a07a | admin |
| db27eefc8e8047c499fb822d9ad6f630 | user  |
+----------------------------------+-------+

For security reasons, disable the temporary authentication token mechanism. Anyone who knows the admin_token value can perform any administrative operation without a user account or password, so it should only be accepted during this bootstrap.

Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections. KeyStone runs under Apache on Ubuntu 14.04, so the change only takes effect once Apache is restarted (service apache2 restart).
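Editing the three pipeline lines by hand is fine, but it is easy to miss one. The script below is an added example, not part of the original guide: it strips admin_token_auth from every pipeline line in keystone-paste.ini, keeps a backup, and reports which [pipeline:...] sections still reference the filter so you can confirm the file is clean. The keystone-paste.ini content it creates is a constructed excerpt of the Liberty file; on the controller set PASTE_INI to /etc/keystone/keystone-paste.ini.

```shell
# Added example (not from the original guide): remove the admin_token_auth
# filter from every pipeline in keystone-paste.ini and verify that no
# pipeline still references it. The file content below is a constructed
# excerpt of the Liberty keystone-paste.ini; on the controller use
# PASTE_INI=/etc/keystone/keystone-paste.ini.

# pipelines_with_admin_token_auth FILE -> prints each [pipeline:...] section
# whose pipeline line still contains the filter (no output means clean)
pipelines_with_admin_token_auth() {
    awk '
        /^\[/ { section = $0; next }
        /^pipeline[ \t]*=/ && / admin_token_auth( |$)/ { print section }
    ' "$1"
}

# verify_admin_token_auth_disabled FILE -> 0 when no pipeline references it
verify_admin_token_auth_disabled() {
    [ -z "$(pipelines_with_admin_token_auth "$1")" ]
}

# disable_admin_token_auth FILE -> keeps a .bak copy, then drops the filter
# name from "pipeline = ..." lines only. The [filter:admin_token_auth]
# definition may stay; it is inert once no pipeline references it.
disable_admin_token_auth() {
    cp "$1" "$1.bak"
    sed -e '/^pipeline[[:space:]]*=/ s/ admin_token_auth / /g' \
        -e '/^pipeline[[:space:]]*=/ s/ admin_token_auth$//' \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Constructed sample keystone-paste.ini excerpt for the demonstration.
PASTE_INI=$(mktemp)
trap 'rm -f "$PASTE_INI" "$PASTE_INI.bak"' EXIT
cat > "$PASTE_INI" <<'EOF'
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension endpoint_policy_extension service_v3
EOF

# Usage on the controller:
#   disable_admin_token_auth /etc/keystone/keystone-paste.ini \
#     && verify_admin_token_auth_disabled /etc/keystone/keystone-paste.ini \
#     && service apache2 restart
```

Run pipelines_with_admin_token_auth before the edit to see all three sections listed, and again afterwards to confirm the output is empty; only the pipeline lines are touched, so the rest of the file, including the filter definition itself, is left as shipped.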

Now verify that password-based, role-based authentication works. First unset the token variables, otherwise the client keeps using the admin token:

# unset OS_TOKEN OS_URL

Request an authentication token as the admin user (the client prompts for the password you set when creating the user):

# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-11-02T11:25:53.930932Z      |
| id         | 7b614d616e964ab7880e82643c0b1659 |
| project_id | fe858f6a43f84c26b994f0be74c928e6 |
| user_id    | 19be37de9db146f8a6b282eb1dbbee14 |
+------------+----------------------------------+

As the demo user, request an authentication token.

# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo --os-auth-type password token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-11-02T11:29:28.174824Z      |
| id         | d42d40e47fe84f64a6bd9ecdf1ff240e |
| project_id | b558b39292b247b7a346678b80ed71e0 |
| user_id    | 69f8896c14a940619839443271aa9d05 |
+------------+----------------------------------+

That’s all, you have successfully configured KeyStone on Ubuntu 14.04.
