You need to minimally define a tenant, user, and role to link the tenant and user as the most basic set of details to get other services authenticating and authorizing with the Identity service.
Scripted configuration:
The Keystone project offers a bash script, https://github.com/openstack/keystone/blob/master/tools/sample_data.sh, that populates tenants, users, and roles with sample data.
On any distribution with the Python tools installed, you can instead run the keystone-init script, which automates the manual steps below through the keystone client API:
$ git clone https://github.com/nimbis/keystone-init.git
You'll need PyYAML installed to use this script. Look at the script that does the work: https://github.com/nimbis/keystone-init/blob/master/keystone-init.py.
Edit the accompanying configuration file the script uses: https://github.com/nimbis/keystone-init/blob/master/config.yaml with the IP address of your servers. You can substitute quickly using this command in the directory where config.yaml is stored:
$ sed -i.bak s/192.168.206.130/172.16.150.12/g config.yaml
Then run the modified script as root:
# ./keystone-init.py config.yaml
Manual configuration:
Here are the manual, unscripted steps. Every command below authenticates with the bootstrap admin token (--token, the admin_token value from keystone.conf) against the admin API endpoint (--endpoint, port 35357) rather than with a user password. First, create a default tenant; we'll name it openstackDemo in this example.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 tenant-create --name openstackDemo --description "Default Tenant" --enabled true
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Default Tenant |
| enabled | true |
| id | b5815b046cfe47bb891a7b64119e7f80 |
| name | openstackDemo |
+-------------+----------------------------------+
Create a default user named adminUser.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id b5815b046cfe47bb891a7b64119e7f80 --name adminUser --pass secretword --enabled true
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | None |
| enabled | true |
| id | a4c2d43f80a549a19864c89d759bb3fe |
| name | admin |
| password | $6$rounds=40000$MsFWIgIfbAHnhUH8$vvSK9/Uy3P5BTdH0kn.0MH.xFHAR2pWQCpTRLTENPs.3w53jb5BbbkIKHnkTbzWW3xVwqsb3W5e./3EIaNPeP0 |
| tenantId | b5815b046cfe47bb891a7b64119e7f80 |
+----------+-------------------------------------------------------------------------------------------------------------------------+
Create the default roles, admin and memberRole.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 role-create --name admin
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | e3d9d157cc95410ea45d23bbbc2e5c10 |
| name | admin |
+----------+----------------------------------+
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 role-create --name memberRole
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | cffc2edea9c74b4a8779cc0d7a22fc21 |
| name | memberRole |
+----------+----------------------------------+
Grant the admin role to the adminUser user in the openstackDemo tenant with "user-role-add".
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-role-add --user a4c2d43f80a549a19864c89d759bb3fe --tenant_id b5815b046cfe47bb891a7b64119e7f80 --role e3d9d157cc95410ea45d23bbbc2e5c10
There is no output to this command.
Create a Service Tenant. This tenant contains all the services that we make known to the service catalog.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 tenant-create --name service --description "Service Tenant" --enabled true
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Service Tenant |
| enabled | true |
| id | eb7e0c10a99446cfa14c244374549e9d |
| name | service |
+-------------+----------------------------------+
Create a Glance Service User in the Service Tenant. You'll do this for any service you add to be in the Keystone service catalog.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id eb7e0c10a99446cfa14c244374549e9d --name glance --pass glance --enabled true
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | None |
| enabled | true |
| id | 46b2667a7807483d983e0b4037a1623b |
| name | glance |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+-------------------------------------------------------------------------------------------------------------------------+
Grant the admin role to the glance user in the service tenant.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-role-add --user 46b2667a7807483d983e0b4037a1623b --tenant_id eb7e0c10a99446cfa14c244374549e9d --role e3d9d157cc95410ea45d23bbbc2e5c10
There is no output to this command.
Create a Nova Service User in the Service Tenant.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id eb7e0c10a99446cfa14c244374549e9d --name nova --pass nova --enabled true
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | None |
| enabled | true |
| id | 54b3776a8707834d983e0b4037b1345c |
| name | nova |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+-------------------------------------------------------------------------------------------------------------------------+
Grant the admin role to the nova user in the service tenant.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-role-add --user 54b3776a8707834d983e0b4037b1345c --tenant_id eb7e0c10a99446cfa14c244374549e9d --role e3d9d157cc95410ea45d23bbbc2e5c10
There is no output to this command.
Create an EC2 Service User in the Service Tenant.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id eb7e0c10a99446cfa14c244374549e9d --name ec2 --pass ec2 --enabled true
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | None |
| enabled | true |
| id | 32e7668b8707834d983e0b4037b1345c |
| name | ec2 |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+-------------------------------------------------------------------------------------------------------------------------+
Grant the admin role to the ec2 user in the service tenant.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-role-add --user 32e7668b8707834d983e0b4037b1345c --tenant_id eb7e0c10a99446cfa14c244374549e9d --role e3d9d157cc95410ea45d23bbbc2e5c10
There is no output to this command.
Create an Object Storage Service User in the Service Tenant.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-create --tenant_id eb7e0c10a99446cfa14c244374549e9d --name swift --pass swiftpass --enabled true
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property | Value |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email | None |
| enabled | true |
| id | 4346677b8909823e389f0b4037b1246e |
| name | swift |
| password | $6$rounds=40000$kf1ENaCoy7wOfRjx$LKQtsQbBqSBr2ZH7fwToAut0EYYz6M278N16Xg4Va2vTEOFabvTVXCdCP4hA5ikdCQO8Mh1nJvuFMEvGHaht3/ |
| tenantId | eb7e0c10a99446cfa14c244374549e9d |
+----------+-------------------------------------------------------------------------------------------------------------------------+
Grant the admin role to the swift user in the service tenant.
$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://192.168.206.130:35357/v2.0 user-role-add --user 4346677b8909823e389f0b4037b1246e --tenant_id eb7e0c10a99446cfa14c244374549e9d --role e3d9d157cc95410ea45d23bbbc2e5c10
There is no output to this command.
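The whole manual sequence above as one script, added here as an example; it is not part of the OpenStack documentation or of the keystone-init project. It assumes the keystone v2.0 CLI is on PATH and takes the admin token, admin endpoint and passwords from environment variables whose names (SERVICE_TOKEN, SERVICE_ENDPOINT, ADMIN_PASS, GLANCE_PASS, NOVA_PASS, EC2_PASS, SWIFT_PASS) are this example's own choice, so that none of them is typed into the shell history. Its get_field function pulls the id out of the table the CLI prints instead of copying it by hand, and require_id stops the run if a capture came back empty (a failed keystone call in a pipeline would otherwise feed an empty id into the next command). Without RUN_BOOTSTRAP=1 it only exercises the parser on a constructed copy of the tenant-create table, so it can be tried with no Keystone server present.

```shell
#!/bin/sh
# Added example, not from the OpenStack docs or the keystone-init project: the manual
# tenant/user/role steps driven from one script, with each id captured from the CLI's
# table output and checked before it is reused. Environment variable names used here
# (SERVICE_TOKEN, SERVICE_ENDPOINT, ADMIN_PASS, GLANCE_PASS, NOVA_PASS, EC2_PASS,
# SWIFT_PASS) are assumptions chosen for this example.
set -eu

# get_field KEY: read a keystone v2.0 "| Property | Value |" table on stdin and print
# the value of the row whose Property column equals KEY (surrounding spaces trimmed).
get_field() {
    awk -F'|' -v key="$1" '
        NF >= 3 {
            k = $2; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $3; gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }'
}

# require_id LABEL VALUE: abort when a captured id is empty instead of passing an empty
# --tenant_id/--user/--role value on to the next keystone call.
require_id() {
    [ -n "$2" ] || { printf 'could not obtain id for %s\n' "$1" >&2; exit 1; }
}

# ks ARGS...: the keystone CLI with the bootstrap admin token and admin endpoint taken
# from the environment rather than repeated on every command line.
ks() {
    keystone --token "$SERVICE_TOKEN" --endpoint "$SERVICE_ENDPOINT" "$@"
}

# add_service_user NAME PASSWORD TENANT_ID ROLE_ID: create a service user in the service
# tenant and grant it the admin role, as done above for glance, nova, ec2 and swift.
add_service_user() {
    uid=$(ks user-create --tenant_id "$3" --name "$1" --pass "$2" --enabled true | get_field id)
    require_id "user $1" "$uid"
    ks user-role-add --user "$uid" --tenant_id "$3" --role "$4"
}

# bootstrap_identity: the default tenant, admin user, roles, service tenant and the four
# service users, in the same order as the manual steps.
bootstrap_identity() {
    tenant_id=$(ks tenant-create --name openstackDemo --description "Default Tenant" --enabled true | get_field id)
    require_id "tenant openstackDemo" "$tenant_id"
    user_id=$(ks user-create --tenant_id "$tenant_id" --name adminUser --pass "$ADMIN_PASS" --enabled true | get_field id)
    require_id "user adminUser" "$user_id"
    admin_role=$(ks role-create --name admin | get_field id)
    require_id "role admin" "$admin_role"
    ks role-create --name memberRole >/dev/null
    ks user-role-add --user "$user_id" --tenant_id "$tenant_id" --role "$admin_role"
    svc_tenant=$(ks tenant-create --name service --description "Service Tenant" --enabled true | get_field id)
    require_id "tenant service" "$svc_tenant"
    add_service_user glance "$GLANCE_PASS" "$svc_tenant" "$admin_role"
    add_service_user nova   "$NOVA_PASS"   "$svc_tenant" "$admin_role"
    add_service_user ec2    "$EC2_PASS"    "$svc_tenant" "$admin_role"
    add_service_user swift  "$SWIFT_PASS"  "$svc_tenant" "$admin_role"
    printf 'openstackDemo=%s service=%s admin_role=%s\n' "$tenant_id" "$svc_tenant" "$admin_role"
}

# Constructed sample in the table shape the v2.0 CLI prints (id copied from the
# tenant-create output above), so the parser runs with no Keystone server present.
# Set RUN_BOOTSTRAP=1 with the variables above exported to run the real sequence.
SAMPLE_TABLE='+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Default Tenant                   |
| enabled     | true                             |
| id          | b5815b046cfe47bb891a7b64119e7f80 |
| name        | openstackDemo                    |
+-------------+----------------------------------+'

if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then
    bootstrap_identity
else
    printf 'sample tenant id: %s\n' "$(printf '%s\n' "$SAMPLE_TABLE" | get_field id)"
fi
```

Export the variables and run it with RUN_BOOTSTRAP=1 ./bootstrap.sh; the three ids it prints at the end are the ones the later service-definition steps need.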
Next you create definitions for the services.

