
2.2. Creating Users

Now we are going to create some users. All OpenStack services use keystone for authentication. Start by creating an admin user, a tenant (a group of users), and a role (an ID for a set of permissions).
$ keystone user-create --name admin --pass secret
+----------+-----------------------------------+
| Property |              Value                |
+----------+-----------------------------------+
| email    | None                              |
| enabled  | True                              |
| id       | 94d659c3c9534095aba5f8475c87091a  |
| name     | admin                             |
| password | ...                               |
| tenantId | None                              |
+----------+-----------------------------------+
$ keystone role-create --name admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | 78035c5d3cd94e62812d6d37551ecd6a |
| name     | admin                            |
+----------+----------------------------------+
$ keystone tenant-create --name admin
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | 6f8e3e36c4194b86b9a9b55d4b722af3 |
| name        | admin                            |
+-------------+----------------------------------+
Add the admin user to the admin tenant with a role of admin. Note that the IDs used in this command come from the output of the previous three commands above.
$ keystone user-role-add --user 94d659c3c9534095aba5f8475c87091a \
  --role 78035c5d3cd94e62812d6d37551ecd6a \
  --tenant_id 6f8e3e36c4194b86b9a9b55d4b722af3
Now that an admin user has been created, that account can be used to administer keystone. To make it easy to set the admin user's credentials in the proper environment variables, create a keystonerc_admin file with the following contents:
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:35357/v2.0/
export PS1="[\u@\h \W(keystone_admin)]\$ "
Now that the keystonerc_admin file has been created, test it by running the command to list users. Only an administrator can perform this action.
$ unset SERVICE_TOKEN
$ unset SERVICE_ENDPOINT
$ . ~/keystonerc_admin
$ keystone user-list
+----------------------------------+---------+-------+-------+
|                id                | enabled | email |  name |
+----------------------------------+---------+-------+-------+
| 94d659c3c9534095aba5f8475c87091a | True    | None  | admin |
+----------------------------------+---------+-------+-------+
Register keystone itself as a service and API endpoint in Keystone's endpoint catalog. Horizon (the web dashboard) requires this. Note that the id returned from the service-create command is then used as a part of the endpoint-create command.
$ keystone service-create --name=keystone --type=identity \
  --description="Keystone Identity Service"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Keystone Identity Service        |
| id          | a8bff1db381f4751bd8ac126464511ae |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
$ keystone endpoint-create --region RegionOne \
  --service_id a8bff1db381f4751bd8ac126464511ae \
  --publicurl 'http://127.0.0.1:5000/v2.0' \
  --adminurl 'http://127.0.0.1:35357/v2.0' \
  --internalurl 'http://127.0.0.1:5000/v2.0'
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| adminurl    | http://127.0.0.1:35357/v2.0      |
| id          | 1295011fdc874a838f702518e95a0e13 |
| internalurl | http://127.0.0.1:5000/v2.0       |
| publicurl   | http://127.0.0.1:5000/v2.0       |
| region      | RegionOne                        |
| service_id  | a8bff1db381f4751bd8ac126464511ae |
+-------------+----------------------------------+
So far we have been using the admin user. Now it is time to create a regular user, tenant, and role. In this example, it will have a username of username. Feel free to make it something else if you prefer.
$ keystone user-create --name username --pass secret
+----------+-----------------------------------+
| Property |              Value                |
+----------+-----------------------------------+
| email    | None                              |
| enabled  | True                              |
| id       | 1d59c0bfef9b4ea9ab63e2a058e68ae0  |
| name     | username                          |
| password | ...                               |
| tenantId | None                              |
+----------+-----------------------------------+
$ keystone role-create --name user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | 8261ac4eabcc4da4b01610dbad6c038a |
| name     | user                             |
+----------+----------------------------------+
$ keystone tenant-create --name rhsummit
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | 05816b0106994f95a83b913d4ff995eb |
| name        | rhsummit                         |
+-------------+----------------------------------+
Add the new user to the rhsummit tenant with a role of user. The IDs used in this command come from the output of the previous three commands.
$ keystone user-role-add --user 1d59c0bfef9b4ea9ab63e2a058e68ae0 \
  --role 8261ac4eabcc4da4b01610dbad6c038a \
  --tenant_id 05816b0106994f95a83b913d4ff995eb
To make it easy to use the admin user's credentials, we created the ~/keystonerc_admin file. Now do the same for the new username user: create the file ~/keystonerc_username with the following contents:
export OS_USERNAME=username
export OS_TENANT_NAME=rhsummit
export OS_PASSWORD=secret
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
export PS1="[\u@\h \W(keystone_username)]\$ "
Test the new user. Source the keystonerc_username file and try a couple of commands. The user-list command should fail, since only an administrator can do that. However, retrieving a token should succeed.
$ . ~/keystonerc_username
$ keystone user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)
$ keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
| expires   | 2012-05-19T13:29:37Z             |
| id        | 0d709cb5840d4e53ba49fc0415b6a379 |
| tenant_id | 05816b0106994f95a83b913d4ff995eb |
| user_id   | 1d59c0bfef9b4ea9ab63e2a058e68ae0 |
+-----------+----------------------------------+
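The user/role/tenant sequence above is done by copying IDs out of the CLI tables by hand. The following added script (not from the original page) parses the id cell out of the keystone table output, chains the create and user-role-add commands on it, and writes the keystonerc file with owner-only permissions since it holds a plaintext password. It assumes the table layout the keystone client prints on this page; the function names are our own.

```shell
#!/bin/sh
# Added example, not from the original page: automates the create-user /
# create-role / create-tenant / user-role-add sequence by parsing the IDs
# out of the keystone CLI's table output, and writes keystonerc with
# owner-only permissions. Assumes the table layout shown on this page.

# Print the Value cell for one Property from a keystone table read on stdin.
keystone_field() {
  awk -F'|' -v key="$1" '
    NF >= 4 {
      gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $3)
      if ($2 == key) { print $3; exit }
    }'
}

# Create user, role and tenant, then bind them, capturing each id as it is
# printed. Needs a live keystone (SERVICE_TOKEN/SERVICE_ENDPOINT set or an
# admin keystonerc sourced), so it is defined here but not called below.
create_user_in_tenant() {
  user_id=$(keystone user-create --name "$1" --pass "$2" | keystone_field id)
  role_id=$(keystone role-create --name "$3" | keystone_field id)
  tenant_id=$(keystone tenant-create --name "$4" | keystone_field id)
  keystone user-role-add --user "$user_id" --role "$role_id" --tenant_id "$tenant_id"
}

# Write a keystonerc file readable only by its owner (the password is in it).
write_keystonerc() {
  file=$1 user=$2 tenant=$3 pass=$4 url=$5
  ( umask 077
    printf 'export OS_USERNAME=%s\nexport OS_TENANT_NAME=%s\n' "$user" "$tenant" > "$file"
    printf 'export OS_PASSWORD=%s\nexport OS_AUTH_URL=%s\n' "$pass" "$url" >> "$file"
    printf 'export PS1="[\\u@\\h \\W(keystone_%s)]\\$ "\n' "$user" >> "$file" )
}

# Constructed sample: the user-create table from this page, used to show parsing.
SAMPLE_TABLE='+----------+-----------------------------------+
| Property |              Value                |
+----------+-----------------------------------+
| enabled  | True                              |
| id       | 1d59c0bfef9b4ea9ab63e2a058e68ae0  |
| name     | username                          |
+----------+-----------------------------------+'

printf '%s\n' "$SAMPLE_TABLE" | keystone_field id   # 1d59c0bfef9b4ea9ab63e2a058e68ae0
```

Against a live deployment, `create_user_in_tenant username secret user rhsummit` followed by `write_keystonerc ~/keystonerc_username username rhsummit secret http://127.0.0.1:5000/v2.0/` reproduces the steps above without any copy-and-paste of IDs.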