Sep 072015
 
OpenStack Logo
OpenStack Logo

This is guide takes you to the second part of configuring OpenStack identity service on controller node, you can also go through the previous article on configuring KeyStone #1. Here we will be covering service entity and API end point creations.

Create the service entity and API endpoint:

To create the service entity and API endpoint, we have to export below variables to pass the value of authentication token.

# export OS_TOKEN=43405b090eda983ddde2  ## Replace this token (43405b090eda983ddde2 ) with OS_TOEKEN value from keystone.conf file.
# export OS_URL=http://controller:35357/v2.0  ## Replace controller with your controller ip.

Create the service entity for the Identity service.

# openstack service create --name keystone --description "OpenStack Identity" identity

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | c65841b4f8df478cbc19524c09fd9724 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

Verify the service.

# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| c65841b4f8df478cbc19524c09fd9724 | keystone | identity |
+----------------------------------+----------+----------+

Create the identity service API endpoint.

# openstack endpoint create \
--publicurl http://controller:5000/v2.0 \
--internalurl http://controller:5000/v2.0 \
--adminurl http://controller:35357/v2.0 \
--region RegionOne \
identity
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| adminurl     | http://controller:35357/v2.0     |
| id           | f402a9389d474c13a97a78a30f13c6e5 |
| internalurl  | http://controller:5000/v2.0      |
| publicurl    | http://controller:5000/v2.0      |
| region       | RegionOne                        |
| service_id   | c65841b4f8df478cbc19524c09fd9724 |
| service_name | keystone                         |
| service_type | identity                         |
+--------------+----------------------------------+

Verify the endpoint details.

# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+
| ID                               | Region    | Service Name | Service Type |
+----------------------------------+-----------+--------------+--------------+
| f402a9389d474c13a97a78a30f13c6e5 | RegionOne | keystone     | identity     |
+----------------------------------+-----------+--------------+--------------+

Create projects, users, and roles:

Create a admin project, user and role for administration, we will use default domain for simplicity.

Create the admin project.

# openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| enabled     | True                             |
| id          | 9b05e6bffdb94c8081d665561d05e31e |
| name        | admin                            |
+-------------+----------------------------------+

Create the admin user.

# openstack user create --password-prompt admin
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 127a9a6b822a4e3eba69fa54128873cd |
| name     | admin                            |
| username | admin                            |
+----------+----------------------------------+

Create the admin role.

# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 33af4f957aa34cc79451c23bf014af6f |
| name  | admin                            |
+-------+----------------------------------+

Add admin role to admin project and user.

# openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 33af4f957aa34cc79451c23bf014af6f |
| name  | admin                            |
+-------+----------------------------------+

Create the service project.

# openstack project create --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| enabled     | True                             |
| id          | 39e1b9944e564ceb9e71c98623b676cd |
| name        | service                          |
+-------------+----------------------------------+

Create the demo project to use for normal user.

#  openstack project create --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| enabled     | True                             |
| id          | 909c4d7219c14a63aa0ef6f1ece18546 |
| name        | demo                             |
+-------------+----------------------------------+

Create the demo user.

# openstack user create --password-prompt demo
User Password:
Repeat User Password:
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | 453ce23fa9f347b5baa53210aff7f207 |
| name     | demo                             |
| username | demo                             |
+----------+----------------------------------+

Create the user role.

# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | fa78c101a7ed40b19de219e7d3eeda62 |
| name  | user                             |
+-------+----------------------------------+

Add the user role to demo project and user.

# openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | fa78c101a7ed40b19de219e7d3eeda62 |
| name  | user                             |
+-------+----------------------------------+

Verify operation:

# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 39e1b9944e564ceb9e71c98623b676cd | service |
| 909c4d7219c14a63aa0ef6f1ece18546 | demo    |
| 9b05e6bffdb94c8081d665561d05e31e | admin   |
+----------------------------------+---------+
# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 127a9a6b822a4e3eba69fa54128873cd | admin |
| 453ce23fa9f347b5baa53210aff7f207 | demo  |
+----------------------------------+-------+
# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 33af4f957aa34cc79451c23bf014af6f | admin |
| fa78c101a7ed40b19de219e7d3eeda62 | user  |
+----------------------------------+-------+

Verify operation with role based access, to do that unset the exported variables.

# unset OS_TOKEN OS_URL

Execute the following command to list the roles as admin  user.

# openstack --os-auth-url http://controller:35357 --os-project-name admin --os-username admin --os-auth-type password  role list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 33af4f957aa34cc79451c23bf014af6f | admin |
| fa78c101a7ed40b19de219e7d3eeda62 | user  |
+----------------------------------+-------+

Execute the following command to list the roles as demo user, you should get below error.

# openstack --os-auth-url http://controller:35357 --os-project-name demo --os-username demo --os-auth-type password role list
Password:
ERROR: openstack You are not authorized to perform the requested action: admin_required (HTTP 403) (Request-ID: req-143ee967-4a26-4474-bf88-0b660354869d)

That’s all, you have successfully configured KeyStone on Ubuntu 14.04.2