/
ch_identity_mgmt.xml
1403 lines (1374 loc) · 44.6 KB
/
ch_identity_mgmt.xml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
<?xml version="1.0" encoding="UTF-8"?>
<chapter xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="ch-identity-mgmt-config">
<title>Identity Management</title>
<para>
The default identity management system for OpenStack is the OpenStack Identity Service, code-named Keystone.
Once Identity is installed, it is configured via a primary
configuration file (<filename>etc/keystone.conf</filename>), possibly
a separate logging configuration file, and initializing data into
keystone using the command line client.
</para>
<xi:include href="../common/keystone-concepts.xml"/>
<section xml:id="keystone-configuration-file">
<title>Configuration File</title>
<para>
The Identity configuration file is an 'ini' file format with
sections, extended from
<link xlink:href="http://pythonpaste.org/">Paste</link>, a common
system used to configure python WSGI based applications. In
addition to the paste config entries, general configuration values
are stored under <literal>[DEFAULT]</literal>,
<literal>[sql]</literal>, <literal>[ec2]</literal> and then
drivers for the various services are included under their
individual sections.
</para>
<para> The services include: <itemizedlist>
<listitem>
<para><literal>[identity]</literal> - the python module that
backends the identity system</para>
</listitem>
<listitem>
<para><literal>[catalog]</literal> - the python module that
backends the service catalog</para>
</listitem>
<listitem>
<para><literal>[token]</literal> - the python module that
backends the token providing mechanisms</para>
</listitem>
<listitem>
<para><literal>[policy]</literal> - the python module that
drives the policy system for RBAC</para>
</listitem>
</itemizedlist></para>
<para>
The configuration file is expected to be named
<literal>keystone.conf</literal>. When starting up Identity, you
can specify a different configuration file to use with
<literal>--config-file</literal>. If you do
<emphasis role="strong">not</emphasis> specify a configuration
file, keystone will look in the following directories for a
configuration file, in order:
</para>
<itemizedlist>
<listitem>
<para>
<literal>~/.keystone</literal>
</para>
</listitem>
<listitem>
<para>
<literal>~/</literal>
</para>
</listitem>
<listitem>
<para>
<literal>/etc/keystone</literal>
</para>
</listitem>
<listitem>
<para>
<literal>/etc</literal>
</para>
</listitem>
</itemizedlist>
<para>
Logging is configured externally to the rest of Identity, the file
specifying the logging configuration is in the <literal>[DEFAULT]</literal>
section
of the keystone conf file under <literal>log_config</literal>. If
you wish to route all your logging through syslog, set
<literal>use_syslog=true</literal> option in the
<literal>[DEFAULT]</literal> section.
</para>
<para>
A sample logging file is available with the project in the
directory <filename>etc/logging.conf.sample</filename>. Like other
OpenStack projects, Identity uses the `python logging module`,
which includes extensive configuration options for choosing the
output levels and formats.
</para>
<para>
In addition to this documentation page, you can check the
<filename>etc/keystone.conf</filename> sample configuration files
distributed with keystone for example configuration files for each
server application.
</para>
<section xml:id="sample-configuration-files">
<title>Sample Configuration Files</title>
<itemizedlist>
<listitem>
<para>
<literal>etc/keystone.conf</literal>
</para>
</listitem>
<listitem>
<para>
<literal>etc/logging.conf.sample</literal>
</para>
</listitem>
</itemizedlist>
</section>
</section>
<section xml:id="running-keystone">
<title>Running</title>
<para>
Running Identity is simply starting the services by using the
command:
</para>
<screen>
keystone-all
</screen>
<para>
Invoking this command starts up two wsgi.Server instances,
configured by the <literal>keystone.conf</literal> file as
described above. One of these wsgi 'servers' is
<literal>admin</literal> (the administration API) and the other is
<literal>main</literal> (the primary/public API interface). Both
of these run in a single process.
</para>
</section>
<section xml:id="migrating-from-legacy-versions-of-keystone">
<?dbhtml stop-chunking?>
<title>Migrating from legacy versions of keystone</title>
<para>
Migration support is provided for the following legacy keystone
versions:
</para>
<itemizedlist>
<listitem>
<para>
diablo-5
</para>
</listitem>
<listitem>
<para>
stable/diablo
</para>
</listitem>
<listitem>
<para>
essex-2
</para>
</listitem>
<listitem>
<para>
essex-3
</para>
</listitem>
</itemizedlist>
<para>
To migrate from legacy versions of Identity, use the following
steps:
</para>
<section xml:id="step-1-configure-keystone.conf">
<title>Step 1: Configure keystone.conf</title>
<para>
It is important that the database that you specify be different
from the one containing your existing install.
</para>
</section>
<section xml:id="step-2-db_sync-your-new-empty-database">
<title>Step 2: db_sync your new, empty database</title>
<para> Run the following command to configure the most recent
schema in your new Identity installation: </para>
<screen>
keystone-manage db_sync
</screen>
</section>
<section xml:id="step-3-import-your-legacy-data">
<title>Step 3: Import your legacy data</title>
<para>
Use the following command to import your old data:
</para>
<screen>
keystone-manage import_legacy [db_url, e.g. 'mysql://root@foobar/keystone']
</screen>
<para> Specify db_url as the connection string that was present
in your old <filename>keystone.conf</filename> file. </para>
</section>
<section xml:id="step-4-import-your-legacy-service-catalog">
<title>Step 4: Import your legacy service catalog</title>
<para> While the older Identity service stored the service
catalog in the database, the updated version configures the
service catalog using a template file. An example service
catalog template file may be found in
etc/default_catalog.templates. </para>
<para>
To import your legacy catalog, run this command:
</para>
<screen>
keystone-manage export_legacy_catalog \
[db_url e.g. 'mysql://root@foobar/keystone'] > \
[path_to_templates e.g. 'etc/default_catalog.templates']
</screen>
<para>
After executing this command, you will need to restart the
keystone service to see your changes.
</para>
</section>
</section>
<section xml:id="migrating-from-nova-auth">
<?dbhtml stop-chunking?>
<title>Migrating from Legacy Authentication</title>
<para>
Migration of users, projects (aka tenants), roles and EC2
credentials is supported for the Diablo and Essex releases of
Nova. To migrate your auth data from Compute, use the following
steps:
</para>
<section xml:id="step-1-export-your-data-from-nova">
<title>Step 1: Export your data from Compute</title>
<para> Use the following command to export your data from
Compute (nova): </para>
<screen>
nova-manage export auth > /path/to/dump
</screen>
<para>
It is important to redirect the output to a file so it can be
imported in a later step.
</para>
</section>
<section xml:id="step-2-db_sync-your-new-empty-database-1">
<title>Step 2: db_sync your new, empty database</title>
<para>
Run the following command to configure the most recent schema in
your new installation:
</para>
<screen>
keystone-manage db_sync
</screen>
</section>
<section xml:id="step-3-import-your-data-to-keystone">
<title>Step 3: Import your data to Keystone</title>
<para>
To import your Compute auth data from a dump file created with
<command>nova-manage</command>, run this command:
</para>
<screen>
<prompt>$</prompt> <userinput>keystone-manage import_nova_auth <replaceable>[dump_file, e.g. /path/to/dump]</replaceable></userinput>
</screen>
</section>
</section>
<section xml:id="initializing-keystone">
<title>Initializing Keystone</title>
<para>
<command>keystone-manage</command> is designed to execute commands that cannot be
administered through the normal REST api. At the moment, the
following calls are supported:
</para>
<itemizedlist>
<listitem>
<para>
<literal>db_sync</literal>: Sync the database.
</para>
</listitem>
<listitem>
<para>
<literal>import_legacy</literal>: Import a legacy (pre-essex)
version of the db.
</para>
</listitem>
<listitem>
<para>
<literal>export_legacy_catalog</literal>: Export service
catalog from a legacy (pre-essex) db.
</para>
</listitem>
<listitem>
<para>
<literal>import_nova_auth</literal>: Load auth data from a
dump created with keystone-manage.
</para>
</listitem>
</itemizedlist>
<para>
Generally, the following is the first step after a source
installation:
</para>
<screen>
keystone-manage db_sync
</screen>
<para>
Invoking keystone-manage by itself will give you additional usage
information.
</para>
</section>
<section xml:id="adding-users-tenants-and-roles-with-python-keystoneclient">
<?dbhtml stop-chunking?>
<title>Adding Users, Tenants, and Roles with
python-keystoneclient</title>
<para>
User, tenants, and roles must be administered using admin
credentials. There are two ways to configure python-keystoneclient
to use admin credentials, using the token auth method, or password
auth method.
</para>
<section xml:id="token-auth-method">
<title>Token Auth Method</title>
<para>
To use keystone client using token auth, set the following flags
</para>
<itemizedlist>
<listitem>
<para>
<literal>--endpoint SERVICE_ENDPOINT</literal> : allows you
to specify the keystone endpoint to communicate with. The
default endpoint is
<link xlink:href="http://localhost:35357/v2.0'">http://localhost:35357/v2.0'</link>
</para>
</listitem>
<listitem>
<para>
<literal>--token SERVICE_TOKEN</literal> : your
administrator service token.
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="password-auth-method">
<title>Password Auth Method</title>
<itemizedlist>
<listitem>
<para>
<literal>--username OS_USERNAME</literal> : allows you to
specify the keystone endpoint to communicate with. For
example,
<link xlink:href="http://localhost:35357/v2.0'">http://localhost:35357/v2.0'</link>
</para>
</listitem>
<listitem>
<para>
<literal>--password OS_PASSWORD</literal> : Your
administrator password
</para>
</listitem>
<listitem>
<para>
<literal>--tenant_name OS_TENANT_NAME</literal> : Name of
your tenant
</para>
</listitem>
<listitem>
<para>
<literal>--auth_url OS_AUTH_URL</literal> : url of your
keystone auth server, for example
<link xlink:href="http://localhost:5000/v2.0'">http://localhost:5000/v2.0'</link>
</para>
</listitem>
</itemizedlist>
</section>
<section xml:id="example-usage">
<title>Example usage</title>
<para>The <literal>keystone</literal> client is set up to expect
commands in the general form of <literal>keystone</literal>
<literal>command</literal>
<literal>argument</literal>, followed by flag-like keyword
arguments to provide additional (often optional) information.
For example, the command <literal>user-list</literal> and
<literal>tenant-create</literal> can be invoked as follows: </para>
<screen>
# Using token auth env variables
export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/
export SERVICE_TOKEN=secrete_token
keystone user-list
keystone tenant-create --name=demo
# Using token auth flags
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ user-list
keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ tenant-create --name=demo
# Using user + password + tenant_name env variables
export OS_USERNAME=admin
export OS_PASSWORD=secrete
export OS_TENANT_NAME=admin
keystone user-list
keystone tenant-create --name=demo
# Using user + password + tenant_name flags
keystone --username=admin --password=secrete --tenant_name=admin user-list
keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo
</screen>
</section>
<section xml:id="tenants">
<title>Tenants</title>
<para>
Tenants are the high level grouping within Keystone that
represent groups of users. A tenant is the grouping that owns
virtual machines within Nova, or containers within Swift. A
tenant can have zero or more users, Users can be associated with
more than one tenant, and each tenant - user pairing can have a
role associated with it.
</para>
<section xml:id="tenant-create">
<title><literal>tenant-create</literal></title>
<para>
keyword arguments
</para>
<itemizedlist>
<listitem>
<para>
name
</para>
</listitem>
<listitem>
<para>
description (optional, defaults to None)
</para>
</listitem>
<listitem>
<para>
enabled (optional, defaults to True)
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone tenant-create --name=demo
</screen>
<para>
creates a tenant named "demo".
</para>
</section>
<section xml:id="tenant-delete">
<title><literal>tenant-delete</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
tenant_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone tenant-delete f2b7b39c860840dfa47d9ee4adffa0b3
</screen>
</section>
<section xml:id="tenant-enable">
<title><literal>tenant-enable</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
tenant_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone tenant-enable f2b7b39c860840dfa47d9ee4adffa0b3
</screen>
</section>
<section xml:id="tenant-disable">
<title><literal>tenant-disable</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
tenant_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone tenant-disable f2b7b39c860840dfa47d9ee4adffa0b3
</screen>
</section>
</section>
<section xml:id="users">
<title>Users</title>
<section xml:id="user-create">
<title><literal>user-create</literal></title>
<para> keyword arguments: </para>
<itemizedlist>
<listitem>
<para>
name
</para>
</listitem>
<listitem>
<para>
pass
</para>
</listitem>
<listitem>
<para>
email
</para>
</listitem>
<listitem>
<para>
default_tenant (optional, defaults to None)
</para>
</listitem>
<listitem>
<para>
enabled (optional, defaults to True)
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone user-create
--name=admin \
--pass=secrete \
--email=admin@example.com
</screen>
</section>
<section xml:id="user-delete">
<title><literal>user-delete</literal></title>
<para> keyword arguments: </para>
<itemizedlist>
<listitem>
<para>
user
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone user-delete f2b7b39c860840dfa47d9ee4adffa0b3
</screen>
</section>
<section xml:id="user-list">
<title><literal>user-list</literal></title>
<para>
list users in the system, optionally by a specific tenant
(identified by tenant_id)
</para>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
tenant_id (optional, defaults to None)
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone user-list
</screen>
</section>
<section xml:id="user-update-email">
<title><literal>user-update-email</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
user_id
</para>
</listitem>
<listitem>
<para>
email
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone user-update-email 03c84b51574841ba9a0d8db7882ac645 "someone@somewhere.com"
</screen>
</section>
<section xml:id="user-enable">
<title><literal>user-enable</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
user_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone user-enable 03c84b51574841ba9a0d8db7882ac645
</screen>
</section>
<section xml:id="user-disable">
<title><literal>user-disable</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
user_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone user-disable 03c84b51574841ba9a0d8db7882ac645
</screen>
</section>
<section xml:id="user-update-password">
<title><literal>user-update-password</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
user_id
</para>
</listitem>
<listitem>
<para>
password
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone user-update-password 03c84b51574841ba9a0d8db7882ac645 foo
</screen>
</section>
</section>
<section xml:id="roles">
<title>Roles</title>
<section xml:id="role-create">
<title><literal>role-create</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
name
</para>
</listitem>
</itemizedlist>
<para> example: </para>
<screen>
keystone role-create --name=demo
</screen>
</section>
<section xml:id="role-delete">
<title><literal>role-delete</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
role_id
</para>
</listitem>
</itemizedlist>
<para> example: </para>
<screen>
keystone role-delete 19d1d3344873464d819c45f521ff9890
</screen>
</section>
<section xml:id="role-list">
<title><literal>role-list</literal></title>
<para> example: </para>
<screen>
keystone role-list
</screen>
</section>
<section xml:id="role-get">
<title><literal>role-get</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
role_id
</para>
</listitem>
</itemizedlist>
<para> example: </para>
<screen>
keystone role-get role=19d1d3344873464d819c45f521ff9890
</screen>
</section>
<section xml:id="add-user-role">
<title><literal>add-user-role</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
role_id
</para>
</listitem>
<listitem>
<para>
user_id
</para>
</listitem>
<listitem>
<para>
tenant_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone role add-user-role \
3a751f78ef4c412b827540b829e2d7dd \
03c84b51574841ba9a0d8db7882ac645 \
20601a7f1d94447daa4dff438cb1c209
</screen>
</section>
<section xml:id="remove-user-role">
<title><literal>remove-user-role</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
role_id
</para>
</listitem>
<listitem>
<para>
user_id
</para>
</listitem>
<listitem>
<para>
tenant_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone remove-user-role \
19d1d3344873464d819c45f521ff9890 \
08741d8ed88242ca88d1f61484a0fe3b \
20601a7f1d94447daa4dff438cb1c209
</screen>
</section>
</section>
<section xml:id="services">
<title>Services</title>
<section xml:id="service-create">
<title><literal>service-create</literal></title>
<para>
keyword arguments
</para>
<itemizedlist>
<listitem>
<para>
name
</para>
</listitem>
<listitem>
<para>
type
</para>
</listitem>
<listitem>
<para>
description
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone service create \
--name=nova \
--type=compute \
--description="Nova Compute Service"
</screen>
</section>
<section xml:id="service-list">
<title><literal>service-list</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
service_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone service-list
</screen>
</section>
<section xml:id="service-get">
<title><literal>service-get</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
service_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone service-get 08741d8ed88242ca88d1f61484a0fe3b
</screen>
</section>
<section xml:id="service-delete">
<title><literal>service-delete</literal></title>
<para>
arguments
</para>
<itemizedlist>
<listitem>
<para>
service_id
</para>
</listitem>
</itemizedlist>
<para>
example:
</para>
<screen>
keystone service-delete 08741d8ed88242ca88d1f61484a0fe3b
</screen>
</section>
</section>
</section>
<section xml:id="configuring-services-to-work-with-keystone">
<title>Configuring Services to work with Keystone</title>
<para>
Once Keystone is installed and running,
services need to be configured to work with it. To do this, we
primarily install and configure middleware for the OpenStack service
to handle authentication tasks or otherwise interact with Keystone.
</para>
<para>
In general:
</para>
<itemizedlist>
<listitem>
<para>
Clients making calls to the service will pass in an
authentication token.
</para>
</listitem>
<listitem>
<para>
The Keystone middleware will look for and validate that token,
taking the appropriate action.
</para>
</listitem>
<listitem>
<para>
It will also retrieve additional information from the token such
as user name, id, tenant name, id, roles, etc...
</para>
</listitem>
</itemizedlist>
<para>
The middleware will pass those data down to the service as headers.
</para>
<section xml:id="setting-up-credentials">
<title>Setting up credentials</title>
<section xml:id="admin-token">
<title>Admin Token</title>
<para>
For a default installation of Keystone, before you can use the
REST API, you need to define an authorization token. This is
configured in <literal>keystone.conf</literal> file under the
section <literal>[DEFAULT]</literal>. In the sample file
provided with the keystone project, the line defining this token
is
</para>
<blockquote>
<para>
[DEFAULT] admin_token = ADMIN
</para>
</blockquote>
<para> This configured token is a "shared secret"
between keystone and other OpenStack services, and is used
by the client to communicate with the API to create tenants,
users, roles, etc. </para>
</section>
<section xml:id="setting-up-tenants-users-and-roles">
<title>Setting up tenants, users, and roles</title>
<para>
You need to minimally define a tenant, user, and role to link
the tenant and user as the most basic set of details to get
other services authenticating and authorizing with keystone.
</para>
<para>
You will also want to create service users for Compute (nova), Image (glance),
Object Storage (swift), etc. to be able to use to authenticate users against
the Identity service (keystone). The <literal>auth_token</literal> middleware supports
using either the shared secret described above as `admin_token`
or users for each service.
</para>
<para>
See the configuration section for a walk through on how to create
tenants, users, and roles.
</para>
</section>
</section>
<section xml:id="setting-up-services">
<title>Setting up services</title>
<?dbhtml stop-chunking?>
<section xml:id="creating-service-users">
<title>Creating Service Users</title>
<para>
To configure the OpenStack services with service users, we need
to create a tenant for all the services, and then users for each
of the services. We then assign those service users an Admin
role on the service tenant. This allows them to validate tokens
- and authenticate and authorize other user requests.
</para>
<para>
Create a tenant for the services, typically named 'service'
(however, the name can be whatever you choose):
</para>
<screen>
keystone tenant-create --name=service
</screen>
<para>
This returns a UUID of the tenant - keep that, you'll need it
when creating the users and specifying the roles.
</para>
<para>
Create service users for nova, glance, swift, and quantum (or
whatever subset is relevant to your deployment):
</para>
<screen>
keystone user-create --name=nova \
--pass=Sekr3tPass \
--tenant_id=[the uuid of the tenant] \
--email=nova@nothing.com
</screen>
<para>
Repeat this for each service you want to enable. Email is a
required field in keystone right now, but not used in relation
to the service accounts. Each of these commands will also return
a UUID of the user. Keep those to assign the Admin role.