Only users with admin credentials can administer users, tenants and roles. You can configure the python-keystoneclient with admin credentials through either the authentication token, or the username and password method.
To use keystone client using token auth, set the following flags:
--endpoint SERVICE_ENDPOINT. The keystone endpoint to communicate with. The default endpoint is http://localhost:35357/v2.0'.--token SERVICE_TOKEN. The administrator service token.
--username OS_USERNAME. The administrator username.--password OS_PASSWORD. The administrator password--tenant_name OS_TENANT_NAME. The tenant name.--auth_url OS_AUTH_URL. The URL of the keystone auth server, for example http://localhost:5000/v2.0'.
Use the following keystone parameters, in combination, to specify the version of the API to use:
--os-endpoint. Thekeystoneclient detects the version of the API from this parameter.--os-url. Specifies the service URL from the service catalog lookup.--os-identity-api-version. Specifies the Identity Service API version.
For example, the following parameters indicate the use of API v3:
--os-url "http://15.253.57.115:35357/v3" --os-identity-api-version 3
The following parameters indicate the use of API v2.0:
--os-url "http://15.253.57.115:35357/v2.0" --os-identity-api-version 2.0
The keystone client is set up to expect commands
in the general form of keystone
command
argument, followed by flag-like keyword arguments to
provide additional (often optional) information. For example, the
command user-list and
tenant-create can be invoked as follows:
# Using token auth env variables export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/ export SERVICE_TOKEN=secrete_token keystone user-list keystone tenant-create --name=demo # Using token auth flags keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ user-list keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ tenant-create --name=demo # Using user + password + tenant_name env variables export OS_USERNAME=admin export OS_PASSWORD=secrete export OS_TENANT_NAME=admin keystone user-list keystone tenant-create --name=demo # Using user + password + tenant_name flags keystone --username=admin --password=secrete --tenant_name=admin user-list keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo
A tenant is a group of zero or more users. In nova, a tenant owns virtual machines. In swift, a tenant owns containers. Users can be associated with more than one tenant. Each tenant and user pairing can have a role associated with it.
keyword arguments
name
description (optional, defaults to None)
enabled (optional, defaults to True)
The following command creates a tenant named demo:
keystone tenant-create --name=demo
keyword arguments:
name
pass
email
default_tenant (optional, defaults to None)
enabled (optional, defaults to True)
example:
keystone user-create --name=admin \ --pass=secrete \ [email protected]
list users in the system, optionally by a specific tenant (identified by tenant_id)
arguments
tenant_id (optional, defaults to None)
example:
keystone user-list
arguments
user_id
email
example:
keystone user-update --email 03c84b51574841ba9a0d8db7882ac645 "[email protected]"
arguments
role_id
user_id
tenant_id
example:
keystone add-user-role \ 3a751f78ef4c412b827540b829e2d7dd \ 03c84b51574841ba9a0d8db7882ac645 \ 20601a7f1d94447daa4dff438cb1c209
keyword arguments
name
type
description
example:
keystone service create \ --name=nova \ --type=compute \ --description="Nova Compute Service"
