Verify the Identity Service installation

To verify the Identity Service is installed and configured correctly, first unset the OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT environment variables. These were only used to bootstrap the administrative user and register the Identity Service.

$ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT

You can now use regular username-based authentication. Request an authentication token using the admin user and the password you chose during the earlier administrative user-creation step.

See the section called “Define users, tenants, and roles” for further details.

$ keystone --os-username=admin --os-password=ADMIN_PASS \
  --os-auth-url=http://controller:35357/v2.0 token-get

You should receive a token in response, paired with your user ID. This verifies that keystone is running on the expected endpoint, and that your user account is established with the expected credentials.

Next, verify that authorization is behaving as expected by requesting authorization on a tenant.

$ keystone --os-username=admin --os-password=ADMIN_PASS \
  --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 token-get

You should receive a new token in response, this time including the ID of the tenant you specified. This verifies that your user account has an explicitly defined role on the specified tenant, and that the tenant exists as expected.

You can also set your --os-* variables in your environment to simplify command-line usage. Set up a openrc.sh file with the admin credentials and admin endpoint.

export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0

You can source this file to read in the environment variables.

$ source openrc.sh

Verify that your openrc.sh file is configured correctly by performing the same command as above, but without the --os-* arguments.

$ keystone token-get

The command returns a token and the ID of the specified tenant. This verifies that you have configured your environment variables correctly.

Finally, verify that your admin account has authorization to perform administrative commands.

$ keystone user-list

+----------------------------------+---------+--------------------+--------+
|                id                | enabled | email              |  name  |
+----------------------------------+---------+--------------------+--------+
| a4c2d43f80a549a19864c89d759bb3fe | True    | [email protected]  | admin  |

This verifies that your user account has the admin role, which matches the role used in the Identity Service policy.json file.