To verify that the Identity Service is installed and configured correctly, clear the values in the
OS_SERVICE_TOKEN
andOS_SERVICE_ENDPOINT
environment variables:$ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
These variables, which were used to bootstrap the administrative user and register the Identity Service, are no longer needed.
You can now use regular user name-based authentication.
Request a authentication token by using the
admin
user and the password you chose for that user:$ keystone --os-username=admin --os-password=
ADMIN_PASS
\ --os-auth-url=http://controller:35357/v2.0 token-getIn response, you receive a token paired with your user ID. This verifies that the Identity Service is running on the expected endpoint and that your user account is established with the expected credentials.
Verify that authorization behaves as expected. To do so, request authorization on a tenant:
$ keystone --os-username=admin --os-password=
ADMIN_PASS
\ --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 \ token-getIn response, you receive a token that includes the ID of the tenant that you specified. This verifies that your user account has an explicitly defined role on the specified tenant and the tenant exists as expected.
You can also set your
--os-*
variables in your environment to simplify command-line usage. Set up aadmin-openrc.sh
file with the admin credentials and admin endpoint:export OS_USERNAME=admin export OS_PASSWORD=
ADMIN_PASS
export OS_TENANT_NAME=admin export OS_AUTH_URL=http://controller:35357/v2.0Source this file to read in the environment variables:
$ source admin-openrc.sh
Verify that your
admin-openrc.sh
file is configured correctly. Run the same command without the--os-*
arguments:$ keystone token-get
The command returns a token and the ID of the specified tenant. This verifies that you have configured your environment variables correctly.
Verify that your admin account has authorization to perform administrative commands:
$ keystone user-list +----------------------------------+-------+---------+-------------------+ | id | name | enabled | email | +----------------------------------+-------+---------+-------------------+ | afea5bde3be9413dbd60e479fddf9228 | admin | True | [email protected] | | 32aca1f9a47540c29d6988091f76c934 | demo | True | [email protected] | +----------------------------------+-------+---------+-------------------+
$ keystone user-role-list --user admin --tenant admin +----------------------------------+----------+----------------------------------+----------------------------------+ | id | name | user_id | tenant_id | +----------------------------------+----------+----------------------------------+----------------------------------+ | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | afea5bde3be9413dbd60e479fddf9228 | e519b772cb43474582fa303da62559e5 | | 5d3b60b66f1f438b80eaae41a77b5951 | admin | afea5bde3be9413dbd60e479fddf9228 | e519b772cb43474582fa303da62559e5 | +----------------------------------+----------+----------------------------------+----------------------------------+
Seeing that the
id
in the output from the keystone user-list command matches theuser_id
in the keystone user-role-list command, and that the admin role is listed for that user, for the related tenant, this verifies that your user account has theadmin
role, which matches the role used in the Identity Servicepolicy.json
file.Note As long as you define your credentials and the Identity Service endpoint through the command line or environment variables, you can run all OpenStack client commands from any machine. For details, see Chapter 5, Install and configure the OpenStack clients.