After you install the Identity Service, set up users, tenants, and roles to authenticate against. These are used to allow access to services and endpoints, described in the next section.

Typically, you would indicate a user and password to authenticate with the Identity Service. At this point, however, you have not created any users, so you have to use the authorization token created in an earlier step; see the section called “Install the Identity Service” for further details. You can pass this with the --os-token option to the keystone command or set the OS_SERVICE_TOKEN environment variable. Set OS_SERVICE_TOKEN, as well as OS_SERVICE_ENDPOINT to specify where the Identity Service is running. Replace ADMIN_TOKEN with your authorization token.

$ export OS_SERVICE_TOKEN=ADMIN_TOKEN
$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
Create an administrative user

Follow these steps to create an administrative user, role, and tenant. You will use this account for administrative interaction with the OpenStack cloud.

By default, the Identity Service creates a special _member_ role. The OpenStack dashboard automatically grants access to users with this role. You will give the admin user access to this role in addition to the admin role.

Note: Any role that you create must map to roles specified in the
1. Create the admin user:

$ keystone user-create --name=admin --pass=ADMIN_PASS --email=ADMIN_EMAIL

Replace ADMIN_PASS with a secure password and replace ADMIN_EMAIL with an email address to associate with the account.

2. Create the admin role:

$ keystone role-create --name=admin

3. Create the admin tenant:

$ keystone tenant-create --name=admin --description="Admin Tenant"

4. You must now link the admin user, admin role, and admin tenant together using the user-role-add option:

$ keystone user-role-add --user=admin --tenant=admin --role=admin

5. Link the admin user, _member_ role, and admin tenant:

$ keystone user-role-add --user=admin --role=_member_ --tenant=admin
Create a normal user

Follow these steps to create a normal user and tenant, and link them to the special _member_ role. You will use this account for daily non-administrative interaction with the OpenStack cloud. You can also repeat this procedure to create additional cloud users with different usernames and passwords. Skip the tenant creation step when creating these users.

1. Create the demo user:

$ keystone user-create --name=demo --pass=DEMO_PASS --email=DEMO_EMAIL

Replace DEMO_PASS with a secure password and replace DEMO_EMAIL with an email address to associate with the account.

2. Create the demo tenant:

$ keystone tenant-create --name=demo --description="Demo Tenant"

Note: Do not repeat this step when adding additional users.

3. Link the demo user, _member_ role, and demo tenant:

$ keystone user-role-add --user=demo --role=_member_ --tenant=demo
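A repeatable shell version of the procedure above, added here as an example and not part of the original guide. It assumes the keystone CLI shown in the guide and the OS_SERVICE_TOKEN / OS_SERVICE_ENDPOINT variables exported earlier, refuses to run without that bootstrap token, creates the tenant only once (the "skip the tenant creation step" rule for additional users), and reads the password with echo off instead of having it typed on the command line.

```shell
#!/bin/sh
# Added example, not part of the OpenStack guide: a repeatable version of the
# "Create a normal user" procedure. Assumes the keystone CLI used in the guide
# and that OS_SERVICE_TOKEN / OS_SERVICE_ENDPOINT are already exported.

# The bootstrap token is the only credential available before any user exists;
# refuse to run without it so a misconfigured shell fails early and clearly.
require_service_token() {
    [ -n "${OS_SERVICE_TOKEN:-}" ] && [ -n "${OS_SERVICE_ENDPOINT:-}" ]
}

# Create the tenant only if it does not already exist, so the same function
# can be re-run for additional users without repeating the tenant-create step.
ensure_tenant() {
    t_name=$1; t_desc=$2
    if keystone tenant-get "$t_name" >/dev/null 2>&1; then
        echo "tenant $t_name already exists, reusing it"
    else
        keystone tenant-create --name="$t_name" --description="$t_desc"
    fi
}

# Create the user in the tenant and grant the _member_ role, which is the role
# the dashboard checks for. Arguments: name, email, tenant, password.
create_cloud_user() {
    u_name=$1; u_email=$2; u_tenant=$3; u_pass=$4
    require_service_token || {
        echo "OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT must be set" >&2; return 1; }
    ensure_tenant "$u_tenant" "$u_tenant Tenant" || return 1
    keystone user-create --name="$u_name" --pass="$u_pass" --email="$u_email" \
        || return 1
    keystone user-role-add --user="$u_name" --role=_member_ --tenant="$u_tenant"
}

# Prompt for a password with echo off, so the secret is neither shown on screen
# nor recorded in the shell history the way a literal --pass= value typed at the
# prompt is (the CLI still receives it as an argument, which it requires).
read_password() {
    printf 'Password for %s: ' "$1" >&2
    stty -echo 2>/dev/null || true
    read -r pw
    stty echo 2>/dev/null || true
    echo >&2
    printf '%s' "$pw"
}

# Example invocation (same result as the manual steps for the demo user):
#   create_cloud_user demo demo@example.com demo "$(read_password demo)"
```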
Create a service tenant

OpenStack services also require a username, tenant, and role to access other OpenStack services. In a basic installation, OpenStack services typically share a single tenant named service. You will create additional usernames and roles under this tenant as you install and configure each service.

Create the service tenant:

$ keystone tenant-create --name=service --description="Service Tenant"