Adding users to Keystone
Adding users to the OpenStack Identity service requires that the user has a tenant that they can exist in and there is a defined role that can be assigned to them. For this section, we will create two users. The first user will be named admin and will have the admin role assigned to them in the cookbook tenant. The second user will be named demo and will have the Member role assigned to them in the same cookbook tenant.
Getting ready
We will be using the keystone client to operate Keystone. If the python-keystoneclient tool isn't available, follow the steps described at http://bit.ly/OpenStackCookbookClientInstall.
Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:
export OS_TENANT_NAME=cookbook export OS_USERNAME=admin export OS_PASSWORD=openstack export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/ export OS_NO_CACHE=1 export OS_KEY=/vagrant/cakey.pem export OS_CACERT=/vagrant/ca.pem
Tip
You can use the controller node if no other machines are available on your network, as this has the python-keystoneclient and the relevant access to the OpenStack environment. If you are using the Vagrant environment, issue the following command to get access to the Controller:
vagrant ssh controller
How to do it...
To create the required users in our OpenStack environment, perform the following steps:
- To create a user in the
cookbooktenant, we first need to get thecookbooktenant ID. To do this, issue the following command, which we conveniently store in a variable namedTENANT_IDwith thetenant-listoption:TENANT_ID=$(keystone tenant-list \ | awk '/\ cookbook\ / {print $2}')
- Now that we have the tenant ID, the
adminuser in thecookbooktenant is created using theuser-createoption and a password is chosen for the user:PASSWORD=openstack keystone user-create \ --name admin \ --tenant_id $TENANT_ID \ --pass $PASSWORD \ --email root@localhost \ --enabled true
The preceding code will produce the following output:
+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | root@localhost | | enabled | True | | id | 2e23d0673e8a4deabe7c0fb70dfcb9f2 | | name | admin | | tenantId | 14e34722ac7b4fe298886371ec17cf40 | | username | admin | +----------+----------------------------------+
- As we are creating the
adminuser, which we are assigning the admin role, we need the admin role ID. We pick out the ID of theadminrole and conveniently store it in a variable to use it when assigning the role to the user with therole-listoption:ROLE_ID=$(keystone role-list \ | awk '/\ admin\ / {print $2}')
- To assign the role to our user, we need to use the user ID that was returned when we created that user. To get this, we can list the users and pick out the ID for that particular user with the following user-list option:
USER_ID=$(keystone user-list \ | awk '/\ admin\ / {print $2}')
- With the tenant ID, user ID, and an appropriate role ID available, we can assign that role to the user with the following user-role-add option:
keystone user-role-add \ --user $USER_ID \ --role $ROLE_ID \ --tenant_id $TENANT_ID
Tip
Note that there is no output produced on successfully running this command.
- The
adminuser also needs to be in theadmintenant for us to be able to administer the complete environment. To do this, we need to get theadmintenant ID and then repeat the previous step using this new tenant ID:ADMIN_TENANT_ID=$(keystone tenant-list \ | awk '/\ admin\ / {print $2}') keystone user-role-add \ --user $USER_ID \ --role $ROLE_ID \ --tenant_id $ADMIN_TENANT_ID
- To create the
demouser in thecookbooktenant with theMember roleassigned, we repeat the process defined in steps 1 to 5:# Get the cookbook tenant ID TENANT_ID=$(keystone tenant-list \ | awk '/\ cookbook\ / {print $2}') # Create the user PASSWORD=openstack keystone user-create \ --name demo \ --tenant_id $TENANT_ID \ --pass $PASSWORD \ --email demo@localhost \ --enabled true # Get the Member role ID ROLE_ID=$(keystone role-list \ | awk '/\ Member\ / {print $2}') # Get the demo user ID USER_ID=$(keystone user-list \ | awk '/\ demo\ / {print $2}') # Assign the Member role to the demo user in cookbook keystone user-role-add \ --user $USER_ID \ -–role $ROLE_ID \ --tenant_id $TENANT_ID
How it works...
Adding users in the OpenStack Identity service involves a number of steps and dependencies. First, a tenant is required for the user to be part of. Once the tenant exists, the user can be added. At this point, the user has no role associated, so the final step is to designate the role to this user, such as Member or admin.
Use the following syntax to create a user with the user-create option:
keystone user-create \ --name user_name \ --tenant_id TENANT_ID \ --pass PASSWORD \ --email email_address \ --enabled true
The user_name attribute is an arbitrary name but cannot contain any spaces. A password attribute must be present. In the previous examples, these were set to openstack. The email_address attribute must also be present.
To assign a role to a user with the user-role-add option, use the following syntax:
keystone user-role-add \ --user USER_ID \ --role ROLE_ID \ --tenant_id TENANT_ID
This means that we need to have the ID of the user, the ID of the role, and the ID of the tenant in order to assign roles to users. These IDs can be found using the following commands:
keystone tenant-list keystone user-list keystone role-list
