Configuring roles in Keystone
Roles are the permissions given to users within a tenant. Here, we will configure two roles: an admin role that allows for the administration of our environment, and a Member role that is given to ordinary users who will be using the cloud environment.
Getting ready
We will be using the keystone client to operate Keystone. If the python-keystoneclient tool isn't available, follow the steps described at http://bit.ly/OpenStackCookbookClientInstall.
Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:
export OS_TENANT_NAME=cookbook
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/
export OS_NO_CACHE=1
export OS_KEY=/vagrant/cakey.pem
export OS_CACERT=/vagrant/ca.pem
Tip
You can use the controller node if no other machines are available on your network, as this has the python-keystoneclient and the relevant access to the OpenStack environment. If you are using the Vagrant environment, issue the following command to get access to the Controller:
vagrant ssh controller
How to do it...
To create the required roles in our OpenStack environment, perform the following steps:
- Create the admin role as follows:

# admin role
keystone role-create --name admin

You will get an output like this:

+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | 625b81ae9f024366bbe023a62ab8a18d |
| name     | admin                            |
+----------+----------------------------------+
- To create the Member role, we repeat the step and specify the Member role:

# Member role
keystone role-create --name Member
How it works...
Creation of the roles is simply achieved by using the keystone client and specifying the role-create option with the following syntax:
keystone role-create --name role_name
The role_name attribute can't be arbitrary for the admin and Member roles. The admin role has been set by default in /etc/keystone/policy.json as having administrative rights:

{
    "admin_required": [["role:admin"], ["is_admin:1"]]
}
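To show why the admin role name is not arbitrary, here is an added example (not from the book and not Keystone's own policy engine) that evaluates the admin_required rule above using the legacy list-of-lists policy semantics, where the outer list is OR and each inner list is AND; the credential dictionaries it checks are constructed for illustration.

```python
import json

# Constructed policy fragment mirroring the default /etc/keystone/policy.json
# rule quoted above. Outer list: any clause may grant; inner list: every atom
# in the clause must hold.
POLICY_JSON = '{"admin_required": [["role:admin"], ["is_admin:1"]]}'


def check_atom(atom, creds):
    """Evaluate one 'kind:value' atom against a credentials dict."""
    kind, _, value = atom.partition(":")
    if kind == "role":
        # Role names are compared as exact strings, so a role created as
        # 'Admin' or 'administrator' never satisfies 'role:admin'.
        return value in creds.get("roles", [])
    # Any other kind (e.g. is_admin) is compared against the same-named
    # credential attribute, which is how 'is_admin:1' matches the bootstrap
    # admin token.
    return str(creds.get(kind, "")) == value


def check_rule(rule, creds):
    """Legacy list-of-lists rule: OR over clauses, AND within a clause."""
    return any(all(check_atom(atom, creds) for atom in clause) for clause in rule)


def admin_required(creds, policy_json=POLICY_JSON):
    """Return True if the credentials satisfy the admin_required rule."""
    policy = json.loads(policy_json)
    return check_rule(policy["admin_required"], creds)


if __name__ == "__main__":
    # Constructed credential sets, as a token validation would present them.
    for label, creds in [
        ("admin role", {"roles": ["admin"], "is_admin": 0}),
        ("Member role", {"roles": ["Member"], "is_admin": 0}),
        ("misnamed Admin role", {"roles": ["Admin"], "is_admin": 0}),
        ("bootstrap token", {"roles": [], "is_admin": 1}),
    ]:
        print(f"{label}: admin_required={admin_required(creds)}")
```

Only the exact role name admin and the is_admin flag pass; a Member role or a differently spelled admin role is denied.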
The Member role is also configured by default in the OpenStack Dashboard, Horizon, for a non-admin user created through the web interface.
On creation of the role, the ID associated with it is returned, and we can use it when assigning roles to users. To see a list of roles and the associated IDs in our environment, we can issue the following command:
keystone role-list