Configure the Service tenant:
OpenStack services also need a tenant, roles and users of their own so that they can authenticate to Keystone and call one another. Each service you install later gets its own user in this service tenant, and that user is granted the admin role. Those service accounts are therefore privileged: the passwords you set for them end up in each service's configuration file and have to be protected like any other admin credential.
root@OSCTRL-UA:~# keystone tenant-create --name=service --description="Service Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |          Service Tenant          |
|   enabled   |               True               |
|      id     | 332f6865332b45aa9cf0d79aacd1ae3b |
|     name    |             service              |
+-------------+----------------------------------+
root@OSCTRL-UA:~#
Define services and API endpoints.
By defining services and API endpoints, Keystone can track which OpenStack services are deployed and where each one is reachable on the network. Every service in the installation must be registered; keystone service-create and keystone endpoint-create do this.
1. Keystone has to be registered with itself first. Create a service entry for the Identity Service.
root@OSCTRL-UA:~# keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |        OpenStack Identity        |
|   enabled   |               True               |
|      id     | cfa2859138ae4549919cbf2bfd06346f |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+
root@OSCTRL-UA:~#
2. Create the API endpoint for the Identity Service. An endpoint record carries the URLs of the public API, the internal API and the admin API, each built from the controller's host name. The admin API listens on a different port (35357) from the public and internal APIs (5000). Only the public URL has to be reachable by tenants; the admin API should be exposed only on the management network. You need the service ID from the previous step to create the endpoint.
You can take the service ID from the previous step's output or look it up with the command below.
root@OSCTRL-UA:~# keystone service-list | awk '/ identity / {print $2}'
cfa2859138ae4549919cbf2bfd06346f
root@OSCTRL-UA:~#
Create the API endpoint for the Identity Service.
root@OSCTRL-UA:~# keystone endpoint-create --service-id=$(keystone service-list | awk '/ identity / {print $2}') --publicurl=http://OSCTRL-UA:5000/v2.0 --internalurl=http://OSCTRL-UA:5000/v2.0 --adminurl=http://OSCTRL-UA:35357/v2.0
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |   http://OSCTRL-UA:35357/v2.0    |
|      id     | 7dbbfe1b14c343048c01e672426154ed |
| internalurl |    http://OSCTRL-UA:5000/v2.0    |
|  publicurl  |    http://OSCTRL-UA:5000/v2.0    |
|    region   |            regionOne             |
|  service_id | cfa2859138ae4549919cbf2bfd06346f |
+-------------+----------------------------------+
root@OSCTRL-UA:~#
Every other OpenStack service you install needs its own endpoint record, created the same way.
Verify the Keystone Installation:
1. Unset the bootstrap variables. Up to now the CLI has been authenticating with the shared admin token (OS_SERVICE_TOKEN) against the admin endpoint; the checks below must succeed with a real username and password instead, and once they do, the admin token should no longer be needed for day-to-day work.
root@OSCTRL-UA:~# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
2. Run the command below to verify the Identity Service. Note that the password is passed on the command line here, so it is visible in the shell history and in the process list while the command runs; the admin.rc file created in step 3 avoids that.
root@OSCTRL-UA:~# keystone --os-username=admin --os-password=admin123 --os-auth-url=http://OSCTRL-UA:35357/v2.0 token-get
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| expires  | 2015-09-21T19:21:55Z             |
| id       | MIIC+QYJKoZIhvcNAQcCoIIC6jCCAuYCAQExDTALBglghkgBZQMEAgEwggFHBgkqhkiG9w0BBwGgggE4BIIBNHsiYWNjZXNzIjogeyJ0b2tlbiI6IHsiaXNzdWVkX2F0IjogIjIwMTUtMDktMjFUMTg6MjE6NTUuNjIxNzQyIiwgImV4cGlyZXMiOiAiMjAxNS0wOS0yMVQxOToyMTo1NVoiLCAiaWQiOiAicGxhY2Vob2xkZXIifSwgInNlcnZpY2VDYXRhbG9nIjogW10sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJhZG1pbiIsICJyb2xlc19saW5rcyI6IFtdLCAiaWQiOiAiZDE1NGFhNzQzYWI0NDA1YzgwMDU1MjM2YzQ3ZWQ5OGYiLCAicm9sZXMiOiBbXSwgIm5hbWUiOiAiYWRtaW4ifSwgIm1ldGFkYXRhIjogeyJpc19hZG1pbiI6IDAsICJyb2xlcyI6IFtdfX19MYIBhTCCAYECAQEwXDBXMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVW5zZXQxDjAMBgNVBAcMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29tAgEBMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQC8qyuKE4UQLdYTvHla0h+NSFpH7s886awWfMPWSBRHX47WTOy4BzdRqKiGPrZBZmvlScOFLibxC8vBy7QakUGp+ubFmvGuBnHEZud1xTi3YM18yD+pRlcBg4AIZoOaZN3RecQ8dr9LSn2qioGaarGieHG1qTVMBMYrXrQNgzdQphk2v7ni049OKfXI5p3VfpZq4+bw+t-s3REVULvtKeUuW1UmD+wYOckmZWwRCS1zRIfKk+vMjTo+eperKH+9CMFCzrTxrQDBvWLHIaVtRXQ1RBSuOSXOGBOH-9ZIYYO827aT576ivsQUoJWyFwrRN8nlvEGftr2VHzlJk3bvjnjs |
| user_id  | d154aa743ab4405c80055236c47ed98f |
+----------+----------------------------------+
root@OSCTRL-UA:~#
You have received a token whose user_id is that of the admin user. This verifies that the Identity (Keystone) Service is listening on the expected endpoint and that the admin account accepts the configured password. Because no tenant was given on the command line, this token is unscoped: the signed payload inside the long id value carries an empty service catalog and no roles. A token scoped to a tenant, which is what the other services need, is obtained by also passing the tenant name (--os-tenant-name).
3. Create a source file so that the credentials do not have to be typed on every command. The file holds the admin password in clear text, so keep it owned by root and readable only by root (chmod 600 admin.rc).
root@OSCTRL-UA:~# cat admin.rc
export OS_USERNAME=admin
export OS_PASSWORD=admin123
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://OSCTRL-UA:35357/v2.0
root@OSCTRL-UA:~#
4. Source the file you created in the previous step.
root@OSCTRL-UA:~# source admin.rc
root@OSCTRL-UA:~#
5. Run the same command as in step 2. Because the environment variables are now set, you can run it without specifying the credentials or the auth URL. Since OS_TENANT_NAME is exported as well, the token returned this time is scoped to the admin tenant.
root@OSCTRL-UA:~# keystone token-get
6. Verify the admin account's privileges by listing the Keystone users.
root@OSCTRL-UA:~# keystone user-list
+----------------------------------+---------+---------+----------------------------------+
|                id                |   name  | enabled |              email               |
+----------------------------------+---------+---------+----------------------------------+
| d154aa743ab4405c80055236c47ed98f |  admin  |   True  | lingeshwaran.rangasamy@gmail.com |
| 3f01d4f7aa9e477cb885334ab9c5929d | lingesh |   True  | lingeshwaran.rangasamy@gmail.com |
+----------------------------------+---------+---------+----------------------------------+
root@OSCTRL-UA:~#
7. List the roles of each account.
root@OSCTRL-UA:~# keystone user-role-list --user admin --tenant admin
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | d154aa743ab4405c80055236c47ed98f | d14d6a07f862482398b3e3e4e8d581c6 |
| 58d6701963044a609f9d3724295effcd |  admin   | d154aa743ab4405c80055236c47ed98f | d14d6a07f862482398b3e3e4e8d581c6 |
+----------------------------------+----------+----------------------------------+----------------------------------+
root@OSCTRL-UA:~#
The user_id shown by keystone user-role-list must match the id shown by keystone user-list for the same user. The admin role is listed for that user in the admin tenant, which confirms that the account holds the admin role, the role that the Identity Service's policy.json grants administrative rights to.
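The token id printed by keystone token-get in step 2 is a Keystone v2 PKI token: a base64-encoded CMS SignedData envelope whose signed payload is the JSON token body. The following decoder is an added example for this page, not code from the article or from Keystone itself; it uses only the Python standard library and walks the DER structure just far enough to pull out that JSON, then reports whether the token is scoped. The token constant is the one printed on this page in step 2; the '-' to '/' replacement undoes the transport encoding keystoneclient applies to the PEM body. The signature is not verified here (see the note below the code).

```python
"""Decode the payload of a Keystone v2 PKI token and summarize its scope.

Added example, not part of the original article and not Keystone's own code.
Standard library only. The signature is NOT verified; the code only reads
the structure far enough to reach the signed JSON body.
"""
import base64
import json

# The PKI token printed by "keystone token-get" in step 2 of the page.
SAMPLE_TOKEN = (
    "MIIC+QYJKoZIhvcNAQcCoIIC6jCCAuYCAQExDTALBglghkgBZQMEAgEwggFHBgkqhkiG9w0BBwGgggE4"
    "BIIBNHsiYWNjZXNzIjogeyJ0b2tlbiI6IHsiaXNzdWVkX2F0IjogIjIwMTUtMDktMjFUMTg6MjE6NTUuNjIxNzQyIiwg"
    "ImV4cGlyZXMiOiAiMjAxNS0wOS0yMVQxOToyMTo1NVoiLCAiaWQiOiAicGxhY2Vob2xkZXIifSwg"
    "InNlcnZpY2VDYXRhbG9nIjogW10sICJ1c2VyIjogeyJ1c2VybmFtZSI6ICJhZG1pbiIsICJyb2xlc19saW5rcyI6IFtdLCAi"
    "aWQiOiAiZDE1NGFhNzQzYWI0NDA1YzgwMDU1MjM2YzQ3ZWQ5OGYiLCAicm9sZXMiOiBbXSwgIm5hbWUiOiAiYWRtaW4ifSwg"
    "Im1ldGFkYXRhIjogeyJpc19hZG1pbiI6IDAsICJyb2xlcyI6IFtdfX19"
    "MYIBhTCCAYECAQEwXDBXMQswCQYDVQQGEwJVUzEOMAwGA1UECAwFVW5zZXQxDjAMBgNVBAcMBVVuc2V0MQ4wDAYDVQQKDAVVbnNldDEYMBYGA1UEAwwPd3d3LmV4YW1wbGUuY29t"
    "AgEBMAsGCWCGSAFlAwQCATANBgkqhkiG9w0BAQEFAASCAQC8qyuKE4UQLdYTvHla0h+NSFpH7s886awWfMPWSBRHX47WTOy4BzdRqKiGPrZBZmvlScOFLibxC8vBy7QakUGp"
    "+ubFmvGuBnHEZud1xTi3YM18yD+pRlcBg4AIZoOaZN3RecQ8dr9LSn2qioGaarGieHG1qTVMBMYrXrQNgzdQphk2v7ni049OKfXI5p3VfpZq4+bw+t-s3REVULvtKeUuW1UmD"
    "+wYOckmZWwRCS1zRIfKk+vMjTo+eperKH+9CMFCzrTxrQDBvWLHIaVtRXQ1RBSuOSXOGBOH-9ZIYYO827aT576ivsQUoJWyFwrRN8nlvEGftr2VHzlJk3bvjnjs"
)

# OIDs a CMS SignedData envelope carrying a plain data payload must contain.
OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_PKCS7_DATA = bytes.fromhex("2a864886f70d010701")   # 1.2.840.113549.1.7.1


def token_to_cms_b64(token):
    """Undo keystoneclient's transport encoding: '/' in the PEM body is
    replaced by '-' so the token is safe in URLs and HTTP headers."""
    b64 = token.replace("-", "/")
    # Drop any trailing partial group rather than guess padding; only the
    # leading part of the structure is needed to reach the payload.
    return b64[: len(b64) - len(b64) % 4]


def _read_tlv(buf, pos):
    """Read one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _expect(tag, wanted, what):
    if tag != wanted:
        raise ValueError("bad CMS structure at %s: tag 0x%02x" % (what, tag))


def extract_payload(token):
    """Walk ContentInfo -> SignedData -> EncapsulatedContentInfo -> eContent
    and return the JSON token body as a dict. No signature check."""
    der = base64.b64decode(token_to_cms_b64(token))
    tag, pos, _ = _read_tlv(der, 0)                  # ContentInfo SEQUENCE
    _expect(tag, 0x30, "ContentInfo")
    tag, s, e = _read_tlv(der, pos)                  # contentType OID
    if tag != 0x06 or der[s:e] != OID_SIGNED_DATA:
        raise ValueError("not a CMS SignedData token")
    tag, pos, _ = _read_tlv(der, e)                  # content [0] EXPLICIT
    _expect(tag, 0xA0, "content")
    tag, pos, _ = _read_tlv(der, pos)                # SignedData SEQUENCE
    _expect(tag, 0x30, "SignedData")
    _, _, pos = _read_tlv(der, pos)                  # version INTEGER, skipped
    _, _, pos = _read_tlv(der, pos)                  # digestAlgorithms SET, skipped
    tag, pos, _ = _read_tlv(der, pos)                # EncapsulatedContentInfo
    _expect(tag, 0x30, "EncapsulatedContentInfo")
    tag, s, e = _read_tlv(der, pos)                  # eContentType OID
    if tag != 0x06 or der[s:e] != OID_PKCS7_DATA:
        raise ValueError("unexpected eContentType")
    tag, pos, _ = _read_tlv(der, e)                  # eContent [0] EXPLICIT
    _expect(tag, 0xA0, "eContent wrapper")
    tag, s, e = _read_tlv(der, pos)                  # OCTET STRING with the JSON
    _expect(tag, 0x04, "eContent")
    return json.loads(der[s:e].decode("utf-8"))


def summarize_access(access):
    """Fields an operator checks: subject, expiry, and whether the token is
    scoped to a tenant (only scoped tokens carry roles and a catalog)."""
    tok, user = access["token"], access["user"]
    return {
        "user": user["username"],
        "user_id": user["id"],
        "expires": tok["expires"],
        "scoped": "tenant" in tok,
        "tenant": tok.get("tenant", {}).get("name"),
        "roles": [r["name"] for r in user.get("roles", [])],
        "catalog_entries": len(access.get("serviceCatalog", [])),
    }


def summarize(token):
    return summarize_access(extract_payload(token)["access"])


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_TOKEN), indent=2))
```

For the page's token the summary shows user admin, expiry 2015-09-21T19:21:55Z, scoped false, no roles and an empty catalog, which is exactly why step 5 (with OS_TENANT_NAME exported) is the first point at which a token usable by the other services is issued. To actually verify the signature, restore the PEM armour (the inverse of keystoneclient's cms helper), fetch the signing certificate from the Keystone v2 endpoint /v2.0/certificates/signing, and run openssl cms -verify against it; the signer subject embedded in this token (CN=www.example.com, O/L/ST=Unset) is the default subject from keystone-manage pki_setup, which is worth replacing with a proper certificate before the deployment goes beyond a lab.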
Hope this article is informative to you.
Alex says
Hi,
Please, could you check the part2?
Error: Internal Server Error
BR
Lingeswaran R says
Could you please check it now?
Thank you
Lingesh
Alex says
Thank you, Perfect!
obfuscatu says
I get "No role with a name or ID of '_member_' exists."
What possible cause could there be for this?!
bowen says
It is the same with me, no _member_ user exists. But it seems to still work well until now.
Can anyone explain that?