Keystone
Keystone Introduction
Keystone is an OpenStack project that provides Identity, Token, Catalog and Policy services for use specifically by projects in the OpenStack family. It implements OpenStack's Identity API. All OpenStack services use Keystone for authentication and verification.
Concepts
A tenant is also known as a project. It has resources such as users, images, instances, networks and security groups. These resources are only visible to that particular project. A user can belong to one or more tenants and is able to switch between these projects to gain access to their resources. Users can have various roles assigned, such as Member and admin.
Role in OpenStack
- Manages the projects/tenants
- Manages the users and roles
- Manages the tokens and catalogs
Keystone is developed on the WSGI framework. The devstack installation uses Apache2 as the web server for Keystone.
- The Apache Keystone WSGI configuration file is located at /etc/apache2/sites-available/keystone.conf.
- The Keystone config file is located at /etc/keystone/keystone.conf.
Devstack Screens
In the devstack screens:
- Screen 2 (key) and screen 3 (key-access) are the Keystone screens.
- Both screens are used for displaying log files.
- The key screen displays the /var/log/apache2/keystone.log file.
- The key-access screen displays the /var/log/apache2/keystone-access.log file.
Stop/Start Keystone
To be updated
Accessing Keystone from the CLI
The following operations, all served by Keystone, are frequently used:
- create/delete/list projects
- create/delete/list users
- assign/remove roles for a user
Note: these are administrative operations, so only admin users are allowed to perform them.
The OpenStack CLI is an integrated CLI used for managing all the services.
Before using the CLI, the openrc script file in the devstack directory needs to be sourced (it picks up its settings, such as the admin password, from localrc). The user name and project name are passed to the script as arguments, as shown below.
Sourcing the openrc file
cloud@devstack1:~$ cd devstack/
cloud@devstack1:~/devstack$ source openrc admin admin
WARNING: setting legacy OS_TENANT_NAME to support cli tools.
cloud@devstack1:~/devstack$ echo $OS_USERNAME
admin
cloud@devstack1:~/devstack$ echo $OS_PASSWORD
openstack123
cloud@devstack1:~/devstack
1. List the Projects (Tenants)
cloud@devstack1:~/devstack$ openstack project list
+----------------------------------+--------------------+
| ID | Name |
+----------------------------------+--------------------+
| 3314475b00c54ecab56cedf094d98502 | alt_demo |
| 62b948dd49004bc48964262685631632 | admin |
| 84f868958c7941ad9f661f46a0150a45 | service |
| a01b133bfbd04cf8b4b189857d723aaf | demo |
| a18314bc67c64d7a904622da3436ae89 | red |
| fb2f50c7ecec4338acb4614253fae61d | invisible_to_admin |
+----------------------------------+--------------------+
cloud@devstack1:~/devstack$
2. Create a new project
cloud@devstack1:~/devstack$ openstack project create --description "Blue Tenant" blue
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Blue Tenant |
| enabled | True |
| id | 98445401d0334a03a3c2e01fd6023fb3 |
| name | blue |
+-------------+----------------------------------+
cloud@devstack1:~/devstack$
3. Delete a Project
cloud@devstack1:~/devstack$ openstack project delete blue
cloud@devstack1:~/devstack$ openstack project list
+----------------------------------+--------------------+
| ID | Name |
+----------------------------------+--------------------+
| 3314475b00c54ecab56cedf094d98502 | alt_demo |
| 62b948dd49004bc48964262685631632 | admin |
| 84f868958c7941ad9f661f46a0150a45 | service |
| a01b133bfbd04cf8b4b189857d723aaf | demo |
| a18314bc67c64d7a904622da3436ae89 | red |
| fb2f50c7ecec4338acb4614253fae61d | invisible_to_admin |
+----------------------------------+--------------------+
cloud@devstack1:~/devstack$
4. Create a new user
cloud@devstack1:~/devstack$ openstack user create --password blue123 blue
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 9a4028db0936422a86313bb0b18411df |
| name | blue |
| username | blue |
+----------+----------------------------------+
5. List users
cloud@devstack1:~/devstack$ openstack user list
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
| 9d84fb2c650c4f8b9e24d069f5068fc3 | admin |
| 78fdfa16ec21402ca757c8f9eed32af1 | demo |
| 4ead3faa8f3d4ea8b10a17896fe2b078 | alt_demo |
| d3585b3a6f144a2e9bb9f6fda737e750 | nova |
| f00c1a8e0ddd4a9ab3526aada79260b9 | glance |
| c01b8b8c816f4b90b31e3ba2497e4e32 | cinder |
| 262528a5706c480eac2047887b9ad923 | neutron |
| 9216fdbb2fdf424c8215bd8d6b668105 | red |
| 9a4028db0936422a86313bb0b18411df | blue |
+----------------------------------+----------+
cloud@devstack1:~/devstack$
6. List roles
cloud@devstack1:~/devstack$ openstack role list
+----------------------------------+---------------+
| ID | Name |
+----------------------------------+---------------+
| 473478d424034fb18f38765ba3f23a75 | anotherrole |
| 523dc876b6da436ba87dd390d1e44faf | Member |
| 77847571ea8842cc92addddcebccebce | service |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| e45766b55038491db7c02dead141c01f | ResellerAdmin |
| e64dbb4bea08458aabaa186c977429a7 | admin |
+----------------------------------+---------------+
7. Associate a role and project with the user
cloud@devstack1:~/devstack$ openstack role add --project blue --user blue Member
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 523dc876b6da436ba87dd390d1e44faf |
| name | Member |
+-----------+----------------------------------+
cloud@devstack1:~/devstack$
Exercises
- Create a DEMO1 project with a member user (name: demo1member) and an admin user (name: admin).
- Change the demo1member role to admin of the DEMO1 project.
- Delete the demo1member user and the DEMO1 project.
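The three exercises above as one script, added here as an example and not part of the original page. It assumes openrc has already been sourced as admin; by default it only echoes the openstack commands (OSC=echo), and the constructed password in MEMBER_PW is a placeholder to be overridden. Note that the promotion step also removes the Member role so the account holds only the role it needs.

```shell
#!/bin/sh
# Added example: Keystone project/user/role exercises with the openstack CLI.
# Dry run by default; run with OSC=openstack to execute for real.
OSC="${OSC:-echo}"

PROJECT=DEMO1
MEMBER_USER=demo1member
ADMIN_USER=admin                            # existing devstack admin user
MEMBER_PW="${MEMBER_PW:-PLACEHOLDER-demo1}" # constructed placeholder, override via env

# Exercise 1: create the project, the member user and both role assignments.
# (--password leaves the secret in shell history and the process list;
#  "openstack user create --password-prompt" avoids that when run interactively.)
setup_project() {
    $OSC project create --description "Demo1 Tenant" "$PROJECT"
    $OSC user create --password "$MEMBER_PW" "$MEMBER_USER"
    $OSC role add --project "$PROJECT" --user "$MEMBER_USER" Member
    $OSC role add --project "$PROJECT" --user "$ADMIN_USER" admin
}

# Exercise 2: change demo1member from Member to admin on DEMO1.
# Grant admin first, then drop Member so only the intended role remains.
promote_member() {
    $OSC role add --project "$PROJECT" --user "$MEMBER_USER" admin
    $OSC role remove --project "$PROJECT" --user "$MEMBER_USER" Member
}

# Exercise 3: delete the user before the project it belongs to.
teardown_project() {
    $OSC user delete "$MEMBER_USER"
    $OSC project delete "$PROJECT"
}

case "${1:-}" in
    setup)    setup_project ;;
    promote)  promote_member ;;
    teardown) teardown_project ;;
    *) echo "usage: $0 setup|promote|teardown   (OSC=openstack to execute)" >&2 ;;
esac
```

Run it as `OSC=openstack sh keystone_exercises.sh setup`, then `promote`, then `teardown`, checking with `openstack role assignment list --project DEMO1` between steps.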