- # Creating Users, Tenants and Roles in Keystone.
- root@Swift1:/etc/keystone# keystone-manage tenant add MyTenant
- SUCCESS: Tenant MyTenant created.
- root@Swift1:/etc/keystone# keystone-manage user add myuser mypassword MyTenant
- SUCCESS: User myuser created.
- root@Swift1:/etc/keystone# keystone-manage role add Admin
- SUCCESS: Role Admin created successfully.
- root@Swift1:/etc/keystone# keystone-manage role grant Admin myuser
- SUCCESS: Granted Admin the myuser role on None.
- root@Swift1:/etc/keystone# keystone-manage role grant Admin myuser MyTenant
- SUCCESS: Granted Admin the myuser role on MyTenant.
- root@Swift1:/etc/keystone# keystone-manage token add 999888777666 myuser MyTenant 2015-02-05T00:00
- SUCCESS: Token 999888777666 created.
- ### Create endpoint templates. Result:
- root@Swift1:/etc/keystone# mysql -u root -pmysqlpasswd keystone -e 'select * from endpoint_templates;'
- +----+-----------+----------+--------------------------------------------+-----------------------------------------+--------------------------------------------+---------+-----\
- ------+
- | id | region | service | public_url | admin_url | internal_url | enabled | is_g\
- lobal |
- +----+-----------+----------+--------------------------------------------+-----------------------------------------+--------------------------------------------+---------+-----\
- ------+
- | 1 | RegionOne | nova | http://10.2.20.51:8774/v1.1/%tenant_id% | http://10.2.20.51:8774/v1.1/%tenant_id% | http://10.2.20.51:8774/v1.1/%tenant_id% | 1 | \
- 1 |
- | 2 | RegionOne | glance | http://10.2.20.51:9292/v1.1/%tenant_id% | http://10.2.20.51:9292/v1.1/%tenant_id% | http://10.2.20.51:9292/v1.1/%tenant_id% | 1 | \
- 1 |
- | 3 | RegionOne | keystone | http://10.2.20.51:5000/v2.0 | http://10.2.20.51:5001/v2.0 | http://10.2.20.51:5000/v2.0 | 1 | \
- 1 |
- | 4 | RegionOne | swift | http://10.2.20.51:8080/v1/AUTH_%tenant_id% | http://10.2.20.51:8080/ | http://10.2.20.51:8080/v1/AUTH_%tenant_id% | 1 | \
- 1 |
- +----+-----------+----------+--------------------------------------------+-----------------------------------------+--------------------------------------------+---------+-----\
- ------+
- ### Adding more users & tenants. And the result.
- root@Swift1:/etc/swift# keystone-manage tenant add TestTenant
- SUCCESS: Tenant TestTenant created.
- root@Swift1:/etc/swift# keystone-manage user add TestUser Testpasswd
- SUCCESS: User TestUser created.
- root@Swift1:/etc/swift# keystone-manage role add Member
- SUCCESS: Role Member created successfully.
- root@Swift1:/etc/swift# keystone-manage role grant Member TestUser
- SUCCESS: Granted Member the TestUser role on None.
- root@Swift1:/etc/swift# keystone-manage role grant Admin TestUser TestTenant
- SUCCESS: Granted Admin the TestUser role on TestTenant.
- root@Swift1:/etc/swift# keystone-manage role grant Member TestUser MyTenant
- SUCCESS: Granted Member the TestUser role on MyTenant.
- root@Swift1:/etc/swift# mysql -u root -pmysqlpasswd -e 'select * from keystone.users;'
- +----------+------------+-------+---------+-----------+
- | id | password | email | enabled | tenant_id |
- +----------+------------+-------+---------+-----------+
- | myuser | mypassword | NULL | 1 | MyTenant |
- | TestUser | Testpasswd | NULL | 1 | NULL |
- +----------+------------+-------+---------+-----------+
- root@Swift1:/etc/swift# mysql -u root -pmysqlpasswd -e 'select * from keystone.tenants;'
- +------------+------+---------+
- | id | desc | enabled |
- +------------+------+---------+
- | MyTenant | NULL | 1 |
- | TestTenant | NULL | 1 |
- +------------+------+---------+
- root@Swift1:/etc/swift# mysql -u root -pmysqlpasswd -e 'select * from keystone.token;'
- +--------------+---------+-----------+---------------------+
- | id | user_id | tenant_id | expires |
- +--------------+---------+-----------+---------------------+
- | 999888777666 | myuser | MyTenant | 2015-02-05 00:00:00 |
- +--------------+---------+-----------+---------------------+
- root@Swift1:/etc/swift# mysql -u root -pmysqlpasswd -e 'select * from keystone.tenants;'
- +------------+------+---------+
- | id | desc | enabled |
- +------------+------+---------+
- | MyTenant | NULL | 1 |
- | TestTenant | NULL | 1 |
- +------------+------+---------+
- ### Keystone config file:
- root@Swift1:~# cat /etc/keystone/keystone.conf
- [DEFAULT]
- # Show more verbose log output (sets INFO log level output)
- verbose = False
- # Show debugging output in logs (sets DEBUG log level output)
- debug = False
- # Which backend store should Keystone use by default.
- # Default: 'sqlite'
- # Available choices are 'sqlite' [future will include LDAP, PAM, etc]
- default_store = sqlite
- # Log to this file. Make sure you do not set the same log
- # file for both the API and registry servers!
- log_file = /var/log/keystone/keystone.log
- # List of backends to be configured
- backends = keystone.backends.sqlalchemy
- #For LDAP support, add: ,keystone.backends.ldap
- # Dictionary that maps every service to a header. Missing services get the header
- # X_(SERVICE_NAME). Key => Service Name, Value => Header Name
- service-header-mappings = {
- 'nova' : 'X-Server-Management-Url',
- 'swift' : 'X-Storage-Url',
- 'cdn' : 'X-CDN-Management-Url'}
- # Address to bind the API server
- # TODO Properties defined within app not available via pipeline.
- service_host = 0.0.0.0
- # Port to bind the API server to
- service_port = 5000
- # Address to bind the Admin API server
- admin_host = 0.0.0.0
- # Port to bind the Admin API server to
- admin_port = 5001
- # Role that allows performing admin operations.
- keystone-admin-role = Admin
- # Role that allows performing service admin operations.
- keystone-service-admin-role = KeystoneServiceAdmin
- [keystone.backends.sqlalchemy]
- # SQLAlchemy connection string for the reference implementation registry
- # server. Any valid SQLAlchemy connection string is fine.
- # See: http://bit.ly/ideIpI
- sql_connection = mysql://keystonedbadmin:keystonedbadminpasswd@127.0.0.1/keystone
- backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
- 'User', 'Credentials', 'EndpointTemplates', 'Token',
- 'Service']
- # Period in seconds after which SQLAlchemy should reestablish its connection
- # to the database.
- sql_idle_timeout = 30
- [pipeline:admin]
- pipeline =
- urlrewritefilter
- admin_api
- [pipeline:keystone-legacy-auth]
- pipeline =
- urlrewritefilter
- legacy_auth
- RAX-KEY-extension
- service_api
- [app:service_api]
- paste.app_factory = keystone.server:service_app_factory
- [app:admin_api]
- paste.app_factory = keystone.server:admin_app_factory
- [filter:urlrewritefilter]
- paste.filter_factory = keystone.middleware.url:filter_factory
- [filter:legacy_auth]
- paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory
- [filter:RAX-KEY-extension]
- paste.filter_factory = keystone.contrib.extensions.service.raxkey.frontend:filter_factory
- ## /etc/swift/proxy-server.conf
- [DEFAULT]
- bind_port = 8080
- user = swift
- [pipeline:main]
- pipeline = catch_errors cache keystone proxy-server
- [app:proxy-server]
- use = egg:swift#proxy
- account_autocreate = true
- [filter:keystone]
- use = egg:keystone#swiftauth
- keystone_admin_token = 999888777666
- keystone_url = http://10.2.20.51:5001/2.0
- [filter:cache]
- use = egg:swift#memcache
- set log_name = cache
- [filter:catch_errors]
- use = egg:swift#catch_errors
- ######
- ###### Testing keystone works fine:
- ######
- root@Swift1:/etc/swift# curl -s -d '{"tenantName": "MyTenant", "passwordCredentials": {"username": "myuser", "password": "mypassword"}}' -H 'Content-type: application/json' http://10.2.20.51:5001/v2.0/tokens | python -mjson.tool
- {
- "auth": {
- "serviceCatalog": {
- "glance": [
- {
- "adminURL": "http://10.2.20.51:9292/v1.1/MyTenant",
- "internalURL": "http://10.2.20.51:9292/v1.1/MyTenant",
- "publicURL": "http://10.2.20.51:9292/v1.1/MyTenant",
- "region": "RegionOne"
- }
- ],
- "keystone": [
- {
- "adminURL": "http://10.2.20.51:5001/v2.0",
- "internalURL": "http://10.2.20.51:5000/v2.0",
- "publicURL": "http://10.2.20.51:5000/v2.0",
- "region": "RegionOne"
- }
- ],
- "nova": [
- {
- "adminURL": "http://10.2.20.51:8774/v1.1/MyTenant",
- "internalURL": "http://10.2.20.51:8774/v1.1/MyTenant",
- "publicURL": "http://10.2.20.51:8774/v1.1/MyTenant",
- "region": "RegionOne"
- }
- ],
- "swift": [
- {
- "adminURL": "http://10.2.20.51:8080/",
- "internalURL": "http://10.2.20.51:8080/v1/AUTH_MyTenant",
- "publicURL": "http://10.2.20.51:8080/v1/AUTH_MyTenant",
- "region": "RegionOne"
- }
- ]
- },
- "token": {
- "expires": "2015-02-05T00:00:00",
- "id": "999888777666"
- }
- }
- ##### We can also obtain a token valid for 24 hours for a newly created user / tenant combination (after setting up the proper endpoints):
- root@Swift1:/etc/swift# keystone-manage tenant add TestTenant
- SUCCESS: Tenant TestTenant created.
- root@Swift1:/etc/swift# keystone-manage user add TestUser Testpasswd
- SUCCESS: User TestUser created.
- root@Swift1:/etc/swift# keystone-manage role add Member
- SUCCESS: Role Member created successfully.
- root@Swift1:/etc/swift# keystone-manage role grant Member TestUser
- SUCCESS: Granted Member the TestUser role on None.
- root@Swift1:/etc/swift# keystone-manage role grant Admin TestUser TestTenant
- SUCCESS: Granted Admin the TestUser role on TestTenant.
- root@Swift1:/etc/swift# keystone-manage role grant Member TestUser MyTenant
- SUCCESS: Granted Member the TestUser role on MyTenant.
- root@Swift1:/etc/swift# keystone-manage endpoint add TestTenant 1
- SUCCESS: Endpoint 1 added to tenant TestTenant.
- root@Swift1:/etc/swift# keystone-manage endpoint add TestTenant 2
- SUCCESS: Endpoint 2 added to tenant TestTenant.
- root@Swift1:/etc/swift# keystone-manage endpoint add TestTenant 3
- SUCCESS: Endpoint 3 added to tenant TestTenant.
- root@Swift1:/etc/swift# keystone-manage endpoint add TestTenant 4
- SUCCESS: Endpoint 4 added to tenant TestTenant.
- root@Swift1:/etc/swift# curl -s -d '{"tenantName": "TestTenant", "passwordCredentials": {"username": "TestUser", "password": "Testpasswd"}}' -H 'Content-type: application/json' http://10.2.20.51:5001/v2.0/tokens | python -mjson.tool
- {
- "auth": {
- "serviceCatalog": {
- "glance": [
- {
- "adminURL": "http://10.2.20.51:9292/v1.1/%tenant_id%",
- "internalURL": "http://10.2.20.51:9292/v1.1/%tenant_id%",
- "publicURL": "http://10.2.20.51:9292/v1.1/%tenant_id%",
- "region": "RegionOne"
- }
- ],
- "keystone": [
- {
- "adminURL": "http://10.2.20.51:5001/v2.0",
- "internalURL": "http://10.2.20.51:5000/v2.0",
- "publicURL": "http://10.2.20.51:5000/v2.0",
- "region": "RegionOne"
- }
- ],
- "nova": [
- {
- "adminURL": "http://10.2.20.51:8774/v1.1/%tenant_id%",
- "internalURL": "http://10.2.20.51:8774/v1.1/%tenant_id%",
- "publicURL": "http://10.2.20.51:8774/v1.1/%tenant_id%",
- "region": "RegionOne"
- }
- ],
- "swift": [
- {
- "adminURL": "http://10.2.20.51:8080/",
- "internalURL": "http://10.2.20.51:8080/v1/AUTH_%tenant_id%",
- "publicURL": "http://10.2.20.51:8080/v1/AUTH_%tenant_id%",
- "region": "RegionOne"
- }
- ]
- },
- "token": {
- "expires": "2012-02-22T12:18:34.287003",
- "id": "614986da-1a37-480e-b82b-8c95afec8dc3"
- }
- }
- ### Closer look at the 24-hour token (listed alongside the long-lived admin token 999888777666 created earlier):
- root@Swift1:/etc/swift# mysql -u root -pmysqlpasswd -e 'select * from keystone.token;'
- +--------------------------------------+----------+-----------+---------------------+
- | id | user_id | tenant_id | expires |
- +--------------------------------------+----------+-----------+---------------------+
- | 999888777666 | myuser | MyTenant | 2015-02-05 00:00:00 |
- | 614986da-1a37-480e-b82b-8c95afec8dc3 | TestUser | NULL | 2012-02-22 12:18:34 |
- +--------------------------------------+----------+-----------+---------------------+
- # And get some details on it via the admin API (authenticated with the admin token):
- root@Swift1:/etc/swift# curl -H "X-Auth-Token:999888777666" http://10.2.20.51:5001/v2.0/tokens/614986da-1a37-480e-b82b-8c95afec8dc3 | python -mjson.tool
- % Total % Received % Xferd Average Speed Time Time Time Current
- Dload Upload Total Spent Left Speed
- 100 198 100 198 0 0 14593 0 --:--:-- --:--:-- --:--:-- 15230
- {
- "auth": {
- "token": {
- "expires": "2012-02-22T12:18:34",
- "id": "614986da-1a37-480e-b82b-8c95afec8dc3"
- },
- "user": {
- "roleRefs": [
- {
- "id": 3,
- "roleId": "Member"
- }
- ],
- "tenantId": null,
- "username": "TestUser"
- }
- }
- }