Keystone – the authentication and authorization Service

Keystone is an OpenStack service that provides API client authentication, service discovery, and distributed multi-tenant authorization by implementing OpenStack’s Identity API.

Congrats on your OpenStack installation using devstack :-). Let’s get started using OpenStack. You can use OpenStack through both the UI and the CLI. To log in through the UI, open http://<IP Address of VM on which we installed OpenStack>/dashboard and log in with admin as the username and the password that you provided in the local.conf file before installation (default: OpenStackCOA.com).

The OpenStack CLI requires an openrc file for authentication. Let’s create an openrc file for the admin user.

export OS_AUTH_URL=http://<IP Address of VM on which we installed OpenStack>/identity/v3
export OS_PROJECT_NAME="admin"
export OS_USER_DOMAIN_NAME="Default"
export OS_PROJECT_DOMAIN_ID="default"
export OS_USERNAME="admin"
export OS_PASSWORD="OpenStackCOA.com"
export OS_REGION_NAME="RegionOne"
export OS_INTERFACE=public
export OS_IDENTITY_API_VERSION=3

Log in to the VM, become the stack user (“su - stack”), create a file called admin-openrc and copy the export statements above into that file. Make sure to modify the IP address. Save the file and run the “source admin-openrc” command. You are all set to use the OpenStack CLI. Run “openstack service list” to verify; you should get a list of OpenStack services.

Domain, Region, Project, User, Group and Role

It is very important to understand what a Domain, a Region and a Project are in OpenStack.

A Domain defines the administrative boundaries for management of Keystone entities. A domain can represent an individual, company, or operator-owned space.

A Region is a general division in an OpenStack deployment. You can associate zero or more sub-regions with a region to make a tree-like structured hierarchy.

A Project is a container that groups or isolates resources or identity objects. Depending on the service operator, a project might map to a customer, account, organization, or tenant.

Let’s see how to create a Domain, a Region and a Project. We will also create Users, a Group and a Role and associate them with the respective domain / project.

stack@openstackcoa:~$ openstack domain create Google
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| enabled     | True                             |
| id          | d026159948a44c65809854ace664b915 |
| name        | Google                           |
| tags        | []                               |
+-------------+----------------------------------+

stack@openstackcoa:~$ openstack project create --domain Google Google-Maps
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | d026159948a44c65809854ace664b915 |
| enabled     | True                             |
| id          | 05f1644b76704898a0830360a8a087da |
| is_domain   | False                            |
| name        | Google-Maps                      |
| parent_id   | d026159948a44c65809854ace664b915 |
| tags        | []                               |
+-------------+----------------------------------+

stack@openstackcoa:~$ openstack project create --domain Google Google-Android
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | d026159948a44c65809854ace664b915 |
| enabled     | True                             |
| id          | b224ee6958224721b478d9cbbf6c23b3 |
| is_domain   | False                            |
| name        | Google-Android                   |
| parent_id   | d026159948a44c65809854ace664b915 |
| tags        | []                               |
+-------------+----------------------------------+

stack@openstackcoa:~$ openstack region create india-north
+---------------+-------------+
| Field         | Value       |
+---------------+-------------+
| description   |             |
| enabled       | True        |
| parent_region | None        |
| region        | india-north |
+---------------+-------------+

stack@openstackcoa:~$ openstack group create --domain Google Google-Admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | d026159948a44c65809854ace664b915 |
| id          | 6a3f19231e0346418856f5d879d5101a |
| name        | Google-Admin                     |
+-------------+----------------------------------+

stack@openstackcoa:~$ openstack user create --domain Google --project Google-Maps --email sundarpichai@google.com --password-prompt spichai
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| default_project_id  | 05f1644b76704898a0830360a8a087da |
| domain_id           | d026159948a44c65809854ace664b915 |
| email               | sundarpichai@google.com          |
| enabled             | True                             |
| id                  | 71b224d271394653a18fac7beaf197de |
| name                | spichai                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

stack@openstackcoa:~$ openstack role create --domain Google Google-Admin-Role
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | d026159948a44c65809854ace664b915 |
| id          | 964b4ed8896b476e83fbafd82e2d51e3 |
| name        | Google-Admin-Role                |
+-------------+----------------------------------+

stack@openstackcoa:~$ openstack role add --domain Google --group Google-Admin --role-domain Google Google-Admin-Role

stack@openstackcoa:~$ openstack group add user --group-domain Google --user-domain Google Google-Admin spichai

Service and Endpoints

An OpenStack service provides one or more endpoints through which users can access resources and perform operations.

An endpoint is a network-accessible address, usually a URL, through which you can access a service.

Let’s create a service in “india-north” region that we created before and add public, admin and internal endpoints.

stack@openstackcoa:~$ openstack service create --name Google-Search Search
+---------+----------------------------------+
| Field   | Value                            |
+---------+----------------------------------+
| enabled | True                             |
| id      | 1ccc377332854494b3f1a34bc0f9d4d1 |
| name    | Google-Search                    |
| type    | Search                           |
+---------+----------------------------------+

stack@openstackcoa:~$ openstack endpoint create --region india-north Google-Search admin http://173.37.68.10/search
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0dd5508364734c82a77ecf51ea5ae45b |
| interface    | admin                            |
| region       | india-north                      |
| region_id    | india-north                      |
| service_id   | 1ccc377332854494b3f1a34bc0f9d4d1 |
| service_name | Google-Search                    |
| service_type | Search                           |
| url          | http://173.37.68.10/search       |
+--------------+----------------------------------+

stack@openstackcoa:~$ openstack endpoint create --region india-north Google-Search internal http://192.168.1.10/search
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 923bc65458684e14aa1cf5f9a5e8e94f |
| interface    | internal                         |
| region       | india-north                      |
| region_id    | india-north                      |
| service_id   | 1ccc377332854494b3f1a34bc0f9d4d1 |
| service_name | Google-Search                    |
| service_type | Search                           |
| url          | http://192.168.1.10/search       |
+--------------+----------------------------------+

stack@openstackcoa:~$ openstack endpoint create --region india-north Google-Search public http://203.27.118.12/search
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 28a1fd41062e4fd4943f96a5328abf0f |
| interface    | public                           |
| region       | india-north                      |
| region_id    | india-north                      |
| service_id   | 1ccc377332854494b3f1a34bc0f9d4d1 |
| service_name | Google-Search                    |
| service_type | Search                           |
| url          | http://203.27.118.12/search      |
+--------------+----------------------------------+

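How the OS_* variables from the openrc file above become a Keystone Identity v3 token request, and how the service catalog that comes back with the token is searched by service type, region and interface (which is what the CLI does with OS_REGION_NAME and OS_INTERFACE). This is an added Python example, not code from the original post; SAMPLE_CATALOG is a constructed stand-in for the catalog Keystone would return for the Google-Search endpoints created above.

```python
"""Keystone v3 password auth + catalog lookup (added example, not from the post)."""
import json
import urllib.request


def build_auth_request(env):
    """Map the openrc OS_* variables onto an Identity v3 POST /auth/tokens body."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
            "password": env["OS_PASSWORD"]}}},
        # Project scope: the token is only valid for this project in this domain.
        "scope": {"project": {"name": env["OS_PROJECT_NAME"],
                              "domain": {"id": env["OS_PROJECT_DOMAIN_ID"]}}}}}


def find_endpoint(catalog, service_type, region, interface):
    """Return the URL of the endpoint matching type/region/interface, or None."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("region_id") == region and ep.get("interface") == interface:
                return ep.get("url")
    return None


def get_token_and_catalog(env):
    """Authenticate against OS_AUTH_URL; returns (token, catalog). Needs a live Keystone."""
    body = json.dumps(build_auth_request(env)).encode()
    req = urllib.request.Request(env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens",
                                 data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        # Keystone returns the token in a response header, the catalog in the body.
        return resp.headers["X-Subject-Token"], json.load(resp)["token"].get("catalog", [])


# Constructed sample catalog mirroring the three Google-Search endpoints created above.
SAMPLE_CATALOG = [{"type": "Search", "name": "Google-Search", "endpoints": [
    {"interface": "admin", "region_id": "india-north", "url": "http://173.37.68.10/search"},
    {"interface": "internal", "region_id": "india-north", "url": "http://192.168.1.10/search"},
    {"interface": "public", "region_id": "india-north", "url": "http://203.27.118.12/search"},
]}]

if __name__ == "__main__":
    import os  # expects a sourced admin-openrc and a reachable Keystone
    env = {k: os.environ[k] for k in ("OS_AUTH_URL", "OS_USERNAME", "OS_PASSWORD",
           "OS_USER_DOMAIN_NAME", "OS_PROJECT_NAME", "OS_PROJECT_DOMAIN_ID")}
    token, catalog = get_token_and_catalog(env)
    print(find_endpoint(catalog, "Search", os.environ["OS_REGION_NAME"], os.environ["OS_INTERFACE"]))
```

Note that admin-openrc as written stores OS_PASSWORD in clear text on disk; the openrc files Horizon generates instead prompt for it with `read -sr` at source time, which is worth copying for anything beyond a throwaway devstack VM.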
Practice the above commands and try creating your own Projects and Services. Try listing them using List and Show commands.

You can get more details about any command by providing the help option (openstack project create -h). It will list all positional and optional arguments with details. If you are not sure about the command, simply type openstack followed by the operation that you want to perform and the OpenStack CLI will suggest all possible commands.

Share & Expand the Cloud :-)
