Added new docs to admin section
Apart from the project related docs, these two docs also need to be added as per the specs. Change-Id: I81e536a7394ec6935434da296f99686d407e1608
This commit is contained in:
parent
33b0ec1397
commit
dcc9d5ce28
|
@ -0,0 +1,158 @@
|
|||
============================================
|
||||
Create and manage services and service users
|
||||
============================================
|
||||
|
||||
The Identity service enables you to define services, as
|
||||
follows:
|
||||
|
||||
- Service catalog template. The Identity service acts
|
||||
as a service catalog of endpoints for other OpenStack
|
||||
services. The ``/etc/keystone/default_catalog.templates``
|
||||
template file defines the endpoints for services. When
|
||||
the Identity service uses a template file back end,
|
||||
any changes that are made to the endpoints are cached.
|
||||
These changes do not persist when you restart the
|
||||
service or reboot the machine.
|
||||
- An SQL back end for the catalog service. When the
|
||||
Identity service is online, you must add the services
|
||||
to the catalog. When you deploy a system for
|
||||
production, use the SQL back end.
|
||||
|
||||
The ``auth_token`` middleware supports the
|
||||
use of either a shared secret or users for each
|
||||
service.
|
||||
|
||||
To authenticate users against the Identity service, you must
|
||||
create a service user for each OpenStack service. For example,
|
||||
create a service user for the Compute, Block Storage, and
|
||||
Networking services.
|
||||
|
||||
To configure the OpenStack services with service users,
|
||||
create a project for all services and create users for each
|
||||
service. Assign the admin role to each service user and
|
||||
project pair. This role enables users to validate tokens and
|
||||
authenticate and authorize other user requests.
|
||||
|
||||
Create a service
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
#. List the available services:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack service list
|
||||
+----------------------------------+----------+------------+
|
||||
| ID | Name | Type |
|
||||
+----------------------------------+----------+------------+
|
||||
| 9816f1faaa7c4842b90fb4821cd09223 | cinder | volume |
|
||||
| 1250f64f31e34dcd9a93d35a075ddbe1 | cinderv2 | volumev2 |
|
||||
| da8cf9f8546b4a428c43d5e032fe4afc | ec2 | ec2 |
|
||||
| 5f105eeb55924b7290c8675ad7e294ae | glance | image |
|
||||
| dcaa566e912e4c0e900dc86804e3dde0 | keystone | identity |
|
||||
| 4a715cfbc3664e9ebf388534ff2be76a | nova | compute |
|
||||
| 1aed4a6cf7274297ba4026cf5d5e96c5 | novav21 | computev21 |
|
||||
| bed063c790634c979778551f66c8ede9 | neutron | network |
|
||||
| 6feb2e0b98874d88bee221974770e372 | s3 | s3 |
|
||||
+----------------------------------+----------+------------+
|
||||
|
||||
#. To create a service, run this command:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack service create --name SERVICE_NAME --description SERVICE_DESCRIPTION SERVICE_TYPE
|
||||
|
||||
The arguments are:
|
||||
- ``service_name``: the unique name of the new service.
|
||||
- ``service_type``: the service type, such as ``identity``,
|
||||
``compute``, ``network``, ``image``, ``object-store``
|
||||
or any other service identifier string.
|
||||
- ``service_description``: the description of the service.
|
||||
|
||||
For example, to create a ``swift`` service of type
|
||||
``object-store``, run this command:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack service create --name swift --description "object store service" object-store
|
||||
+-------------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-------------+----------------------------------+
|
||||
| description | object store service |
|
||||
| enabled | True |
|
||||
| id | 84c23f4b942c44c38b9c42c5e517cd9a |
|
||||
| name | swift |
|
||||
| type | object-store |
|
||||
+-------------+----------------------------------+
|
||||
|
||||
#. To get details for a service, run this command:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack service show SERVICE_TYPE|SERVICE_NAME|SERVICE_ID
|
||||
|
||||
For example:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack service show object-store
|
||||
+-------------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-------------+----------------------------------+
|
||||
| description | object store service |
|
||||
| enabled | True |
|
||||
| id | 84c23f4b942c44c38b9c42c5e517cd9a |
|
||||
| name | swift |
|
||||
| type | object-store |
|
||||
+-------------+----------------------------------+
|
||||
|
||||
Create service users
|
||||
~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
#. Create a project for the service users.
|
||||
Typically, this project is named ``service``,
|
||||
but choose any name you like:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project create service --domain default
|
||||
+-------------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-------------+----------------------------------+
|
||||
| description | None |
|
||||
| domain_id | e601210181f54843b51b3edff41d4980 |
|
||||
| enabled | True |
|
||||
| id | 3e9f3f5399624b2db548d7f871bd5322 |
|
||||
| is_domain | False |
|
||||
| name | service |
|
||||
| parent_id | e601210181f54843b51b3edff41d4980 |
|
||||
+-------------+----------------------------------+
|
||||
|
||||
#. Create service users for the relevant services for your
|
||||
deployment.
|
||||
|
||||
#. Assign the admin role to the user-project pair.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role add --project service --user SERVICE_USER_NAME admin
|
||||
+-------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-------+----------------------------------+
|
||||
| id | 233109e756c1465292f31e7662b429b1 |
|
||||
| name | admin |
|
||||
+-------+----------------------------------+
|
||||
|
||||
Delete a service
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
To delete a specified service, specify its ID.
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack service delete SERVICE_TYPE|SERVICE_NAME|SERVICE_ID
|
||||
|
||||
For example:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack service delete object-store
|
|
@ -0,0 +1,379 @@
|
|||
=================================
|
||||
Manage projects, users, and roles
|
||||
=================================
|
||||
|
||||
As an administrator, you manage projects, users, and
|
||||
roles. Projects are organizational units in the cloud to which
|
||||
you can assign users. Projects are also known as *projects* or
|
||||
*accounts*. Users can be members of one or more projects. Roles
|
||||
define which actions users can perform. You assign roles to
|
||||
user-project pairs.
|
||||
|
||||
You can define actions for OpenStack service roles in the
|
||||
``/etc/PROJECT/policy.json`` files. For example, define actions for
|
||||
Compute service roles in the ``/etc/nova/policy.json`` file.
|
||||
|
||||
You can manage projects, users, and roles independently from each other.
|
||||
|
||||
During cloud set up, the operator defines at least one project, user,
|
||||
and role.
|
||||
|
||||
You can add, update, and delete projects and users, assign users to
|
||||
one or more projects, and change or remove the assignment. To enable or
|
||||
temporarily disable a project or user, update that project or user.
|
||||
You can also change quotas at the project level.
|
||||
|
||||
Before you can delete a user account, you must remove the user account
|
||||
from its primary project.
|
||||
|
||||
Before you can run client commands, you must download and
|
||||
source an OpenStack RC file. See `Download and source the OpenStack RC file
|
||||
<https://docs.openstack.org/user-guide/common/cli-set-environment-variables-using-openstack-rc.html#download-and-source-the-openstack-rc-file>`_.
|
||||
|
||||
Projects
|
||||
~~~~~~~~
|
||||
|
||||
A project is a group of zero or more users. In Compute, a project owns
|
||||
virtual machines. In Object Storage, a project owns containers. Users
|
||||
can be associated with more than one project. Each project and user
|
||||
pairing can have a role associated with it.
|
||||
|
||||
List projects
|
||||
-------------
|
||||
|
||||
List all projects with their ID, name, and whether they are
|
||||
enabled or disabled:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project list
|
||||
+----------------------------------+--------------------+
|
||||
| ID | Name |
|
||||
+----------------------------------+--------------------+
|
||||
| f7ac731cc11f40efbc03a9f9e1d1d21f | admin |
|
||||
| c150ab41f0d9443f8874e32e725a4cc8 | alt_demo |
|
||||
| a9debfe41a6d4d09a677da737b907d5e | demo |
|
||||
| 9208739195a34c628c58c95d157917d7 | invisible_to_admin |
|
||||
| 3943a53dc92a49b2827fae94363851e1 | service |
|
||||
| 80cab5e1f02045abad92a2864cfd76cb | test_project |
|
||||
+----------------------------------+--------------------+
|
||||
|
||||
Create a project
|
||||
----------------
|
||||
|
||||
Create a project named ``new-project``:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project create --description 'my new project' new-project \
|
||||
--domain default
|
||||
+-------------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-------------+----------------------------------+
|
||||
| description | my new project |
|
||||
| domain_id | e601210181f54843b51b3edff41d4980 |
|
||||
| enabled | True |
|
||||
| id | 1a4a0618b306462c9830f876b0bd6af2 |
|
||||
| is_domain | False |
|
||||
| name | new-project |
|
||||
| parent_id | e601210181f54843b51b3edff41d4980 |
|
||||
+-------------+----------------------------------+
|
||||
|
||||
Update a project
|
||||
----------------
|
||||
|
||||
Specify the project ID to update a project. You can update the name,
|
||||
description, and enabled status of a project.
|
||||
|
||||
- To temporarily disable a project:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project set PROJECT_ID --disable
|
||||
|
||||
- To enable a disabled project:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project set PROJECT_ID --enable
|
||||
|
||||
- To update the name of a project:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project set PROJECT_ID --name project-new
|
||||
|
||||
- To verify your changes, show information for the updated project:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project show PROJECT_ID
|
||||
+-------------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-------------+----------------------------------+
|
||||
| description | my new project |
|
||||
| enabled | True |
|
||||
| id | 0b0b995694234521bf93c792ed44247f |
|
||||
| name | new-project |
|
||||
| properties | |
|
||||
+-------------+----------------------------------+
|
||||
|
||||
Delete a project
|
||||
----------------
|
||||
|
||||
Specify the project ID to delete a project:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project delete PROJECT_ID
|
||||
|
||||
Users
|
||||
~~~~~
|
||||
|
||||
List users
|
||||
----------
|
||||
|
||||
List all users:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack user list
|
||||
+----------------------------------+----------+
|
||||
| ID | Name |
|
||||
+----------------------------------+----------+
|
||||
| 352b37f5c89144d4ad0534139266d51f | admin |
|
||||
| 86c0de739bcb4802b8dc786921355813 | demo |
|
||||
| 32ec34aae8ea432e8af560a1cec0e881 | glance |
|
||||
| 7047fcb7908e420cb36e13bbd72c972c | nova |
|
||||
+----------------------------------+----------+
|
||||
|
||||
Create a user
|
||||
-------------
|
||||
|
||||
To create a user, you must specify a name. Optionally, you can
|
||||
specify a project ID, password, and email address. It is recommended
|
||||
that you include the project ID and password because the user cannot
|
||||
log in to the dashboard without this information.
|
||||
|
||||
Create the ``new-user`` user:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack user create --project new-project --password PASSWORD new-user
|
||||
+------------+----------------------------------+
|
||||
| Field | Value |
|
||||
+------------+----------------------------------+
|
||||
| email | None |
|
||||
| enabled | True |
|
||||
| id | 6322872d9c7e445dbbb49c1f9ca28adc |
|
||||
| name | new-user |
|
||||
| project_id | 0b0b995694234521bf93c792ed44247f |
|
||||
| username | new-user |
|
||||
+------------+----------------------------------+
|
||||
|
||||
Update a user
|
||||
-------------
|
||||
|
||||
You can update the name, email address, and enabled status for a user.
|
||||
|
||||
- To temporarily disable a user account:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack user set USER_NAME --disable
|
||||
|
||||
If you disable a user account, the user cannot log in to the
|
||||
dashboard. However, data for the user account is maintained, so you
|
||||
can enable the user at any time.
|
||||
|
||||
- To enable a disabled user account:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack user set USER_NAME --enable
|
||||
|
||||
- To change the name and description for a user account:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack user set USER_NAME --name user-new --email new-user@example.com
|
||||
User has been updated.
|
||||
|
||||
Delete a user
|
||||
-------------
|
||||
|
||||
Delete a specified user account:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack user delete USER_NAME
|
||||
|
||||
Roles and role assignments
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
List available roles
|
||||
--------------------
|
||||
|
||||
List the available roles:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role list
|
||||
+----------------------------------+---------------+
|
||||
| ID | Name |
|
||||
+----------------------------------+---------------+
|
||||
| 71ccc37d41c8491c975ae72676db687f | Member |
|
||||
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
|
||||
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
|
||||
| 6ecf391421604da985db2f141e46a7c8 | admin |
|
||||
| deb4fffd123c4d02a907c2c74559dccf | anotherrole |
|
||||
+----------------------------------+---------------+
|
||||
|
||||
Create a role
|
||||
-------------
|
||||
|
||||
Users can be members of multiple projects. To assign users to multiple
|
||||
projects, define a role and assign that role to a user-project pair.
|
||||
|
||||
Create the ``new-role`` role:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role create new-role
|
||||
+-----------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-----------+----------------------------------+
|
||||
| domain_id | None |
|
||||
| id | a34425c884c74c8881496dc2c2e84ffc |
|
||||
| name | new-role |
|
||||
+-----------+----------------------------------+
|
||||
|
||||
.. note::
|
||||
|
||||
If you are using identity v3, you may need to use the
|
||||
``--domain`` option with a specific domain name.
|
||||
|
||||
Assign a role
|
||||
-------------
|
||||
|
||||
To assign a user to a project, you must assign the role to a
|
||||
user-project pair. To do this, you need the user, role, and project
|
||||
IDs.
|
||||
|
||||
#. List users and note the user ID you want to assign to the role:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack user list
|
||||
+----------------------------------+----------+
|
||||
| ID | Name |
|
||||
+----------------------------------+----------+
|
||||
| 6ab5800949644c3e8fb86aaeab8275c8 | admin |
|
||||
| dfc484b9094f4390b9c51aba49a6df34 | demo |
|
||||
| 55389ff02f5e40cf85a053cc1cacb20c | alt_demo |
|
||||
| bc52bcfd882f4d388485451c4a29f8e0 | nova |
|
||||
| 255388ffa6e54ec991f584cb03085e77 | glance |
|
||||
| 48b6e6dec364428da89ba67b654fac03 | cinder |
|
||||
| c094dd5a8e1d4010832c249d39541316 | neutron |
|
||||
| 6322872d9c7e445dbbb49c1f9ca28adc | new-user |
|
||||
+----------------------------------+----------+
|
||||
|
||||
#. List role IDs and note the role ID you want to assign:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role list
|
||||
+----------------------------------+---------------+
|
||||
| ID | Name |
|
||||
+----------------------------------+---------------+
|
||||
| 71ccc37d41c8491c975ae72676db687f | Member |
|
||||
| 149f50a1fe684bfa88dae76a48d26ef7 | ResellerAdmin |
|
||||
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
|
||||
| 6ecf391421604da985db2f141e46a7c8 | admin |
|
||||
| deb4fffd123c4d02a907c2c74559dccf | anotherrole |
|
||||
| bef1f95537914b1295da6aa038ef4de6 | new-role |
|
||||
+----------------------------------+---------------+
|
||||
|
||||
#. List projects and note the project ID you want to assign to the role:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project list
|
||||
+----------------------------------+--------------------+
|
||||
| ID | Name |
|
||||
+----------------------------------+--------------------+
|
||||
| 0b0b995694234521bf93c792ed44247f | new-project |
|
||||
| 29c09e68e6f741afa952a837e29c700b | admin |
|
||||
| 3a7ab11d3be74d3c9df3ede538840966 | invisible_to_admin |
|
||||
| 71a2c23bab884c609774c2db6fcee3d0 | service |
|
||||
| 87e48a8394e34d13afc2646bc85a0d8c | alt_demo |
|
||||
| fef7ae86615f4bf5a37c1196d09bcb95 | demo |
|
||||
+----------------------------------+--------------------+
|
||||
|
||||
#. Assign a role to a user-project pair:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role add --user USER_NAME --project TENANT_ID ROLE_NAME
|
||||
|
||||
For example, assign the ``new-role`` role to the ``demo`` and
|
||||
``test-project`` pair:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role add --user demo --project test-project new-role
|
||||
|
||||
#. Verify the role assignment:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role assignment list --user USER_NAME \
|
||||
--project PROJECT_ID --names
|
||||
+----------------------------------+-------------+---------+------+
|
||||
| ID | Name | Project | User |
|
||||
+----------------------------------+-------------+---------+------+
|
||||
| a34425c884c74c8881496dc2c2e84ffc | new-role | demo | demo |
|
||||
| 04a7e3192c0745a2b1e3d2baf5a3ee0f | Member | demo | demo |
|
||||
| 62bcf3e27eef4f648eb72d1f9920f6e5 | anotherrole | demo | demo |
|
||||
+----------------------------------+-------------+---------+------+
|
||||
|
||||
.. note::
|
||||
|
||||
Before the Newton release, users would run
|
||||
the :command:`openstack role list --user USER_NAME --project TENANT_ID` command to
|
||||
verify the role assignment.
|
||||
|
||||
View role details
|
||||
-----------------
|
||||
|
||||
View details for a specified role:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role show ROLE_NAME
|
||||
+-----------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-----------+----------------------------------+
|
||||
| domain_id | None |
|
||||
| id | a34425c884c74c8881496dc2c2e84ffc |
|
||||
| name | new-role |
|
||||
+-----------+----------------------------------+
|
||||
|
||||
Remove a role
|
||||
-------------
|
||||
|
||||
Remove a role from a user-project pair:
|
||||
|
||||
#. Run the :command:`openstack role remove` command:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role remove --user USER_NAME --project TENANT_ID ROLE_NAME
|
||||
|
||||
#. Verify the role removal:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role list --user USER_NAME --project TENANT_ID
|
||||
|
||||
If the role was removed, the command output omits the removed role.
|
|
@ -16,6 +16,8 @@ command-line client.
|
|||
|
||||
identity-concepts.rst
|
||||
identity-bootstrap.rst
|
||||
cli-manage-projects-users-and-roles.rst
|
||||
cli-keystone-manage-services.rst
|
||||
identity-certificates-for-pki.rst
|
||||
identity-domain-specific-config.rst
|
||||
identity-external-authentication.rst
|
||||
|
|
Loading…
Reference in New Issue