Mindmajix

How to Create the Service Tenant and Service Users

Creating the Service Tenant and Service Users

After you install the Identity service, create tenants (projects), users and roles for your environment to authenticate against. Without users, an OpenStack cloud has little value, since users are what grant access to services and endpoints.

With the service endpoints already created, we can now configure them so that our OpenStack services can use them. To do this, each service is configured with a username and password within a special service tenant. Giving each service its own username and password allows for greater security, troubleshooting, and auditing within our environment. For each service that uses the OpenStack Identity service for authentication and authorization, we specify these details in its configuration file when setting up that service. Each service itself has to authenticate with Keystone in order for it to be available within OpenStack, and the configuration of that service is then done using these credentials. For example, for glance we specify the following in /etc/glance/glance-registry-api.ini when used with the OpenStack Identity service, which matches what we have created previously:

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 172.16.0.200
service_port = 5000
auth_host = 172.16.0.200
auth_port = 35357
auth_protocol = http
auth_uri = http://172.16.0.200:5000/
admin_tenant_name = service
admin_user = glance
admin_password = glance

Getting started

To begin with, ensure you're logged into our OpenStack Controller host (where the OpenStack Identity service has been installed) or an appropriate Ubuntu client that has access to the host where the OpenStack Identity service is installed.

To log on to our OpenStack Controller host that was created using Vagrant, issue the following command:

vagrant ssh controller

If the keystone client tool isn't available, it can be installed on an Ubuntu client to manage our OpenStack Identity service by issuing the following commands:

sudo apt-get update

sudo apt-get -y install python-keystoneclient

Ensure that we have our environment set correctly to access our OpenStack environment:

export ENDPOINT=172.16.0.200
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

How to achieve it…

To configure an appropriate service tenant, carry out the following steps:

1) Create the service tenant (tenants are the organizational units in the cloud to which you can assign users) as follows:

keystone tenant-create \
    --name service \
    --description "Service Tenant" \
    --enabled true

This produces output similar to what is shown as follows:

[Screenshot: output of the keystone tenant-create command]

2) Record the ID of the service tenant so that we can assign service users to it, as follows:

SERVICE_TENANT_ID=$(keystone tenant-list \
    | awk '/\ service\ / {print $2}')

3) For each of the services in this section, we will create user accounts named the same as the service, with the password also set to the service name. For example, we will add a user called nova, with the password nova, in the service tenant using the user-create option, as follows:

keystone user-create \
    --name nova \
    --pass nova \
    --tenant_id $SERVICE_TENANT_ID \
    --email nova@localhost \
    --enabled true

This will produce output similar to what is shown as follows:

[Screenshot: output of the keystone user-create command]

4) We then repeat this for each of our other services that will use the OpenStack Identity service:

keystone user-create \
    --name glance \
    --pass glance \
    --tenant_id $SERVICE_TENANT_ID \
    --email glance@localhost \
    --enabled true

keystone user-create \
    --name keystone \
    --pass keystone \
    --tenant_id $SERVICE_TENANT_ID \
    --email keystone@localhost \
    --enabled true

keystone user-create \
    --name cinder \
    --pass cinder \
    --tenant_id $SERVICE_TENANT_ID \
    --email cinder@localhost \
    --enabled true

5) We can now assign these users the admin role in the service tenant. To do this, we use the user-role-add option after retrieving the user ID of the nova user. For example, to add the admin role to the nova user in the service tenant, we do the following:

# Get the nova user id
NOVA_USER_ID=$(keystone user-list \
    | awk '/\ nova\ / {print $2}')

# Get the admin role id
ADMIN_ROLE_ID=$(keystone role-list \
    | awk '/\ admin\ / {print $2}')

# Assign the nova user the admin role in the service tenant
keystone user-role-add \
    --user $NOVA_USER_ID \
    --role $ADMIN_ROLE_ID \
    --tenant_id $SERVICE_TENANT_ID

6) We then repeat this for our other service users: glance, keystone and cinder:

# Get the glance user id
GLANCE_USER_ID=$(keystone user-list \
    | awk '/\ glance\ / {print $2}')

# Assign the glance user the admin role in the service tenant
keystone user-role-add \
    --user $GLANCE_USER_ID \
    --role $ADMIN_ROLE_ID \
    --tenant_id $SERVICE_TENANT_ID

# Get the keystone user id
KEYSTONE_USER_ID=$(keystone user-list \
    | awk '/\ keystone\ / {print $2}')

# Assign the keystone user the admin role in the service tenant
keystone user-role-add \
    --user $KEYSTONE_USER_ID \
    --role $ADMIN_ROLE_ID \
    --tenant_id $SERVICE_TENANT_ID

# Get the cinder user id
CINDER_USER_ID=$(keystone user-list \
    | awk '/\ cinder\ / {print $2}')

# Assign the cinder user the admin role in the service tenant
keystone user-role-add \
    --user $CINDER_USER_ID \
    --role $ADMIN_ROLE_ID \
    --tenant_id $SERVICE_TENANT_ID

Tenants (projects) and roles can be managed independently of each other.

How it works…

Creating the service tenant, populated with the service accounts required to run OpenStack, is no different from creating any other user on our system that requires the admin role. We create the usernames and passwords and ensure they exist in the service tenant with the admin role assigned to each user. We then use these credentials when configuring the services to authenticate with the OpenStack Identity service.
