Setting up tenants, users, and roles

1. $ git clone https://github.com/nimbis/keystone-init.git (the clone did not succeed because of network problems)

Add the default tenant: openstackDemo

2. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 tenant-create --name openstackDemo --description "Default Tenant" --enabled true


Add the default user: adminUser

3. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-create --tenant_id 516c51ea92474295844aa98c3994ba59 --name adminUser --pass secretword --enabled true

Add the default roles: admin and memberRole

4. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 role-create --name admin


5. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 role-create --name memberRole



Grant the admin role to the adminUser user in the openstackDemo tenant with "user-role-add".

6. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-role-add --user 82253661a9724a6c8ed3da5b83ba9f00 --tenant_id 516c51ea92474295844aa98c3994ba59 --role 51bbb02c1c4f4252bede1e11a33ab2f9

Create a Service Tenant. This tenant contains all the services that we make known to the service catalog.

7. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 tenant-create --name service --description "Service Tenant" --enabled true



Create a Glance Service User in the Service Tenant

8. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-create --tenant_id eb3f17d8ef5a45e19a894be697a15a65 --name glance --pass glance --enabled true



Grant the admin role to the glance user in the service tenant

9. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-role-add --user d40eb0656e0640eeba2cf2af5ceb6241 --tenant_id eb3f17d8ef5a45e19a894be697a15a65 --role 51bbb02c1c4f4252bede1e11a33ab2f9

Create a Nova Service User in the Service Tenant

10. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-create --tenant_id eb3f17d8ef5a45e19a894be697a15a65 --name nova --pass nova --enabled true



Grant the admin role to the nova user in the service tenant

11. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-role-add --user 693d1005c2374ee9bcb2f2f52624caff --tenant_id eb3f17d8ef5a45e19a894be697a15a65 --role 51bbb02c1c4f4252bede1e11a33ab2f9

Create an Object Storage Service User in the Service Tenant.

12. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-create --tenant_id eb3f17d8ef5a45e19a894be697a15a65 --name swift --pass swiftpass --enabled true


Grant the admin role to the swift user in the service tenant

13. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-role-add --user 4c22054357c942468800b46798f6a2f0 --tenant_id eb3f17d8ef5a45e19a894be697a15a65 --role 51bbb02c1c4f4252bede1e11a33ab2f9

Create an EC2 Service User in the Service Tenant.

14. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-create --tenant_id eb3f17d8ef5a45e19a894be697a15a65 --name ec2 --pass ec2 --enabled true



Grant the admin role to the ec2 user in the service tenant.

15. keystone --token SECRET1234567890 --endpoint http://192.168.3.6:35357/v2.0 user-role-add --user 17210309cfc644b5af86e596325baad4 --tenant_id eb3f17d8ef5a45e19a894be697a15a65 --role 51bbb02c1c4f4252bede1e11a33ab2f9
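Steps 2 to 15 above, collected into one script. This is an added example, not the page's own commands and not part of the keystone-init project. It keeps the same keystone v2 CLI calls but changes three things a reviewer would flag in the steps above: the admin token is read from the SERVICE_TOKEN environment variable (which the keystone client honours) instead of being typed after --token, where `ps` and the shell history would expose it; the service accounts get a random password each instead of `--pass glance`; and every id is looked up by name from the CLI's own table output, so nothing is copy-pasted and existing tenants, roles and users are reused rather than created twice. Assumptions not taken from the page: `keystone` (python-keystoneclient) is on PATH, the endpoint defaults to the page's host, the adminUser password comes from ADMIN_USER_PASS, and each generated service password is written to ./<service>.passwd for the operator to move into that service's configuration.

```sh
#!/bin/sh
# Added example (not the page's script): bootstrap tenants, users and roles with
# the Essex-era keystone v2 CLI. Assumes `keystone` is on PATH and that
# SERVICE_TOKEN / ADMIN_USER_PASS are exported before running with --apply.
set -eu

SERVICE_ENDPOINT="${SERVICE_ENDPOINT:-http://192.168.3.6:35357/v2.0}"   # page's host

# Parse the `| id | <value> |` row of the Property/Value table that *-create prints.
id_from_create() {
    awk '$2 == "id" { print $4 }'
}

# Parse a *-list table and print the id of the row whose name column equals $1.
# The id and name columns are located from the header row, so the column order
# does not matter (Essex user-list prints name last, later releases second).
id_by_name() {
    awk -v n="$1" '
        BEGIN { FS = "|" }
        /^[|]/ {
            for (i = 1; i <= NF; i++) { sub(/^ +/, "", $i); sub(/ +$/, "", $i) }
            if (!idc) {
                for (i = 1; i <= NF; i++) { if ($i == "id") idc = i; if ($i == "name") nc = i }
                next
            }
            if ($nc == n) print $idc
        }'
}

# 16 random bytes as 32 hex characters: adequate for a service-account password.
gen_password() {
    od -An -tx1 -N 16 /dev/urandom | tr -d ' \n'
}

ensure_tenant() {   # name description -> id (creates only when missing)
    id=$(keystone tenant-list | id_by_name "$1")
    [ -n "$id" ] || id=$(keystone tenant-create --name "$1" --description "$2" --enabled true | id_from_create)
    printf '%s\n' "$id"
}

ensure_role() {     # name -> id
    id=$(keystone role-list | id_by_name "$1")
    [ -n "$id" ] || id=$(keystone role-create --name "$1" | id_from_create)
    printf '%s\n' "$id"
}

ensure_user() {     # name tenant_id password -> id (password ignored if the user exists)
    id=$(keystone user-list | id_by_name "$1")
    [ -n "$id" ] || id=$(keystone user-create --tenant_id "$2" --name "$1" --pass "$3" --enabled true | id_from_create)
    printf '%s\n' "$id"
}

grant_role() {      # user_id tenant_id role_id
    keystone user-role-add --user "$1" --tenant_id "$2" --role "$3"
}

main() {
    : "${SERVICE_TOKEN:?export SERVICE_TOKEN (admin_token from keystone.conf) first}"
    : "${ADMIN_USER_PASS:?export ADMIN_USER_PASS (password for adminUser) first}"
    export SERVICE_TOKEN SERVICE_ENDPOINT   # read by the keystone client itself

    demo=$(ensure_tenant openstackDemo "Default Tenant")
    svc=$(ensure_tenant service "Service Tenant")
    admin_role=$(ensure_role admin)
    ensure_role memberRole >/dev/null

    admin_user=$(ensure_user adminUser "$demo" "$ADMIN_USER_PASS")
    grant_role "$admin_user" "$demo" "$admin_role"

    umask 077   # password files readable by the invoking user only
    for s in glance nova swift ec2; do
        if [ -z "$(keystone user-list | id_by_name "$s")" ]; then
            pw=$(gen_password)
            uid=$(ensure_user "$s" "$svc" "$pw")
            printf '%s\n' "$pw" > "./$s.passwd"   # assumed location; move into the service config
        else
            uid=$(ensure_user "$s" "$svc" unused)
        fi
        grant_role "$uid" "$svc" "$admin_role"
    done
}

# Run only when invoked with --apply, so the functions can be sourced on their own.
if [ "${1:-}" = "--apply" ]; then main; fi
```

Run it as `SERVICE_TOKEN=... ADMIN_USER_PASS=... sh bootstrap.sh --apply`. The service users still receive the admin role, as on the page; that is what the services of this release expect, but it means each of those password files is worth as much as the admin token, so delete them once the service configuration holds the value.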

Enable S3 support in Keystone

To enable Swift's S3 API compatibility within Keystone, define a new filter and enable it in the keystone.conf file:

1.   Define the filter:

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

2. Enable it by adding "s3_extension" to the "admin_api" pipeline:

[pipeline:admin_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension s3_extension crud_extension admin_service

Creating keystone services and service endpoints

1. Define the identity service:
2. Define the Compute service:
3. Define the Volume service:
4. Define the Image service:
5. Define the EC2 compatibility service:
6. Define the Object Storage service:

(The commands for each service were given as screenshots that are not reproduced here.)
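The six service definitions above, as one table-driven script. This is an added example, not the page's own commands (those survive only as screenshots). It registers each service with `service-create` and its endpoints with `endpoint-create` from the keystone v2 CLI, with the admin token taken from SERVICE_TOKEN rather than the command line. Every URL is checked before it goes into the catalog, because clients follow the catalog blindly and send their tokens wherever it points, so a mistyped endpoint is not merely a broken one. Assumptions not taken from the page: a single host (the page's 192.168.3.6) serves every service, the ports and URL paths are the defaults of this OpenStack release, and the region is named RegionOne.

```sh
#!/bin/sh
# Added example (not the page's commands): register services and endpoints with
# the Essex-era keystone v2 CLI. Assumes `keystone` is on PATH and SERVICE_TOKEN
# is exported before running with --apply. Host, ports and region are assumptions.
set -eu

HOST="${OS_HOST:-192.168.3.6}"
SERVICE_ENDPOINT="${SERVICE_ENDPOINT:-http://$HOST:35357/v2.0}"
REGION="${OS_REGION:-RegionOne}"

# Accept only http(s) URLs with a host, an optional port, a path and no whitespace.
check_endpoint_url() {
    printf '%s' "$1" | grep -Eq '^https?://[A-Za-z0-9.-]+(:[0-9]+)?(/[^[:space:]]*)?$'
}

# Catalog entries, one per line: name type publicurl internalurl adminurl.
# "$(tenant_id)s" is expanded by Keystone per tenant when it builds the catalog.
# The EC2 admin URL (/services/Admin) and the Swift admin URL (no AUTH_ prefix)
# are the separate administrative paths those services expose.
services() {
    cat <<EOF
keystone identity http://$HOST:5000/v2.0 http://$HOST:5000/v2.0 http://$HOST:35357/v2.0
nova compute http://$HOST:8774/v2/\$(tenant_id)s http://$HOST:8774/v2/\$(tenant_id)s http://$HOST:8774/v2/\$(tenant_id)s
volume volume http://$HOST:8776/v1/\$(tenant_id)s http://$HOST:8776/v1/\$(tenant_id)s http://$HOST:8776/v1/\$(tenant_id)s
glance image http://$HOST:9292/v1 http://$HOST:9292/v1 http://$HOST:9292/v1
ec2 ec2 http://$HOST:8773/services/Cloud http://$HOST:8773/services/Cloud http://$HOST:8773/services/Admin
swift object-store http://$HOST:8080/v1/AUTH_\$(tenant_id)s http://$HOST:8080/v1/AUTH_\$(tenant_id)s http://$HOST:8080/v1
EOF
}

# Parse the `| id | <value> |` row of the table that service-create prints.
id_from_create() {
    awk '$2 == "id" { print $4 }'
}

register() {   # name type publicurl internalurl adminurl
    for u in "$3" "$4" "$5"; do
        check_endpoint_url "$u" || { echo "refusing bad URL for $1: $u" >&2; return 1; }
    done
    sid=$(keystone service-create --name "$1" --type "$2" --description "$1 service" | id_from_create)
    keystone endpoint-create --region "$REGION" --service_id "$sid" \
        --publicurl "$3" --internalurl "$4" --adminurl "$5"
}

main() {
    : "${SERVICE_TOKEN:?export SERVICE_TOKEN (admin_token from keystone.conf) first}"
    export SERVICE_TOKEN SERVICE_ENDPOINT
    services | while read -r name type pub int adm; do
        register "$name" "$type" "$pub" "$int" "$adm"
    done
}

if [ "${1:-}" = "--apply" ]; then main; fi
```

The admin URLs (35357 for Keystone, /services/Admin for EC2) are the ones that accept the admin token and administrative calls; on a real deployment they belong on the management network, which is why the public and admin URLs are kept as separate columns rather than derived from one base.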

Verify Keystone

For convenience, put the environment variables in a file named keystonerc with the following content:

export ADMIN_TOKEN=SECRET1234567890

export OS_USERNAME=adminUser

export OS_PASSWORD=secretword

export OS_TENANT_NAME=openstackDemo

export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/

Run "source keystonerc". The file holds the admin password and the bootstrap token in clear text, so restrict it with "chmod 600 keystonerc" before sourcing it.

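A verification step for the keystonerc setup above, as an added example that is not part of the original page. It refuses to source a keystonerc that other users can read, then authenticates with the sourced OS_* variables rather than the bootstrap token: `keystone token-get` succeeds only if adminUser's password and tenant are right, and `keystone user-list` is an admin-only call in the v2 API, so it succeeds only if the admin role grant from the first section is in place. Assumptions not taken from the page: the file is ./keystonerc and `keystone` is on PATH.

```sh
#!/bin/sh
# Added example (not the page's own): verify keystonerc permissions, then
# password authentication and the admin role grant. Assumes ./keystonerc.
set -eu

# keystonerc contains the admin password and the bootstrap token in clear text.
# Return 0 only for mode 600 (-rw-------); the first ten characters of `ls -l`.
check_rc_perms() {
    mode=$(ls -ld "$1" | cut -c1-10)
    [ "$mode" = "-rw-------" ]
}

verify_keystone() {   # path to keystonerc
    check_rc_perms "$1" || { echo "$1: run chmod 600 on it before sourcing" >&2; return 1; }
    . "$1"
    : "${OS_USERNAME:?}" "${OS_PASSWORD:?}" "${OS_TENANT_NAME:?}" "${OS_AUTH_URL:?}"
    unset ADMIN_TOKEN SERVICE_TOKEN   # force the password path, not the bootstrap token
    keystone token-get                # fails unless username/password/tenant authenticate
    keystone user-list                # admin-only: fails unless adminUser holds the admin role
}

if [ "${1:-}" = "--apply" ]; then verify_keystone "${2:-./keystonerc}"; fi
```

Run it as `sh verify.sh --apply ./keystonerc`. If token-get works but user-list is refused, the user exists and the password is right but the user-role-add step for the openstackDemo tenant did not take effect.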