Keystone – An OpenStack Identity Service tutorial

Through this OpenStack Cloud Computing book extract, Kevin Jackson, Cody Bunch, Egle Sigler, and James Denton will help you understand the OpenStack Identity service known as Keystone.
Keystone provides services for authenticating and managing user accounts and role information for our OpenStack cloud environment.
In this article, we will cover the following topics:
- Creating domains
- Enabling domains in the OpenStack dashboard
- Configuring roles in Keystone
- Deleting roles
- Deleting domains
Creating OpenStack domains in Keystone
To create a domain in our OpenStack environment, perform the following step:
1. We start by creating a domain called bookstore as follows:
openstack domain create --description "Book domain" bookstore
The output will look similar to this:
Enabling domains in the OpenStack dashboard
To enable multidomain support in the OpenStack dashboard, we will update one Horizon variable, OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in local_settings.py, using the openstack-ansible deployment tool. First, you will need to connect to your openstack-ansible deployment host. Once connected, execute the following steps:
1. Edit the /etc/openstack_deploy/user_variables.yml file to add the following line:
horizon_keystone_multidomain_support: True
2. Deploy Horizon with the openstack-ansible command:
openstack-ansible /opt/openstack-ansible/playbooks/os-horizon-install.yml
The openstack-ansible command produces a lot of output. For brevity, its output has been omitted.
3. Launch the OpenStack dashboard to verify that the login screen now shows a domain field:
Configuring roles in Keystone
To create the required roles in our OpenStack environment, perform the following steps:
1. Create the cloud_admin role in the bookstore domain as follows:
openstack role create --domain bookstore cloud_admin
2. To configure the user role for the default domain, execute the following command:
openstack role create user
This command created a new role called user. Since we didn't specify a domain, it was created under the default domain.
3. View roles associated with the bookstore domain:
openstack role list --domain bookstore
4. List roles associated with the current admin user:
openstack role list
Deleting roles
In order to delete a role, execute the following commands:
1. Get the role’s name from a current role list:
openstack role list
2. Delete the oldrole role:
openstack role delete oldrole
This command will have no output.
Deleting domains
In order to delete a domain, execute the following commands:
1. Get the domain’s name from a current domain list:
2. Verify that there are no users associated with the olddomain domain that we will be deleting:
openstack user list --domain olddomain
This list should be empty; if it is not, delete all users in the domain before moving on to the next step.
3. Disable the domain:
openstack domain set --disable olddomain
This command will have no output.
4. Delete the domain:
openstack domain delete olddomain
If successful, this command will have no output.
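The deletion recipe above as a guarded script, added here as an example (it is not from the book): it refuses to delete a domain that still owns identity resources, then disables and deletes it. It goes slightly beyond the recipe by checking groups and projects as well as users, and assumes the openstack CLI is installed with admin credentials loaded in the environment.

```shell
#!/bin/sh
# Added example: safe Keystone domain deletion (assumes the openstack CLI
# and admin credentials are available in the environment).
set -e

# Print how many resources of one kind ("user", "group", "project") still
# belong to the domain. "-f value -c ID" gives one bare ID per line.
count_in_domain() {
  kind="$1"; domain="$2"
  ids=$(openstack "$kind" list --domain "$domain" -f value -c ID)
  [ -z "$ids" ] && { echo 0; return 0; }
  printf '%s\n' "$ids" | wc -l | tr -d ' '
}

# Succeed only when the domain owns no users, groups or projects;
# report every blocker on stderr so the operator knows what to clean up.
domain_is_empty() {
  domain="$1"; empty=0
  for kind in user group project; do
    n=$(count_in_domain "$kind" "$domain")
    if [ "$n" -gt 0 ]; then
      echo "domain $domain still has $n $kind(s); delete them first" >&2
      empty=1
    fi
  done
  return "$empty"
}

# Mirror the recipe: verify the domain is empty, disable it, then delete it.
# Keystone refuses to delete an enabled domain, hence the disable step.
safe_delete_domain() {
  domain="$1"
  domain_is_empty "$domain" || return 1
  openstack domain set --disable "$domain"
  openstack domain delete "$domain"
  echo "deleted domain $domain"
}

# Usage: sh safe_delete_domain.sh olddomain
if [ "$#" -eq 1 ]; then safe_delete_domain "$1"; fi
```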
Summary
In this article, we learned the concepts of domains and roles in Keystone. A Keystone domain is a high-level OpenStack Identity resource that contains projects, users, and groups. A project has resources such as users, images, and instances, as well as networks in it that can be restricted only to that particular project unless explicitly shared with others.
This tutorial is a recipe excerpt from “OpenStack Cloud Computing Cookbook – Fourth Edition” by Packt. Use the code ORJEA10 at checkout to get the eBook for just $10 (valid until 30th April 2018).