Keystone – An OpenStack Identity Service tutorial
Through this OpenStack Cloud Computing book extract, Kevin Jackson, Cody Bunch, Egle Sigler, and James Denton will help you understand the OpenStack Identity service known as Keystone.
Keystone provides services for authenticating and managing user accounts and role information for our OpenStack cloud environment.
In this article, we will cover the following topics:
- Creating domains
- Enabling domains in the OpenStack dashboard
- Configuring roles in Keystone
- Deleting roles
- Deleting domains
Creating OpenStack domains in Keystone
To create a domain in our OpenStack environment, perform the following step:
1. We start by creating a domain called bookstore as follows:
openstack domain create --description "Book domain" bookstore
The output will look similar to this:
Enabling domains in the OpenStack dashboard
To enable multidomain support in the OpenStack dashboard, we will update one horizon variable, OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT in local_settings.py using the openstack-ansible deployment tool. First, you will need to connect to your openstack-ansible deployment host. Once connected, execute the following steps:
1. Edit the /etc/openstack_deploy/user_variables.yml file to add the following line:
horizon_keystone_multidomain_support: True
2. Deploy Horizon with the openstack-ansible command:
openstack-ansible \ /opt/openstack-ansible/playbooks/os-horizon-install.yml
The openstack-ansible command produces a lot of output. For brevity, its output has been omitted.
3. Launch the OpenStack dashboard to verify that the login screen now shows domain field:
Configuring roles in Keystone
To create the required roles in our OpenStack environment, perform the following steps:
1. Creation of the cloud_admin role is done as follows:
openstack role create --domain bookstore cloud_admin:
2. To configure the user role for the default domain, execute the following command:
openstack role create user
This command created a new role called user. Since we didn’t specify a domain, it was created under the default domain.
3. View roles associated with the bookstore domain:
openstack role list --domain bookstore
4. List roles associated with the current admin user:
openstack role list
Deleting roles
In order to delete a role, execute the following commands:
1. Get the role’s name from a current role list:
openstack role list
2. Delete the oldrole role:
openstack role delete oldrole
This command will have no output.
Deleting domains
In order to delete a domain, execute the following commands:
1. Get the domain’s name from a current domain list:
2. Verify that there are no users associated with the olddomain domain that we will be deleting:
openstack user list --domain olddomain
This list should be empty before proceeding. If it is not, delete all the users before proceeding to the next step.
3. Disable the domain:
openstack domain set --disable olddomain
This command will have no output.
4. Delete domain:
openstack domain delete olddomain
If successful, this command will have no output.
Summary
In this article, we learned the concepts of domains and roles in Keystone. A Keystone domain is a high-level OpenStack Identity resource that contains projects, users, and groups. A project has resources such as users, images, and instances, as well as networks in it that can be restricted only to that particular project unless explicitly shared with others.
This tutorial is a recipe excerpt from “OpenStack Cloud Computing Cookbook – Fourth Edition” by Packt. Use the code ORJEA10 at checkout to get the eBook for just $10 (valid until 30th April 2018).
