Identity - Keystone Couch To OpenStack
May 10, 2015
Identity - Keystone
Couch To OpenStack
- Subscribe & Recordings: http://bit.ly/BrownbagPodcast
- Sign up for the rest of the series: http://openstack.prov12n.com/about-couch-to-openstack/
Some Logistics
On Twitter: #vBrownBag
Also: @cody_bunch
Join the conversation
- New Edition: http://www.packtpub.com/openstack-cloud-computing-cookbook-second-edition/book
- Old Edition: http://amzn.to/12eI6rX
Buy the Book
- 7/2/2013 – Intro to OpenStack < Recording here: http://buff.ly/1cQZ3xC
- 7/9/2013 – Vagrant Primer < Recording here: http://bit.ly/149FnWt
- 7/16/2013 – Identity services (Keystone) << We Are Here
- 7/23/2013 – Image services (Glance)
- 7/30/2013 – Compute Services (Nova)
- 8/6/2013 – Block Storage / Volume Services (Cinder)
- 8/13/2013 – Networking Services (Quantum)
- 8/20/2013 - Monitoring & Troubleshooting
- 8/27/2013 - HA OpenStack
- 9/3/2013 – DevOps Deployments
Note: Dates are subject to change depending on how far we get in each lesson.
The Rest of the Series
Y’all did the homework, right?
Remember we have a G+ Support group here: https://plus.google.com/communities/101663052588382171429
Homework Review
- git clone https://github.com/bunchc/Couch_to_OpenStack.git
- cd Couch_to_OpenStack
- vagrant up
Build Time!
- Adds the Grizzly packages for Ubuntu
- Sets a bunch of variables
- Installs MySQL
  - Creates a DB
  - Creates a User
  - Assigns User to DB
- Installs keystone
- Configs keystone
- Creates a user / tenant / endpoint, etc
Build – What’s it doing?
- Identity Management Service
- Provides centralized Authentication and Authorization for OpenStack Services
- … Let’s take a look:
Keystone Intro
- Users
  - A User or Service
  - Set of credentials
    - User / Pass
    - User / API Key
    - User / RSA Token
    - etc
Concepts - Users
- Tenant
  - A collection of resources
    - Instances in Nova
    - Networks in Neutron
    - Images in Glance
  - aka “projects”
Concepts - Tenants
- Role
  - Binds a user to a tenant
  - Privileges or Rights on a set of resources
  - For example
    - Access to networks
    - Ability to upload images
    - Access to consoles
Concepts - Roles
- Token
  - Arbitrary bit of text
  - Provides context & scope for authorization
  - PKI Tokens in Grizzly
    - keystone.token.providers.pki.Provider
    - Additional providers in the future
Concepts – Token
- Service
  - An OpenStack Service
    - Keystone
    - Cinder
    - Nova
    - etc
  - Provides “endpoints”, or URLs users can use to operate the services
Concepts – Service
- Endpoint
  - Network Address / URL for a service
    - Admin
    - Internal
    - Public
Concepts – Endpoint
- http://docs.openstack.org/trunk/openstack-identity/admin/content/Identity-Service-Concepts-e1362.html
- http://www.slideshare.net/kamesh001/openstack-keystone
- http://docs.openstack.org/developer/keystone/configuration.html
Concepts – Reference
- vagrant ssh controller
- sudo su -
- cat .stackrc
  - export OS_TENANT_NAME=cookbook
  - export OS_USERNAME=admin
  - export OS_PASSWORD=openstack
  - export OS_AUTH_URL=http://${MY_IP}:5000/v2.0/
- source .stackrc
Using Keystone!
- keystone service-list
+----------------------------------+----------+----------+---------------------------+
| id                               | name     | type     | description               |
+----------------------------------+----------+----------+---------------------------+
| cd9aedf1430e48aa9d63af7c52581aa0 | cinder   | volume   | Cinder Volume Service     |
| 9ed2fcefaf70476896b7b5dd3fff1a8c | ec2      | ec2      | EC2 Compatibility Layer   |
| 830ed2c03fd742a586c5c378f6c540e0 | glance   | image    | Glance Image Service      |
| 9103fbbc247248ea9132025e91ba7025 | keystone | identity | Keystone Identity Service |
| e75645d65beb4a95a79d1b3cabf7f256 | nova     | compute  | Nova Compute Service      |
+----------------------------------+----------+----------+---------------------------+
- keystone service-get <UUID>
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Keystone Identity Service        |
| id          | 9103fbbc247248ea9132025e91ba7025 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
List Services
# keystone user-list
+----------------------------------+------------+---------+-------+
| id                               | name       | enabled | email |
+----------------------------------+------------+---------+-------+
| 390f2da1b41447aea3fa87f3feb77159 | admin      | True    |       |
| e2d55836f1d64e7d9131eedb222803ea | cinder     | True    |       |
| 690ba1fd20104b7db99873c02d7497a3 | glance     | True    |       |
| 62b9f4c6924749deb80c2f3e0ed86df8 | monitoring | True    |       |
| 3b57d891ef9649c087d6c7259f0cdf80 | nova       | True    |       |
+----------------------------------+------------+---------+-------+
# keystone user-get 3b57d891ef9649c087d6c7259f0cdf80
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    |                                  |
| enabled  | True                             |
| id       | 3b57d891ef9649c087d6c7259f0cdf80 |
| name     | nova                             |
| tenantId | 5551bace71ff4d3f891176fe22cb3016 |
+----------+----------------------------------+
List Users
# keystone tenant-list
+----------------------------------+---------+---------+
| id                               | name    | enabled |
+----------------------------------+---------+---------+
| e9f36d967ce249398f223da966fac706 | admin   | True    |
| 5551bace71ff4d3f891176fe22cb3016 | service | True    |
+----------------------------------+---------+---------+
# keystone tenant-get 5551bace71ff4d3f891176fe22cb3016
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | service Tenant                   |
| enabled     | True                             |
| id          | 5551bace71ff4d3f891176fe22cb3016 |
| name        | service                          |
+-------------+----------------------------------+
List Tenants
# keystone endpoint-list
+----------------------------------+-----------+-------------------------------------------+-------------------------------------------+-------------------------------------------+----------------------------------+
| id                               | region    | publicurl                                 | internalurl                               | adminurl                                  | service_id                       |
+----------------------------------+-----------+-------------------------------------------+-------------------------------------------+-------------------------------------------+----------------------------------+
| 087c7b7b7a4c433c97414db7187d0ac1 | RegionOne | http://10.178.22.42:8773/services/Cloud   | http://10.178.22.42:8773/services/Cloud   | http://10.178.22.42:8773/services/Admin   | 9ed2fcefaf70476896b7b5dd3fff1a8c |
| 520e98d49f5e4c23a93f278cf12a4b22 | RegionOne | http://10.178.22.42:5000/v2.0             | http://10.178.22.42:5000/v2.0             | http://10.178.22.42:35357/v2.0            | 9103fbbc247248ea9132025e91ba7025 |
| 8c253aea03cb445fbe5549bf65baf430 | RegionOne | http://10.178.22.42:9292/v1               | http://10.178.22.42:9292/v1               | http://10.178.22.42:9292/v1               | 830ed2c03fd742a586c5c378f6c540e0 |
| ec3a2237002c4dbdb4db365fbc961aa1 | RegionOne | http://10.178.22.42:8776/v1/%(tenant_id)s | http://10.178.22.42:8776/v1/%(tenant_id)s | http://10.178.22.42:8776/v1/%(tenant_id)s | cd9aedf1430e48aa9d63af7c52581aa0 |
| f9aa590ca08346a6a4a228b993cdcf39 | RegionOne | http://10.178.22.42:8774/v2/%(tenant_id)s | http://10.178.22.42:8774/v2/%(tenant_id)s | http://10.178.22.42:8774/v2/%(tenant_id)s | e75645d65beb4a95a79d1b3cabf7f256 |
+----------------------------------+-----------+-------------------------------------------+-------------------------------------------+-------------------------------------------+----------------------------------+
# keystone endpoint-get --service identity
+--------------------+-------------------------------+
| Property           | Value                         |
+--------------------+-------------------------------+
| identity.publicURL | http://10.178.22.42:5000/v2.0 |
+--------------------+-------------------------------+
List Endpoints
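To tie the concept slides (user, tenant, role, token, service, endpoint) to the endpoint-list output above, here is an added Python example that is not part of the deck or of Keystone's own code. It builds the v2.0 token request that the .stackrc variables feed, parses a constructed token reply (token and tenant ids are placeholders; host and ports follow the endpoint-list slide) into a catalog lookup by service type and endpoint kind, and adds a small defender check for separate admin APIs, such as keystone on 35357, that are served from the same host as a public URL.

```python
import json
from urllib.parse import urlsplit

# Constructed v2.0 token reply (shape of POST /v2.0/tokens), not real lab output;
# host, ports and the tenant-id-substituted paths mirror the deck's endpoint-list.
SAMPLE_TOKEN_RESPONSE = json.dumps({"access": {
    "token": {"id": "TOKEN-ID-PLACEHOLDER", "expires": "2013-07-17T00:00:00Z",
              "tenant": {"id": "TENANT-ID-PLACEHOLDER", "name": "cookbook"}},
    "user": {"name": "admin", "roles": [{"name": "admin"}]},
    "serviceCatalog": [
        {"type": "identity", "name": "keystone", "endpoints": [{"region": "RegionOne",
            "publicURL": "http://10.178.22.42:5000/v2.0",
            "internalURL": "http://10.178.22.42:5000/v2.0",
            "adminURL": "http://10.178.22.42:35357/v2.0"}]},
        {"type": "compute", "name": "nova", "endpoints": [{"region": "RegionOne",
            "publicURL": "http://10.178.22.42:8774/v2/TENANT-ID-PLACEHOLDER",
            "internalURL": "http://10.178.22.42:8774/v2/TENANT-ID-PLACEHOLDER",
            "adminURL": "http://10.178.22.42:8774/v2/TENANT-ID-PLACEHOLDER"}]}]}})

def auth_request_body(username, password, tenant_name):
    """JSON body a client POSTs to OS_AUTH_URL/tokens: password credentials scoped to a tenant."""
    return {"auth": {"tenantName": tenant_name,
                     "passwordCredentials": {"username": username, "password": password}}}

def parse_token(response_text):
    """Flatten a v2.0 token reply into token id, tenant, role names and (type, region, kind) -> URL."""
    access = json.loads(response_text)["access"]
    endpoints = {}
    for svc in access["serviceCatalog"]:
        for ep in svc["endpoints"]:
            for kind in ("public", "internal", "admin"):  # the three endpoint kinds the deck lists
                if ep.get(kind + "URL"):
                    endpoints[(svc["type"], ep["region"], kind)] = ep[kind + "URL"]
    return {"token": access["token"]["id"], "tenant": access["token"]["tenant"]["name"],
            "roles": sorted(r["name"] for r in access["user"]["roles"]), "endpoints": endpoints}

def find_endpoint(parsed, service_type, kind="public", region="RegionOne"):
    """Resolve a service the way a client walks the catalog; None if it is not in the catalog."""
    return parsed["endpoints"].get((service_type, region, kind))

def distinct_admin_apis_on_public_hosts(parsed):
    """Defender check: a separate admin URL (e.g. keystone :35357) on a host that also serves the public URL."""
    public = {k[:2]: u for k, u in parsed["endpoints"].items() if k[2] == "public"}
    return sorted(u for (t, r, kind), u in parsed["endpoints"].items()
                  if kind == "admin" and u != public.get((t, r))
                  and urlsplit(u).hostname == urlsplit(public.get((t, r), "")).hostname)
```

In the deck's single-host lab every endpoint shares 10.178.22.42, so the last check flags the keystone admin API; in a real deployment the adminurl would normally point at a management address instead.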
We’re going to need some things to make Glance work next week. Specifically, you’ll want a role, endpoint, service, and maybe some others in keystone.
Additionally, like getting keystone up and running, let’s try to get glance installed for next week as well.
Homework!