Hey Cole,

I started going through your instructions, but got sidetracked a bit by
keystone ... seems we have a common theme here :-)

On Mon, 2011-11-28 at 11:34 -0500, Cole Robinson wrote:

> # First we need to set up keystone, since horizon requires it.
> sudo yum install -y openstack-keystone

Best to include --enablerepo=updates-testing

> # Clear any previous keystone config
> sudo rm /var/lib/keystone/keystone.sqlite
> sudo systemctl start openstack-keystone.service

Right, yes - although keystone-manage doesn't talk to the service, it's
best to let the service create the DB as owned by keystone:keystone
before trying to use keystone-manage. If you dive right in with
keystone-manage, it'll be owned by root:root and the service won't be
able to start.

> # These steps are derived from
> # http://keystone.openstack.org/configuringservices.html
> # Assumes that openstack, keystone, and dashboard are all on localhost
>
> sudo keystone-manage service add nova compute "Nova Compute Service"
> sudo keystone-manage service add glance image "Glance Image Service"
> sudo keystone-manage service add keystone identity "Keystone Identity Service"
>
> sudo keystone-manage endpointTemplates add RegionOne nova \
>     http://localhost:8774/v1.1/ \
>     http://localhost:8774/v1.1/ \
>     http://localhost:8774/v1.1/ \
>     1 1

Wow, what a disgusting command!
(For my own reference, the args here are region, service, publicURL,
adminURL, internalURL, enabled and global)

> sudo keystone-manage endpointTemplates add RegionOne glance \
>     http://localhost:9292/v1.1/ \
>     http://localhost:9292/v1.1/ \
>     http://localhost:9292/v1.1/ \
>     1 1
>
> sudo keystone-manage endpointTemplates add RegionOne keystone \
>     http://localhost:5000/v2.0 \
>     http://localhost:35357/v2.0 \
>     http://localhost:5000/v2.0 \
>     1 1
>
> sudo keystone-manage user add admin admin
> sudo keystone-manage user add demo demo
>
> sudo keystone-manage tenant add admin
> sudo keystone-manage tenant add demo
>
> sudo keystone-manage role add Admin

One slightly surprising thing is that the Admin role has special
significance - see keystone-admin-role in keystone.conf. I wonder why
it's not added automatically if it's special?

> sudo keystone-manage role grant Admin admin admin
> sudo keystone-manage token add 999888777666 admin admin 2015-02-05T00:00

Rather than using keystone-manage to add a token, I think you can just
authenticate as admin and generate a token that way, e.g.

$> curl -v -d '{"auth": {"passwordCredentials": {"username": "admin", "password": "admin"}}}' \
     -H "Content-type: application/json" http://localhost:5000/v2.0/tokens
{"access": {"token": {"expires": "2011-11-30T13:14:02.210014", "id": "a361aff4-2a65-480b-a77a-3c81c4ee02cc"}, "user": {"id": "1", "roles": [{"id": "1", "name": "Admin"}], "name": "admin"}}}

and then you can check that token works with e.g.
$> curl -H 'X-Auth-Token: a361aff4-2a65-480b-a77a-3c81c4ee02cc' http://localhost:35357/v2.0/tenants
{"tenants": {"values": [{"enabled": true, "description": "None", "name": "admin", "id": "1"}], "links": []}}

> sudo keystone-manage role add Member
> sudo keystone-manage role grant Member demo demo
> sudo keystone-manage role grant Admin admin demo
>
> sudo keystone-manage endpoint add demo nova
> sudo keystone-manage endpoint add demo glance
> sudo keystone-manage endpoint add demo identity
>
> sudo keystone-manage endpoint add admin nova
> sudo keystone-manage endpoint add admin glance
> sudo keystone-manage endpoint add admin identity

Okay, this sidetracked me a bit because you named the service for
keystone 'keystone' above, not 'identity' - so why does it appear to
work? It turns out this arg should be an integer endpointTemplate ID.
I've filed a bug with a fix to validate the arg:

  https://bugs.launchpad.net/keystone/+bug/897749

But it looks like, because all the templates you added are 'global'
(the second '1' arg to 'endpointTemplates add'), you don't need to also
explicitly add them to the tenants.

To check the endpoints list, I'm looking at the serviceCatalog list in
the result from authenticating using that tenant:

$> curl -v -d '{"auth": {"passwordCredentials": {"username": "admin", "password": "p4ssw0rd"}, "tenantName": "admin"}}' \
     -H "Content-type: application/json" http://localhost:35357/v2.0/tokens

Cheers,
Mark.
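
Added example, not part of the original message: a shell pre-flight for the two pitfalls raised above, a keystone.sqlite owned by root:root instead of keystone:keystone, and a non-integer endpointTemplate ID passed to 'endpoint add'. The function names and the KEYSTONE_DB, KEYSTONE_OWNER and KEYSTONE_MANAGE variables are hypothetical; only the path, the owner and the 'endpoint add' form come from the thread.

```shell
#!/bin/sh
# Added example: pre-flight checks before calling keystone-manage.

# Print "user:group" for a path (GNU stat first, BSD stat as a fallback).
owner_of() {
    stat -c '%U:%G' "$1" 2>/dev/null || stat -f '%Su:%Sg' "$1"
}

# 0 = DB owned by the expected account, 1 = wrong owner,
# 2 = DB not there yet (the service has not created it).
check_db_owner() {
    db=$1; want=$2
    if [ ! -e "$db" ]; then
        echo "missing: $db (start the service so it creates the DB)" >&2
        return 2
    fi
    have=$(owner_of "$db")
    [ "$have" = "$want" ] && return 0
    echo "$db is owned by $have, expected $want" >&2
    return 1
}

# 0 only when the argument consists of digits, i.e. looks like an
# endpointTemplate ID rather than a service name such as "identity".
is_template_id() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hypothetical wrapper around "keystone-manage endpoint add <tenant> <id>".
# KEYSTONE_MANAGE can be overridden (for example with "echo") for a dry run.
endpoint_add() {
    tenant=$1; template=$2
    if ! is_template_id "$template"; then
        echo "refusing '$template': expected an integer endpointTemplate ID" >&2
        return 1
    fi
    check_db_owner "${KEYSTONE_DB:-/var/lib/keystone/keystone.sqlite}" \
                   "${KEYSTONE_OWNER:-keystone:keystone}" || return 1
    ${KEYSTONE_MANAGE:-sudo keystone-manage} endpoint add "$tenant" "$template"
}
```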