Keystone – OpenStack Identity Service

In this article by Cody Bunch, Kevin Jackson and, Egle Sigler, the authors of  OpenStack Cloud Computing Cookbook, Third Edition, we will cover the following topics:

  • Creating tenants in Keystone
  • Configuring roles in Keystone
  • Adding users to Keystone

(For more resources related to this topic, see here.)

The OpenStack Identity service, known as Keystone, provides services for authenticating and managing user accounts and role information for our OpenStack cloud environment. It is a crucial service that underpins the authentication and verification between all of our OpenStack cloud services and is the first service that needs to be installed within an OpenStack environment. The OpenStack Identity service authenticates users and tenants by sending a validated authorization token between all OpenStack services. This token is used for authentication and verification so that you can use that service, such as OpenStack Storage and Compute. Therefore, configuration of the OpenStack Identity service must be completed first, consisting of creating appropriate roles for users and services, tenants, the user accounts, and the service API endpoints that make up our cloud infrastructure.

In Keystone, we have the concepts of tenants, roles and users. A tenant is like a project and has resources such as users, images, and instances, as well as networks in it that are only known to that particular project. A user can belong to one or more tenants and is able to switch between these projects to gain access to those resources. Users within a tenant can have various roles assigned. In the most basic scenario, a user can be assigned either the role of admin or just be a member. When a user has admin privileges within a tenant, they are able to utilize features that can affect the tenant (such as modifying external networks), whereas a normal user is assigned the member role, which is generally assigned to perform user-related roles, such as spinning up instances, creating volumes, and creating tenant only networks.

Creating tenants in Keystone

A tenant in OpenStack is a project, and the two terms are generally used interchangeably. Users can't be created without having a tenant assigned to them, so these must be created first. Here, we will create a tenant called cookbook for our users.

Getting ready

We will be using the keystone client to operate Keystone. If the python-keystoneclient tool isn't available, follow the steps described at http://bit.ly/OpenStackCookbookClientInstall.

Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

export OS_TENANT_NAME=cookbook

export OS_USERNAME=admin

export OS_PASSWORD=openstack

export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/

export OS_NO_CACHE=1

export OS_KEY=/vagrant/cakey.pem

export OS_CACERT=/vagrant/ca.pem

You can use the controller node if no other machines are available on your network, as this has the python-keystoneclient and the relevant access to the OpenStack environment. If you are using the Vagrant environment issue the following command to get access to the Controller:

vagrant ssh controller

How to do it...

To create a tenant in our OpenStack environment, perform the following steps:

  1. We start by creating a tenant called cookbook:
    keystone tenant-create \
    
        --name cookbook \
    
        --description "Default Cookbook Tenant" \
    
        --enabled true

    This will produce output similar to:

    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |     Default Cookbook Tenant      |
    |   enabled   |               True               |
    |      id     | fba7b31689714d1ab39a751bc9483efd |
    |     name    |             cookbook             |
    +-------------+----------------------------------+

  2. We also need an admin tenant so that when we create users in this tenant, they have access to our complete environment. We do this in the same way as in the previous step:
    keystone tenant-create \
    
        --name admin \
    
        --description "Admin Tenant" \
    
        --enabled true

How it works...

Creation of the tenants is achieved by using the keystone client, specifying the tenant-create option with the following syntax:

keystone tenant-create \

    --name tenant_name \

    --description "A description" \

    --enabled true

The tenant_name is an arbitrary string and must not contain spaces. On creation of the tenant, this returns an ID associated with it that we use when adding users to this tenant. To see a list of tenants and the associated IDs in our environment, we can issue the following command:

keystone tenant-list

Configuring roles in Keystone

Roles are the permissions given to users within a tenant. Here, we will configure two roles: an admin role that allows for the administration of our environment, and a member role that is given to ordinary users who will be using the cloud environment.

Getting ready

We will be using the keystone client to operate Keystone. If the python-keystoneclient tool isn't available, follow the steps described at http://bit.ly/OpenStackCookbookClientInstall.

Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

export OS_TENANT_NAME=cookbook

export OS_USERNAME=admin

export OS_PASSWORD=openstack

export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/

export OS_NO_CACHE=1

export OS_KEY=/vagrant/cakey.pem

export OS_CACERT=/vagrant/ca.pem

You can use the controller node if no other machines are available on your network, as this has the python-keystoneclient and the relevant access to the OpenStack environment. If you are using the Vagrant environment, issue the following command to get access to the Controller:

vagrant ssh controller

How to do it...

To create the required roles in our OpenStack environment, perform the following steps:

  1. Create the admin role as follows:
    # admin role
    
    keystone role-create --name admin

    You will get an output like this:

    +----------+----------------------------------+
    | Property |              Value               |
    +----------+----------------------------------+
    |    id    | 625b81ae9f024366bbe023a62ab8a18d |
    |   name   |              admin               |
    +----------+----------------------------------+

  2. To create the Member role, we repeat the step and specify the Member role:
    # Member role
    keystone role-create --name Member

How it works...

Creation of the roles is simply achieved by using the keystone client and specifying the role-create option with the following syntax:

keystone role-create --name role_name

The role_name attribute can't be arbitrary for admin and Member roles. The admin role has been set by default in /etc/keystone/policy.json as having administrative rights:

{

    "admin_required": [["role:admin"], ["is_admin:1"]]

}

The Member role is also configured by default in the OpenStack Dashboard, Horizon, for a non-admin user created through the web interface.

On creation of the role, the ID associated with is returned, and we can use it when assigning roles to users. To see a list of roles and the associated IDs in our environment, we can issue the following command:

keystone role-list

Adding users to Keystone

Adding users to the OpenStack Identity service requires that the user has a tenant that they can exist in and there is a defined role that can be assigned to them. Here, we will create two users. The first user will be named admin and will have the admin role assigned to them in the cookbook tenant. The second user will be named demo and will have the Member role assigned to them in the same cookbook tenant.

Getting ready

We will be using the keystone client to operate Keystone. If the python-keystoneclient tool isn't available, follow the steps described at http://bit.ly/OpenStackCookbookClientInstall.

Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

export OS_TENANT_NAME=cookbook

export OS_USERNAME=admin

export OS_PASSWORD=openstack

export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/

export OS_NO_CACHE=1

export OS_KEY=/vagrant/cakey.pem

export OS_CACERT=/vagrant/ca.pem

You can use the controller node if no other machines are available on your network, as this has the python-keystoneclient and the relevant access to the OpenStack environment. If you are using the Vagrant environment, issue the following command to get access to the Controller:

vagrant ssh controller

How to do it...

To create the required users in our OpenStack environment, perform the following steps:

  1. To create a user in the cookbook tenant, we first need to get the cookbook tenant ID. To do this, issue the following command, which we conveniently store in a variable named TENANT_ID with the tenant-list option:
    TENANT_ID=$(keystone tenant-list \
        | awk '/\ cookbook\ / {print $2}')
  2. Now that we have the tenant ID, the admin user in the cookbook tenant is created using the user-create option and a password is chosen for the user:
    PASSWORD=openstack
    
    keystone user-create \
    
        --name admin \
    
        --tenant_id $TENANT_ID \
    
        --pass $PASSWORD \
    
        --email root@localhost \

        --enabled true

    The preceding code will produce the following output:

    +----------+----------------------------------+
    | Property |              Value               |
    +----------+----------------------------------+
    |  email   |          root@localhost          |
    | enabled  |               True               |
    |    id    | 2e23d0673e8a4deabe7c0fb70dfcb9f2 |
    |   name   |              admin               |
    | tenantId | 14e34722ac7b4fe298886371ec17cf40 |
    | username |              admin               |
    +----------+----------------------------------+

  3. As we are creating the admin user, which we are assigning the admin role, we need the admin role ID. We pick out the ID of the admin role and conveniently store it in a variable to use it when assigning the role to the user with the role-list option:
    ROLE_ID=$(keystone role-list \
        | awk '/\ admin\ / {print $2}')
  4. To assign the role to our user, we need to use the user ID that was returned when we created that user. To get this, we can list the users and pick out the ID for that particular user with the following user-list option:
    USER_ID=$(keystone user-list \
        | awk '/\ admin\ / {print $2}')
  5. With the tenant ID, user ID, and an appropriate role ID available, we can assign that role to the user with the following user-role-add option:
    keystone user-role-add \
    
        --user $USER_ID \
    
        --role $ROLE_ID \
    
        --tenant_id $TENANT_ID

    Note that there is no output produced on successfully running this command.

  6. The admin user also needs to be in the admin tenant for us to be able to administer the complete environment. To do this, we need to get the admin tenant ID and then repeat the previous step using this new tenant ID:
    ADMIN_TENANT_ID=$(keystone tenant-list \
    
        | awk '/\ admin\ / {print $2}')
    
    keystone user-role-add \
    
        --user $USER_ID \
    
        --role $ROLE_ID \
    
        --tenant_id $ADMIN_TENANT_ID
  7. To create the demo user in the cookbook tenant with the Member role assigned, we repeat the process defined in steps 1 to 5:
    # Get the cookbook tenant ID
    
    TENANT_ID=$(keystone tenant-list \
    
        | awk '/\ cookbook\ / {print $2}')
    
     
    
    # Create the user
    
    PASSWORD=openstack
    
    keystone user-create \
    
        --name demo \
    
        --tenant_id $TENANT_ID \
    
        --pass $PASSWORD \
    
        --email demo@localhost \
    
        --enabled true
    
     
    
    # Get the Member role ID
    
    ROLE_ID=$(keystone role-list \
    
        | awk '/\ Member\ / {print $2}')
    
     
    
    # Get the demo user ID
    
    USER_ID=$(keystone user-list \
    
        | awk '/\ demo\ / {print $2}')
    
     
    
    # Assign the Member role to the demo user in cookbook
    
    keystone user-role-add \
    
        --user $USER_ID \
    
        -–role $ROLE_ID \
    
        --tenant_id $TENANT_ID

How it works...

Adding users in the OpenStack Identity service involves a number of steps and dependencies. First, a tenant is required for the user to be part of. Once the tenant exists, the user can be added. At this point, the user has no role associated, so the final step is to designate the role to this user, such as Member or admin.

Use the following syntax to create a user with the user-create option:

keystone user-create \

    --name user_name \

    --tenant_id TENANT_ID \

    --pass PASSWORD \

    --email email_address \

    --enabled true

The user_name attribute is an arbitrary name but cannot contain any spaces. A password attribute must be present. In the previous examples, these were set to openstack. The email_address attribute must also be present.

To assign a role to a user with the user-role-add option, use the following syntax:

keystone user-role-add \

    --user USER_ID \

    --role ROLE_ID \

    --tenant_id TENANT_ID

This means that we need to have the ID of the user, the ID of the role, and the ID of the tenant in order to assign roles to users. These IDs can be found using the following commands:

keystone tenant-list

keystone user-list

keystone role-list

Summary

In this article, we have looked at the basic operations with respect to Keystone, such as creating tenants, configuring roles, and adding users. To know everything else about cloud computing with OpenStack, check out OpenStack Cloud Computing Cookbook, Third Edition, also currently being used at CERN!

The book has chapters on the Identity Service, Image Service, Networking, Object Storage, Block Storage, as well as how to manage OpenStack in production environments! It’s everything you need and more to make your job so much easier!

Resources for Article: 


Further resources on this subject: 


You've been reading an excerpt of:

OpenStack Cloud Computing Cookbook - Third Edition

Explore Title