Skip to content

Latest commit

 

History

History
193 lines (109 loc) · 9.89 KB

03.md

File metadata and controls

193 lines (109 loc) · 9.89 KB

+++ date = "2015-09-30" draft = false weight = 3 title = "Lab 03 - Keystone - CLI" +++

Lab Duration: 35 minutes

Lab Objective

The objective of this lab is to teach how to create a project and user at the CLI, we'll also dive a bit into OpenStack 'roles'. We created projects and users in the previous lab, but we used the Horizon dashboard. In production, it is highly unlikely that system admins will spend much time within Horizon.

1. Project, Users, and Roles definitions (reference)

  1. An OpenStack admin will manage projects, users, and roles.

    • Projects are organizational units in the cloud to which you can assign users. Projects are also known as tenants or accounts.

    • Users can be members of one or more projects.

    • Roles define which actions users can perform. You assign roles to user-project pairs.

2. Creating a Project and User at the CLI

Back to our story. Remember, we still promised our customer Vault Tek Enterprise that they could have access to a project space with a single user, Chester Copperpot. Let's try setting this user up at the CLI.

  1. SSH to your controller as root, you might use:

  • Your browser (https://sshproxy.alta3.training/)

    Once logged into the browser, type screen -x <last initial><first initial> to return to your previous session

  • Alternative, you may use PuTTY (Windows), or Terminal (Apple)

  1. Apply the admin access variables to the bash environment. It prevents you from issuing needlessly long CLI commands. This will be covered in another lesson if it has not been covered already.

    [root@controller]# source keystonerc_admin

  2. Keystone's job is management of users and credentials. Issue this command to the keystone service to create a new tenant.

    [root@controller ~(keystone_admin)]# keystone tenant-create --name vault_tek

    Notice the deprecation warning message that came up? If you didn't, let's check it out now.

    /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Pyth
, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)

    The openstack cli has been rewritten (python openstack wrapper). These commands will still work, at least for now, but support has moved to the new cli client. You'll have an opportunity to access the python-openstackclient soon.

  3. Create the user chestercopperpot, within the tenant (project) vault_tek, the password fa5tpa55w0rd, and the email address chester@vault_tek.example

    [root@controller ~(keystone_admin)]# keystone user-create --name chestercopperpot --tenant vault_tek --pass fa5tpa55w0rd --email chester@vault_tek.example

    If this command is successfully run, you should see output similar to below:

    +----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |    chester@vault_tek.example     |
| enabled  |               True               |
|    id    | c9b7d3be7fe843c78412ff510457ddd3 |
|   name   |         chestercopperpot         |
| tenantId | a411280ca390483ea2161209371d133a |
| username |         chestercopperpot         |
+----------+----------------------------------+

  4. Display the tenants (projects) currently available.

    [root@controller ~(keystone_admin)]# keystone tenant-list

    This command is analogous to looking at the Identity > Projects page in the Horizon dashboard.

  5. Display the users that have been created in the system.

    [root@controller ~(keystone_admin)]# keystone user-list

    This command is analogous to looking at the Identity > Users page in the Horizon dashboard

  6. Log in to the Horizon interface as chestercopperpot // fa5tpa55w0rd

  • If you have forgotten how to get to Horizon, simply navigate to your FQDN in a web browser
  1. Once logged in, you should be part of the new project called vault_tek.

  • How can you quickly identify the project that you are a part of in Horizon?

    HINT: Look in the upper left corner of your screen.

  • We logged into Horizon in the previous lab, but if you are new to OpenStack, click around, and make sure everything appears as you would expect it to within the OpenStack Horizon dashboard.

  1. That's it! Good job. Leave everything the way it is. We'll tweak the acme_inc and vault_tek tenants (projects) in a subsequent lab. If you are done early, feel free to perform the subsequent section on using the python-openstackclient.

3. Exploring roles at the CLI

OpenStack uses a Role Based Access Control (RBAC) mechanism to manage accesses to resources. Users' roles granted on each project and domain are stored into Keystone, and can be updated through Keystone's API. However, policy enforcement (actually allowing or not the access to resources according to a user's roles) is performed independently in each service, based on the rules defined in each policy.json file.

You assign roles to user-project pairs. Define actions for OpenStack service roles in the /etc//policy.json files. For example, define actions for Compute service roles in the /etc/nova/policy.json file.

  1. First let us find all of the policy.json files on the system.

    [root@controller ~(keystone_admin)]# find / -name 'policy.json'

  2. Great! Now let's take a look at what one of these files contains.

    [root@controller ~(keystone_admin)]# cat /etc/cinder/policy.json | less

    For students who do not have much experience using the less command:

    Press CTRL + F to go forward one window, and CTRL + B to go back one window Press CTRL + D to go forward one half window, and CTRL + U to go back one half window Press q to quit Less utility and return to the CLI If you have never used the less utility, you might find the following cheat sheet useful (http://sheet.shiar.nl/less)

    • The rules contained inside of these files may be customized. Customizing these rules controls who may call on a particular service. For example, maybe you want to create a user that may ONLY create a virtual router with neutron, or ONLY create cinder volumes. This is all made possible with roles.

  3. There are two roles you should know about:

  • The ** member** role, when assigned to a user, allows a user to manage all of the resources within their project (instances, volumes, and so on). If no role is defined, than this default role will be applied.

  • The admin role, when assigned to a user, allows the user total control over the entire OpenStak platform.

  1. Roles are applied when the user is created, and may also be applied after the user is created.

    • Users may occupy more than one role

  2. To view the current roles available, type the following:

    [root@controller ~(keystone_admin)]# keystone role-list

  3. Create a new role called ultra_admin by typing the following:

    [root@controller ~(keystone_admin)]# keystone role-create --name ultra_admin

  4. Let's give alice the role ultra_admin

    [root@controller ~(keystone_admin)]# keystone tenant-list

    • Highlight the id for acme_inc

    [root@controller ~(keystone_admin)]# keystone user-role-add --user aliceanderson --role ultra_admin --tenant <right_click_to_paste_the_tenant_ID_you_highlighted>

  5. Confirm that aliceanderson is now a 'ultra_admin'

    [root@controller ~(keystone_admin)]# keystone user-role-list --user aliceanderson --tenant <right_click_to_paste_the_tenant_ID_you_highlighted>

  6. Of course, aliceanderson being an ultra_admin doesn't really do anything, until we edit the policy.json file so that the role ultra_admin performs the way we want it to, but hopefully roles are clear.

    • Now is a great time to ask the instructor to explain roles if you are still a bit unclear.

    • Manipulating these policy.json files is tricky, but the following link is a great resource with a cool working example if you're looking to know more

3. OPTIONAL - Creating a Project at the CLI (using python-openstackclient)

Earlier in this lab, there was mention of the python-openstackclient. The python-openstackclient is trying to unite all of the OpenStack services on a single platform with a common set of commands. Some admins are using it, and some are not. At the end of the day, there is nothing 'new' you can do within this platform.

The following is a list of the steps you would take to utilize the python-openstackclient in order to create the project 'the_shire' and the user 'gandalf'. You already did this so there is no need to do it a second time. However, if you are a rocket scientist and finished this lab early, feel free to stare & compare and play around with the python-openstackclient environment.

  1. SSH into your controller as root (if you are not already)

  2. If you are not sourced as admin already, issue the following command:

    [root@controller]# source keystonerc_admin

  3. Start the python-openstackclient

    [root@controller ~(keystone_admin)]# openstack

    Within the python-openstackclient, you'll be issuing commands as admin since the admin permissions were set when you executed openstack

  4. Get a sense of the commands you can issue:

    (openstack) help

  5. Issue the following commands to create the project, and then create the user gandalf with the password noneshallpass

    (openstack) project create the_shire

    (openstack) user create gandalf --project the_shire --password noneshallpass --email [email protected]

    (openstack) exit

  6. Log in to the Horizon interface as gandalf // noneshallpass

  • If you have forgotten how to get to Horizon, simply navigate to your FQDN in a web browser

  • The login should work! If it did, good job! If other students are still working, feel free to play around in the python-openstackclient a bit more.