| date | draft | weight | title |
|---|---|---|---|
2016-05-09 |
false |
3 |
Lab 03 - Keystone - CLI |
| Mon | Mon | Mon | Mon | Tue | Tue | Tue | Tue | Wed | Wed | Wed | Thur | Thur | Thur | Thur |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 00 | 01 | 02 |  |
04 | 05 | 06 | 07 | 08 | 09 | 10 | 11 | 12 | 13 | 14 |
The objective of this lab is to teach how to create a project and user at the CLI (same as we did in Horizon), and introduce the concept of controlling OpenStack user permissions with ‘roles’. We created projects and users in the previous lab, but we used the Horizon dashboard. In production, it is highly unlikely that system admins will spend much time within Horizon.
-
An OpenStack admin will manage projects, users, and roles.
-
Projects are organizational units in the cloud to which you can assign users. Projects are also known as tenants or accounts.
-
Users can be members of one or more projects.
-
Roles define which actions users can perform. You assign roles to user-project pairs.
-
Back to our story. Remember, we still promised our customer Vault Tek Enterprise that they could have access to a project space with a single user, Chester Copperpot. Let's try setting this user up at the CLI.
-
SSH to your controller as root, you might use:
-
Apply the admin access variables to the bash environment. It prevents you from issuing needlessly long CLI commands. This will be covered in another lesson if it has not been covered already.
[root@controller]#source keystonerc_admin -
Keystone's job is management of users and credentials. Issue this command to the keystone service to create a new tenant.
[root@controller ~(keystone_admin)]#keystone tenant-create --name vault_tekNotice the deprecation warning message that came up? If you didn't, let's check it out now.
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Pyth , continue using python-keystoneclient. 'python-keystoneclient.', DeprecationWarning)The openstack cli has been rewritten (python openstack wrapper). These commands will still work, at least for now, but support has moved to the new cli client. You'll have an opportunity to access the python-openstackclient soon.
-
Create the user chestercopperpot, within the tenant (project) vault_tek, the password fa5tpa55w0rd, and the email address chester@vault_tek.example
[root@controller ~(keystone_admin)]#keystone user-create --name chestercopperpot --tenant vault_tek --pass fa5tpa55w0rd --email chester@vault_tek.exampleIf this command is successfully run, you should see output similar to below:
+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | chester@vault_tek.example | | enabled | True | | id | c9b7d3be7fe843c78412ff510457ddd3 | | name | chestercopperpot | | tenantId | a411280ca390483ea2161209371d133a | | username | chestercopperpot | +----------+----------------------------------+ -
Display the tenants (projects) currently available.
[root@controller ~(keystone_admin)]#keystone tenant-listThe results look like this and are analogous to the Identity > Projects page in the Horizon dashboard.
+----------------------------------+-----------------------------------------------------------------+---------+ | id | name | enabled | +----------------------------------+-----------------------------------------------------------------+---------+ | 67f9b771e7f24bcc9109a01005f96c3a | acme_inc | True | | 300b2cc45c3846939e589310ae714e46 | admin | True | | a9c27d47441e432c8529f8f30ea3261e | demo | True | | 85a11a1515f94848be7aa5b56adec8bf | services | True | | 31c02925465b4da5b8f18cfaa6fba382 | temp_tenant | True | | 8f6d4710d774466f96858af6fa69aaa3 | vault_tek | True | +----------------------------------+-----------------------------------------------------------------+---------+ -
Display the users that have been created in the system.
[root@controller ~(keystone_admin)]#keystone user-listThe results look like this:
+----------------------------------+------------------+---------+---------------------------+ | id | name | enabled | email | +----------------------------------+------------------+---------+---------------------------+ | e9483918caa940a48fe882ba092c7e0b | admin | True | root@localhost | | ba62896bc6c0474bb552946e097ed71f | aliceanderson | True | | | 489a6706a097475099e5d2d4aa024c11 | bobbarker | True | | | 9b1f9b36d7354b1ea121ccfbae339d8b | ceilometer | True | ceilometer@localhost | | abafc32941b6465885378aa6d5c74a1e | chestercopperpot | True | chester@vault_tek.example | | e96c13b017b341a79808ebc9f04afa98 | cinder | True | cinder@localhost | | 92b130a947e342adb476431b041ed43c | demo | True | | | 6146821b56ed4ca18f82b0f90afd278c | glance | True | glance@localhost | | ff5f550ecf064e65bd45d2d0b91bbdab | neutron | True | neutron@localhost | | d3125ab7d2eb4ba0a23d480eee988419 | nova | True | nova@localhost | | 4c8da8951ad34d4498d534e2efb842ec | swift | True | swift@localhost | +----------------------------------+------------------+---------+---------------------------+ -
Log in to the Horizon interface as
chestercopperpot//fa5tpa55w0rd
- If you have forgotten how to get to Horizon, simply navigate to your FQDN in a web browser
- Once logged in, you should be part of the new project called vault_tek.
-
How can you quickly identify the project that you are a part of in Horizon?
HINT: Look in the upper left corner of your screen.
-
We logged into Horizon in the previous lab, but if you are new to OpenStack, click around, and make sure everything appears as you would expect it to within the OpenStack Horizon dashboard.
OpenStack uses a Role Based Access Control (RBAC) mechanism to manage accesses to resources. Users' roles granted on each project and domain are stored into Keystone, and can be updated through Keystone's API. However, policy enforcement (actually allowing or not the access to resources according to a user's roles) is performed independently in each service, based on the rules defined in each policy.json file.
You assign roles to user-project pairs. Define actions for OpenStack service roles in the /etc/project/policy.json files. For example, define actions for Compute service roles in the /etc/nova/policy.json file.
-
First let us find all of the policy.json files on the system.
[root@controller ~(keystone_admin)]#find / -name 'policy.json'Note that there is a policy for nova, keystone, cinder, glance, neutron, and ceilometer
/etc/nova/policy.json /etc/keystone/policy.json /etc/cinder/policy.json /etc/glance/policy.json /etc/neutron/policy.json /etc/ceilometer/policy.json -
Great! Now let's take a look at what one of these files contains.
[root@controller ~(keystone_admin)]#cat /etc/cinder/policy.json | lessFor students who do not have much experience using the less command:
- Press q to quit - Exit Less utility and return to the CLI
- Press CTRL + F - Forward one window
- Press CTRL + B - Back one window
- Less utility cheat sheet (http://sheet.shiar.nl/less)
The rules contained inside of these files may be customized. Customizing these rules controls who may call on a particular service. For example, maybe you want to create a user that may ONLY create a virtual router with neutron, or ONLY create cinder volumes. This is all made possible with roles.
Each policy is defined by a one-line statement in the form "" : "".
If you want to go on a deep dive concerning defining roles within policy.json, check out the following link: http://docs.openstack.org/kilo/config-reference/content/policy-json-file.html
Here are a few basic examples of syntax usage within policy.json:
"volume:get": "",Means anyone can do a "volume:get": "", that is to say, this empty string means 'always'."volume:get": "rule:admin_api",Means that ONLY admin_api can "volume:get""volume:get": "!",Means NO ONE EVER can "volume:get"{ "context_is_admin": "role:admin", "admin_or_owner": "is_admin:True or project_id:%(project_id)s", "default": "rule:admin_or_owner", "admin_api": "is_admin:True", "volume:create": "", "volume:delete": "", "volume:get": "", "volume:get_all": "", "volume:get_volume_metadata": "", "volume:get_volume_admin_metadata": "rule:admin_api", "volume:delete_volume_admin_metadata": "rule:admin_api", "volume:update_volume_admin_metadata": "rule:admin_api", "volume:get_snapshot": "", "volume:get_all_snapshots": "", "volume:extend": "", "volume:update_readonly_flag": "", "volume:retype": "", "volume_extension:types_manage": "rule:admin_api", "volume_extension:types_extra_specs": "rule:admin_api", "volume_extension:volume_type_access": "", "volume_extension:volume_type_access:addProjectAccess": "rule:admin_api", "volume_extension:volume_type_access:removeProjectAccess": "rule:admin_api", "volume_extension:volume_type_encryption": "rule:admin_api", "volume_extension:volume_encryption_metadata": "rule:admin_or_owner", "volume_extension:extended_snapshot_attributes": "", "volume_extension:volume_image_metadata": "", "volume_extension:quotas:show": "", "volume_extension:quotas:update": "rule:admin_api", "volume_extension:quota_classes": "", "volume_extension:volume_admin_actions:reset_status": "rule:admin_api", "volume_extension:snapshot_admin_actions:reset_status": "rule:admin_api", "volume_extension:backup_admin_actions:reset_status": "rule:admin_api", "volume_extension:volume_admin_actions:force_delete": "rule:admin_api", "volume_extension:volume_admin_actions:force_detach": "rule:admin_api", "volume_extension:snapshot_admin_actions:force_delete": "rule:admin_api", "volume_extension:volume_admin_actions:migrate_volume": "rule:admin_api", "volume_extension:volume_admin_actions:migrate_volume_completion": "rule:admin_api", "volume_extension:volume_host_attribute": "rule:admin_api", "volume_extension:volume_tenant_attribute": "rule:admin_or_owner", "volume_extension:volume_mig_status_attribute": "rule:admin_api", "volume_extension:hosts": "rule:admin_api", "volume_extension:services": "rule:admin_api", "volume_extension:volume_manage": "rule:admin_api", "volume_extension:volume_unmanage": "rule:admin_api", "volume:services": "rule:admin_api", "volume:create_transfer": "", "volume:accept_transfer": "", "volume:delete_transfer": "", "volume:get_all_transfers": "", "volume_extension:replication:promote": "rule:admin_api", "volume_extension:replication:reenable": "rule:admin_api", "backup:create" : "", "backup:delete": "", "backup:get": "", "backup:get_all": "", "backup:restore": "", "backup:backup-import": "rule:admin_api", "backup:backup-export": "rule:admin_api", "snapshot_extension:snapshot_actions:update_snapshot_status": "", "consistencygroup:create" : "group:nobody", "consistencygroup:delete": "group:nobody", "consistencygroup:update": "group:nobody", "consistencygroup:get": "group:nobody", "consistencygroup:get_all": "group:nobody", "consistencygroup:create_cgsnapshot" : "group:nobody", "consistencygroup:delete_cgsnapshot": "group:nobody", "consistencygroup:get_cgsnapshot": "group:nobody", "consistencygroup:get_all_cgsnapshots": "group:nobody", "scheduler_extension:scheduler_stats:get_pools" : "rule:admin_api" } -
To view the current roles available, type the following:
[root@controller ~(keystone_admin)]#keystone role-listThere are two roles you should know about:
The
_member_role, when assigned to a user, allows a user to manage all of the resources within their project (instances, volumes, and so on). If no role is defined, than this default role will be applied.The
adminrole, when assigned to a user, allows the user total control over the entire OpenStack platform.+----------------------------------+---------------+ | id | name | +----------------------------------+---------------+ | 73ac60d79e5d48049781908adbfef45b | ResellerAdmin | | f2db5327b06140d8aeb3beb9ab09ba73 | SwiftOperator | | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | | 6d840affa1c9401d9e883c9c8496c750 | admin | +----------------------------------+---------------+ -
Create a new role called
ultra_adminby typing the following:[root@controller ~(keystone_admin)]#keystone role-create --name ultra_adminRoles are applied when the user is created, and may also be applied after the user is created.
Users may occupy more than one role
+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | a9e79b4e382e4eeca7a13adeadf0a9f2 | | name | ultra_admin | +----------+----------------------------------+ -
Let's give alice the role ultra_admin, so start by obtaining acme_inc's ID
[root@controller ~(keystone_admin)]#keystone tenant-list+----------------------------------+-----------+---------+ | id | name | enabled | +----------------------------------+-----------+---------+ | 57d57fce06ea44d79d2abd6307216600 | acme_inc | True | <- Highlight YOUR id (not the one in THIS example) for acme_inc | 300b2cc45c3846939e589310ae714e46 | admin | True | | a9c27d47441e432c8529f8f30ea3261e | demo | True | | 85a11a1515f94848be7aa5b56adec8bf | services | True | | c4a7843ebc974911aa039fe6191866dc | vault_tek | True | +----------------------------------+-----------+---------+ -
Now assign alice the role of ultra-admin of tenant acme_inc
[root@controller ~(keystone_admin)]#keystone user-role-add --user aliceanderson --role ultra_admin --tenant <INSERT acme_inc id here>There will be no special reward if you get this right, just something like this: /usr/lib/python2.7/site-packages/keystoneclient/shell.py:65: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
-
Confirm that aliceanderson is now a 'ultra_admin'
[root@controller ~(keystone_admin)]#keystone user-role-list --user aliceanderson --tenant <right_click_to_paste_the_tenant_ID_you_highlighted>+----------------------------------+-------------+----------------------------------+----------------------------------+ | id | name | user_id | tenant_id | +----------------------------------+-------------+----------------------------------+----------------------------------+ | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ba62896bc6c0474bb552946e097ed71f | 67f9b771e7f24bcc9109a01005f96c3a | | 10e8b93ef4b1494ebbc82d1195210252 | ultra_admin | ba62896bc6c0474bb552946e097ed71f | 67f9b771e7f24bcc9109a01005f96c3a | +----------------------------------+-------------+----------------------------------+----------------------------------+ -
Of course, aliceanderson being an ultra_admin doesn't really do anything, until we edit the policy.json file so that the role ultra_admin performs the way we want it to, but hopefully roles are clear.
-
Now is a great time to ask the instructor to explain roles if you are still a bit unclear.
-
Manipulating these policy.json files is tricky, but the following link is a great resource with a cool working example if you're looking to know more
-
Earlier in this lab, there was mention of the python-openstackclient. The python-openstackclient is trying to unite all of the OpenStack services on a single platform with a common set of commands. Some admins are using it, and some are not. At the end of the day, there is nothing 'new' you can do within this platform.
The following is a list of the steps you would take to utilize the python-openstackclient in order to create the project 'the_shire', as well as the user 'gandalf'. Provided you have the time, go ahead and try these steps! You'll notice that you do not recieve any deprecation errors when working with the python-openstackclient.
-
SSH into your controller as root (if you are not already)
-
If you are not sourced as admin already, issue the following command:
[root@controller]#source keystonerc_admin -
Start the python-openstackclient
[root@controller ~(keystone_admin)]#openstackWithin the python-openstackclient, you'll be issuing commands as admin since the admin permissions were set when you executed
openstack -
Get a sense of the commands you can issue:
(openstack)helpcompute service list object save token issue | compute service set object show token revoke | console log show project create usage list | console url show project delete usage show | container create project list user create | container delete project set user delete | container list project show user list | container save project usage list user role list | container show quota set user set | ec2 credentials create quota show user show | ec2 credentials delete role add volume create | ec2 credentials list role create volume delete | ec2 credentials show role delete volume list | endpoint create role list volume set | endpoint delete role remove volume show | endpoint list role show volume type create | endpoint show security group create volume type delete | extension list security group delete volume type list | flavor create security group list volume type set | flavor delete security group rule create volume type unset | flavor list security group rule delete volume unset | flavor set security group rule list | flavor show security group set | flavor unset security group show | help server add security group | host list server add volume | host show server create | hypervisor list server delete | hypervisor show server image create | hypervisor stats show server list | image create server lock | image delete server migrate | image list server pause | image save server reboot | image set server rebuild | image show server remove security group | ip fixed add server remove volume -
Issue the following commands to create the project, and then create the user
gandalfwith the passwordnoneshallpass(openstack)project create the_shire(openstack)user create gandalf --project the_shire --password noneshallpass --email [email protected](openstack)exit -
Log in to the Horizon interface as
gandalf//noneshallpass
-
If you have forgotten how to get to Horizon, simply navigate to your FQDN in a web browser
-
The login should work! If it did, good job! If other students are still working, feel free to play around in the python-openstackclient a bit more.