@kentarosasaki
Last active August 29, 2015 14:23
Keystone v3 APIを使ってOpenStackにテナント(プロジェクト)の管理者の概念を導入する ref: http://qiita.com/kentarosasaki/items/a6dc61b52f2386889789
# List every role defined in Keystone (ID and name).
openstack role list
+----------------------------------+---------------+
| ID | Name |
+----------------------------------+---------------+
| 69a12bb20a6b4d40a6aa3976341e94b8 | _member_ |
| e119fa409edb46738b3832430122a6fe | project_admin |
| ebf755abf62641d386335070d561ac5b | admin |
+----------------------------------+---------------+
# List all projects together with their domain, description and enabled flag.
openstack project list --long
+----------------------------------+---------+-----------+----------------+---------+
| ID | Name | Domain ID | Description | Enabled |
+----------------------------------+---------+-----------+----------------+---------+
| 5e312dd75687441ca66afd1928994a28 | admin | default | Admin Tenant | True |
| cadcece515464528baedcb84efab7ba7 | demo | default | | True |
| d91fb8307105471da67128f5bfcff118 | service | default | Service Tenant | True |
+----------------------------------+---------+-----------+----------------+---------+
# Give demo_user the _member_ role on the demo project.
openstack role add --project=demo --user=demo_user _member_
# Find demo_user's row (and therefore its user ID) among the users of the default domain.
openstack user list --domain=default | grep demo_user
| 84790aef5e6a702c0ec31b0f9d4a6eee03e79b366c163be412cd99ac1ac6712f | demo_user |
# Show the role assignments that reference demo_user's ID; the row below pairs
# the _member_ role ID with the demo project ID from the listings above.
openstack role assignment list | grep 84790aef5e6a702c0ec31b0f9d4a6eee03e79b366c163be412cd99ac1ac6712f
| 69a12bb20a6b4d40a6aa3976341e94b8 | 84790aef5e6a702c0ec31b0f9d4a6eee03e79b366c163be412cd99ac1ac6712f | | cadcece515464528baedcb84efab7ba7 | |
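# Create the project_admin role through the legacy keystone CLI, authenticating
# with the service token instead of a user account.
# NOTE(review): --os-token places the token on the command line, where process
# listings and shell history can expose it; keep its use to initial setup.
keystone --os-token "${OS_SERVICE_TOKEN}" --os-endpoint "${OS_SERVICE_ENDPOINT}" role-create --name project_admin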
# Install python-openstackclient (stable/kilo branch) from source under /opt
# and alias `openstack` to the copy that runs through the project's wrapper.
# Become root; every command below runs in root's login shell.
sudo su -
# Build prerequisites for the client's Python dependencies.
apt-get install python-dev libffi-dev
cd /opt
# NOTE(review): the checkout below follows a moving branch rather than a fixed
# tag or commit, and the fetched code is then executed as root by the install
# steps; pin a reviewed tag or commit where reproducibility matters.
git clone https://github.com/openstack/python-openstackclient.git
cd python-openstackclient
git checkout stable/kilo
# presumably creates the project's virtualenv; install_venv.py is not shown here
python ./tools/install_venv.py
# Run the install through the project's with_venv.sh wrapper.
./tools/with_venv.sh python setup.py install
# Persist an alias so `openstack` is run via with_venv.sh. After `sudo su -`
# this is appended to root's ~/.bashrc, not the invoking user's.
echo "alias openstack='/opt/python-openstackclient/tools/with_venv.sh openstack'" >> ~/.bashrc
source ~/.bashrc
diff policy.json policy.json.orig
28c28
< "identity:get_domain": "rule:admin_required or role:project_admin",
---
> "identity:get_domain": "rule:admin_required",
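Review bot: On the edited (`<`) side, `role:project_admin` is accepted for `identity:get_domain` with no project or domain match, so a user holding that role on any single project passes the check for every domain. The same unscoped clause appears in the later hunks for `get_project`, `list_projects`, `list_user_projects`, `get_user`, `list_users`, `get_role`, `list_roles`, `list_grants` and `list_role_assignments`, which together let every project admin read the deployment's full user, project and role-assignment inventory. Where the call has a single target, reuse the scoping this policy already applies to `update_project`, for example `"identity:get_project": "rule:admin_required or (project_id:%(target.project.id)s and role:project_admin)"`. For the list calls, cross-project visibility should be a stated decision rather than a side effect of the rule.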
34,36c34,36
< "identity:get_project": "rule:admin_required or role:project_admin",
< "identity:list_projects": "rule:admin_required or role:project_admin",
< "identity:list_user_projects": "rule:admin_or_owner or role:project_admin",
---
> "identity:get_project": "rule:admin_required",
> "identity:list_projects": "rule:admin_required",
> "identity:list_user_projects": "rule:admin_or_owner",
38c38
< "identity:update_project": "rule:admin_required or (project_id:%(target.project.id)s and role:project_admin)",
---
> "identity:update_project": "rule:admin_required",
41,42c41,42
< "identity:get_user": "rule:admin_required or role:project_admin",
< "identity:list_users": "rule:admin_required or role:project_admin",
---
> "identity:get_user": "rule:admin_required",
> "identity:list_users": "rule:admin_required",
70,71c70,71
< "identity:get_role": "rule:admin_required or role:project_admin",
< "identity:list_roles": "rule:admin_required or role:project_admin",
---
> "identity:get_role": "rule:admin_required",
> "identity:list_roles": "rule:admin_required",
77,79c77,79
< "identity:list_grants": "rule:admin_required or role:project_admin",
< "identity:create_grant": "rule:admin_required or (project_id:%(target.project.id)s and role:project_admin)",
< "identity:revoke_grant": "rule:admin_required or (project_id:%(target.project.id)s and role:project_admin)",
---
> "identity:list_grants": "rule:admin_required",
> "identity:create_grant": "rule:admin_required",
> "identity:revoke_grant": "rule:admin_required",
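Review bot: The new `create_grant` and `revoke_grant` rules check which project the grant applies to but not which role is granted or revoked, so a project_admin can hand out any role on their own project, `admin` included. The definition of `admin_required` is not shown; if it is a bare role check with no project match, an `admin` grant made this way would satisfy every `rule:admin_required` in this file. Limit the roles a project_admin may assign, for instance by appending a role condition such as `and not 'admin':%(target.role.name)s` to both rules (this assumes the grant target exposes the role name in this Keystone release, which should be verified), and cover it with a test that a project_admin's attempt to grant `admin` is refused.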
81c81
< "identity:list_role_assignments": "rule:admin_required or role:project_admin",
---
> "identity:list_role_assignments": "rule:admin_required",
"identity:update_project": "rule:admin_required or (project_id:%(target.project.id)s and role:project_admin)",
# Restart Keystone, presumably so that the edited policy.json takes effect.
service keystone restart
# Client environment for calling Keystone through the v3 API, scoped to the
# demo project in the default domain. Replace each <...> placeholder with a
# real value before use; as written the shell would parse them as redirections.
export OS_REGION_NAME=<Region Name>
export OS_TENANT_NAME=demo
export OS_USERNAME=<User Name>
# NOTE(review): a password exported here is inherited by every child process
# and, if typed inline, lands in shell history; prefer an rc file readable only
# by its owner and sourced when needed.
export OS_PASSWORD=<User Password>
# NOTE(review): plain http, so the password and the issued tokens cross the
# network unencrypted; use an https endpoint where one is available.
export OS_AUTH_URL=http://<Keystone Endpoint>:5000/v3
# Select the Identity v3 API and the default domain for both project and user.
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
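# Register the Identity v3 service and its endpoints with the legacy keystone
# CLI, authenticating with the service token.
# Expects OS_SERVICE_TOKEN, OS_SERVICE_ENDPOINT, REGION and KEYSTONE_ENDPOINT
# to be set beforehand.
# NOTE(review): --os-token places the token on the command line, where process
# listings and shell history can expose it; keep its use to initial setup.
keystone --os-token "${OS_SERVICE_TOKEN}" --os-endpoint "${OS_SERVICE_ENDPOINT}" \
  service-create --name keystonev3 --type identityv3 \
  --description "OpenStack Identity v3"

# Look the new service's ID up once, and skip endpoint creation if it cannot be
# found rather than passing an empty --service-id.
identityv3_service_id=$(keystone --os-token "${OS_SERVICE_TOKEN}" --os-endpoint "${OS_SERVICE_ENDPOINT}" \
  service-list | awk '/ identityv3 / {print $2}')

if [ -z "${identityv3_service_id}" ]; then
  echo "identityv3 service not found; endpoint not created" >&2
else
  # NOTE(review): all three URLs, including the admin URL on port 35357, are
  # plain http, so credentials and tokens sent to them are unencrypted on the
  # wire; register https URLs where TLS is available.
  keystone --os-token "${OS_SERVICE_TOKEN}" --os-endpoint "${OS_SERVICE_ENDPOINT}" \
    endpoint-create --region="${REGION}" \
    --service-id="${identityv3_service_id}" \
    --publicurl="http://${KEYSTONE_ENDPOINT}:5000/v3" \
    --internalurl="http://${KEYSTONE_ENDPOINT}:5000/v3" \
    --adminurl="http://${KEYSTONE_ENDPOINT}:35357/v3"
fi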