Last active
August 29, 2015 14:23
Introducing the concept of a tenant (project) administrator to OpenStack using the Keystone v3 API ref: http://qiita.com/kentarosasaki/items/a6dc61b52f2386889789
openstack role list
+----------------------------------+---------------+
| ID                               | Name          |
+----------------------------------+---------------+
| 69a12bb20a6b4d40a6aa3976341e94b8 | _member_      |
| e119fa409edb46738b3832430122a6fe | project_admin |
| ebf755abf62641d386335070d561ac5b | admin         |
+----------------------------------+---------------+
openstack project list --long
+----------------------------------+---------+-----------+----------------+---------+
| ID                               | Name    | Domain ID | Description    | Enabled |
+----------------------------------+---------+-----------+----------------+---------+
| 5e312dd75687441ca66afd1928994a28 | admin   | default   | Admin Tenant   | True    |
| cadcece515464528baedcb84efab7ba7 | demo    | default   |                | True    |
| d91fb8307105471da67128f5bfcff118 | service | default   | Service Tenant | True    |
+----------------------------------+---------+-----------+----------------+---------+
openstack role add --project=demo --user=demo_user _member_
openstack user list --domain=default | grep demo_user
| 84790aef5e6a702c0ec31b0f9d4a6eee03e79b366c163be412cd99ac1ac6712f | demo_user |
openstack role assignment list | grep 84790aef5e6a702c0ec31b0f9d4a6eee03e79b366c163be412cd99ac1ac6712f
| 69a12bb20a6b4d40a6aa3976341e94b8 | 84790aef5e6a702c0ec31b0f9d4a6eee03e79b366c163be412cd99ac1ac6712f | | cadcece515464528baedcb84efab7ba7 | |
keystone --os-token ${OS_SERVICE_TOKEN} --os-endpoint ${OS_SERVICE_ENDPOINT} role-create --name project_admin
sudo su -
apt-get install python-dev libffi-dev
cd /opt
git clone https://github.com/openstack/python-openstackclient.git
cd python-openstackclient
git checkout stable/kilo
python ./tools/install_venv.py
./tools/with_venv.sh python setup.py install
echo "alias openstack='/opt/python-openstackclient/tools/with_venv.sh openstack'" >> ~/.bashrc
source ~/.bashrc
diff policy.json policy.json.orig
28c28 | |
< "identity:get_domain": "rule:admin_required or role:project_admin", | |
--- | |
> "identity:get_domain": "rule:admin_required", | |
34,36c34,36 | |
< "identity:get_project": "rule:admin_required or role:project_admin", | |
< "identity:list_projects": "rule:admin_required or role:project_admin", | |
< "identity:list_user_projects": "rule:admin_or_owner or role:project_admin", | |
--- | |
> "identity:get_project": "rule:admin_required", | |
> "identity:list_projects": "rule:admin_required", | |
> "identity:list_user_projects": "rule:admin_or_owner", | |
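Review bot: the new `identity:list_user_projects` rule ORs the ownership check `rule:admin_or_owner` with an unscoped `role:project_admin`, so a token carrying project_admin on any one project passes it for any user; `identity:get_project` and `identity:list_projects` in the same hunk are unscoped in the same way. If the intent is a per-project administrator, scope `identity:get_project` the way `identity:update_project` is scoped, with `project_id:%(target.project.id)s and role:project_admin`, and leave `identity:list_user_projects` at `rule:admin_or_owner`.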
38c38 | |
< "identity:update_project": "rule:admin_required or (project_id:%(target.project.id)s and role:project_admin)", | |
--- | |
> "identity:update_project": "rule:admin_required", | |
41,42c41,42 | |
< "identity:get_user": "rule:admin_required or role:project_admin", | |
< "identity:list_users": "rule:admin_required or role:project_admin", | |
--- | |
> "identity:get_user": "rule:admin_required", | |
> "identity:list_users": "rule:admin_required", | |
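Review bot: `identity:get_user` and `identity:list_users` gain `role:project_admin` with no project or domain condition, so a project_admin of a single project can read and enumerate every user, not only the members of that project. If that read access is intended, record it in a comment or in the accompanying write-up; otherwise narrow the rule so it only matches users the caller's project is allowed to see.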
70,71c70,71 | |
< "identity:get_role": "rule:admin_required or role:project_admin", | |
< "identity:list_roles": "rule:admin_required or role:project_admin", | |
--- | |
> "identity:get_role": "rule:admin_required", | |
> "identity:list_roles": "rule:admin_required", | |
77,79c77,79 | |
< "identity:list_grants": "rule:admin_required or role:project_admin", | |
< "identity:create_grant": "rule:admin_required or (project_id:%(target.project.id)s and role:project_admin)", | |
< "identity:revoke_grant": "rule:admin_required or (project_id:%(target.project.id)s and role:project_admin)", | |
--- | |
> "identity:list_grants": "rule:admin_required", | |
> "identity:create_grant": "rule:admin_required", | |
> "identity:revoke_grant": "rule:admin_required", | |
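Review bot: `identity:create_grant` and `identity:revoke_grant` check the target project and the caller's role but not the role being granted or revoked, so a project_admin can assign any role on the project, including `admin`, and can remove an existing administrator's grant. Add a condition that limits the grantable roles (for example to `_member_` and `project_admin`), and give `identity:list_grants` the same `project_id:%(target.project.id)s` scoping, since its `role:project_admin` term is currently unscoped.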
81c81 | |
< "identity:list_role_assignments": "rule:admin_required or role:project_admin", | |
--- | |
> "identity:list_role_assignments": "rule:admin_required", |
"identity:update_project": "rule:admin_required or (project_id:%(target.project.id)s and role:project_admin)",
service keystone restart
export OS_REGION_NAME=<Region Name>
export OS_TENANT_NAME=demo
export OS_USERNAME=<User Name>
export OS_PASSWORD=<User Password>
export OS_AUTH_URL=http://<Keystone Endpoint>:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
keystone --os-token ${OS_SERVICE_TOKEN} --os-endpoint ${OS_SERVICE_ENDPOINT} service-create --name keystonev3 --type identityv3 --description "OpenStack Identity v3"
keystone --os-token ${OS_SERVICE_TOKEN} --os-endpoint ${OS_SERVICE_ENDPOINT} endpoint-create \
  --region=${REGION} \
  --service-id=$(keystone --os-token ${OS_SERVICE_TOKEN} --os-endpoint ${OS_SERVICE_ENDPOINT} service-list | awk '/ identityv3 / {print $2}') \
  --publicurl=http://${KEYSTONE_ENDPOINT}:5000/v3 \
  --internalurl=http://${KEYSTONE_ENDPOINT}:5000/v3 \
  --adminurl=http://${KEYSTONE_ENDPOINT}:35357/v3