
Re-organized topic hierarchy

Tiny edit to restart review workflow.
Squashed with Resolved index.rst conflict commit

Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5
Signed-off-by: Keane Lim <keane.lim@windriver.com>
Signed-off-by: MCamp859 <maryx.camp@intel.com>
Establish Keystone Credentials from a Linux Account
The preferred method for establishing Keystone credentials is to log in to an LDAP account created using ldapusersetup.
For more information about ldapusersetup, see Create LDAP Linux Accounts.
User accounts created using ldapusersetup have access to the Keystone CLI as part of the shell. To list the available commands, type ? at the command line:
user1@controller-0:~$ ?
awk echo history ls pwd source cat clear
env grep keystone lsudo rm system cd cp
exit ll man openstack scp vim cut export
help lpath env passwd sftp kubectl helm
When a user logs in to an account of this type, they are prompted to store Keystone credentials for the duration of the session:
Pre-store Keystone user credentials for this session? (y/N):y
This invokes a script to obtain the credentials. The user can invoke the same script at any time during the session as follows:
user1@controller-0:~$ source /home/sysadmin/lshell_env_setup
Any Keystone credentials created by the script persist for the duration of the session. This includes credentials added by previous invocations of the script in the same session.
The Keystone Credentials Script
The Keystone credentials script offers the LDAP user name as the default Keystone user name:
Enter Keystone username [user1]:
Enter Keystone user domain name:
It requires the name of the tenant for which the user requires access:
Enter Project name:tenant1
Note
The Keystone user must be a member of a Keystone tenant. This is configured using Keystone.
Enter Project domain name:
It also requires the Keystone user password:
Enter Keystone password:
When the script is run during login, it sets the default Keystone Region Name and Keystone Authentication URL.
Selecting default Keystone Region Name: RegionOne
Selecting default Keystone Authentication URL: http://192.168.204.2:5000/v2.0/
To re-configure your environment run "source ~/lshell_env_setup" in your shell
Keystone credentials preloaded!
If the script is run from the shell after login, it provides an option to change the Keystone Region Name and Keystone Authentication URL.
Alternative Methods for Establishing Keystone Credentials
You can also establish Keystone credentials using the following methods:
Download an OpenStack RC file (openrc.sh) from the Horizon Web interface, and use it to source the required environment. For more information, refer to http://docs.openstack.org.
Note
Only users with a bash shell can source the required environment. This does not apply to users with a limited shell.
Add the required environment variables manually:
- OS_USERNAME: the Keystone user name
- OS_USER_DOMAIN_NAME: the default domain for the user
- OS_PROJECT_NAME: the tenant name
- OS_PROJECT_DOMAIN_NAME: the default domain for the project
- OS_PASSWORD: a clear text representation of the Keystone password
- OS_AUTH_URL: the Keystone Authentication URL
- OS_IDENTITY_API_VERSION: the identity API version
- OS_INTERFACE: the interface
- OS_REGION_NAME: the Keystone Region Name
For security and reliability, add all of the variables.
Provide credentials as command-line options.
user1@controller-0:~$ system --os-username admin --os-password seeCaution host-list
Caution
Providing Keystone credentials as command-line options is not recommended. It creates a security risk, because the supplied credentials are visible in the command-line history.
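The following is an added example, not part of the original page or the product's own scripts, for the manual environment-variable method above: it checks that all nine listed variables are set and reads the password with terminal echo off instead of passing it with --os-password. The function names and the KEYSTONE_VARS variable are hypothetical, and it assumes a full shell (sh or bash) with stty available.

```shell
#!/bin/sh
# Added example. The nine names come from the list above; the function
# names and KEYSTONE_VARS are hypothetical.
KEYSTONE_VARS="OS_USERNAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME \
OS_PROJECT_DOMAIN_NAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION \
OS_INTERFACE OS_REGION_NAME"

# Print the name of every variable that is unset or empty, one per line.
# Returns 0 when all nine are present, 1 otherwise. Values are never printed.
keystone_missing_vars() {
    missing=0
    for name in $KEYSTONE_VARS; do
        eval "value=\${$name:-}"   # names are fixed constants, not user input
        if [ -z "$value" ]; then
            printf '%s\n' "$name"
            missing=1
        fi
    done
    unset value
    return "$missing"
}

# Read the password from standard input and export it as OS_PASSWORD.
# On a terminal, echo is switched off while typing, so the password is not
# shown on screen and never becomes part of a command line or its history.
keystone_read_password() {
    printf 'Enter Keystone password: ' >&2
    if [ -t 0 ]; then
        stty -echo
        trap 'stty echo' INT TERM   # restore echo if interrupted
        IFS= read -r OS_PASSWORD
        stty echo
        trap - INT TERM
        printf '\n' >&2
    else
        IFS= read -r OS_PASSWORD
    fi
    export OS_PASSWORD
}

# Remove all nine variables, including the clear-text password,
# from the current session.
keystone_clear_env() {
    for name in $KEYSTONE_VARS; do
        unset "$name"
    done
}
```

Source the file, export the other eight variables, call keystone_read_password, and run keystone_missing_vars before the first system or openstack command.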