Creating OpenStack identity service authentication realms for the blueprint designer

You can use an authentication realm to import user accounts from an OpenStack server to the blueprint design server. You must specify the URL and account information for the Keystone identity service.

Before you begin

Install an engine for the OpenStack server. See Installing engines.

About this task

These steps assume that you have user accounts on the OpenStack server and are managing user authentication on that server. To manage authentication through another source, create functional IDs on the OpenStack server and add those IDs to a cloud project, as described in Creating cloud projects for the blueprint designer.

If your OpenStack identity service uses API v3 and contains multiple domains, you must create an authentication realm for each domain.

Procedure

  1. Log in to the blueprint designer as a user with the following permissions:
    • Configure Security
    • Manage Users & Groups
  2. Click Settings > Users.
  3. Click Create New Realm.
  4. Specify a name and description for the new authentication realm.
    Note: If your OpenStack identity service uses API v3, include the domain name in the authentication realm.
  5. In the Allowed Login Attempts list, specify the number of times that a user can attempt to log in before the account is locked. A blank value means that an unlimited number of attempts is allowed.
  6. In the Type list, select OpenStack Identity Service.
  7. In the OpenStack Identity Service section, in the Identity URL field, specify the location of the identity service, such as https://example.com:5000/v2.0 or https://example.com:5000/v3.
  8. Specify the Heat orchestration engine to use:
    • To use the default Heat engine for the OpenStack cloud, select the Use default orchestration engine check box.
      Note: This engine must have the custom types for the blueprint design server as described in Extending Heat orchestration engines.
    • To use a different Heat engine, such as an engine that you installed through Installing engines, clear the Use default orchestration engine check box and specify the location of your engine, such as http://engine.example.com:8004.
      Note: Do not use the localhost variable in this field, even if the engine is on the same system as the blueprint design server.
  9. Specify the administrator user name, password, and tenant or project for the OpenStack server.
    Note: If your OpenStack identity service uses API v3, specify the administrator user name, password, and tenant or project for a domain on the OpenStack server.
    Note: This administrator user must be a member of each tenant that you want to use.
  10. If your OpenStack identity service uses API v3, enter the domain to which the specified administrator user belongs. If your OpenStack identity service uses API v2.0, accept the default value.
  11. Click Save. The new realm opens, showing the table of users.
  12. Click Users, and then click Import User to import users from the authentication realm. If your OpenStack identity service uses API v2.0, all users on the server are imported. If your OpenStack identity service uses API v3, only the users from the specified domain are imported.
    Note: If you cannot import users, click Edit, and then click Test Connection to view the failure details.
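
The realm fields in steps 7 to 10 correspond to a Keystone password-authentication request, so a failed Test Connection can be narrowed down by checking the URLs and building that request outside the product. The following is an added example, not code from the product; the function names are hypothetical, the project is assumed to be in the same domain as the administrator user, and loopback IP addresses are treated like localhost as an added assumption.

```python
from urllib.parse import urlsplit

LOOPBACK = ("localhost", "::1")  # loopback IPs included as an added assumption


def check_urls(identity_url, engine_url=None):
    """Return a list of problems with the Identity URL and the engine URL."""
    problems = []
    ident = urlsplit(identity_url)
    if ident.scheme != "https":
        problems.append("identity URL is not https; the admin password is exposed in transit")
    if not ident.path.rstrip("/").endswith(("/v2.0", "/v3")):
        problems.append("identity URL must end in /v2.0 or /v3")
    if engine_url is not None:
        host = urlsplit(engine_url).hostname or ""
        if host in LOOPBACK or host.startswith("127."):
            problems.append("engine URL must not point at localhost")
    return problems


def build_token_request(identity_url, user, password, project, domain=None):
    """Map the realm fields to (endpoint, JSON body) for Keystone password auth."""
    base = identity_url.rstrip("/")
    if base.endswith("/v3"):
        if not domain:
            raise ValueError("API v3 requires the administrator's domain")
        dom = {"name": domain}  # assumption: project is in the admin's domain
        identity = {"methods": ["password"],
                    "password": {"user": {"name": user, "domain": dom,
                                          "password": password}}}
        scope = {"project": {"name": project, "domain": dom}}
        return base + "/auth/tokens", {"auth": {"identity": identity, "scope": scope}}
    if base.endswith("/v2.0"):
        creds = {"username": user, "password": password}
        return base + "/tokens", {"auth": {"tenantName": project,
                                           "passwordCredentials": creds}}
    raise ValueError("identity URL must end in /v2.0 or /v3")


if __name__ == "__main__":
    # Constructed sample values; example.com hosts are the page's placeholders.
    print(check_urls("https://example.com:5000/v3", "http://localhost:8004"))
    endpoint, body = build_token_request(
        "https://example.com:5000/v3", "admin", "not-a-real-password", "demo", "Default")
    print(endpoint, sorted(body["auth"]))
```

Sending the body as JSON in a POST to the returned endpoint reproduces the login outside the product; an HTTP 401 response points at the credentials, project, or domain rather than at the blueprint design server.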

Results

The blueprint design server creates an authentication realm and cloud connection based on the cloud information that you specified. The blueprint design server also creates a cloud project for each tenant or project on the cloud.

What to do next

