Configuring Keystone administration and users

To configure Keystone for client authentication, you must first configure the Keystone administration and users.

Configuring Keystone administration

  1. Create or select a Keystone project for REST services. You can create a project or use an existing project such as the "service" project. To create a new project, enter the following command:
    openstack project create project_name
    where project_name is the name of the new project.
  2. Create or select a user that other users can communicate with for token validation. If you create a new user, specify a password for it. Enter a command like the following one to create a user:
    openstack user create user_name --password password
    where user_name is the user and password is the password.
  3. Assign the user an administration role within the project. Enter a command like the following one:
    openstack role add --user user_name --project project admin
    where user_name is the user and project is the project.
Configuring the Keystone administration is complete.

Configuring Keystone users

  1. Create user roles for REST API users. The commands in the following example create roles that will be configured for read-only access and read/write access:
    openstack role create rest_ro
    openstack role create rest_rw
  2. Create REST API users. The commands in the following example create two users, restuser1 and restuser2:
    openstack user create restuser1 --password password1
    openstack user create restuser2 --password password2
  3. Create or select a project for REST API users. To create a project, enter the following command:
    openstack project create project_name
    where project_name is the project.
  4. Add REST API users to the project and specify a role for each user. To add a user, enter the following command:
    openstack role add --user user_id --project project role
    where user_id is the user ID, project is the project, and role is the role. In the following example, two users are added to the restusers project with a read-only or read/write role:
    openstack role add --user restuser1 --project restusers rest_ro
    openstack role add --user restuser2 --project restusers rest_rw
Configuring the Keystone users is complete.
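
The following shell function is an added example, not part of the original documentation. It audits the role assignments that this procedure creates and flags any user who holds the admin role in the REST users project, holds both rest_ro and rest_rw, or holds a role other than those two. It assumes the input is the output of `openstack role assignment list --names -f value -c Role -c User -c Project` with the columns in the order Role, User, Project; the sample lines and the svcuser name are constructed.

```shell
#!/usr/bin/env bash
# Added example: least-privilege audit of the REST API role assignments.
# Live input (column order Role, User, Project is an assumption):
#   openstack role assignment list --project restusers --names \
#       -f value -c Role -c User -c Project | audit_rest_roles restusers

# audit_rest_roles PROJECT
# Reads "role user project" lines on stdin and prints one finding per line:
#   ADMIN user            user holds admin in the REST users project
#   BOTH user             user holds rest_ro and rest_rw at the same time
#   UNEXPECTED user role  user holds a role other than rest_ro or rest_rw
audit_rest_roles() {
    awk -v proj="$1" '
    {
        role = $1; user = $2; project = $3
        sub(/@.*/, "", user)       # drop the "@domain" suffix added by --names
        sub(/@.*/, "", project)
        if (project != proj) next  # ignore assignments in other projects
        if (role == "admin")        print "ADMIN " user
        else if (role == "rest_ro") ro[user] = 1
        else if (role == "rest_rw") rw[user] = 1
        else                        print "UNEXPECTED " user " " role
    }
    END {
        for (u in ro) if (u in rw) print "BOTH " u
    }' | sort
}

# Constructed sample: restuser1 was given both roles and restuser2 was
# given admin by mistake; svcuser is the token validation user in "service".
SAMPLE='rest_ro restuser1@Default restusers@Default
rest_rw restuser2@Default restusers@Default
rest_rw restuser1@Default restusers@Default
admin restuser2@Default restusers@Default
admin svcuser@Default service@Default'

printf '%s\n' "$SAMPLE" | audit_rest_roles restusers
```

An empty result means every assignment in the project is exactly one of rest_ro or rest_rw per user.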