Only users with admin credentials can administer users, tenants and roles. You can configure the python-keystoneclient with admin credentials through either the authentication token, or the username and password method.
To use keystone client using token auth, set the following flags:
--endpoint SERVICE_ENDPOINT
. The keystone endpoint to communicate with. The default endpoint is http://localhost:35357/v2.0'.
--token SERVICE_TOKEN
. The administrator service token.
--username OS_USERNAME
. The administrator username.
--password OS_PASSWORD
. The administrator password
--tenant_name OS_TENANT_NAME
. The tenant name.
--auth_url OS_AUTH_URL
. The URL of the keystone auth server, for example http://localhost:5000/v2.0'.
Use the following keystone parameters, in combination, to specify the version of the API to use:
--os-endpoint
. The keystone
client detects the version of the API from this parameter.
--os-url
. Specifies the service URL from the service catalog lookup.
--os-identity-api-version
. Specifies the Identity Service API version.
For example, the following parameters indicate the use of API v3:
--os-url "http://15.253.57.115:35357/v3" --os-identity-api-version 3
The following parameters indicate the use of API v2.0:
--os-url "http://15.253.57.115:35357/v2.0" --os-identity-api-version 2.0
The keystone
client is set up to expect commands in the general form of keystone
command
argument
, followed by flag-like keyword arguments to provide additional (often optional) information. For example, the command user-list
and tenant-create
can be invoked as follows:
# Using token auth env variables export SERVICE_ENDPOINT=http://127.0.0.1:5000/v2.0/ export SERVICE_TOKEN=secrete_token keystone user-list keystone tenant-create --name=demo # Using token auth flags keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ user-list keystone --token=secrete --endpoint=http://127.0.0.1:5000/v2.0/ tenant-create --name=demo # Using user + password + tenant_name env variables export OS_USERNAME=admin export OS_PASSWORD=secrete export OS_TENANT_NAME=admin keystone user-list keystone tenant-create --name=demo # Using user + password + tenant_name flags keystone --username=admin --password=secrete --tenant_name=admin user-list keystone --username=admin --password=secrete --tenant_name=admin tenant-create --name=demo
A tenant is a group of zero or more users. In nova, a tenant owns virtual machines. In swift, a tenant owns containers. Users can be associated with more than one tenant. Each tenant and user pairing can have a role associated with it.
keyword arguments
name
description (optional, defaults to None)
enabled (optional, defaults to True)
The following command creates a tenant named demo:
keystone tenant-create --name=demo
keyword arguments:
name
pass
default_tenant (optional, defaults to None)
enabled (optional, defaults to True)
example:
keystone user-create --name=admin \ --pass=secrete \ --email=admin@example.com
list users in the system, optionally by a specific tenant (identified by tenant_id)
arguments
tenant_id (optional, defaults to None)
example:
keystone user-list
arguments
user_id
example:
keystone user-update --email 03c84b51574841ba9a0d8db7882ac645 "someone@somewhere.com"
arguments
role_id
user_id
tenant_id
example:
keystone add-user-role \ 3a751f78ef4c412b827540b829e2d7dd \ 03c84b51574841ba9a0d8db7882ac645 \ 20601a7f1d94447daa4dff438cb1c209
keyword arguments
name
type
description
example:
keystone service create \ --name=nova \ --type=compute \ --description="Nova Compute Service"