Diffstat (limited to 'keystone-moon/doc/source/configuringservices.rst')
-rw-r--r-- keystone-moon/doc/source/configuringservices.rst 76
1 files changed, 74 insertions, 2 deletions
diff --git a/keystone-moon/doc/source/configuringservices.rst b/keystone-moon/doc/source/configuringservices.rst
index 3ffa13e7..40fe03a2 100644
--- a/keystone-moon/doc/source/configuringservices.rst
+++ b/keystone-moon/doc/source/configuringservices.rst
@@ -38,8 +38,80 @@ The middleware will pass those data down to the service as headers. More
details on the architecture of that setup is described in the
`authentication middleware documentation`_.
-Setting up credentials
-======================
+Setting up credentials with ``keystone-manage bootstrap``
+=========================================================
+
+Setting up projects, users, and roles
+-------------------------------------
+
+The ``keystone-manage bootstrap`` command will create a user, project and role,
+and will assign the newly created role to the newly created user on the newly
+created project. By default, the names of these new resources will be called
+``admin``.
+
+The defaults may be overridden by calling ``--bootstrap-username``,
+``--bootstrap-project-name`` and ``--bootstrap-role-name``. Each of these have
+an environment variable equivalent: ``OS_BOOTSTRAP_USERNAME``,
+``OS_BOOTSTRAP_PROJECT_NAME`` and ``OS_BOOTSTRAP_ROLE_NAME``.
+
+A user password must also be supplied. This can be passed in as either
+``--bootstrap-password``, or set as an environment variable using
+``OS_BOOTSTRAP_PASSWORD``.
+
+Optionally, if specified by ``--bootstrap-public-url``,
+``--bootstrap-admin-url`` and/or ``--bootstrap-internal-url`` or the equivalent
+environment variables, the command will create an identity service with the
+specified endpoint information. You may also configure the
+``--bootstrap-region-id`` and ``--bootstrap-service-name`` for the endpoints to
+your deployment's requirements.
+
+.. NOTE::
+
+ It is strongly encouraged to configure the identity service and its
+ endpoints while bootstrapping keystone.
+
+Minimally, keystone can be bootstrapped with:
+
+.. code-block:: bash
+
+ $ keystone-manage bootstrap --bootstrap-password s3cr3t
+
+Verbosely, keystone can be bootstrapped with:
+
+.. code-block:: bash
+
+ $ keystone-manage bootstrap --bootstrap-password s3cr3t
+ --bootstrap-username admin \
+ --bootstrap-project-name admin \
+ --bootstrap-role-name admin \
+ --bootstrap-service-name keystone \
+ --bootstrap-region-id RegionOne \
+ --bootstrap-admin-url http://localhost:35357 \
+ --bootstrap-public-url http://localhost:5000 \
+ --bootstrap-internal-url http://localhost:5000
+
+This will create an ``admin`` user with the ``admin`` role on the ``admin``
+project. The user will have the password specified in the command. Note that
+both the user and the project will be created in the ``default`` domain. By not
+creating an endpoint in the catalog users will need to provide endpoint
+overrides to perform additional identity operations.
+
+By creating an ``admin`` user and an identity endpoint deployers may
+authenticate to keystone and perform identity operations like creating
+additional services and endpoints using that ``admin`` user. This will preclude
+the need to ever use or configure the ``admin_token`` (described below).
+
+To test a proper configuration, a user can use OpenStackClient CLI:
+
+.. code-block:: bash
+
+ $ openstack project list --os-username admin --os-project-name admin \
+ --os-user-domain-id default --os-project-domain-id default \
+ --os-identity-api-version 3 --os-auth-url http://localhost:5000 \
+ --os-password s3cr3t
+
+Setting up credentials with Admin Token
+=======================================
Admin Token
-----------
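Review bot: The verbose example is missing the line continuation after `--bootstrap-password s3cr3t` on its first line, so when copied as written the shell runs the minimal bootstrap and then tries to execute `--bootstrap-username admin ...` as a separate command; add a trailing `\` to that line. Both bootstrap examples and the `openstack project list` check also put the password on the command line (`--bootstrap-password s3cr3t`, `--os-password s3cr3t`), where it ends up in shell history and is visible in the process list. Since the text already documents `OS_BOOTSTRAP_PASSWORD`, the examples should use the environment variable, or at least say that it is preferred outside a throwaway setup. The paragraph beginning "This will create an ``admin`` user" follows the verbose example, which does create endpoints, yet its last sentence ("By not creating an endpoint in the catalog ...") describes the minimal invocation; move it under the minimal example or reword it. Minor wording: "Each of these have" should be "has", and the options are passed, not called.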