+++ date = "2015-09-30" draft = false weight = 4 title = "Lab 04 - Keystone" +++
The objective of this lab is to further your understanding of OpenStack Identity service (Keystone). Having appropriate credentials is required if you wish to use any CLI tools to query on the OpenStack services.
To use an OpenStack cloud, you need to authenticate against the Identity service Keystone (which returns a Token and the Service Catalog). To request an authentication token, you must supply a payload of credentials in the authentication request. Credentials are usually a combination of your user name and password, and optionally, the name or ID of the tenant in which your cloud runs. When you send API requests, you include the token in an HTTP header called the "X-Auth-Token" header.
If you access multiple OpenStack services, you must get a token for each service. A token is valid for a limited time before it expires. A token can also become invalid for other reasons. For example, if the roles for a user change, existing tokens for that user are invalid. Credentials allow OpenStack services to determine where your service endpoints and your authentication information are located.
- SSH to your controller as root, you might use:
-
Your browser (https://sshproxy.alta3.training/)
Once logged into the browser, type
screen -x <last initial><first initial>
to return to your previous session -
Alternative, you may use PuTTY (Windows), or Terminal (Apple)
-
Once logged into the controller, type the following command (it won't work!):
[root@controller ~]#
nova flavor-list
This command will result in an error. Consider why. Nova doesn't know who you are.
- Does nova know that you have permissions to issue flavor-list?
- Consider how Horizon works. Does ALWAYS Horizon know who you are?
- HINT: To use Horizon, you have to login as a user (admin, aliceanderson, bobbarker, etc.)
-
Let's try another command that won't work!
[root@controller ~]#
keystone tenant-list
Another error!? That's alright... Keystone doesn't know who you are. Do you have permissions to view the current tenants?
-
At the moment, we are not focused on what the flavor-list command is. We are only focusing on the permissions required to issue that command successfully without an error.
[root@controller ~]#
nova --os-auth-url=http://192.168.0.10:5000/v2.0 --os-tenant-name=admin --os-user-name=admin --os-password=alta3 flavor-list
+----+----------------+-----------+------+-----------+------+-------+-------------+-----------+ | ID | Name | Memory_MB | Disk | Ephemeral | Swap | VCPUs | RXTX_Factor | Is_Public | +----+----------------+-----------+------+-----------+------+-------+-------------+-----------+ | 1 | m1.tiny | 512 | 1 | 0 | | 1 | 1.0 | True | | 2 | m1.small | 2048 | 20 | 0 | | 1 | 1.0 | True | | 3 | m1.medium | 4096 | 40 | 0 | | 2 | 1.0 | True | | 4 | m1.large | 8192 | 80 | 0 | | 4 | 1.0 | True | | 5 | m1.xlarge | 16384 | 160 | 0 | | 8 | 1.0 | True | +----+----------------+-----------+------+-----------+------+-------+-------------+-----------+
Only now should the available flavors be displayed. That is because the above command included values of environmental variables that disclose your permissions. Nova can use this information to make an API call to the Keystone service and determine if you (admin) have sufficient permissions to execute the command (flavor-list)
-
So it worked, but we had to include a long list of environmental variables. If you'd like, trying using just Nova flavor-list again (without the --flags).
[root@controller ~]#
nova flavor-list
Once again, it didn't work. What you're finding is that you need to include these environmental variables every time you issue commands to manipulate your OpenStack cloud.
-
Try typing the following commands to understand the above environmental variables better:
"nova -h" will display help for the nova command "grep" means "display only these lines that contain the following search string" Therefore, "nova -h | grep os-auth-url" means display help, and only display the lines that contain os-auth-url
[root@controller ~]#
nova -h
[root@controller ~]#
nova -h | grep os-auth-url
[root@controller ~]#
nova -h | grep os-tenant-name
[root@controller ~]#
nova -h | grep os-user-name
[root@controller ~]#
nova -h | grep os-password
The purpose of issuing these commands is so that you know what the flag are that you are setting
-
Let's go a step further and issue the same command, but this time include a debug flag and see if we can really dive deep into what is going on!
[root@controller ~]#
nova --os-auth-url=http://192.168.0.10:5000/v2.0 --os-tenant-name=admin --os-user-name=admin --os-password=alta3 --debug flavor-list
Debug attempts to display the processes that are going on in the background to make this possible. We'll spend some more time checking out some of the returned information in the next lab, for now, we just wanted you to be aware that it was possible.
So what we've all figured out by this point, is that setting flag on every CLI command involves far too much typing. Let's make our commands easier to issue by setting some environmental variables for our current bash session. NOTE: If environmental vs shell variables, and parent vs child sessions are new terms for you, that is OK. There is a small section at the conclusion of this lab that will make it more clear.
-
Display the contents of the
keystonerc_admin
file[root@controller ~]#
cat keystonerc_admin
Comments have been added to the output, your output will lack the comments (lines that begin with #).
# This is the user name export OS_USERNAME=admin # This is the tenant, or project export OS_TENANT_NAME=admin # Password for the above user export OS_PASSWORD=alta3 # The Identity API served through Keystone export OS_AUTH_URL=http://192.168.0.10:5000/v2.0/ # The OpenStack Region export OS_REGION_NAME=RegionOne # Appends the CLI prompt with keystone_admin export PS1='`[\u@\h \W(keystone_admin)]\$ '
The export commands within this file will mark each VAR for automatic export to the environment of subsequently executed commands (i.e. make the local shell variable VAR global). Essentially, we can set all of our permissions in this file, source this file, and then not have to ever type our permissions again as they'll always be available to the bash environment.
NOTE: The name of this file may change slightly depending on your environment. RDO deployments use the formatting structure keystonerc_$USER
For more info on regions: http://docs.openstack.org/openstack-ops/content/scaling.html#segregate_cloud
-
Display a list of the environmental variables currently set
[root@controller ~]#
printenv
Look over the displayed entries. Do you see any mention of the aforementioned credentials, such as
OS_TENANT_NAME
orOS_USERNAME
? (Feel free to use grep if you'd like.) -
Set the environmental variables found in keystonerc_admin
[root@controller ~]#
source keystonerc_admin
This is a bash shell built-in command that executes the content of the file passed as a argument in the current shell. It is synonymous with ' . ' (period). After executing the above command, the CLI line will change. This is just a reminder that you are now passing commands to the OpenStack services as some user (in this case admin).
Notice that your CLI prompt has changed to indicate that you are now 'sourced' with admin permissions
-
Once again, display a list of the environmental variables currently set.
[root@controller ~(keystone_admin)]#
printenv
Look over the displayed entries. Now you will see a listing for the variables contained within
keystonerc_admin
, such asOS_TENANT_NAME
andOS_USERNAME
. Just for your understanding, these entries are only set for this current bash session. If you type exit, then reconnect as root, these variables will unset themselves. If you want to remove them manually, use the unset command. -
Flex your new admin environmental-variable-given powers
[root@controller ~(keystone_admin)]#
nova flavor-list
This time it should just work without having to type the extra permissions. Try executing a few more commands to the other OpenStack services as well.
[root@controller ~(keystone_admin)]#
keystone tenant-create --name temp_tenant
[root@controller ~(keystone_admin)]#
keystone user-list
-
This should launch the python-openstackclient.
-
OpenStack is attempting to 'unite' all of the OpenStack commands inside of a common python 'wrapper', or a platform that allows you to issue a common set of commands for every OpenStack service. This is why some CLI commands are receiving depreciation warnings. Some people are using it, some are not, but we think it is important to know it exists.
[root@controller ~(keystone_admin)]#
openstack
(openstack)
help
(openstack)
exit
-
The permissions still apply! If you have sourced the
keystonerc_admin
file, then launch the python-openstackclient, then you are issuing commands to OpenStack as admin.
Remember our buddy Chester Copperpot of Vault Tek? You should see him when you issued the previous command keystone user-list.
Let's make it easy for us to execute OpenStack commands as Chester Copperpot who is part of the project vault_tek
at the CLI.
-
Set the environmental variables found in
keystonerc_admin
if this is not already done[root@controller ~(keystone_admin)]#
source keystonerc_admin
-
List the keystone users
[root@controller ~(keystone_admin)]#
keystone user-list
-
Look at the user chestercopperpot, and note his tenantID
[root@controller ~(keystone_admin)]#
keystone tenant-list
-
Search for chestercopperpot's tenantID value and note the name of the tenant he belongs to (should be vault_tek)
-
Make a copy of the keystonerc_admin file, then open it in nano so we can edit it.
(keystone_admin)#
cp keystonerc_admin keystonerc_chestercopperpot
(keystone_admin)#
nano keystonerc_chestercopperpot
-
Edit keystonerc_chestercopperpot so it looks like the following:
export OS_USERNAME=chestercopperpot export OS_TENANT_NAME=vault_tek export OS_PASSWORD=fa5tpa55w0rd export OS_AUTH_URL=http://192.168.0.10:5000/v2.0/ export OS_REGION_NAME=RegionOne export PS1='[\u@\h \W(keystone_chestercopperpot)]\$ '
- When you're done editing changes, do the following:
- press CTRL + O (to write out aka save)
- press ENTER (to confirm save)
- press CTRL + X (to exit)
-
Display the contents of keystonerc_chestecopperpot and verify that they are correct
[root@controller ~(keystone_admin)#
cat keystonerc_chestercopperpot
-
Set global variables in the current shell to correspond with the user chestercopperpot
[root@controller ~(keystone_admin)#
source keystonerc_chestercopperpot
-
Note the CLI changed. Run commands and see how the results differ from chester's perspective.
[root@controller ~(keystone_chestercopperpot)#
nova flavor-list
[root@controller ~(keystone_chestercopperpot)#
keystone tenant-list
This should result in an HTTP 403 failure, as the user chesetercopperpot does not have sufficient permissions to issue this keystone command.
-
Let's repeat the process for the user aliceanderson
[root@controller ~(keystone_admin)#
cp keystonerc_admin keystonerc_aliceanderson
[root@controller ~(keystone_admin)#
nano keystonerc_aliceanderson
-
Edit keystonerc_aliceanderson so it looks like the following (or copy and paste is fine):
export OS_USERNAME=aliceanderson export OS_TENANT_NAME=acme_inc export OS_PASSWORD=fa5tpa55w0rd export OS_AUTH_URL=http://192.168.0.10:5000/v2.0/ export OS_REGION_NAME=RegionOne export PS1='[\u@\h \W(keystone_aliceanderson)]\$ '
- When you're done editing changes, do the following:
- press CTRL + O (to write out aka save)
- press ENTER (to confirm save)
- press CTRL + X (to exit)
-
Display the contents of keystonerc_aliceanderson and verify that they are correct
[root@controller ~(keystone_admin)#
cat keystonerc_aliceanderson
-
Finally, lets repeat the process again for user bobbarker
[root@controller ~(keystone_admin)#
cp keystonerc_admin keystonerc_bobbarker
[root@controller ~(keystone_admin)#
nano keystonerc_bobbarker
-
Edit keystonerc_bobbarker so it looks like the following (copy and paste is fine):
export OS_USERNAME=bobbarker export OS_TENANT_NAME=acme_inc export OS_PASSWORD=fa5tpa55w0rd export OS_AUTH_URL=http://192.168.0.10:5000/v2.0/ export OS_REGION_NAME=RegionOne export PS1='[\u@\h \W(keystone_bobbarker)]\$ '
- When you're done editing changes, do the following:
- press CTRL + O (to write out aka save)
- press ENTER (to confirm save)
- press CTRL + X (to exit)
-
Display the contents of keystonerc_bobbarker and verify that they are correct
[root@controller ~(keystone_admin)]#
cat keystonerc_bobbarker
4. Using the OpenStack Horizon Dashboard to assist in creating a keystonerc file for new user Doris Day of Vault Tek
-
Log in to the OpenStack Horizon Dashboard as
chestercopperpot
//fa5tpa55w0rd
-
Click on Project > Compute > Access & Security
-
Click on the tab API Access
-
In the upper right corner, click on the button Download OpenStack RC File
-
This file will download locally. Open it in your favorite text editor. The file you open will look similar to the one shown below. If your "favorite" text editor is Microsoft Notepad or Microsoft Word, then it is recommended you take 2 minutes and go download Notepad++
bash #!/bin/bash # To use an OpenStack cloud you need to authenticate against the Identity # service named keystone, which returns a **Token** and **Service Catalog**. # The catalog contains the endpoints for all services the user/tenant has # access to - such as Compute, Image Service, Identity, Object Storage, Block # Storage, and Networking (code-named nova, glance, keystone, swift, # cinder, and neutron). # # # *NOTE*: Using the 2.0 *Identity API* does not necessarily mean any other # OpenStack API is version 2.0. For example, your cloud provider may implement # Image API v1.1, Block Storage API v2, and Compute API v2.0. OS_AUTH_URL is # only for the Identity API served through keystone. export OS_AUTH_URL=http://192.168.0.10:5000/v2.0 # # # With the addition of Keystone we have standardized on the term **tenant** # as the entity that owns the resources. export OS_TENANT_ID=57dc930957f243438e532163269138d1 export OS_TENANT_NAME="vault_tek" export OS_PROJECT_NAME="vault_tek" # # # In addition to the owning entity (tenant), OpenStack stores the entity # performing the action as the **user**. export OS_USERNAME="chestercopperpot" # # # # # LOOK AT THIS # # # # # With Keystone you pass the keystone password. echo "Please enter your OpenStack Password: " read -sr OS_PASSWORD_INPUT export OS_PASSWORD=$OS_PASSWORD_INPUT # # # # END LOOK AT THIS # # # # # # If your configuration has multiple regions, we set that information here. # OS_REGION_NAME is optional and only valid in certain environments. export OS_REGION_NAME="RegionOne" # # # Don't leave a blank variable, unset it if it was empty if [ -z "$OS_REGION_NAME" ]; then unset OS_REGION_NAME; fi
This file is a bit fancier than the previous one we studied, but it is well commented. There are two key differences between this file and ours:
-
The first is that this will file will require the user to enter their password instead of storing it locally as plain-text. In production, this is desirable, as asking users to enter their password will prevent admins from having to manage security and permissions on user files because they contain plain-text passwords.
-
The second difference is that this file also sets some additional environmental variables, which could be problematic, as our other keystonerc_.* files do NOT set these variables. If we source back to another user without first unsetting these variables, we might get ourselves into trouble. So instead of using this file, let's just borrow the piece of code that asks the user for the password. It is shown below for reference:
# With Keystone you pass the keystone password. echo "Please enter your OpenStack Password: " read -sr OS_PASSWORD_INPUT export OS_PASSWORD=$OS_PASSWORD_INPUT
-
-
We're done in Horizon for now. Return to your SSH session with the controller
-
Let's create a new user (Doris Day) within the vault_tek vault_tek project (tenant) and then create a source file that prompts for a password.
[root@controller ~(keystone_admin)]#
keystone user-create --name dorisday --tenant vault_tek --pass fa5tpa55w0rd --email dorisday@vault_tek.example
-
Create a file we can source for Doris Day of Vault Tek.
[root@controller ~(keystone_admin)]#
nano keystonerc_dorisday
-
Edit
keystonerc_dorisday
so it looks like the following:export OS_USERNAME=dorisday export OS_TENANT_NAME=vault_tek echo "Please enter your OpenStack Password: " read -sr OS_PASSWORD_INPUT export OS_PASSWORD=$OS_PASSWORD_INPUT export OS_AUTH_URL=http://192.168.0.10:5000/v2.0/ export OS_REGION_NAME=RegionOne export PS1='[\u@\h \W(keystone_dorisday)]\$ '
- When you're done editing changes, do the following:
- press CTRL + O (to write out aka save)
- press ENTER (to confirm save)
- press CTRL + X (to exit)
-
Confirm that the file was saved correctly, by displaying the output with cat, and then source keystonerc_dorisday
[root@controller ~(keystone_admin)]#
source keystonerc_dorisday
Please enter your OpenStack Password:
fa5tpa55w0rd
- QUESTION: Is this mechanism of prompting for a password more secure? Why or why not?
-
Make sure the file works. Test by issuing a CLI command requiring authentication.
[root@controller ~(keystone_dorisday)]#
nova flavor-list
If output is displayed, then it worked!
Great job! You are all done with this lab. If you are done early, go onto the next section. It will teach you a little bit more about what is going on when you run the
source
command.
In OpenStack, we learned that we could type out the --os-tenant-name
, --os-user-name
, --os-password
, and --os-auth-url
along with every command, or we could set these values so they persist. If you are not a master of the CLI, you might be curious about how this worked! Understanding how it works might also help you in troubleshooting. After all, what if you ran a source file (set environmental variables), and wish you could un-run that source file (unset environmental variables).
Variables can be of two basic types: shell variables, or environmental variables. Shell variables are only available within the current session, whereas environmental variables are available to the current session, as well as any spawned sessions. What is a session? You're in one right now. The Bash shell that you are sitting at is a 'session'. If you were to type bash
, you'd launch another session that would be considered a 'child' session, where your current session would be the 'parent'.
If a child session is spawned by a parent session, environmental variables will be made available to the child sessions, whereas a shell variable will not. To better understand the difference, perform this quick procedure; define a shell variable, and then an environmental variable within parent and child bash shells.
-
Create a shell variable within the current session. Convention says it should be all caps. Because the string we've defined includes a bang, we are using single quotes to surround 'Hello OpenStack!'.
[root@controller ~]#
LEARNING_VAR='Hello OpenStack!'
-
Great! We can confirm that this is a shell variable that will not be passed down to child processes by grepping within output from set
[root@controller ~]#
set | grep LEARNING_VAR
-
LEARNING_VAR='Hello OpenStack!' should be displayed. Now confirm it is not an environmental variable by performing the same procedure with printenv.
[root@controller ~]#
printenv | grep LEARNING_VAR
No output should be returned, as printenv will only print environmental variables.
-
Let's take a moment to demonstrate how to access any shell or environmental variable. When the shell encounters a
$
sign, it takes it to mean that it should substitute the value of the variable when it comes across it. Type the following command.[root@controller ~]#
echo $LEARNING_VAR
The string Hello OpenStack! should be displayed.
-
If you type 'bash', you'll spawn a child shell. Think of this as accessing a 'shell within a shell'. Within this child session our variable,
$LEARNING_VAR
, should not be available.[root@controller ~]#
bash
[root@controller ~]#
echo $LEARNING_VAR
No output should be displayed. Hopefully, why no output was display is clear. This is a child session, and was not passed the previous shell variables. Remember, shell variables are only good for the current shell. Type the following to test this assertion.
-
Type exit to close the child session and return to the original session.
[root@controller ~]#
exit
[root@controller ~]#
echo $LEARNING_VAR
Once again, the string Hello OpenStack! should be displayed, as we have returned to the parent shell (the shell we started in).
-
Now let's make LEARNING_VAR an environmental variable by using the export command.
[root@controller ~]#
export LEARNING_VAR='OpenStack Hello!'
[root@controller ~]#
printenv | grep LEARNING_VAR
-
Now, if we run the same experiment,
TEST_VAR=Hello OpenStack!
should be displayed. Once again, spawn a child shell.[root@controller ~]#
bash
[root@controller ~]#
echo $LEARNING_VAR
Hello OpenStack!
should be displayed. -
Confirm that it is still set as an environmental variable.
[root@controller ~]#
printenv | grep LEARNING_VAR
-
Now let's set an environmental variable from within our current child shell.
[root@controller ~]#
export NEW_LEARNING_VAR='Bonjour OpenStack!'
-
Confirm that it was indeed set as an environmental variable. Then exit the child session and return to the parent shell.
[root@controller ~]#
printenv | grep NEW_LEARNING_VAR
[root@controller ~]#
exit
-
Now see if the environmental variable NEW_LEARNING_VAR is still available.
[root@controller ~]#
printenv | grep NEW_LEARNING_VAR
No output is returned. This is because
NEW_LEARNING_VAR
was an environmental variable set in the child shell. Emphasis on the word 'was', because when we exited our child shell, that environmental variable was destroyed. -
The original variable, LEARNING_VAR can be changed back into a shell variable (demoted), by using export and the -n flag.
[root@controller ~]#
export -n LEARNING_VAR
-
Test that it is no longer a global variable, but still a shell variable
[root@controller ~]#
printenv | grep LEARNING_VAR
No output will be shown as LEARNING_VAR is no longer an environmental variable.
[root@controller ~]#
echo $LEARNING_VAR
Hello OpenStack! should be displayed, as LEARNING_VAR is now a shell variable.
[root@controller ~]#
set | grep LEARNING_VAR
LEARNING_VAR='Hello OpenStack!'
will be displayed, confirmingLEARNING_VAR
exists as a shell variable. -
A shell and environmental variable can be completely removed by issuing the unset command.
[root@controller ~]#
unset LEARNING_VAR
[root@controller ~]#
echo $LEARNING_VAR
Nothing will be displayed, as
LEARNING_VAR
has been unset[root@controller ~]#
set | grep LEARNING_VAR
Nothing will be displayed.