Running horizon/dashboard from git

Mark McLoughlin markmc at redhat.com
Tue Nov 29 16:14:16 UTC 2011


Hey Cole,

I started going through your instructions, but got sidetracked a bit by
keystone ... seems we have a common theme here :-)

On Mon, 2011-11-28 at 11:34 -0500, Cole Robinson wrote:

> # First we need to set up keystone, since horizon requires it.
> sudo yum install -y openstack-keystone

Best to include --enablerepo=updates-testing

> # Clear any previous keystone config
> sudo rm /var/lib/keystone/keystone.sqlite
> sudo systemctl start openstack-keystone.service

Right, yes - although keystone-manage doesn't talk to the service, it's
best to let the service create the DB as owned by keystone:keystone
before trying to use keystone-manage. If you dive right in with
keystone-manage, it'll be owned by root:root and the service won't be
able to start.

> # These steps are derived from
> # http://keystone.openstack.org/configuringservices.html
> # Assumes that openstack, keystone, and dashboard are all on localhost
> 
> sudo keystone-manage service add nova compute "Nova Compute Service"
> sudo keystone-manage service add glance image "Glance Image Service"
> sudo keystone-manage service add keystone identity "Keystone Identity Service"
> 
> sudo keystone-manage endpointTemplates add RegionOne nova \
> http://localhost:8774/v1.1/ \
> http://localhost:8774/v1.1/ \
> http://localhost:8774/v1.1/ \
> 1 1

Wow, what a disgusting command!

(For my own reference, the args here are region, service, publicURL,
adminURL, internalURL, enabled and global)

> sudo keystone-manage endpointTemplates add RegionOne glance \
> http://localhost:9292/v1.1/ \
> http://localhost:9292/v1.1/ \
> http://localhost:9292/v1.1/ \
> 1 1
> 
> sudo keystone-manage endpointTemplates add RegionOne keystone \
> http://localhost:5000/v2.0 \
> http://localhost:35357/v2.0 \
> http://localhost:5000/v2.0 \
> 1 1
> 
> sudo keystone-manage user add admin admin
> sudo keystone-manage user add demo demo
> 
> sudo keystone-manage tenant add admin
> sudo keystone-manage tenant add demo
> 
> sudo keystone-manage role add Admin

One slightly surprising thing is that the Admin role has special
significance - see keystone-admin-role in keystone.conf. I wonder why
it's not added automatically if it's special?

> sudo keystone-manage role grant Admin admin admin
> sudo keystone-manage token add 999888777666 admin admin 2015-02-05T00:00

Rather than using keystone-manage to add a token, I think you can just
authenticate as admin and generate a token that way e.g.

  $> curl -v -d '{"auth": {"passwordCredentials": {"username": "admin", "password": "admin"}}}' \
             -H "Content-type: application/json" http://localhost:5000/v2.0/tokens
  {"access": {"token": {"expires": "2011-11-30T13:14:02.210014", "id": "a361aff4-2a65-480b-a77a-3c81c4ee02cc"}, "user": {"id": "1", "roles": [{"id": "1", "name": "Admin"}], "name": "admin"}}}

and then you can check that token works with e.g.

  $> curl -H 'X-Auth-Token: a361aff4-2a65-480b-a77a-3c81c4ee02cc' http://localhost:35357/v2.0/tenants
  {"tenants": {"values": [{"enabled": true, "description": "None", "name": "admin", "id": "1"}], "links": []}}

> sudo keystone-manage role add Member
> sudo keystone-manage role grant Member demo demo
> sudo keystone-manage role grant Admin admin demo
> 
> sudo keystone-manage endpoint add demo nova
> sudo keystone-manage endpoint add demo glance
> sudo keystone-manage endpoint add demo identity
> 
> sudo keystone-manage endpoint add admin nova
> sudo keystone-manage endpoint add admin glance
> sudo keystone-manage endpoint add admin identity

Okay, this sidetracked me a bit because you named the service for
keystone 'keystone' above, not 'identity' - so why does it appear to
work?

It turns out this arg should be an integer endpointTemplate ID. I've
filed a bug with a fix to validate the arg:

  https://bugs.launchpad.net/keystone/+bug/897749

But it looks like, because all the templates you added are
'global' (the second '1' arg to 'endpointTemplates add'), you don't need
to also explicitly add them to the tenants.

To check the endpoints list, I'm looking at the serviceCatalog list in
the result from authenticating using that tenant:

  $> curl -v -d '{"auth": {"passwordCredentials": {"username": "admin", "password": "p4ssw0rd"}, "tenantName": "admin"}}' -H "Content-type: application/json" http://localhost:35357/v2.0/tokens

Cheers,
Mark.
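
Added example, not part of the message above and not keystone code: a small Python check that reads the token response shown in the first curl call, reports the user's roles and remaining lifetime, and builds the X-Auth-Token header used in the second call. The function names are hypothetical, and the expiry timestamp is assumed to be in the same timezone as the `now` value passed in.

```python
import json
from datetime import datetime

# Response body copied from the message above (first curl call).
SAMPLE_RESPONSE = '{"access": {"token": {"expires": "2011-11-30T13:14:02.210014", "id": "a361aff4-2a65-480b-a77a-3c81c4ee02cc"}, "user": {"id": "1", "roles": [{"id": "1", "name": "Admin"}], "name": "admin"}}}'


def parse_expiry(text):
    """Parse the timestamp forms seen in the thread (with microseconds, or HH:MM only)."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%f", "%Y-%m-%dT%H:%M:%S", "%Y-%m-%dT%H:%M"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("unrecognised expiry timestamp: %r" % text)


def inspect_token(body, now):
    """Return token id, user, role names and seconds of validity left at `now`."""
    try:
        access = json.loads(body)["access"]
        token, user = access["token"], access["user"]
        summary = {
            "token_id": token["id"],
            "user": user["name"],
            "roles": sorted(r["name"] for r in user.get("roles", [])),
            "expires": parse_expiry(token["expires"]),
        }
    except (KeyError, TypeError, ValueError) as exc:
        raise ValueError("not a usable token response: %s" % exc)
    summary["seconds_left"] = (summary["expires"] - now).total_seconds()
    summary["expired"] = summary["seconds_left"] <= 0
    return summary


def auth_header(summary):
    """Build the X-Auth-Token header for follow-up calls; refuse expired tokens."""
    if summary["expired"]:
        raise ValueError("token %s has expired" % summary["token_id"])
    return {"X-Auth-Token": summary["token_id"]}


if __name__ == "__main__":
    now = datetime(2011, 11, 29, 16, 14, 16)  # constructed: the message's send time
    info = inspect_token(SAMPLE_RESPONSE, now)
    print(info["user"], info["roles"], int(info["seconds_left"]), auth_header(info))
```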



