After reading through the Keystone API documentation, it is time to practise. I am putting my exercises here so I can look them up later. Start from the very beginning: create a service first.

keystone help service-create

Optional arguments:
  --name <name>                         Name of new service (must be unique)
  --type <type>                         Service type (one of: identity, compute, network, image, or object-store)
  --description <service-description>   Description of service

Of course, first look at the services that already exist:

keystone service-list

+----------------------------------+----------+----------+---------------------------+
| id                               | name     | type     | description               |
+----------------------------------+----------+----------+---------------------------+
| 14fec8aedfe043b3af6ca11a5589e27c | nova     | compute  | Nova Compute Service      |
| 15408ce0160a418e9e5991fe92504f5d | glance   | image    | Glance Image Service      |
| 1a8138a86bf24393a25f2fa080f47b50 | keystone | identity | Keystone Identity Service |
| f20041db95c4464883bcecdb6ed73fe7 | ec2      | ec2      | EC2 Compatibility Layer   |
+----------------------------------+----------+----------+---------------------------+

Then create the service, with --debug so the client prints the REST call it makes:

keystone --debug service-create --name nova --type network --description 'Nova Network Service'

curl -i http://10.120.34.51:35357/v2.0/OS-KSADM/services -X POST -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: c0cc90883bb147fe82066df2ca29b32a"
REQ BODY: {"OS-KSADM:service": {"type": "network", "name": "nova", "description": "Nova Network Service"}}

Formatted result:

+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Nova Network Service             |
| id          | 448a3a13f05e47ec8278c67b447d19fe |
| name        | nova                             |
| type        | network                          |
+-------------+----------------------------------+

Two things are worth noticing here. First, the help text says the service name must be unique, yet the create succeeded although a service named nova (type compute) already existed, so this version does not enforce it; anything that looks services up by name is now ambiguous, and a distinct name is the safer choice. Second, --debug prints the X-Auth-Token header. In v2.0 these 32-character tokens are bearer credentials: whoever holds one can act as that user until it expires, so redact tokens before pasting debug output anywhere shared. The admin API on port 35357 is also served over plain HTTP here, so the token crosses the network in cleartext.

Service-related commands:
  service-create   Add service to Service Catalog
  service-delete   Delete service from Service Catalog
  service-get      Display service from Service Catalog
  service-list     List all services in Service Catalog

Having created the new network service, the next step is to add it to the endpoints. The related commands:
  endpoint-create  Create a new endpoint associated with a service
  endpoint-delete  Delete a service endpoint
  endpoint-get
  endpoint-list    List configured service endpoints

First look at the existing endpoints:

keystone --debug endpoint-list

curl -i http://10.120.34.51:35357/v2.0/endpoints -X GET -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: ce6316e335aa4b829b489c114c0f210e"

+----------------------------------+-----------+-------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------+----------------------------------+
| id                               | region    | publicurl                                             | internalurl                                           | adminurl                                              | service_id                       |
+----------------------------------+-----------+-------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------+----------------------------------+
| 3770102afa3b42eeb0937efac7a8a49e | RegionOne | http://10.120.34.51:$(compute_port)s/v2/$(tenant_id)s | http://10.120.34.51:$(compute_port)s/v2/$(tenant_id)s | http://10.120.34.51:$(compute_port)s/v2/$(tenant_id)s | 14fec8aedfe043b3af6ca11a5589e27c |
| 68e3b6105ae14829bbee65fd8d72e190 | RegionOne | http://10.120.34.51:9292                              | http://10.120.34.51:9292                              | http://10.120.34.51:9292                              | 15408ce0160a418e9e5991fe92504f5d |
| 6e66aea94bac486a8331758e00b48c63 | RegionOne | http://10.120.34.51:$(public_port)s/v2.0              | http://10.120.34.51:$(public_port)s/v2.0              | http://10.120.34.51:$(admin_port)s/v2.0               | 1a8138a86bf24393a25f2fa080f47b50 |
| c1379aa288e04509bfaa94235a50b05d | RegionOne | http://10.120.34.51:8773/services/Cloud               | http://10.120.34.51:8773/services/Cloud               | http://10.120.34.51:8773/services/Admin               | f20041db95c4464883bcecdb6ed73fe7 |
+----------------------------------+-----------+-------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------+----------------------------------+

The $(compute_port)s, $(public_port)s, $(admin_port)s and $(tenant_id)s placeholders are templates; Keystone substitutes them from its configuration and from the token's tenant when it builds the catalog returned with a token.

Add the network service to the endpoints:

keystone endpoint-create --region RegionOne --service-id 448a3a13f05e47ec8278c67b447d19fe --publicurl 'http://10.120.34.51:8773/services/Cloud' --adminurl 'http://10.120.34.51:8773/services/Admin' --internalurl 'http://10.120.34.51:8773/services/Cloud'

+-------------+-----------------------------------------+
| Property    | Value                                   |
+-------------+-----------------------------------------+
| adminurl    | http://10.120.34.51:8773/services/Admin |
| id          | da2bfde6736a44ff89b1fc75c6d52032        |
| internalurl | http://10.120.34.51:8773/services/Cloud |
| publicurl   | http://10.120.34.51:8773/services/Cloud |
| region      | RegionOne                               |
| service_id  | 448a3a13f05e47ec8278c67b447d19fe        |
+-------------+-----------------------------------------+

One caveat: the three URLs given here are exactly the ones already registered for the ec2 service, so a client that resolves the network service from the catalog will be sent to the EC2 compatibility API. For anything beyond an exercise, register the network API's own URLs; the point of the exercise is only to see the endpoint linked to the service_id.

Next, users, roles and tenants.

1. Create a user (with --tenant-id, so the user gets a default tenant at creation):

keystone --debug user-create --name ppt --tenant-id 5dd12337fcaf45a99269053caa8549f2 --pass ppt --email ppt@.com --enabled true

curl -i http://10.120.34.51:35357/v2.0/users -X POST -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: 9c65a8d9fb0c49359b2cfcde76df5b33"
REQ BODY: {"user": {"email": "ppt@.com", "password": "ppt", "enabled": true, "name": "ppt", "tenantId": "5dd12337fcaf45a99269053caa8549f2"}}

Passing --pass on the command line leaves the password in the shell history and visible to anyone who can list processes while the command runs; acceptable for a throwaway test user, not for a real one.

2. Create a role:

keystone --debug role-create --name ppt

curl -i http://10.120.34.51:35357/v2.0/OS-KSADM/roles -X POST -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: 9c65a8d9fb0c49359b2cfcde76df5b33"
REQ BODY: {"role": {"name": "ppt"}}

3. Create a tenant:

keystone --debug tenant-create --name ppt --description 'for ppt to test' --enabled true

curl -i http://10.120.34.51:35357/v2.0/tenants -X POST -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: ba015d9fb3b44a7290ca3a603f60a0d5"
REQ BODY: {"tenant": {"enabled": true, "name": "ppt", "description": "for ppt to test"}}

4. Look up a user (19145390e75e427992b768fc565f8c0b is the ppt user):

keystone --debug user-get 19145390e75e427992b768fc565f8c0b

curl -i http://10.120.34.51:35357/v2.0/users/19145390e75e427992b768fc565f8c0b -X GET -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: 88068af9524d4a8da5a7a67c6c26cc34"

5. Grant the role to the user on a tenant:

keystone --debug user-role-add --user-id 19145390e75e427992b768fc565f8c0b --role-id e872b9ed4dfe4d6f827c7f1b37d66e34 --tenant-id 984eaf687e944a5fae43a77bd551c8fe

curl -i http://10.120.34.51:35357/v2.0/tenants/984eaf687e944a5fae43a77bd551c8fe/users/19145390e75e427992b768fc565f8c0b/roles/OS-KSADM/e872b9ed4dfe4d6f827c7f1b37d66e34 -X PUT -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: f3c02d50984c402183881f4ca7abc840"

Associating a user with a tenant is done the same way. Here I associate one user with two tenants:

keystone user-role-add --user-id 346b8f13e037474989a91c562abdcfff --role-id 0ea7efdc0b204fcbab3b4bff2f9c014b --tenant-id 5dd12337fcaf45a99269053caa8549f2
keystone user-role-add --user-id 346b8f13e037474989a91c562abdcfff --role-id 0ea7efdc0b204fcbab3b4bff2f9c014b --tenant-id 984eaf687e944a5fae43a77bd551c8fe

Then check the result:

keystone user-role-list --user-id 346b8f13e037474989a91c562abdcfff --tenant-id 984eaf687e944a5fae43a77bd551c8fe

+----------------------------------+---------------+----------------------------------+----------------------------------+
| id                               | name          | user_id                          | tenant_id                        |
+----------------------------------+---------------+----------------------------------+----------------------------------+
| 0ea7efdc0b204fcbab3b4bff2f9c014b | KeystoneAdmin | 346b8f13e037474989a91c562abdcfff | 984eaf687e944a5fae43a77bd551c8fe |
+----------------------------------+---------------+----------------------------------+----------------------------------+

keystone user-role-list --user-id 346b8f13e037474989a91c562abdcfff --tenant-id 5dd12337fcaf45a99269053caa8549f2

+----------------------------------+---------------+----------------------------------+----------------------------------+
| id                               | name          | user_id                          | tenant_id                        |
+----------------------------------+---------------+----------------------------------+----------------------------------+
| 0ea7efdc0b204fcbab3b4bff2f9c014b | KeystoneAdmin | 346b8f13e037474989a91c562abdcfff | 5dd12337fcaf45a99269053caa8549f2 |
+----------------------------------+---------------+----------------------------------+----------------------------------+

The role granted in both tenants is KeystoneAdmin, an administrative role; for a real user, grant the narrowest role the tenant actually needs.

Note: when creating a user there is an option to specify a tenant id. If the user was created without --tenant-id, then keystone user-get xxxx shows this:

keystone user-get 0e08fcb9b05f4d84beab287dcc2610e4

+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | admin@example.com                |
| enabled  | True                             |
| id       | 0e08fcb9b05f4d84beab287dcc2610e4 |
| name     | admin                            |
| tenantId |                                  |
+----------+----------------------------------+

tenantId is empty. After associating such a user with a tenant via keystone user-role-add, user-get still shows an empty tenantId; the association is only visible through keystone user-role-list with the tenant parameter. The reason is that tenantId is an attribute of the user (the default tenant, set at creation), while user-role-add creates a separate (user, tenant, role) assignment and never touches that attribute; the v2.0 API reads assignments per tenant, which is why user-role-list needs the tenant.

Why it is designed this way: 1. By design, or rather for convenience, a "bare" user can be created first and associated with a tenant later. With that extra interface, users can be created and associated with tenants at any time.
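A catalog check for the kind of slips that show up in the service-list and endpoint-list output above: a second service named nova, the new network endpoint reusing the ec2 URLs, and every endpoint served over plain HTTP. This is an added example, not code from the original post or from Keystone itself. The SERVICES and ENDPOINTS lists are hand-copied from the tables above with the new network service and endpoint appended; the rule names and severities are my own.

```python
"""Audit a Keystone v2.0 service catalog for hygiene problems.

Added example (not from the original post). SERVICES and ENDPOINTS are a
hand-constructed copy of the service-list / endpoint-list output, with the
'network' service and its endpoint appended.
"""
from collections import defaultdict

# (id, name, type, description), copied from service-list plus the new service
SERVICES = [
    ("14fec8aedfe043b3af6ca11a5589e27c", "nova", "compute", "Nova Compute Service"),
    ("15408ce0160a418e9e5991fe92504f5d", "glance", "image", "Glance Image Service"),
    ("1a8138a86bf24393a25f2fa080f47b50", "keystone", "identity", "Keystone Identity Service"),
    ("f20041db95c4464883bcecdb6ed73fe7", "ec2", "ec2", "EC2 Compatibility Layer"),
    ("448a3a13f05e47ec8278c67b447d19fe", "nova", "network", "Nova Network Service"),
]

# (id, region, publicurl, internalurl, adminurl, service_id)
ENDPOINTS = [
    ("3770102afa3b42eeb0937efac7a8a49e", "RegionOne",
     "http://10.120.34.51:$(compute_port)s/v2/$(tenant_id)s",
     "http://10.120.34.51:$(compute_port)s/v2/$(tenant_id)s",
     "http://10.120.34.51:$(compute_port)s/v2/$(tenant_id)s",
     "14fec8aedfe043b3af6ca11a5589e27c"),
    ("68e3b6105ae14829bbee65fd8d72e190", "RegionOne",
     "http://10.120.34.51:9292", "http://10.120.34.51:9292", "http://10.120.34.51:9292",
     "15408ce0160a418e9e5991fe92504f5d"),
    ("6e66aea94bac486a8331758e00b48c63", "RegionOne",
     "http://10.120.34.51:$(public_port)s/v2.0",
     "http://10.120.34.51:$(public_port)s/v2.0",
     "http://10.120.34.51:$(admin_port)s/v2.0",
     "1a8138a86bf24393a25f2fa080f47b50"),
    ("c1379aa288e04509bfaa94235a50b05d", "RegionOne",
     "http://10.120.34.51:8773/services/Cloud",
     "http://10.120.34.51:8773/services/Cloud",
     "http://10.120.34.51:8773/services/Admin",
     "f20041db95c4464883bcecdb6ed73fe7"),
    ("da2bfde6736a44ff89b1fc75c6d52032", "RegionOne",
     "http://10.120.34.51:8773/services/Cloud",
     "http://10.120.34.51:8773/services/Cloud",
     "http://10.120.34.51:8773/services/Admin",
     "448a3a13f05e47ec8278c67b447d19fe"),
]


def audit_catalog(services, endpoints):
    """Return a list of (severity, rule, detail) findings for the catalog."""
    findings = []
    by_id = {s[0]: s for s in services}

    # 1. Duplicate service names: the CLI help promises uniqueness, the server
    #    did not enforce it, and lookups by name are now ambiguous.
    types_by_name = defaultdict(list)
    for _sid, name, stype, _desc in services:
        types_by_name[name].append(stype)
    for name, types in types_by_name.items():
        if len(types) > 1:
            findings.append(("warn", "duplicate-name", f"{name}: types {sorted(types)}"))

    # 2. Endpoints whose service_id points at nothing, and services nobody can reach.
    referenced = set()
    for eid, _region, _pub, _int, _adm, sid in endpoints:
        referenced.add(sid)
        if sid not in by_id:
            findings.append(("error", "dangling-service-id", f"endpoint {eid} -> {sid}"))
    for sid, (_id, name, _t, _d) in by_id.items():
        if sid not in referenced:
            findings.append(("warn", "no-endpoint", f"service {sid} ({name})"))

    # 3. The same URL set registered under two different service types: a client
    #    asking the catalog for one type is sent to the other service's API.
    services_by_urls = defaultdict(list)
    for _eid, region, pub, internal, admin, sid in endpoints:
        services_by_urls[(region, pub, internal, admin)].append(sid)
    for (_region, pub, _i, _a), sids in services_by_urls.items():
        types = sorted({by_id[s][2] for s in sids if s in by_id})
        if len(types) > 1:
            findings.append(("error", "shared-urls", f"{pub}: {types}"))

    # 4. Plain-HTTP public/admin URLs: bearer tokens travel as cleartext.
    for eid, _region, pub, _internal, admin, _sid in endpoints:
        for kind, url in (("publicurl", pub), ("adminurl", admin)):
            if url.startswith("http://"):
                findings.append(("warn", "cleartext", f"{kind} of endpoint {eid}"))
    return findings


def rule_names(findings):
    """Distinct rule names that fired, sorted."""
    return sorted({rule for _sev, rule, _detail in findings})


if __name__ == "__main__":
    for sev, rule, detail in audit_catalog(SERVICES, ENDPOINTS):
        print(f"{sev:5} {rule:20} {detail}")
```

Run against the catalog above it reports the duplicate nova name, the network endpoint sharing the ec2 URLs, and ten cleartext URLs; with a real deployment you would feed it the output of `keystone service-list` and `keystone endpoint-list` instead of the constructed lists.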
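The note above on the empty tenantId, and the per-tenant user-role-list calls before it, come down to v2.0 having no single call that lists all of a user's role assignments. The script below walks every tenant to build that list and flags administrative roles such as the KeystoneAdmin granted twice above. It is an added example, not code from the original post or from python-keystoneclient. It assumes a client shaped like keystoneclient.v2_0.client.Client (tenants.list(), users.get(user_id), roles.roles_for_user(user, tenant), called here with ids); make_fake_client() is a constructed stand-in loaded with the user, tenant and role ids from the post plus a constructed third tenant, and it assumes that role e872b9ed4dfe4d6f827c7f1b37d66e34 is the ppt role from step 2 and that user 346b8f13... has an empty tenantId like the user shown with user-get.

```python
"""Enumerate a Keystone v2.0 user's (tenant, role) assignments and flag admin roles.

Added example (not from the original post). make_fake_client() mimics the method
shapes of keystoneclient.v2_0.client.Client with constructed data.
"""
from collections import namedtuple

User = namedtuple("User", "id name tenantId")
Tenant = namedtuple("Tenant", "id name")
Role = namedtuple("Role", "id name")

# Ids from the post; anything marked constructed/assumed is not in the post.
ADMIN_USER = "346b8f13e037474989a91c562abdcfff"   # user granted KeystoneAdmin twice
PPT_USER = "19145390e75e427992b768fc565f8c0b"     # the ppt user
TENANT_A = "5dd12337fcaf45a99269053caa8549f2"
TENANT_B = "984eaf687e944a5fae43a77bd551c8fe"
TENANT_C = "tenant-c"                              # constructed; holds no assignments
ROLE_ADMIN = "0ea7efdc0b204fcbab3b4bff2f9c014b"   # KeystoneAdmin
ROLE_PPT = "e872b9ed4dfe4d6f827c7f1b37d66e34"     # assumed to be the ppt role from step 2

# Role names treated as administrative (constructed list; adjust per deployment).
ADMIN_ROLE_NAMES = frozenset({"admin", "KeystoneAdmin", "KeystoneServiceAdmin"})


class _Manager:
    """Attribute bag so client.tenants.list() etc. read like keystoneclient."""
    def __init__(self, **methods):
        self.__dict__.update(methods)


def make_fake_client():
    """Build a client exposing the same method shapes as the real v2 client."""
    users = {
        ADMIN_USER: User(ADMIN_USER, "admin", ""),   # empty tenantId (assumption)
        PPT_USER: User(PPT_USER, "ppt", TENANT_A),    # created with --tenant-id in step 1
    }
    tenants = [Tenant(TENANT_A, "tenant-a"), Tenant(TENANT_B, "tenant-b"),
               Tenant(TENANT_C, "tenant-c")]           # names constructed
    roles = {ROLE_ADMIN: Role(ROLE_ADMIN, "KeystoneAdmin"), ROLE_PPT: Role(ROLE_PPT, "ppt")}
    # (user_id, tenant_id, role_id): the three user-role-add calls in the post
    assignments = {
        (ADMIN_USER, TENANT_A, ROLE_ADMIN),
        (ADMIN_USER, TENANT_B, ROLE_ADMIN),
        (PPT_USER, TENANT_B, ROLE_PPT),
    }

    def roles_for_user(user_id, tenant_id):
        # Mirrors GET /v2.0/tenants/{tenant_id}/users/{user_id}/roles
        return [roles[r] for (u, t, r) in sorted(assignments)
                if u == user_id and t == tenant_id]

    return _Manager(
        users=_Manager(get=lambda uid: users[uid]),
        tenants=_Manager(list=lambda: list(tenants)),
        roles=_Manager(roles_for_user=roles_for_user),
    )


def default_tenant(client, user_id):
    """The user's tenantId attribute (default tenant), or None when unset.

    This is what user-get shows; user-role-add never changes it.
    """
    return client.users.get(user_id).tenantId or None


def assignments_for_user(client, user_id):
    """All (tenant_id, role_name) pairs for a user, by asking every tenant.

    v2.0 has no 'list all assignments for a user' call, so this repeats the
    per-tenant user-role-list query for each tenant in the deployment.
    """
    found = []
    for tenant in client.tenants.list():
        for role in client.roles.roles_for_user(user_id, tenant.id):
            found.append((tenant.id, role.name))
    return sorted(found)


def privileged_assignments(assignments, admin_roles=ADMIN_ROLE_NAMES):
    """Subset of assignments that grant an administrative role."""
    return [(t, r) for (t, r) in assignments if r in admin_roles]


if __name__ == "__main__":
    client = make_fake_client()
    for uid in (ADMIN_USER, PPT_USER):
        print(uid, "default tenant:", default_tenant(client, uid))
        for tenant_id, role in assignments_for_user(client, uid):
            flag = " <-- admin role" if role in ADMIN_ROLE_NAMES else ""
            print("   ", tenant_id, role, flag)
```

Because the three functions only use tenants.list(), users.get() and roles.roles_for_user(), a real keystoneclient.v2_0 client can be passed in place of the fake; the fake exists so the block runs offline.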