7.2. Creating Users

Every OpenStack service authenticates through Keystone, so begin by creating an admin user, a tenant (a group of users) and a role (a named set of permissions, referenced by its ID). The --pass option puts the password on the command line, where it is visible in shell history and in the process list while the command runs; substitute a strong value for PASSWORD and remove the entry from your history afterwards.
$ keystone user-create --name admin --pass PASSWORD
+----------+-----------------------------------+
| Property |              Value                |
+----------+-----------------------------------+
| email    |                                   |
| enabled  |              True                 |
| id       | 94d659c3c9534095aba5f8475c87091a  |
| name     |              admin                |
| password |               ...                 |
| tenantId |                                   |
+----------+-----------------------------------+
$ keystone role-create --name admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | 78035c5d3cd94e62812d6d37551ecd6a |
| name     |              admin               |
+----------+----------------------------------+
$ keystone tenant-create --name admin
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
| enabled     |              True                |
| id          | 6f8e3e36c4194b86b9a9b55d4b722af3 |
| name        |              admin               |
+-------------+----------------------------------+
Add the admin user to the admin tenant with the admin role. The three IDs in this command come from the output of the three commands above:
$ keystone user-role-add --user-id 94d659c3c9534095aba5f8475c87091a \
  --role-id 78035c5d3cd94e62812d6d37551ecd6a \
  --tenant-id 6f8e3e36c4194b86b9a9b55d4b722af3
The admin account is used to administer Keystone. To load the admin user's credentials into the environment variables the keystone client reads, create a keystonerc_admin file in your home directory with the following contents. The file holds a clear-text password, so make it readable only by you (chmod 600 ~/keystonerc_admin). Its OS_AUTH_URL points at the admin API on port 35357; ordinary users authenticate against the public API on port 5000.
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=PASSWORD
export OS_AUTH_URL=http://192.0.43.10:35357/v2.0/
export PS1='[\u@\h \W(keystone_admin)]\$ '
Test the keystonerc_admin file you created by listing users, an action only an administrator can perform. First unset SERVICE_TOKEN and SERVICE_ENDPOINT: while they are set, the keystone client authenticates with the bootstrap service token and ignores the OS_* variables, so the test would not exercise the admin credentials at all:
$ unset SERVICE_TOKEN
$ unset SERVICE_ENDPOINT
$ source ~/keystonerc_admin
$ keystone user-list
+----------------------------------+-------+---------+-------+
|                id                |  name | enabled | email |
+----------------------------------+-------+---------+-------+
| 94d659c3c9534095aba5f8475c87091a | admin |  True   |       |
+----------------------------------+-------+---------+-------+
So far you have been using the admin user. Now create a regular user, tenant and role. In this example the user is named username; substitute another name if you prefer.
$ keystone user-create --name username --pass PASSWORD
+----------+-----------------------------------+
| Property |              Value                |
+----------+-----------------------------------+
| email    |                                   |
| enabled  |               True                |
| id       | 1d59c0bfef9b4ea9ab63e2a058e68ae0  |
| name     |             username              |
| password |                ...                |
| tenantId |                                   |
+----------+-----------------------------------+
$ keystone role-create --name user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | 8261ac4eabcc4da4b01610dbad6c038a |
| name     |               user               |
+----------+----------------------------------+
$ keystone tenant-create --name rhos
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
| enabled     |               True               |
| id          | 05816b0106994f95a83b913d4ff995eb |
| name        |               rhos               |
+-------------+----------------------------------+
Add the new user to the rhos tenant with a role of user. The IDs used in this command come from the output of the previous three commands:
$ keystone user-role-add --user-id 1d59c0bfef9b4ea9ab63e2a058e68ae0 \
  --role-id 8261ac4eabcc4da4b01610dbad6c038a \
  --tenant-id 05816b0106994f95a83b913d4ff995eb
You created ~/keystonerc_admin to make the admin credentials easy to load. Do the same for the new username user: create keystonerc_username in your home directory, again with mode 0600, with the following contents. Note that this file uses the public port, 5000, rather than the admin port:
export OS_USERNAME=username
export OS_TENANT_NAME=rhos
export OS_PASSWORD=PASSWORD
export OS_AUTH_URL=http://192.0.43.10:5000/v2.0/
export PS1='[\u@\h \W(keystone_username)]\$ '
Test the new user. Source the keystonerc_username file and try a few commands: user-list should fail with HTTP 403, since only an administrator can list users, while token-get should succeed. The id in the token-get output is a bearer token, valid until the expires timestamp, that grants the user's access to anyone who holds it; do not paste it into tickets or logs.
$ source ~/keystonerc_username
$ keystone user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)
$ keystone token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
| expires   |        2012-05-19T13:29:37Z      |
| id        | 0d709cb5840d4e53ba49fc0415b6a379 |
| tenant_id | 05816b0106994f95a83b913d4ff995eb |
| user_id   | 1d59c0bfef9b4ea9ab63e2a058e68ae0 |
+-----------+----------------------------------+
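The whole procedure in this section (create user, role and tenant, bind them, write the keystonerc file, test it) as a script. This is an added example, not code from the original page or from the OpenStack project: it captures each ID from the keystone CLI's result table instead of copying it by hand, creates the keystonerc file owner-only, and checks that the new user can obtain a token. It assumes the v2.0 keystone CLI, the host and public port shown on the page (192.0.43.10, 5000), and a shell that is already admin-capable (SERVICE_TOKEN/SERVICE_ENDPOINT exported, or keystonerc_admin sourced). The RUN_KEYSTONE_SETUP, NEW_USER and NEW_PASS variables, and the function names, are this example's own conventions. The table parser is general: it reads any property table the keystone CLI prints, not only the user-create output.

```shell
#!/bin/sh
# Added example, not from the original page or the OpenStack project.
# Assumed: v2.0 keystone CLI, host 192.0.43.10, public port 5000, and an
# admin-capable environment in the calling shell. The helpers that do not
# talk to Keystone (ks_value, write_rc, nonempty) run stand-alone.
set -eu

# ks_value PROPERTY: read a keystone result table on stdin and print the
# Value column of the row whose Property column is PROPERTY ("id", "name",
# "tenant_id", ...). Prints nothing if the row is absent or its value empty.
ks_value() {
    awk -F'|' -v key="$1" '
        NF >= 3 && $2 ~ ("^[ \t]*" key "[ \t]*$") {
            v = $3
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v
            exit
        }'
}

# write_rc FILE USERNAME TENANT PASSWORD AUTH_URL TAG: write a credentials
# file in the format shown on the page. It holds a clear-text password, so
# it is created under umask 077 and forced to mode 0600.
write_rc() {
    (
        umask 077
        cat > "$1" <<EOF
export OS_USERNAME=$2
export OS_TENANT_NAME=$3
export OS_PASSWORD=$4
export OS_AUTH_URL=$5
export PS1='[\\u@\\h \\W($6)]\\$ '
EOF
    )
    chmod 600 "$1"
}

# nonempty LABEL VALUE: stop instead of continuing with an empty ID. A failed
# keystone call would otherwise go unnoticed, because the exit status of
# "keystone ... | ks_value id" is awk's, not keystone's.
nonempty() {
    [ -n "$2" ] || { echo "error: $1 returned no id" >&2; return 1; }
}

# create_user NAME PASSWORD ROLE TENANT: create the three objects, bind them,
# and print "USER_ID ROLE_ID TENANT_ID". As on the page, --pass places the
# password on the command line, visible to shell history and ps.
create_user() {
    user_id=$(keystone user-create --name "$1" --pass "$2" | ks_value id)
    nonempty user-create "$user_id"
    role_id=$(keystone role-create --name "$3" | ks_value id)
    nonempty role-create "$role_id"
    tenant_id=$(keystone tenant-create --name "$4" | ks_value id)
    nonempty tenant-create "$tenant_id"
    keystone user-role-add --user-id "$user_id" --role-id "$role_id" \
        --tenant-id "$tenant_id"
    echo "$user_id $role_id $tenant_id"
}

# check_rc FILE: in a subshell, drop the bootstrap token (it would override
# the OS_* variables), source FILE and confirm a scoped token is issued.
check_rc() {
    (
        unset SERVICE_TOKEN SERVICE_ENDPOINT
        . "$1"
        keystone token-get | ks_value tenant_id | grep -q .
    )
}

# Live run only when explicitly requested (RUN_KEYSTONE_SETUP=1), so the file
# can be sourced and its helpers exercised without a reachable Keystone.
if [ "${RUN_KEYSTONE_SETUP:-0}" = 1 ]; then
    NEW_USER="${NEW_USER:-username}"
    NEW_PASS="${NEW_PASS:?export NEW_PASS before running}"
    ids=$(create_user "$NEW_USER" "$NEW_PASS" user rhos)
    echo "created (user role tenant): $ids"
    rc="$HOME/keystonerc_$NEW_USER"
    write_rc "$rc" "$NEW_USER" rhos "$NEW_PASS" \
        http://192.0.43.10:5000/v2.0/ "keystone_$NEW_USER"
    if check_rc "$rc"; then
        echo "token-get succeeded for $NEW_USER using $rc"
    else
        echo "token-get failed for $NEW_USER; check $rc and the Keystone log" >&2
        exit 1
    fi
fi
```

Run it with RUN_KEYSTONE_SETUP=1 NEW_PASS='...' sh setup-user.sh from a shell that still has the bootstrap token exported. Because check_rc unsets SERVICE_TOKEN and SERVICE_ENDPOINT inside its own subshell, the live test proves the new password works, while the calling shell keeps its admin access for the next user.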