Red Hat Training

A Red Hat training course is available for Red Hat OpenStack Platform

3.5. Create an Administrator Account and the Identity Service Endpoint

The following procedure creates an administrative user and an associated tenant and role. The Identity service endpoint is created at the same time.
All steps in this procedure must be performed on the system hosting the Identity service.

Procedure 3.8. Creating an Administrator Account and the Identity Service Endpoint

  1. Create an admin user, role, and tenant:
    # keystone-manage bootstrap \
    --bootstrap-password PASSWORD \
    --bootstrap-username admin \
    --bootstrap-project-name admin \
    --bootstrap-role-name admin \
    --bootstrap-service-name keystone \
    --bootstrap-region-id RegionOne \
    --bootstrap-admin-url http://IP:35357 \
    --bootstrap-public-url http://IP:5000 \
    --bootstrap-internal-url http://IP:5000
    Replace PASSWORD with the password of the admin user, and replace IP with the IP address or host name of the Identity server.
  2. The newly-created admin account will be used for future management of the Identity service. To facilitate authentication, create a keystonerc_admin file in a secure location such as the home directory of the root user.
    Add these lines to the file to set the environment variables that will be used for authentication:
    export OS_USERNAME=admin
    export OS_TENANT_NAME=admin
    export OS_AUTH_URL=http://IP:35357/v2.0/
    export PS1='[\u@\h \W(keystone_admin)]\$ '
    Again, replace PASSWORD with the password of the admin user, and replace IP with the IP address or host name of the Identity server.
  3. Load the environment variables used for authentication:
    # source ~/keystonerc_admin


Red Hat recommends creating the administrator account using the keystone-manage bootstrap command, which obsoletes previously used administration tokens. If you still want to set up and use an administration token, see the instructions in the Create an Administrator Account section of the Installation Reference for Red Hat OpenStack Platform 8.

3.5.1. Service Regions

Each service cataloged in the Identity service is identified by its region, which typically represents a geographical location, and its endpoint. In a Red Hat OpenStack Platform environment with multiple Compute deployments, regions allow for the discrete separation of services, and are a robust way to share some infrastructure between Compute installations, while allowing for a high degree of failure tolerance.
Administrators determine which services are shared between regions and which services are used only with a specific region. By default, when an endpoint is defined and no region is specified, it is created in the region named RegionOne.
To begin using separate regions, specify the --region argument when adding service endpoints:
[(keystone_admin)]# openstack endpoint create --region REGION \
   --publicurl PUBLICURL \
   --adminurl ADMINURL \
   --internalurl INTERNALURL \
Replace REGION with the name of the region to which the endpoint belongs. When sharing an endpoint between regions, create an endpoint entry containing the same URLs for each applicable region. For information on setting the URLs for each service, see the Identity service configuration information of the service in question.

Example 3.1. Endpoints Within Discrete Regions

In this example, the APAC and EMEA regions share an Identity server ( endpoint, while providing region specific compute API endpoints:
$ openstack endpoint list --long
| ID     | Region    | Service Name | Service Type | PublicURL                                           |...
| b02... | APAC      | compute      | compute      |  |...
| c46... | APAC      | keystone     | identity     |                 |...
| 31d... | EMEA      | compute      | compute      |  |...
| 727... | EMEA      | keystone     | identity     |                 |...