keystone command parameters

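After reading the keystone API documentation, the next step is hands-on practice. I am putting my exercises here so they are easy to look up later.

Let's start from the very beginning and create a service first.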

keystone help service-create 

Optional arguments:
  --name <name>         Name of new service (must be unique)
  --type <type>         Service type (one of: identity, compute, network,
                                  image, or object-store)
  --description <service-description>
                                 Description of service

Of course, I first need to look at the existing services:
keystone service-list
+----------------------------------+----------+----------+---------------------------+
|                id                |   name   |   type   |        description        |
+----------------------------------+----------+----------+---------------------------+
| 14fec8aedfe043b3af6ca11a5589e27c |   nova   | compute  |    Nova Compute Service   |
| 15408ce0160a418e9e5991fe92504f5d |  glance  |  image   |    Glance Image Service   |
| 1a8138a86bf24393a25f2fa080f47b50 | keystone | identity | Keystone Identity Service |
| f20041db95c4464883bcecdb6ed73fe7 |   ec2    |   ec2    |  EC2 Compatibility Layer  |
+----------------------------------+----------+----------+---------------------------+

keystone --debug service-create --name nova --type network --description 'Nova Network Service'

curl -i http://10.120.34.51:35357/v2.0/OS-KSADM/services -X POST -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: c0cc90883bb147fe82066df2ca29b32a"

REQ BODY: {"OS-KSADM:service": {"type": "network", "name": "nova", "description": "Nova Network Service"}}
Formatted output:
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       Nova Network Service       |
|      id     | 448a3a13f05e47ec8278c67b447d19fe |
|     name    |               nova               |
|     type    |             network              |
+-------------+----------------------------------+
Service-related operations:
    service-create      Add service to Service Catalog
    service-delete      Delete service from Service Catalog
    service-get         Display service from Service Catalog
    service-list        List all services in Service Catalog

After creating the new service (network), the next step is to add it to an endpoint. Related commands:
    endpoint-create     Create a new endpoint associated with a service
    endpoint-delete     Delete a service endpoint
    endpoint-get
    endpoint-list       List configured service endpoints

First, again, look at the existing endpoint information:
keystone --debug endpoint-list
curl -i http://10.120.34.51:35357/v2.0/endpoints -X GET -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: ce6316e335aa4b829b489c114c0f210e"
+----------------------------------+-----------+-------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------+----------------------------------+
|                id                |   region  |                       publicurl                       |                      internalurl                      |                        adminurl                       |            service_id            |
+----------------------------------+-----------+-------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------+----------------------------------+
| 3770102afa3b42eeb0937efac7a8a49e | RegionOne | http://10.120.34.51:$(compute_port)s/v2/$(tenant_id)s | http://10.120.34.51:$(compute_port)s/v2/$(tenant_id)s | http://10.120.34.51:$(compute_port)s/v2/$(tenant_id)s | 14fec8aedfe043b3af6ca11a5589e27c |
| 68e3b6105ae14829bbee65fd8d72e190 | RegionOne |                http://10.120.34.51:9292               |                http://10.120.34.51:9292               |                http://10.120.34.51:9292               | 15408ce0160a418e9e5991fe92504f5d |
| 6e66aea94bac486a8331758e00b48c63 | RegionOne |        http://10.120.34.51:$(public_port)s/v2.0       |        http://10.120.34.51:$(public_port)s/v2.0       |        http://10.120.34.51:$(admin_port)s/v2.0        | 1a8138a86bf24393a25f2fa080f47b50 |
| c1379aa288e04509bfaa94235a50b05d | RegionOne |        http://10.120.34.51:8773/services/Cloud        |        http://10.120.34.51:8773/services/Cloud        |        http://10.120.34.51:8773/services/Admin        | f20041db95c4464883bcecdb6ed73fe7 |
+----------------------------------+-----------+-------------------------------------------------------+-------------------------------------------------------+-------------------------------------------------------+----------------------------------+
Add network to the endpoints:
keystone endpoint-create  --region RegionOne --service-id  448a3a13f05e47ec8278c67b447d19fe --publicurl 'http://10.120.34.51:8773/services/Cloud' --adminurl 'http://10.120.34.51:8773/services/Admin' --internalurl 'http://10.120.34.51:8773/services/Cloud'
+-------------+-----------------------------------------+
|   Property  |                  Value                  |
+-------------+-----------------------------------------+
|   adminurl  | http://10.120.34.51:8773/services/Admin |
|      id     |     da2bfde6736a44ff89b1fc75c6d52032    |
| internalurl | http://10.120.34.51:8773/services/Cloud |
|  publicurl  | http://10.120.34.51:8773/services/Cloud |
|    region   |                RegionOne                |
|  service_id |     448a3a13f05e47ec8278c67b447d19fe    |
+-------------+-----------------------------------------+

1. keystone --debug user-create --name ppt --tenant-id 5dd12337fcaf45a99269053caa8549f2 --pass ppt --email [email protected] --enabled true

curl -i http://10.120.34.51:35357/v2.0/OS-KSADM/roles -X POST -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: 9c65a8d9fb0c49359b2cfcde76df5b33"
REQ BODY: {"user": {"email": "[email protected]", "password": "ppt", "enabled": true, "name": "ppt", "tenantId": "5dd12337fcaf45a99269053caa8549f2"}}

2. keystone --debug role-create --name ppt
curl -i http://10.120.34.51:35357/v2.0/OS-KSADM/roles -X POST -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: 9c65a8d9fb0c49359b2cfcde76df5b33"
REQ BODY: {"role": {"name": "ppt"}}

3. keystone --debug tenant-create --name ppt --description 'for ppt to test'  --enabled true
curl -i http://10.120.34.51:35357/v2.0/tenants -X POST -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: ba015d9fb3b44a7290ca3a603f60a0d5"
REQ BODY: {"tenant": {"enabled": true, "name": "ppt", "description": "for ppt to test"}}

4. keystone --debug user-get 19145390e75e427992b768fc565f8c0b   (ppt)
curl -i http://10.120.34.51:35357/v2.0/users/19145390e75e427992b768fc565f8c0b -X GET -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: 88068af9524d4a8da5a7a67c6c26cc34"

5. keystone --debug user-role-add --user-id 19145390e75e427992b768fc565f8c0b --role-id e872b9ed4dfe4d6f827c7f1b37d66e34 --tenant-id 984eaf687e944a5fae43a77bd551c8fe
curl -i http://10.120.34.51:35357/v2.0/tenants/984eaf687e944a5fae43a77bd551c8fe/users/19145390e75e427992b768fc565f8c0b/roles/OS-KSADM/e872b9ed4dfe4d6f827c7f1b37d66e34 PUT -H "User-Agent: python-keystoneclient" -H "X-Auth-Token: f3c02d50984c402183881f4ca7abc840"
Associate a user with a tenant:
keystone  user-role-add --user-id 346b8f13e037474989a91c562abdcfff --role-id 0ea7efdc0b204fcbab3b4bff2f9c014b --tenant-id 5dd12337fcaf45a99269053caa8549f2       
keystone  user-role-add --user-id 346b8f13e037474989a91c562abdcfff --role-id 0ea7efdc0b204fcbab3b4bff2f9c014b --tenant-id 984eaf687e944a5fae43a77bd551c8fe
Here I associated the user with two tenants.
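
The --debug traces in this post print the X-Auth-Token header and, for user-create, the password inside REQ BODY. The following is an added example (not part of the original post) that masks both before a trace is saved or pasted somewhere; the sample trace, its URL, the function names and the list of keys to mask are assumptions.

```python
import json
import re

# Constructed trace in the format shown in the post; token and password are placeholders.
TRACE = '''curl -i http://keystone.example:35357/v2.0/users -X POST -H "User-Agent: python-keystoneclient" -H "Content-Type: application/json" -H "X-Auth-Token: 0123456789abcdef0123456789abcdef"
REQ BODY: {"user": {"email": "user@example.org", "password": "s3cret", "enabled": true, "name": "ppt", "tenantId": "5dd12337fcaf45a99269053caa8549f2"}}
'''

SECRET_KEYS = {"password", "token", "secret"}  # assumed set of JSON keys to mask
TOKEN_HDR = re.compile(r'(X-Auth-Token:\s*)[^"\s]+', re.IGNORECASE)

def mask(obj):
    """Recursively replace the values of secret-looking keys in parsed JSON."""
    if isinstance(obj, dict):
        return {k: "***" if k.lower() in SECRET_KEYS else mask(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [mask(v) for v in obj]
    return obj

def redact_line(line):
    """Mask the token header and any secrets in a 'REQ BODY: {...}' line."""
    line = TOKEN_HDR.sub(r"\1***", line)
    prefix, sep, body = line.partition("REQ BODY: ")
    if not sep:
        return line
    try:
        return prefix + sep + json.dumps(mask(json.loads(body)))
    except ValueError:
        # Truncated or non-JSON body: drop it rather than risk leaking a secret.
        return prefix + sep + "<unparseable body removed>"

def redact(trace):
    """Redact a whole multi-line --debug trace."""
    return "\n".join(redact_line(l) for l in trace.splitlines())

if __name__ == "__main__":
    print(redact(TRACE))
```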

Now check the result of the association:
keystone user-role-list --user-id  346b8f13e037474989a91c562abdcfff --tenant-id 984eaf687e944a5fae43a77bd551c8fe
+----------------------------------+---------------+----------------------------------+----------------------------------+
|                id                |      name     |             user_id              |            tenant_id             |
+----------------------------------+---------------+----------------------------------+----------------------------------+
| 0ea7efdc0b204fcbab3b4bff2f9c014b | KeystoneAdmin | 346b8f13e037474989a91c562abdcfff | 984eaf687e944a5fae43a77bd551c8fe |
+----------------------------------+---------------+----------------------------------+----------------------------------+


keystone user-role-list --user-id  346b8f13e037474989a91c562abdcfff --tenant-id 5dd12337fcaf45a99269053caa8549f2       
+----------------------------------+---------------+----------------------------------+----------------------------------+
|                id                |      name     |             user_id              |            tenant_id             |
+----------------------------------+---------------+----------------------------------+----------------------------------+
| 0ea7efdc0b204fcbab3b4bff2f9c014b | KeystoneAdmin | 346b8f13e037474989a91c562abdcfff | 5dd12337fcaf45a99269053caa8549f2 |
+----------------------------------+---------------+----------------------------------+----------------------------------+

Note: when creating a user, specifying a tenant ID is optional. If the user was created without --tenant-id, then keystone user-get xxxx shows:
keystone user-get 0e08fcb9b05f4d84beab287dcc2610e4
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |        [email protected]         |
| enabled  |               True               |
|    id    | 0e08fcb9b05f4d84beab287dcc2610e4 |
|   name   |              admin               |
| tenantId |                                  |
+----------+----------------------------------+      
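We can see that tenantId is empty. After this user has been associated with a tenant using the keystone user-role-add command, the association can only be seen by running keystone user-role-list with the parameters added.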


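Analysis of the reason: 1. It is a design requirement, or rather it makes things more convenient for the user: a "bare" user can be created first and associated with a tenant afterwards. By adding this interface, users can create users and associate them whenever and wherever they like.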
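
Because user-get can show an empty tenantId while the user already holds roles in several tenants, a review of who has access has to be built from the per-tenant user-role-list output. The following is an added example (not part of the original post) that parses the CLI tables and reports the difference; the two role-list tables are copied from the post, while the user-get table, the function names and treating KeystoneAdmin as the admin role are assumptions.

```python
from collections import defaultdict
# user-role-list output copied from the post: one user, two tenants.
ROLE_LISTS = """
+----------------------------------+---------------+----------------------------------+----------------------------------+
|                id                |      name     |             user_id              |            tenant_id             |
+----------------------------------+---------------+----------------------------------+----------------------------------+
| 0ea7efdc0b204fcbab3b4bff2f9c014b | KeystoneAdmin | 346b8f13e037474989a91c562abdcfff | 984eaf687e944a5fae43a77bd551c8fe |
+----------------------------------+---------------+----------------------------------+----------------------------------+
+----------------------------------+---------------+----------------------------------+----------------------------------+
|                id                |      name     |             user_id              |            tenant_id             |
+----------------------------------+---------------+----------------------------------+----------------------------------+
| 0ea7efdc0b204fcbab3b4bff2f9c014b | KeystoneAdmin | 346b8f13e037474989a91c562abdcfff | 5dd12337fcaf45a99269053caa8549f2 |
+----------------------------------+---------------+----------------------------------+----------------------------------+
"""
# Constructed user-get output for the same user, created without --tenant-id.
USER_GET = """
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 346b8f13e037474989a91c562abdcfff |
| tenantId |                                  |
+----------+----------------------------------+
"""

def parse_table(text):
    """Turn the CLI's +---+ / | a | b | tables into dicts; repeated header rows are skipped."""
    rows = [[c.strip() for c in ln.strip()[1:-1].split("|")]
            for ln in text.splitlines() if ln.strip().startswith("|")]
    return [dict(zip(rows[0], r)) for r in rows[1:] if r != rows[0]]

def tenant_report(user_get_out, role_list_out, admin_roles=("KeystoneAdmin",)):
    """Compare the tenantId shown by user-get with the grants user-role-list reveals."""
    props = {r["Property"]: r["Value"] for r in parse_table(user_get_out)}
    shown = props.get("tenantId", "")
    grants = defaultdict(set)  # tenant_id -> role names held there
    for r in parse_table(role_list_out):
        if r["user_id"] == props["id"]:
            grants[r["tenant_id"]].add(r["name"])
    return {
        "tenantId_field": shown,
        "tenants_with_roles": sorted(grants),
        "admin_in": sorted(t for t, names in grants.items() if names & set(admin_roles)),
        "hidden_from_user_get": sorted(t for t in grants if t != shown),
    }

if __name__ == "__main__":
    print(tenant_report(USER_GET, ROLE_LISTS))
```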

