1)
Go to Horizon and log in as Admin.
2)
* Create a new role named "create_user_role"
* Create a new user "saju1" with role "create_user_role" and project "any_project"
3)
* Log out of Horizon
* Try to log in as "saju1". That will not work.
4)
Open any REST client. I am using the "Advanced REST client" extension for Google Chrome.
5)
Authenticate the user with a project scope and get a token
URL: http://192.168.56.102:5000/v3/auth/tokens
Method: POST
Request Headers:
Content-Type: application/json
Request Body:
    {
        "auth": {
            "identity": {
                "methods": [
                    "password"
                ],
                "password": {
                    "user": {
                        "name": "saju1",
                        "password": "saju1",
                        "domain": {
                            "name": "Default"
                        }
                    }
                }
            },
            "scope": {
                "project": {
                    "domain": {
                        "name": "Default"
                    },
                    "name": "project_name_of_saju1_selected_in_step_2"
                }
            }
        }
    }
6)
Create a user
URL: http://192.168.56.102:5000/v3/users
Method: POST
Request Headers:
Content-Type: application/json
X-Auth-Token: c999bef3667c48739e39deca2f3dc6c7
Request Body:
    {
        "user": {
            "default_project_id": "",
            "description": "new user",
            "domain_id": "default",
            "email": "sam@ss.com",
            "enabled": true,
            "name": "saju2",
            "password": "saju2"
        }
    }
7)
* Step 6 should fail, since we haven't edited the /etc/keystone/policy.json file yet.
* Go to /etc/keystone/policy.json and make the following changes:
## Add a new rule "create_user_rule"
    "create_user_rule": [["role:create_user_role"]],
## Apply the new rule "create_user_rule" to the action create_user,
## so users who belong to the role "create_user_role" can perform the "create_user" action.
    "identity:create_user": [["rule:admin_required"], ["rule:create_user_rule"]],
## Apply the new rule "create_user_rule" to the action list_projects,
## so users who belong to the role "create_user_role" can perform the "list_projects" action.
    "identity:list_projects": [["rule:admin_required"], ["rule:create_user_rule"]],
## Apply the new rule "create_user_rule" to the action list_roles,
## so users who belong to the role "create_user_role" can perform the "list_roles" action.
    "identity:list_roles": [["rule:admin_required"], ["rule:create_user_rule"]],
## Apply the new rule "create_user_rule" to the action create_grant,
## so users who belong to the role "create_user_role" can perform the "create_grant" action.
    "identity:create_grant": [["rule:admin_required"], ["rule:create_user_rule"]],
8)
Repeat step 6 and copy the id of the new user "saju2".
9)
Find the id of the project "project_name_of_saju1_selected_in_step_2" and the id of the role "Member" with the following API requests:
http://192.168.56.102:5000/v3/projects/
http://192.168.56.102:5000/v3/roles/
10)
Grant role to user on project:
PUT /projects/{project_id}/users/{user_id}/roles/{role_id}
Method: PUT
URL: http://192.168.56.102:5000/v3/projects/b831390e0cb04f1eafbdd39bfddb7bd6/users/57bcea432f824f11b7daf2b287adad55/roles/5ef7a5ed13e843358655c1f7568144cd
Request Headers:
X-Auth-Token : c999bef3667c48739e39deca2f3dc6c7
11)
Go to Horizon, log in as saju2 and provision a VM. :) :) :)
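
To see why step 6 fails before the policy.json edit and succeeds after it, here is an added example (not part of the original post and not Keystone's own code) that evaluates the list-of-lists rule syntax from step 7 for a user holding only "create_user_role". Assumptions: the starting policy makes all four actions admin-only with "admin_required" defined as role:admin, only "role:" and "rule:" checks are handled, and an action missing from the policy is denied.

```python
# Added example: evaluates the list-of-lists policy.json syntax used in step 7.
# Outer list = OR of alternatives; inner list = AND of "kind:match" checks.

# Assumed starting point: every action is admin-only (not copied from the page).
ACTIONS = ["identity:create_user", "identity:list_projects",
           "identity:list_roles", "identity:create_grant"]
BEFORE = {"admin_required": [["role:admin"]]}
BEFORE.update({a: [["rule:admin_required"]] for a in ACTIONS})

# The step 7 changes, as written on the page.
AFTER = dict(BEFORE)
AFTER["create_user_rule"] = [["role:create_user_role"]]
AFTER.update({a: [["rule:admin_required"], ["rule:create_user_rule"]]
              for a in ACTIONS})


def check(policy, atom, roles, seen):
    """Evaluate one "kind:match" check against the caller's role names."""
    kind, _, match = atom.partition(":")
    if kind == "role":
        return match.lower() in {r.lower() for r in roles}
    if kind == "rule":
        if match in seen or match not in policy:
            return False  # unknown or self-referencing rule: deny
        return evaluate(policy, policy[match], roles, seen | {match})
    return False  # other check kinds are out of scope here: deny


def evaluate(policy, rule, roles, seen=frozenset()):
    """True if any alternative has all of its checks satisfied."""
    if not rule:
        return True  # an empty rule list means "always allow"
    return any(all(check(policy, a, roles, seen) for a in alt) for alt in rule)


def enforce(policy, action, roles):
    """Decision for one API action; actions missing from the policy are denied."""
    return action in policy and evaluate(policy, policy[action], roles)


def allowed_actions(policy, roles):
    """Every identity:* action the given roles may call under this policy."""
    return sorted(a for a in ACTIONS if enforce(policy, a, roles))


if __name__ == "__main__":
    for name, pol in (("before", BEFORE), ("after", AFTER)):
        print(name, allowed_actions(pol, ["create_user_role"]))
```

None of the four rules looks at the target of the request, so "identity:create_grant" is allowed for this role whichever role, user or project the grant names. Keep "create_user_role" assigned only to accounts that are trusted to that extent.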
Ref Sites:
http://adam.younglogic.com/2013/09/keystone-v3-api-examples/
https://github.com/openstack/identity-api/blob/master/openstack-identity-api/v3/src/markdown/identity-api-v3.md <== API