Portal:Cloud VPS/Admin/Neutron Notes/ldap

From Wikitech
Jump to navigation Jump to search

Open Questions

  -  "service_role": "role:service", exists in /etc/keystone/policy.json but we don't define a service role?


Do we use keystone groups for anything?

Glance admin role?

General service user roles and assignments?

What's our domain? multiple domains?

What roles do we have and where are they assigned?

  • The possibility of having multiple domains came with version 3 of the Keystone API.

What version of keystone api? (v2 or v3)

  • keystone has the concept of groups?

"Keystone added a new abstraction, called a Domain, that could provide the ability to isolate the visibility of a set of Projects and Users (and User Groups) to a specific organization."

As of the Juno release, Keystone supports multiple Identity backends for the V3 Identity API.

As of Liberty, roles are not domain scoped, but this could change in the future.

  • getting keystone cli util to work
    • Authorization Failed: The resource could not be found. (HTTP 404) (Request-ID: req-a170d956-c868-48e0-98da-26d368b03798)



LDAP Groups





root@labtestcontrol2001:~# openstack role list

| ID                               | Name         |
| 7db0d1d2a27f4e7f8afc45bdf19aaf59 | observer     |
| 8284c7e1155a464c818cf1eacf008c23 | user         |
| 8e86568d85984eda8ff44532f99e9304 | admin        |
| cb17fb40e2ef4cdd99956cd771b1799a | projectadmin |
| eb3fb807ab684f3d9fa77eed65bc0817 | glanceadmin  |

LDAP vs Keystone: identify and assignemnt



openstack role assignment list -- bastion vs non?


ldap assignment (we don't use this)



1 ou=people,dc=wikimedia,dc=org

2 ou=netgroup,dc=wikimedia,dc=org

3 ou=sudoers,dc=wikimedia,dc=org

4 ou=hosts,dc=wikimedia,dc=org

5 ou=profile,dc=wikimedia,dc=org

9 ou=groups,dc=wikimedia,dc=org

43 ou=projects,dc=wikimedia,dc=org

172 ou=roles,dc=wikimedia,dc=org

496 ou=servicegroups,dc=wikimedia,dc=org

497 ou=people,ou=servicegroups,dc=wikimedia,dc=org

LDAP (via wikitech) Creation


+8391 uid=neutronone,ou=people,dc=wikimedia,dc=org

+uid: neutronone

+sn: Neutronone

+cn: Neutronone

+userPassword: {SHA}xT+zGZAmaKGFkoAWtJLlcA8dnYA=

+objectClass: inetOrgPerson

+objectClass: person

+objectClass: ldapPublicKey

+objectClass: posixAccount

+objectClass: shadowAccount

+uidNumber: 14005

+gidNumber: 500

+homeDirectory: /home/neutronone

+loginShell: /bin/bash

+mail: cpettet+neutronone@wikimedia.org


root@labtestcontrol2001:~# openstack user create --domain default --password-prompt neutronone

User Password:

Repeat User Password:

Conflict occurred attempting to store user - Duplicate name, neutronone. (HTTP 409) (Request-ID: req-c9d0fca0-07ca-4057-9e9d-043a721b6d44)

root@labtestcontrol2001:~#  openstack role add --project service --user neutronone admin

No project with a name or ID of 'service' exists.

root@labtestcontrol2001:~# openstack role add --project admin --user neutronone admin


root@labtestcontrol2001:~# openstack service create --name neutron \

>   --description "OpenStack Networking" network

| Field       | Value                            |
| description | OpenStack Networking             |
| enabled     | True                             |
| id          | 21777ec0152245919cea3bfd17781d98 |
| name        | neutron                          |
| type        | network                          |

openstack endpoint create --region codfw \

  network public <nowiki>http://labtestnet2001.codfw.wmnet:9696</nowiki>

openstack endpoint create --region codfw \

  network internal <nowiki>http://labtestnet2001.codfw.wmnet:9696</nowiki>

openstack endpoint create --region codfw \

  network admin <nowiki>http://labtestnet2001.codfw.wmnet:9696</nowiki>

openstack endpoint list | grep network