My previous example showed how to create a user using the V3 API. But what if you don’t even have an admin user in your database? How are you going to perform admin operations in a bootstrap scenario? Here’s how to do operations with no user in the database, and to get the database up to the point where you can perform operations directly.
Second of Three Articles: Examples. Policy
There is a special value in the keystone config file that is used for the early stages of setting up Keystone: admin_token. For my examples, I use my favorite standby not-so-secret-password:
[DEFAULT]
admin_token = freeipa4all
When Keystone is restarted, you should be able to perform admin operations using:
curl -H"X-Auth-Token:freeipa4all" localhost:35357/v3/users | python -mjson.tool
So the previous example to create a user will work if you do:
export TOKEN=freeipa4all
To create a project, create a sample file named create_project.json:
{
    "project": {
        "description": "demo-project",
        "domain_id": "default",
        "enabled": true,
        "name": "Demonstration"
    }
}
And create it using:
curl -si -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects -d @create_project.json
Check to see it was created with:
curl -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects | python -mjson.tool
Now let's work towards providing access to that user. We want to give the user a role on that project, but first we need to see what roles are available:
curl -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/roles | python -mjson.tool
If you ran the SQL migrations, you should see the role that is used by the V2 API when doing “add user to project”:
curl -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/roles/9fe2ff9ee4384b1894a90878d3e92bab | python -mjson.tool
{
    "role": {
        "description": "Default role for project membership",
        "enabled": "True",
        "id": "9fe2ff9ee4384b1894a90878d3e92bab",
        "links": {
            "self": "http://127.0.0.1:5000/v3/roles/9fe2ff9ee4384b1894a90878d3e92bab"
        },
        "name": "_member_"
    }
}
curl -X PUT -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects/e15bab932d9349f7b2cbe6f1ae62cc8c/users/d36f803edcc74fae99428efe696c431d/roles/9fe2ff9ee4384b1894a90878d3e92bab
This produces no output. To check what happened:
curl -H"X-Auth-Token:$TOKEN" -H "Content-type: application/json" http://localhost:35357/v3/projects/e15bab932d9349f7b2cbe6f1ae62cc8c/users/d36f803edcc74fae99428efe696c431d/roles | python -mjson.tool
{
    "links": {
        "next": null,
        "previous": null,
        "self": "http://127.0.0.1:5000/v3/projects/e15bab932d9349f7b2cbe6f1ae62cc8c/users/d36f803edcc74fae99428efe696c431d/roles"
    },
    "roles": [
        {
            "description": "Default role for project membership",
            "enabled": "True",
            "id": "9fe2ff9ee4384b1894a90878d3e92bab",
            "links": {
                "self": "http://127.0.0.1:5000/v3/roles/9fe2ff9ee4384b1894a90878d3e92bab"
            },
            "name": "_member_"
        }
    ]
}
Now, let's test that we can create a token as this user. Here is token_request.json:
{
    "auth": {
        "identity": {
            "methods": [
                "password"
            ],
            "password": {
                "user": {
                    "id": "d36f803edcc74fae99428efe696c431d",
                    "password": "changeme"
                }
            }
        },
        "scope": {
            "project": {
                "id": "e15bab932d9349f7b2cbe6f1ae62cc8c"
            }
        }
    }
}
And execute it with:
curl -si -d @token_request.json -H "Content-type: application/json" http://localhost:35357/v3/auth/tokens
The return code should tell you if it is successful or not.
To make an admin user, follow the same general path, but use the admin role instead of _member_.
To create a new role named usermanager, use the admin_token again:
curl -H"X-Auth-Token:$TOKEN" -d '{"role":{"name":"usermanager"}}' -H "Content-type: application/json" http://localhost:35357/v3/roles
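The admin_token used throughout is a static shared secret that grants admin rights with no user behind it, so it should not stay active once a real admin user exists. The following is an added example, not code from the original article: a small audit that flags a config file with an active admin_token under [DEFAULT]. The sample files and the [other] section are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): flag a keystone config
# that still has the bootstrap admin_token enabled.
# Assumption: plain INI syntax, '#' or ';' comment lines, "key = value".

# audit_admin_token FILE
#   returns 0 if [DEFAULT] has no active admin_token line, 1 otherwise.
#   Prints only the length of the token, never the secret itself.
audit_admin_token() {
    awk '
        /^[ \t]*[#;]/ { next }                 # commented-out lines are inert
        /^[ \t]*\[/ {                          # track the current section
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        sec == "DEFAULT" && /^[ \t]*admin_token[ \t]*[=:]/ {
            val = $0
            sub(/^[^=:]*[=:][ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            hits++; len = length(val)
        }
        END {
            if (hits) {
                printf "FAIL: admin_token set in [DEFAULT] (%d chars)\n", len
                exit 1
            }
            print "OK: no active admin_token in [DEFAULT]"
        }
    ' "$1"
}

# Constructed sample configs, written to a temp dir so this runs offline.
demo_dir=$(mktemp -d)
printf '[DEFAULT]\nadmin_token = freeipa4all\n' > "$demo_dir/bootstrap.conf"
printf '[DEFAULT]\n#admin_token = freeipa4all\n[other]\nadmin_token = x\n' \
    > "$demo_dir/hardened.conf"

audit_admin_token "$demo_dir/bootstrap.conf" || true   # bootstrap state: FAIL
audit_admin_token "$demo_dir/hardened.conf"            # token commented out: OK
```

Run it against the real config file after the admin user has been created and verified; a non-zero exit status makes it usable as a deployment check.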
Hi, how can I get a domain scoped token? I didn’t find that in the documentation and any other examples. Could you help me?
Regards.