2404d486ac
Adds the status upgrade check for the JSON to YAML migration effort and updates the documentation where it seems appropriate to move from "policy.json" to "policy.yaml" Mostly shamelessly copied from https://review.opendev.org/#/c/748059/ however is in-line with ironic's configuration and patching methods. Related Blueprint: policy-json-to-yaml Change-Id: I1d5b3892451579ebfd4d75a0f7185e0ef3c984c8
81 lines
3.5 KiB
ReStructuredText
81 lines
3.5 KiB
ReStructuredText
Configure the Identity service for the Bare Metal service
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
#. Create the Bare Metal service user (for example, ``ironic``).
|
|
The service uses this to authenticate with the Identity service.
|
|
Use the ``service`` tenant and give the user the ``admin`` role:
|
|
|
|
.. code-block:: console
|
|
|
|
$ openstack user create --password IRONIC_PASSWORD \
|
|
--email ironic@example.com ironic
|
|
$ openstack role add --project service --user ironic admin
|
|
|
|
#. You must register the Bare Metal service with the Identity service so that
|
|
other OpenStack services can locate it. To register the service:
|
|
|
|
.. code-block:: console
|
|
|
|
$ openstack service create --name ironic --description \
|
|
"Ironic baremetal provisioning service" baremetal
|
|
|
|
#. Use the ``id`` property that is returned from the Identity service when
|
|
registering the service (above), to create the endpoint,
|
|
and replace ``IRONIC_NODE`` with your Bare Metal service's API node:
|
|
|
|
.. code-block:: console
|
|
|
|
$ openstack endpoint create --region RegionOne \
|
|
baremetal admin http://$IRONIC_NODE:6385
|
|
$ openstack endpoint create --region RegionOne \
|
|
baremetal public http://$IRONIC_NODE:6385
|
|
$ openstack endpoint create --region RegionOne \
|
|
baremetal internal http://$IRONIC_NODE:6385
|
|
|
|
#. You may delegate limited privileges related to the Bare Metal service
|
|
to your Users by creating Roles with the OpenStack Identity service. By
|
|
default, the Bare Metal service expects the "baremetal_admin" and
|
|
"baremetal_observer" Roles to exist, in addition to the default "admin"
|
|
Role. There is no negative consequence if you choose not to create these
|
|
Roles. They can be created with the following commands:
|
|
|
|
.. code-block:: console
|
|
|
|
$ openstack role create baremetal_admin
|
|
$ openstack role create baremetal_observer
|
|
|
|
If you choose to customize the names of Roles used with the Bare Metal
|
|
service, do so by changing the "is_member", "is_observer", and "is_admin"
|
|
policy settings in ``/etc/ironic/policy.yaml``.
|
|
|
|
More complete documentation on managing Users and Roles within your
|
|
OpenStack deployment are outside the scope of this document, but may be
|
|
found :keystone-doc:`here <admin/identity-concepts.html#user-management>`.
|
|
|
|
#. You can further restrict access to the Bare Metal service by creating a
|
|
separate "baremetal" Project, so that Bare Metal resources (Nodes, Ports,
|
|
etc) are only accessible to members of this Project:
|
|
|
|
.. code-block:: console
|
|
|
|
$ openstack project create baremetal
|
|
|
|
At this point, you may grant read-only access to the Bare Metal service API
|
|
without granting any other access by issuing the following commands:
|
|
|
|
.. code-block:: console
|
|
|
|
$ openstack user create \
|
|
--domain default --project-domain default --project baremetal \
|
|
--password PASSWORD USERNAME
|
|
$ openstack role add \
|
|
--user-domain default --project-domain default --project baremetal \
|
|
--user USERNAME baremetal_observer
|
|
|
|
#. Further documentation is available elsewhere for the ``openstack``
|
|
:python-openstackclient-doc:`command-line client <cli/authentication.html>`
|
|
and the :keystone-doc:`Identity <admin/cli-manage-projects-users-and-roles.html>`
|
|
service. A :doc:`policy.yaml.sample </configuration/sample-policy>`
|
|
file, which enumerates the service's default policies, is provided for
|
|
your convenience with the Bare Metal Service.
|