1340220 – [Docs] [Installation Reference] Need to document 'keystone-manage bootstrap' command in 'Installation Reference' guide

Bug 1340220 - [Docs] [Installation Reference] Need to document 'keystone-manage bootstrap' command in 'Installation Reference' guide

Summary: [Docs] [Installation Reference] Need to document 'keystone-manage bootstrap' ...

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	Red Hat OpenStack
Classification:	Red Hat
Component:	documentation
Sub Component:
Version:	9.0 (Mitaka)
Hardware:	Unspecified
OS:	Unspecified
Priority:	medium
Severity:	medium
Target Milestone:	ga
Target Release:	9.0 (Mitaka)
Assignee:	Radek Bíba
QA Contact:	Martin Lopes
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2016-05-26 18:29 UTC by Nathan Kinder
Modified:	2016-08-22 23:32 UTC (History)
CC List:	5 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2016-08-22 23:32:52 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Description Nathan Kinder 2016-05-26 18:29:56 UTC

A new 'bootstrap' command has been added to the 'keystone-manage' CLI in Mitaka/OSP9.  This command is designed to avoid using a special 'admin_token'.

This command is used underneath the covers in a TripleO deployment, but end users performing a manual installation will need documentation changes to know how to use it.  Specifically, the 'Installation Reference' guide needs changes in this area:

  https://access.redhat.com/documentation/en/red-hat-openstack-platform/8/installation-reference/33-configure-the-identity-service

Upstream documentation for this exists here, which we should use as a basis for our own documentation:

  http://docs.openstack.org/developer/keystone/configuringservices.html#setting-up-credentials-with-keystone-manage-bootstrap

Comment 2 Andrew Dahms 2016-05-30 07:17:17 UTC

Assigning to Radek for review.

Comment 3 Radek Bíba 2016-06-06 13:17:03 UTC

Nathan,

Is the bootstrap command supposed to obsolete the token-based authentication completely or can we still leave the old instructions in the documentation as an alternative way?

Also, I get lots of deprecation warnings from the keystone commands used later in the docs. In fact, they don't seem to work at all on a Mitaka test box where the bootstrap command has been used. The openstack(1) client works, though. For example:

[root@mitaka ~(keystone_admin)]# keystone user-list 
/usr/lib/python2.7/site-packages/keystoneclient/shell.py:64: DeprecationWarning: The keystone CLI is deprecated in favor of python-openstackclient. For a Python library, continue using python-keystoneclient.
  'python-keystoneclient.', DeprecationWarning)
/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py:145: DeprecationWarning: Constructing an instance of the keystoneclient.v2_0.client.Client class without a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
  'the 2.0.0 release.', DeprecationWarning)
/usr/lib/python2.7/site-packages/keystoneclient/v2_0/client.py:147: DeprecationWarning: Using the 'tenant_name' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_name' argument instead
  super(Client, self).__init__(**kwargs)
/usr/lib/python2.7/site-packages/debtcollector/renames.py:45: DeprecationWarning: Using the 'tenant_id' argument is deprecated in version '1.7.0' and will be removed in version '2.0.0', please use the 'project_id' argument instead
  return f(*args, **kwargs)
/usr/lib/python2.7/site-packages/keystoneclient/httpclient.py:371: DeprecationWarning: Constructing an HTTPClient instance without using a session is deprecated as of the 1.7.0 release and may be removed in the 2.0.0 release.
  'the 2.0.0 release.', DeprecationWarning)
/usr/lib/python2.7/site-packages/keystoneclient/session.py:140: DeprecationWarning: keystoneclient.session.Session is deprecated as of the 2.1.0 release in favor of keystoneauth1.session.Session. It will be removed in future releases.
  DeprecationWarning)
/usr/lib/python2.7/site-packages/keystoneclient/auth/identity/base.py:56: DeprecationWarning: keystoneclient auth plugins are deprecated as of the 2.1.0 release in favor of keystoneauth1 plugins. They will be removed in future releases.
  'in future releases.', DeprecationWarning)
The resource could not be found. (HTTP 404)

Versus:

[root@mitaka ~(keystone_admin)]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 23c56d02d3bc4b88b034e0b3720fcd1b | admin |
+----------------------------------+-------+

Do we need to convert all the keystone CLI commands to openstack CLI commands, too? Or is this something that only occurs with the current builds of the Mitaka packages and will be fixed for Beta/GA?

Comment 4 Nathan Kinder 2016-06-13 14:47:08 UTC

(In reply to Radek Bíba from comment #3)
> Is the bootstrap command supposed to obsolete the token-based authentication
> completely or can we still leave the old instructions in the documentation
> as an alternative way?

Yes, it is supposed to be a more secure way of bootstrapping things without the need for a hardcoded token.  You can leave the old instructions as an alternate way, but we should recommend the bootstrap method be used.

> Do we need to convert all the keystone CLI commands to openstack CLI
> commands, too? Or is this something that only occurs with the current builds
> of the Mitaka packages and will be fixed for Beta/GA?

We should be using the 'openstack' CLI in our examples.  The 'keystone' CLI is deprecated as mentioned in the warnings, and will be going away.

Comment 8 Andrew Dahms 2016-08-22 23:32:52 UTC

This content is now live on the Customer Portal.

Closing.

Note You need to log in before you can comment on or make changes to this bug.