Bug 965943 - Tenant creation needs to be clarified.
Tenant creation needs to be clarified.
Status: CLOSED CURRENTRELEASE
Product: Red Hat OpenStack
Classification: Red Hat
Component: doc-Installation_and_Configuration_Guide (Show other bugs)
3.0
Unspecified Unspecified
high Severity high
: async
: 3.0
Assigned To: Summer Long
ecs-bugs
: Documentation, Triaged, ZStream
: 977452 (view as bug list)
Depends On:
Blocks: 1011085
  Show dependency treegraph
 
Reported: 2013-05-22 02:32 EDT by Summer Long
Modified: 2014-01-05 23:25 EST (History)
3 users (show)

See Also:
Fixed In Version: Red_Hat_OpenStack-Installation_and_Configuration_Guide-3-web-en-US-3-31.el6eng
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-01-05 23:25:23 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Comment 3 Stephen Gordon 2013-06-12 14:36:09 EDT
Description without internal link:

Describe the issue: 
Per Flavio Percoco on tenant creation in the Image Service section-
A tenant per service is not actually needed. This documentation aims to install each service independently, right? If so, then it's ok. Is it possible to highlight that somewhere? Or perhaps use something different than "glance" for the tenant name - SuperProject, for example. 

Suggestions for improvement: 
Redo doc to create one generic/project tenant, and have all service creations use it.
Ensure that the concept of a tenant is clear, and why one vs separate might be used.

Additional information:
Comment 4 Stephen Gordon 2013-06-12 14:38:59 EDT
Comment # 2 without internal link:

In other material I've seen that creating a "service" tenant is relatively common so we can go down that path. I would suggest a section/note in the identity service chapter to explain this choice is necessary as well because we're just picking a (different) combination out of the hat.
Comment 5 Stephen Gordon 2013-06-12 14:40:32 EDT
Moved to 4.0 so that we can take the time to address this properly, in particular:

- The "default" path provided should be to create a generic "services" tenant shared by all of the services.

- A wider ranging discussion of how tenants work and how they are used to effect access control should be put in the keystone chapter.
Comment 6 Stephen Gordon 2013-06-24 11:09:20 EDT
Flagging 3.0.z as the inconsistency here is wider ranging than I originally thought. Some writers used a "services" tenant, some (most?) used a tenant per service.

To fix this up we need to:

- Ensure a "services" tenant is created as part of the Keystone chapter (instead of the "keystone" tenant).
- Remove steps that create service specific tenants throughout the guide.
- Update steps that create endpoint entries to guide users on where the tenant id is supposed to come from (probably adding an additional step to run `keystone tenant-list`).
Comment 8 Summer Long 2013-06-28 02:49:20 EDT
Changes:
1.3.2. Identity Service -  Removed comment about special tenant 'service' for 'glance' user, since this is not an automatic def. when manually installing. (NOTE: needs to be replicated in the GSG).
5.6 Creating the Identity Service Endpoint - Updated next-sections intro to include 'tenants'.
5.7 Creating the Services Tenant - New topic with introduction and creation of the tenant.
6.5.1 Configuring the Identity Service to work with the Object Storage Service
Changed tenant line to standard 'services' usage. Lots of reformatting using <systemitem>.
7.4.2. Creating the Image Identity Records
Now uses the 'services' tenant. Reformatted section to sync with earlier sections.

...still working on it.....
Comment 9 Summer Long 2013-06-30 23:51:13 EDT
More changes:
'Creating the Services Tenant' is now 5.9

5.7 Creating an Administrator Account
Updated section syntax to match other sections doing the same work with role, service, and tenant creation.
5.8. Creating a Regular User Account
Updated section syntax to match other sections doing the same work with role, service, and tenant creation.
8.2.2. Creating the Block Storage Identity Records
Now uses the 'services' tenant. Reformatted section to sync with earlier sections.
9.2.2. Creating the OpenStack Networking Identity Records
Now uses the 'services' tenant. Reformatted section to sync with earlier sections.
10.3.2. Creating the Red Hat OpenStack Compute Identity Records
Now uses the 'services' tenant. Reformatted section to sync with earlier sections.
Comment 11 Summer Long 2013-07-01 21:33:26 EDT
Next changes for the 'keystone_authtoken admin_tenant' issue....
7.4.4. Configuring the use of the Identity Service (Image service)
Section now uses 'glance' and 'services' for user/tenant. Also restructured section to make usage clearer.

8.3.2. Configuring Authentication (Block Storage)
Updated to use 'services' tenant, and made clear that cinder user and services tenant are guide examples.

9.4. Configuring the Networking Service
Updated to use 'services' tenant, and made clear that quantum user and services tenant are guide examples. Updated instances of 'networking services' to 'OpenStack Networking service'.

9.5. Configuring the DHCP Agent
Updated to use 'services' tenant, and made clear that quantum user and services tenant are guide examples.

9.7. Configuring the L3 Agent
Updated to use 'services' tenant, and made clear that quantum user and services tenant are guide examples.

Ok, hopefully I've caught it all. Steve, same question as before, are you ok to do the tech review?
Comment 12 Summer Long 2013-07-01 22:39:29 EDT
And more:
6.5.3.  Configuring the Object Storage Service Proxy Service
Added explanations for replaceable parameters in step one. Reformatted to match other sections.

7.4.5 Using the Object Storage Service for Image Storage
Updated the tenant 'service' to 'services'. Reformatted to match other sections.

10.3.4.5.2 Updating the Compute Configuration
Updated to use 'services' tenant, and made clear that quantum user and services tenant are guide examples.

D.5.1. glance-registry.conf
Updated tenant to 'services', user to 'glance', and 'secrete' to 'secret'.

D.5.2. glance-registry-paste.ini
Updated tenant 'service' to 'services'.

D.5.3. glance-api.conf
Updated tenant 'service' to 'services', and 'secrete' to 'secret'.
Comment 13 Stephen Gordon 2013-07-02 17:46:03 EDT
I can look at it, I would also ask adarazs.
Comment 14 Summer Long 2013-07-02 18:39:32 EDT
*** Bug 977452 has been marked as a duplicate of this bug. ***
Comment 15 Summer Long 2013-07-02 18:46:56 EDT
From Attila on updates for '7.4.3.Setting the Database Connection String': 
The usage of services tenant seems consistent now. Thanks. 
(Specifically for 977452, which was updated as a result of this task.)
Comment 16 Summer Long 2013-07-17 20:46:13 EDT
Looks like Steve has looked at it, moving to MODIFIED for QA.
Comment 17 Stephen Gordon 2013-07-24 14:23:40 EDT
Global change to use "services" tenant for services rather than per-service tenants like "glance", "cinder", etc.
Comment 19 Summer Long 2013-07-25 01:04:24 EDT
[comment] In other sections (9.5, 9.7), the names services and quantum are in italics.
FIX: Switched out <systemitem> for <replaceable> for example options in 9.4 and 10.3.4.6
------------------------------------------------------
[comment] Should the pwd be the same? (we use glance/secret in D5.1 and D5.3)
FIX: Changed admin_password from 'glance' to 'secret' in D.5.2 (to match previous file example).

Can be moved to QA with next doc release.
Comment 20 Stephen Gordon 2013-08-06 13:28:21 EDT
Returning to QA as an updated build is now on the stage.

Note You need to log in before you can comment on or make changes to this bug.