Description without internal link: Describe the issue: Per Flavio Percoco on tenant creation in the Image Service section- A tenant per service is not actually needed. This documentation aims to install each service independently, right? If so, then it's ok. Is it possible to highlight that somewhere? Or perhaps use something different than "glance" for the tenant name - SuperProject, for example. Suggestions for improvement: Redo doc to create one generic/project tenant, and have all service creations use it. Ensure that the concept of a tenant is clear, and why one vs separate might be used. Additional information:
Comment # 2 without internal link: In other material I've seen that creating a "service" tenant is relatively common so we can go down that path. I would suggest a section/note in the identity service chapter to explain this choice is necessary as well because we're just picking a (different) combination out of the hat.
Moved to 4.0 so that we can take the time to address this properly, in particular: - The "default" path provided should be to create a generic "services" tenant shared by all of the services. - A wider ranging discussion of how tenants work and how they are used to effect access control should be put in the keystone chapter.
Flagging 3.0.z as the inconsistency here is wider ranging than I originally thought. Some writers used a "services" tenant, some (most?) used a tenant per service. To fix this up we need to: - Ensure a "services" tenant is created as part of the Keystone chapter (instead of the "keystone" tenant). - Remove steps that create service specific tenants throughout the guide. - Update steps that create endpoint entries to guide users on where the tenant id is supposed to come from (probably adding an additional step to run `keystone tenant-list`).
Changes: 1.3.2. Identity Service - Removed comment about special tenant 'service' for 'glance' user, since this is not an automatic def. when manually installing. (NOTE: needs to be replicated in the GSG). 5.6 Creating the Identity Service Endpoint - Updated next-sections intro to include 'tenants'. 5.7 Creating the Services Tenant - New topic with introduction and creation of the tenant. 6.5.1 Configuring the Identity Service to work with the Object Storage Service Changed tenant line to standard 'services' usage. Lots of reformatting using <systemitem>. 7.4.2. Creating the Image Identity Records Now uses the 'services' tenant. Reformatted section to sync with earlier sections. ...still working on it.....
More changes: 'Creating the Services Tenant' is now 5.9 5.7 Creating an Administrator Account Updated section syntax to match other sections doing the same work with role, service, and tenant creation. 5.8. Creating a Regular User Account Updated section syntax to match other sections doing the same work with role, service, and tenant creation. 8.2.2. Creating the Block Storage Identity Records Now uses the 'services' tenant. Reformatted section to sync with earlier sections. 9.2.2. Creating the OpenStack Networking Identity Records Now uses the 'services' tenant. Reformatted section to sync with earlier sections. 10.3.2. Creating the Red Hat OpenStack Compute Identity Records Now uses the 'services' tenant. Reformatted section to sync with earlier sections.
Next changes for the 'keystone_authtoken admin_tenant' issue.... 7.4.4. Configuring the use of the Identity Service (Image service) Section now uses 'glance' and 'services' for user/tenant. Also restructured section to make usage clearer. 8.3.2. Configuring Authentication (Block Storage) Updated to use 'services' tenant, and made clear that cinder user and services tenant are guide examples. 9.4. Configuring the Networking Service Updated to use 'services' tenant, and made clear that quantum user and services tenant are guide examples. Updated instances of 'networking services' to 'OpenStack Networking service'. 9.5. Configuring the DHCP Agent Updated to use 'services' tenant, and made clear that quantum user and services tenant are guide examples. 9.7. Configuring the L3 Agent Updated to use 'services' tenant, and made clear that quantum user and services tenant are guide examples. Ok, hopefully I've caught it all. Steve, same question as before, are you ok to do the tech review?
And more: 6.5.3. Configuring the Object Storage Service Proxy Service Added explanations for replaceable parameters in step one. Reformatted to match other sections. 7.4.5 Using the Object Storage Service for Image Storage Updated the tenant 'service' to 'services'. Reformatted to match other sections. 10.3.4.5.2 Updating the Compute Configuration Updated to use 'services' tenant, and made clear that quantum user and services tenant are guide examples. D.5.1. glance-registry.conf Updated tenant to 'services', user to 'glance', and 'secrete' to 'secret'. D.5.2. glance-registry-paste.ini Updated tenant 'service' to 'services'. D.5.3. glance-api.conf Updated tenant 'service' to 'services', and 'secrete' to 'secret'.
I can look at it, I would also ask adarazs.
*** Bug 977452 has been marked as a duplicate of this bug. ***
From Attila on updates for '7.4.3.Setting the Database Connection String': The usage of services tenant seems consistent now. Thanks. (Specifically for 977452, which was updated as a result of this task.)
Looks like Steve has looked at it, moving to MODIFIED for QA.
Global change to use "services" tenant for services rather than per-service tenants like "glance", "cinder", etc.
[comment] In other sections (9.5, 9.7), the names services and quantum are in italics. FIX: Switched out <systemitem> for <replaceable> for example options in 9.4 and 10.3.4.6 ------------------------------------------------------ [comment] Should the pwd be the same? (we use glance/secret in D5.1 and D5.3) FIX: Changed admin_password from 'glance' to 'secret' in D.5.2 (to match previous file example). Can be moved to QA with next doc release.
Returning to QA as an updated build is now on the stage.