TripleO uses Puppet to manage the resources in a deployment, and Puppet ships a command line tool, `puppet resource`, for looking at (and changing) those resources.

On my deployed Overcloud, I have:

$ ls /etc/puppet/modules/keystone/lib/puppet/provider
keystone         keystone_domain_config      keystone_paste_ini  keystone_service  keystone_user_role
keystone_config  keystone_endpoint           keystone.rb         keystone_tenant
keystone_domain  keystone_identity_provider  keystone_role       keystone_user

So I can use the puppet CLI to query the state of my system, or make changes:

To look at the config:

$ sudo puppet resource keystone_config
keystone_config { 'DEFAULT/admin_bind_host':
  ensure => 'present',
  value  => '10.149.2.13',
}
keystone_config { 'DEFAULT/admin_port':
  ensure => 'present',
  value  => '35357',
}
keystone_config { 'DEFAULT/admin_token':
  ensure => 'present',
  value  => 'vtNheM6drk4mgKgbAtWQPrYJe',
}
keystone_config { 'DEFAULT/log_dir':
  ensure => 'present',
  value  => '/var/log/keystone',
}
...

OK, Admin Token is gross.

$ sudo puppet resource keystone_config DEFAULT/admin_token
keystone_config { 'DEFAULT/admin_token':
  ensure => 'present',
  value  => 'vtNheM6drk4mgKgbAtWQPrYJe',
}

Let’s get rid of that:

$ sudo puppet resource keystone_config DEFAULT/admin_token ensure=absent
Notice: /Keystone_config[DEFAULT/admin_token]/ensure: removed
keystone_config { 'DEFAULT/admin_token':
  ensure => 'absent',
}

Let’s add a user:

$ sudo puppet resource keystone_users
Error: Could not run: Could not find type keystone_users
[heat-admin@overcloud-controller-0 ~]$

Uh oh…what did I do?

[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_config DEFAULT/admin_token ensure=present value=vtNheM6drk4mgKgbAtWQPrYJe
Notice: /Keystone_config[DEFAULT/admin_token]/ensure: created
keystone_config { 'DEFAULT/admin_token':
  ensure => 'present',
  value  => 'vtNheM6drk4mgKgbAtWQPrYJe',
}
[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_user
keystone_user { 'admin':
  ensure  => 'present',
  email   => 'admin@example.com',
  enabled => 'true',
  id      => '7cbc569993ae41e7b2736ed2aa727644',
}
...

So it looks like the Puppet Keystone modules use the admin token to perform their operations.

But I really want to get rid of that admin token…

Back on the undercloud, I have created a Keystone V3 RC file. I’m going to copy that to /root/openrc on the overcloud controller.

[stack@undercloud ~]$ scp overcloudrc.v3 heat-admin@10.149.2.13:
[stack@undercloud ~]$ ssh heat-admin@10.149.2.13
[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_config DEFAULT/admin_token ensure=absent
keystone_config { 'DEFAULT/admin_token':
  ensure => 'absent',
}
[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_user
Error: Could not run: Insufficient credentials to authenticate
[heat-admin@overcloud-controller-0 ~]$ sudo cp overcloudrc.v3 /root/openrc
[heat-admin@overcloud-controller-0 ~]$ sudo puppet resource keystone_user
keystone_user { 'admin':
  ensure  => 'present',
  email   => 'admin@example.com',
  enabled => 'true',
  id      => '7cbc569993ae41e7b2736ed2aa727644',
}
...

Now let’s add a user:

$ sudo puppet resource keystone_user ayoung ensure=present email=ayoung@redhat.com enabled=true password=FreeIPA4All
Notice: /Keystone_user[ayoung]/ensure: created
keystone_user { 'ayoung':
  ensure  => 'present',
  email   => 'ayoung@redhat.com',
  enabled => 'false',
}
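As an added example (my own script, not from the original post or from TripleO), here is the token removal from above done in the safe order: it checks that the V3 RC file the Keystone providers fall back to is in place and looks complete before removing DEFAULT/admin_token, then confirms the result with another `puppet resource` query. The OPENRC and PUPPET variables, the `openrc_usable` check and the OS_* variables it requires are assumptions of mine.

```shell
#!/bin/sh
# Added example, not code from the original post. Removes the Keystone admin
# token via `puppet resource`, but only once /root/openrc (the credentials the
# puppet Keystone providers fall back to) is present and looks complete.
# Assumptions: `puppet resource keystone_config` prints the format shown in
# the post; OPENRC and PUPPET are overridable (handy for testing without puppet).

OPENRC="${OPENRC:-/root/openrc}"
PUPPET="${PUPPET:-sudo puppet}"

# Print the ensure state ('present' or 'absent') of DEFAULT/admin_token by
# parsing the "ensure => '...'" line that `puppet resource` prints.
admin_token_state() {
    $PUPPET resource keystone_config DEFAULT/admin_token |
        sed -n "s/.*ensure *=> *'\([a-z]*\)'.*/\1/p" | head -n 1
}

# Return 0 when the RC file exports the variables a Keystone V3 login needs
# (assumed set: auth URL, user, password and a project or tenant scope).
openrc_usable() {
    f="$1"
    [ -r "$f" ] || return 1
    for var in OS_AUTH_URL OS_USERNAME OS_PASSWORD; do
        grep -q "^export $var=" "$f" || return 1
    done
    grep -Eq '^export (OS_PROJECT_NAME|OS_TENANT_NAME)=' "$f"
}

# Remove the admin token only if puppet will still be able to authenticate
# afterwards; return 2 (and change nothing) when the RC file is not usable.
remove_admin_token() {
    if [ "$(admin_token_state)" = "absent" ]; then
        echo "DEFAULT/admin_token is already absent"
        return 0
    fi
    if ! openrc_usable "$OPENRC"; then
        echo "refusing to remove admin_token: $OPENRC is missing or incomplete" >&2
        return 2
    fi
    $PUPPET resource keystone_config DEFAULT/admin_token ensure=absent >/dev/null
    # Confirm the change the same way the post does: query the resource again.
    [ "$(admin_token_state)" = "absent" ]
}

# Run the removal when invoked directly with "run" (e.g. `sh remove_token.sh run`).
if [ "${1:-}" = "run" ]; then remove_admin_token; fi
```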

Big Shout out to Emilien Macchi who is the Master of Keystone Puppets and taught me about the openrc file.