
Installing, Configuring, and Verifying Keystone

Keystone provides identity authentication and authorization for other service components in the OpenStack project.

Install, configure, and verify Keystone on the controller node.

Creating the Keystone Database

  1. Access the MySQL database.
    mysql -u root -p
    
  2. Create a database for Keystone.
    CREATE DATABASE keystone;
    
  3. Grant the keystone database user access to the database from the local host and from remote hosts. PASSWORD is the password that these GRANT statements assign to the keystone database user.
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '<PASSWORD>';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '<PASSWORD>';
    

    Replace PASSWORD with the actual password. OpenStack user passwords may contain the special characters & = $ - _ . + ! * ( ) but not the number sign (#). OpenStack imposes no password complexity requirements, so a password without special characters is accepted.

  4. Exit the database.
    exit
    

Installing Keystone

  1. Install the Keystone package.
    yum config-manager update --set-enabled
    yum -y install openstack-keystone httpd python2-mod_wsgi
    
  2. Open the /etc/keystone/keystone.conf file for editing (for example, with vi in insert mode).

    Add the following to the [database] section:

    connection = mysql+pymysql://keystone:<PASSWORD>@controller/keystone
    

    Add the following to the [token] section:

    provider = fernet
    

    PASSWORD is the password you set for the keystone database user in Creating the Keystone Database.

  3. Populate the Identity service database.
    su -s /bin/sh -c "keystone-manage db_sync" keystone
    
  4. Initialize Fernet key repositories.
    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
    
  5. Bootstrap the Identity service.
    keystone-manage bootstrap --bootstrap-password <PASSWORD> \
    --bootstrap-admin-url http://controller:5000/v3/ \
    --bootstrap-internal-url http://controller:5000/v3/ \
    --bootstrap-public-url http://controller:5000/v3/ \
    --bootstrap-region-id RegionOne
    

    Replace PASSWORD with the password you want for the admin user.
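
The settings made in this section are easy to get subtly wrong: a placeholder left in the connection string, a keystone.conf that is world-readable even though it holds the database password, or a Fernet key repository with lax permissions. The script below is an added example, not part of the original document or of Keystone itself. It assumes the layout this page uses (/etc/keystone/keystone.conf and the fernet-keys directory that keystone-manage fernet_setup creates, by default /etc/keystone/fernet-keys) and builds a constructed copy of both in a temporary directory so that it runs without a Keystone installation; point check_conf_file() and check_fernet_repo() at the real paths to use it on the controller.

```python
"""Post-install checks for keystone.conf's [database]/[token] entries and the
Fernet key repository. Added example, not part of the original docs; the
sample config, the keys and the temp-dir layout are constructed for the demo."""
import base64
import configparser
import os
import stat
import tempfile
from urllib.parse import urlsplit

# Constructed sample of the two sections once <PASSWORD> has been replaced.
SAMPLE_CONF = """[database]
connection = mysql+pymysql://keystone:s3cret-pass@controller/keystone

[token]
provider = fernet
"""


def check_conf_text(text):
    """Findings for the [database]/[token] settings; an empty list means OK."""
    findings = []
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    url = urlsplit(cp.get("database", "connection", fallback=""))
    if url.scheme != "mysql+pymysql":
        findings.append("[database] connection should start with mysql+pymysql://")
    if not url.password or url.password.strip("<>") == "PASSWORD":
        findings.append("[database] connection still carries the <PASSWORD> placeholder")
    if url.path != "/keystone":
        findings.append("[database] connection does not name the keystone database")
    if cp.get("token", "provider", fallback="") != "fernet":
        findings.append("[token] provider is not fernet")
    return findings


def _lax_mode(path, allowed):
    """Permission bits on path beyond `allowed` (0 when the mode is tight enough)."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~allowed


def check_conf_file(path):
    """keystone.conf holds the DB password, so it must not be world-readable."""
    findings = []
    if _lax_mode(path, 0o640):
        findings.append(f"{path} is readable beyond root and the keystone group")
    with open(path, encoding="utf-8") as f:
        findings.extend(check_conf_text(f.read()))
    return findings


def check_fernet_repo(repo):
    """Expect a 0700 directory of 0600 files named 0, 1, ...: '0' is the staged
    key for the next rotation, the highest number is the primary key."""
    findings = []
    if _lax_mode(repo, 0o700):
        findings.append(f"{repo} should be mode 0700")
    numbers = []
    for name in sorted(os.listdir(repo)):
        path = os.path.join(repo, name)
        if not name.isdigit():
            findings.append(f"unexpected file {name!r} in the key repository")
            continue
        if _lax_mode(path, 0o600):
            findings.append(f"key {name} should be mode 0600")
        with open(path, "rb") as f:
            raw = f.read().strip()
        try:  # a Fernet key is 32 random bytes, urlsafe-base64 encoded
            valid = len(base64.urlsafe_b64decode(raw)) == 32
        except ValueError:
            valid = False
        if not valid:
            findings.append(f"key {name} is not a valid Fernet key")
        numbers.append(int(name))
    if 0 not in numbers:
        findings.append("no staged key '0'; the next rotation has nothing to promote")
    if not any(n > 0 for n in numbers):
        findings.append("no primary key; run keystone-manage fernet_setup")
    return findings


def demo(key_mode=0o600):
    """Lay out keystone.conf and fernet-keys as fernet_setup would (constructed,
    in a temp dir) and run both checks; key_mode lets you provoke a mode finding."""
    with tempfile.TemporaryDirectory() as tmp:
        conf = os.path.join(tmp, "keystone.conf")
        with open(conf, "w", encoding="utf-8") as f:
            f.write(SAMPLE_CONF)
        os.chmod(conf, 0o640)
        repo = os.path.join(tmp, "fernet-keys")
        os.mkdir(repo)
        os.chmod(repo, 0o700)
        for name in ("0", "1"):  # fernet_setup creates 0 (staged) and 1 (primary)
            path = os.path.join(repo, name)
            with open(path, "wb") as f:
                f.write(base64.urlsafe_b64encode(os.urandom(32)))
            os.chmod(path, key_mode)
        return {"conf": check_conf_file(conf), "fernet": check_fernet_repo(repo)}
```

demo() returns {"conf": [], "fernet": []} for the constructed layout; demo(key_mode=0o644) reports the lax key mode. On a controller, check_conf_file("/etc/keystone/keystone.conf") and check_fernet_repo("/etc/keystone/fernet-keys") run the same checks against the real files (ownership by the keystone user is not checked here).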

Configuring the Apache HTTP Service

  1. Edit the /etc/httpd/conf/httpd.conf file and configure ServerName to reference the controller node.

    This option is commented out by default; locate the line, uncomment it, and set its value.

  2. Create a link to the /usr/share/keystone/wsgi-keystone.conf file.
    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
    
  3. Enable the Apache HTTP service and configure it to start as the system boots.
    systemctl enable httpd.service
    systemctl start httpd.service
    
  4. Create an OpenStack client environment script.
    cat << EOF >> /etc/keystone/admin-openrc
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=ADMIN_PASSWORD
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    EOF

    Replace ADMIN_PASSWORD with the password of the admin user.

Creating Domains, Projects, Users, and Roles

  1. Load the environment variables from the script.
    source /etc/keystone/admin-openrc
    
  2. Create a domain.
    openstack domain create --description "An Example Domain" example
    

    This step shows how to create a domain. The default domain was already created by the keystone-manage bootstrap command in step 5 of Installing Keystone.

  3. Create the service project.
    openstack project create --domain default --description "Service Project" service
    

  4. Create a regular (non-admin) project named myproject for everyday tasks.
    openstack project create --domain default --description "Demo Project" myproject
    

  5. Create a regular user named myuser.
    openstack user create --domain default --password-prompt myuser
    

    Enter the password for myuser at the prompt.

  6. Create a role.
    openstack role create myrole
    

  7. Assign the myrole role to the myuser user in the myproject project.
    openstack role add --project myproject --user myuser myrole
    

Verifying Keystone

  1. Unset the OS_AUTH_URL and OS_PASSWORD environment variables so that the next commands authenticate explicitly.
    unset OS_AUTH_URL OS_PASSWORD
    
  2. Request an authentication token as user admin.
    openstack --os-auth-url http://controller:5000/v3 \
    --os-project-domain-name Default --os-user-domain-name Default \
    --os-project-name admin --os-username admin token issue
    

    Enter the password: PASSWORD

    The password is user-defined; this document writes it as PASSWORD. Here, PASSWORD is the password of the admin user.

  3. Request an authentication token as user myuser.
    openstack --os-auth-url http://controller:5000/v3 \
    --os-project-domain-name Default --os-user-domain-name Default \
    --os-project-name myproject --os-username myuser token issue
    

    Enter the password: PASSWORD

  4. Load the admin-openrc script and request a token with the variables it sets.
    source /etc/keystone/admin-openrc
    openstack token issue
    openstack token issue
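
`openstack token issue` is a single Keystone v3 call: a POST to /v3/auth/tokens carrying the user, domain, password and project scope taken from the --os-* options (or the OS_* variables), answered with 201 Created and the token id in the X-Subject-Token response header rather than in the body. The script below is an added example, not part of the original document or of the openstack client. It builds that request body, parses a constructed reply (the token id, expiry and role names are sample values), and shows a wrong-password reply being rejected; request_token() performs the live call against the auth URL used above, which is plain http://, so the password crosses the network unencrypted unless TLS is configured in front of Apache.

```python
"""What `openstack token issue` does on the wire: a Keystone v3 password-scoped
token request and the reply it gets. Added example, not from the docs; the
replies below are constructed to match the shape of the v3 API."""
import json
import urllib.request


def build_password_auth(username, password, project, user_domain="Default",
                        project_domain="Default"):
    """Body for POST /v3/auth/tokens: password method, scoped to a project.
    Mirrors the --os-* options the docs pass to the openstack client."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}


def parse_token_response(status, headers, body):
    """Return the token id (from the X-Subject-Token header, not the body) and
    the scope Keystone granted. Raises PermissionError on a non-201 reply."""
    if status != 201:
        try:
            msg = json.loads(body)["error"]["message"]
        except (ValueError, KeyError, TypeError):
            msg = body
        raise PermissionError(f"HTTP {status}: {msg}")
    hdrs = {k.lower(): v for k, v in headers.items()}
    tok = json.loads(body)["token"]
    return {"id": hdrs["x-subject-token"],
            "expires_at": tok["expires_at"],
            "user": tok["user"]["name"],
            "project": tok.get("project", {}).get("name"),  # None for unscoped tokens
            "roles": [r["name"] for r in tok.get("roles", [])]}


def request_token(auth_url, username, password, project):
    """Live request (not exercised offline): POST to <auth_url>/auth/tokens."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens",
        data=json.dumps(build_password_auth(username, password, project)).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.status, resp.headers, resp.read().decode())


# Constructed reply in the shape Keystone v3 returns for a project-scoped token.
SAMPLE_OK_HEADERS = {"Content-Type": "application/json",
                     "X-Subject-Token": "gAAAAAB-constructed-token-id"}
SAMPLE_OK_BODY = json.dumps({"token": {
    "methods": ["password"],
    "expires_at": "2024-01-01T01:00:00.000000Z",
    "user": {"name": "admin", "domain": {"name": "Default"}},
    "project": {"name": "admin", "domain": {"name": "Default"}},
    "roles": [{"name": "admin"}]}})

# Constructed reply for a wrong password (Keystone answers 401).
SAMPLE_DENIED_BODY = json.dumps({"error": {
    "code": 401, "title": "Unauthorized",
    "message": "The request you have made requires authentication."}})


def demo():
    """Parse the good reply and show the denied reply being rejected."""
    ok = parse_token_response(201, SAMPLE_OK_HEADERS, SAMPLE_OK_BODY)
    try:
        parse_token_response(401, {}, SAMPLE_DENIED_BODY)
        denied = None
    except PermissionError as e:
        denied = str(e)
    return ok, denied
```

demo() returns the parsed token dict (id, expires_at, user, project, roles) and the "HTTP 401: ..." message for the denied sample. To run the live call on the controller, request_token("http://controller:5000/v3", "admin", password, "admin") sends exactly the request that the `openstack ... token issue` commands in this section send.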