Installing Keystone

Keystone provides identity authentication and authorization for other service components in the OpenStack project. Install Keystone on the controller node.

Create a Keystone database and grant permissions.
1. Log in to the database as the root user.
```
mysql -u root -p 
```
2. In the database, create a Keystone database and grant permissions.
```
CREATE DATABASE keystone; 
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS'; 
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS'; 
```
  Replace KEYSTONE_DBPASS with the password of the Keystone database user. The password cannot contain the characters including #@$ and can contain the special characters including &=-_.+!*()
3. Exit the database.
```
exit
```

Install the software package.

yum install openstack-keystone httpd mod_wsgi

Configure the Keystone configuration file.
1. Open the /etc/keystone/keystone.conf file.
```
vi /etc/keystone/keystone.conf
```
2. Press i to enter the insert mode and add the following content:
```
[database] 
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
 
[token] 
provider = fernet
```
  The [database] field is used to configure the database parameters.
  
  The [token] field is used to configure the token provider.
  
  Replace KEYSTONE_DBPASS with the password of the Keystone database user.
1. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.

Synchronize the database.

su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the Fernet keystore.

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone 
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Start the service.
```
keystone-manage bootstrap --bootstrap-password ADMIN_PASSWORD --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
```
- Replace ADMIN_PASSWORD with the admin user password. Note that the password must be the same as OS_PASSWORD=ADMIN_PASSWORD set in 9.
- The password cannot contain the characters including #@$ and can contain the special characters including &=-_.+!*()
Configure the Apache HTTP server.
1. Open the httpd.conf file.
```
vi /etc/httpd/conf/httpd.conf
```
2. Press i to enter the insert mode and add the following content:
```
ServerName controller
```
  Configure ServerName to use the controller node.
  
  If ServerName does not exist in the file, create one.
1. Press Esc to exit the insert mode. Type :wq! and press Enter to save the file and exit.
2. Create a soft link.
```
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
```

Start the Apache HTTP service.

systemctl enable httpd.service 
systemctl start httpd.service

Create an environment variable configuration file.

cat << EOF >> ~/.admin-openrc 
export OS_PROJECT_DOMAIN_NAME=Default 
export OS_USER_DOMAIN_NAME=Default 
export OS_PROJECT_NAME=admin 
export OS_USERNAME=admin 
export OS_PASSWORD=ADMIN_PASSWORD 
export OS_AUTH_URL=http://controller:5000/v3 
export OS_IDENTITY_API_VERSION=3 
export OS_IMAGE_API_VERSION=2 
EOF

Replace ADMIN_PASSWORD with the admin user password.

Install the OpenStack client.
```
yum install python3-openstackclient
```

Create domains, projects, users, and roles in sequence.

Import environment variables.
```
source ~/.admin-openrc
```

Create a project service. domain default has been created during keystone-manage bootstrap.

openstack domain create --description "An Example Domain" example 
openstack project create --domain default --description "Service Project" service

Create a non-admin project (myproject), user (myuser), and role (myrole), and add myrole to myproject and myuser.

openstack project create --domain default --description "Demo Project" myproject 
openstack user create --domain default --password-prompt myuser 
openstack role create myrole 
openstack role add --project myproject --user myuser myrole

Check whether Keystone is successfully installed.

Cancel the temporary environment variables OS_AUTH_URL and OS_PASSWORD.
```
source ~/.admin-openrc 
unset OS_AUTH_URL OS_PASSWORD
```

Request a token for the admin user.

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue

Request a token for the myuser user.

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue

Parent topic: Deployment and Verification