Keystone is the OpenStack Identity service. It tracks users and their permissions and provides a catalog of services and their API endpoints. It does not implement user management itself; rather, it provides plug-in interfaces so you can choose between its own authentication backend and the third-party identity services available on the market.
Before going ahead, take a look at the infrastructure design in the previous article.
This guide shows you how to install and configure the OpenStack Identity service, code-named keystone, on the controller node.
Prerequisites:
Before installing the OpenStack Identity service, you must create a database and an administration token.
# mysql -u root -p
Create the keystone database.
CREATE DATABASE keystone;
Set proper access to the keystone database.
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'PASSWD';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'PASSWD';
Replace PASSWD with a suitable password.
Generate a random value that can be used as the administration token for the initial configuration.
# openssl rand -hex 10
Install and Configure KeyStone:
Disable the keystone service from starting automatically after installation.
# echo "manual" > /etc/init/keystone.override
* In Kilo, the Apache HTTP server serves keystone requests on ports 5000 and 35357 with the help of mod_wsgi, replacing Eventlet, which is deprecated in this version of OpenStack.
Install keystone.
# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
Edit the keystone configuration file.
# nano /etc/keystone/keystone.conf
Place the following entries in the proper sections of the above file. Keep the comments on their own lines: keystone's config parser does not strip a comment that follows a value on the same line, so it would become part of the value.
[DEFAULT]
...
# Replace 43405b090eda983ddde2 with the random value that you generated earlier
admin_token = 43405b090eda983ddde2
verbose = True

[database]
...
# Replace PASSWD with your keystone DB password
connection = mysql://keystone:PASSWD@controller/keystone

[memcache]
...
servers = localhost:11211

[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token

[revoke]
...
driver = keystone.contrib.revoke.backends.sql.Revoke
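A quick way to catch the two mistakes this step invites (a placeholder left in place, or a comment glued onto a value) is to parse the finished file the same way keystone does and check the values. The script below is an added example, not code from the original post or from the OpenStack project; it runs against a constructed copy of the fragment above, and the 20-character hex check simply mirrors what "openssl rand -hex 10" produces.

```python
"""Sanity checks for the keystone.conf settings from this step.

Added example (not from the original post or the OpenStack project): it
parses a constructed copy of the keystone.conf fragment and flags the
placeholders the guide tells you to replace, plus an inline comment that
the parser would otherwise swallow into the value.
"""
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample: the guide's fragment with the placeholders left in,
# and one value that still carries an inline comment.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = 43405b090eda983ddde2 ## Replace with your random value
verbose = True

[database]
connection = mysql://keystone:PASSWD@controller/keystone

[memcache]
servers = localhost:11211

[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token

[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
"""

GUIDE_SAMPLE_TOKEN = "43405b090eda983ddde2"   # the value shown in the guide


def parse_conf(text):
    """Parse the file with '#' treated as a comment only at line start,
    so anything after a value on the same line stays part of the value."""
    cp = configparser.RawConfigParser(inline_comment_prefixes=None, strict=False)
    cp.read_string(text)
    return cp


def check_keystone_conf(text):
    """Return a list of findings; an empty list means the fragment is sane."""
    cp = parse_conf(text)
    findings = []

    token = cp.get("DEFAULT", "admin_token", fallback="")
    if not token:
        findings.append("admin_token is missing")
    elif not re.fullmatch(r"[0-9a-f]{20}", token):
        # 'openssl rand -hex 10' yields exactly 20 hex characters; anything
        # else usually means an inline comment got glued onto the value.
        findings.append("admin_token is not a 20-char hex value: %r" % token)
    elif token == GUIDE_SAMPLE_TOKEN:
        findings.append("admin_token is still the sample value from the guide")

    conn = cp.get("database", "connection", fallback="")
    url = urlsplit(conn)
    if not url.scheme.startswith("mysql"):
        findings.append("database connection is not MySQL: %r" % conn)
    elif url.password in (None, "", "PASSWD"):
        findings.append("database password is missing or still the PASSWD placeholder")

    if cp.get("memcache", "servers", fallback="") != "localhost:11211":
        findings.append("memcache servers should point at the local memcached")

    if cp.get("token", "provider", fallback="") != "keystone.token.providers.uuid.Provider":
        findings.append("token provider is not the UUID provider used by this guide")

    return findings


if __name__ == "__main__":
    for finding in check_keystone_conf(SAMPLE_CONF):
        print("-", finding)
```

Run it against /etc/keystone/keystone.conf by reading the file into check_keystone_conf; on the constructed sample it reports the glued-on comment and the PASSWD placeholder, and returns an empty list once both are fixed.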
Run the following command to populate the identity service database.
# keystone-manage db_sync
Configure Apache HTTP server:
Edit /etc/apache2/apache2.conf and set the ServerName option to reference the controller node.
ServerName controller
Create the file below.
# nano /etc/apache2/sites-enabled/wsgi-keystone.conf
Paste the following content into the above file.
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
Create the directory for WSGI components.
# mkdir -p /var/www/cgi-bin/keystone
Run the following command to download the WSGI components from the upstream repository.
# curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo | tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
Change ownership and permissions.
# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*
Restart the Apache service.
# service apache2 restart
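Before restarting Apache it is worth checking that both virtual hosts still match the file above: each must run its daemon process as the keystone user rather than root, pass the HTTP Authorization header through to keystone (WSGIPassAuthorization On), and serve the WSGI script that belongs to its port. The script below is an added example, not code from the original post or from OpenStack; it parses a constructed copy of wsgi-keystone.conf in which the admin vhost has been deliberately broken to show what the checks report.

```python
"""Structural checks for the wsgi-keystone.conf from this step.

Added example (not code from the original post or from OpenStack): a small
parser for the Listen and VirtualHost directives, followed by checks that
each keystone vhost runs as the keystone user, passes the Authorization
header through, and serves the WSGI script that matches its port.
"""
import re
import shlex

# Constructed sample: the guide's vhost file, with the admin vhost
# deliberately misconfigured (runs as root, no WSGIPassAuthorization).
SAMPLE_VHOST = """\
Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=root display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    LogLevel info
</VirtualHost>
"""

# Which WSGI script each port is expected to serve (taken from the guide).
EXPECTED_SCRIPT = {5000: "/var/www/cgi-bin/keystone/main",
                   35357: "/var/www/cgi-bin/keystone/admin"}


def parse_vhosts(text):
    """Return (listen_ports, {port: {directive: [args, ...]}}).
    <IfVersion> wrappers are skipped; their inner directives are kept."""
    listen, vhosts, current = set(), {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<VirtualHost\s+\S*:(\d+)>", line)
        if m:
            current = int(m.group(1))
            vhosts[current] = {}
            continue
        if line == "</VirtualHost>":
            current = None
            continue
        if line.startswith("<"):          # <IfVersion ...> / </IfVersion>
            continue
        parts = shlex.split(line)
        if current is None:
            if parts[0] == "Listen":
                listen.add(int(parts[1]))
        else:
            vhosts[current].setdefault(parts[0], []).append(parts[1:])
    return listen, vhosts


def daemon_user(args):
    """Pull user=<name> out of a WSGIDaemonProcess argument list."""
    for a in args:
        if a.startswith("user="):
            return a.split("=", 1)[1]
    return None


def check_vhosts(text):
    """Return a list of findings; empty means the file matches the guide."""
    listen, vhosts = parse_vhosts(text)
    findings = []
    for port in sorted(listen):
        if port not in vhosts:
            findings.append("Listen %d has no matching VirtualHost" % port)
    for port, d in sorted(vhosts.items()):
        if port not in listen:
            findings.append("VirtualHost *:%d has no Listen directive" % port)
        dp = d.get("WSGIDaemonProcess")
        user = daemon_user(dp[0]) if dp else None
        if user != "keystone":
            findings.append("port %d: WSGIDaemonProcess should run as user=keystone, got %r" % (port, user))
        pa = d.get("WSGIPassAuthorization", [[]])[0]
        if not pa or pa[0].lower() != "on":
            findings.append("port %d: WSGIPassAuthorization is not On" % port)
        alias = d.get("WSGIScriptAlias")
        script = alias[0][1] if alias and len(alias[0]) > 1 else None
        if script != EXPECTED_SCRIPT.get(port):
            findings.append("port %d: WSGIScriptAlias should be %s, got %r" % (port, EXPECTED_SCRIPT.get(port), script))
    return findings


if __name__ == "__main__":
    for finding in check_vhosts(SAMPLE_VHOST):
        print("-", finding)
```

Point check_vhosts at the contents of /etc/apache2/sites-enabled/wsgi-keystone.conf; on the constructed sample it reports the root daemon user and the missing WSGIPassAuthorization on the 35357 vhost and nothing for port 5000.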
Remove the SQLite database, as we are using the MySQL database.
# rm -f /var/lib/keystone/keystone.db
Next, create the service entity and API endpoints.