Saturday, January 11, 2014

OpenStack 101: How to Setup OpenStack Keystone (OpenStack Identity Service)

OpenStack Keystone is an identity or authorization service. Before we can do anything on other OpenStack components, we have to authorize ourselves and only then the operation can proceed. Let us get acquainted with some terminologies before we proceed.
  • Token: An alphanumeric string which allows access to certain set of services depending up on the access level (role) of the user.
  • Service: An OpenStack service like Nova, Swift and Keystone itself.
  • Tenant: A group of users. 
  • Endpoint: A URL (may be private) used to access the service.
  • Role: The authorization level of a user.
Let us go ahead and build the Keystone service for our use.

Step 1: Fedora 20 has OpenStack Havan in its repositories so install it is not a pain at all. Additionally, we need MySQL (replaced by MariaDB in Fedora 20) where Keystone will save its data.
# yum install openstack-utils openstack-keystone mysql-server

Step 2: Once the packages above are installed, we need to set a few things in keystone config. Find the lines and edit them to look like these:
# vim /etc/keystone/keystone.conf
admin_token = ADMIN_TOKEN
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone

Note that ADMIN_TOKEN and KEYSTONE_DBPASS should be long and difficult to guess. Remember that ADMIN_TOKEN is the almighty token which will have full access to create and destroy users and services. Also several tutorials and the official docs use command openstack-config --set /etc/keystone/keystone.conf to do the changes that we just did manually. I do not recommend using the command. It created duplicate sections and entries for me which can be confusing down the line. 

Step 3: Set up MySQL/MariaDB (only required for the first run of MySQL) to set root password. 
# mysql_secure_installation

Now we need to create the required database and tables for Keystone to work. The command below will do that for us. It will ask us for root password to create the keystone use and the database.
# openstack-db --service keystone --init --password KEYSTONE_DBPASS

Step 4: Create the signing keys and certificates for the tokens.
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

Step 5: Set the file owners, just in case something messed up and start the service.
# chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log
# service openstack-keystone start
# chkconfig openstack-keystone on

Step 6: Setup the required environment variables. This will save the effort of supplying all the information every time a Keystone command is executed. Note that by default the Keystone admin port is 35357. This can be changed in /etc/keystone/keystone.conf.
# cat > ~/.keystonerc <<EOF

> export OS_USERNAME=admin
> export OS_TENANT_NAME=admin
> export OS_AUTH_URL=
# . ~/.keystonerc

Step 7: Create the tenants, users and the Keystone service with endpoint.
Creating the tenant:
# keystone tenant-create --name=admin --description="Admin Tenant"

Creating the admin user:
# keystone user-create --name=admin --pass=ADMIN_PASS

Creating and adding admin user to admin role:
# keystone role-create --name=admin
# keystone user-role-add --user=admin --tenant=admin --role=admin

Creating Keystone service and endpoint:
# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
| Property    | Value                                |
| description | Keystone Identity Service            |
| id          | c3dbb8aa4b27492f9c4a663cce0961a3     |
| name        | keystone                             |
| type        | identity                             |

Copy the id from the command above and use it in the command below:
# keystone endpoint-create --service-id=c3dbb8aa4b27492f9c4a663cce0961a3 --publicurl= --internalurl= --adminurl=

Step 8: Test the keystone service.
# keystone --os-username=admin --os-password=ADMIN_PASS --os-auth-url= token-get

A token with id, validity and other information will be returned.

Keystone is up and running. We'll create some services next tutorial.


  1. Hey, I tried doing this on CentOS 6.5 64bit but when I get to
    openstack-db --service keystone --init --password $KEYSTONE_DBPASS
    It fails with
    ERROR 1146 (42S02) at line 1: Table 'keystone.migrate_version' doesn't exist
    Final sanity check failed.
    Do you know how to workaround this?

  2. Im getting this error when executing "keystone-manage pki_setup --keystone-user keystone --keystone-group keystone"

    Usage: keystone-manage COMMAND

    keystone-manage: error: no such option: --keystone-user

    How to fix this? thanks

  3. Hi Aditya,

    This post helped me install/configure keystone successfully.


  4. Helps! thanks a lot ... couple of issues I faced drafting it here so that it helps others...
    WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored). 'NoneType' object has no attribute 'has_service_catalog'

    For some reason ADMIN_TOKEN (random number generated through openssl) didn't work in my case, so I left it default to ADMIN in the keystone.conf file.


Note: Only a member of this blog may post a comment.