OpenStack Keystone is OpenStack's identity and authorization service. Before we can do anything on the other OpenStack components, we have to authenticate with Keystone; only then can the operation proceed. Let us get acquainted with some terminology before we proceed.
- Token: An alphanumeric string that grants access to a certain set of services, depending on the access level (role) of the user.
- Service: An OpenStack service such as Nova, Swift or Keystone itself.
- Tenant: A group of users.
- Endpoint: A URL (possibly private) used to access a service.
- Role: The authorization level of a user.
Let us go ahead and build the Keystone service for our use.
Step 1: Fedora 20 has OpenStack Havana in its repositories, so installing it is painless. Additionally, we need MySQL (replaced by MariaDB in Fedora 20), where Keystone will store its data.
# yum install openstack-utils openstack-keystone mysql-server
Step 2: Once the packages above are installed, we need to set a few things in the Keystone config. Find the following lines and edit them to look like this:
# vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = ADMIN_TOKEN
...
[sql]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
Note that ADMIN_TOKEN and KEYSTONE_DBPASS should be long and difficult to guess. Remember that ADMIN_TOKEN is the almighty token which has full access to create and destroy users and services. Also, several tutorials and the official docs use the command openstack-config --set /etc/keystone/keystone.conf to make the changes that we just made manually. I do not recommend using that command. It created duplicate sections and entries for me, which can be confusing down the line.
Step 3: Set up MySQL/MariaDB (only required on the first run of MySQL) and set the root password.
# mysql_secure_installation
Now we need to create the database and tables required for Keystone to work. The command below will do that for us. It will ask for the MySQL root password in order to create the keystone user and the database.
# openstack-db --service keystone --init --password KEYSTONE_DBPASS
Step 4: Create the signing keys and certificates for the tokens.
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
Step 5: Set the file owners, in case something got messed up, and start the service.
# chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log
# service openstack-keystone start
# chkconfig openstack-keystone on
Step 6: Set up the required environment variables. This saves the effort of supplying all the information every time a Keystone command is executed. Note that by default the Keystone admin port is 35357. This can be changed in /etc/keystone/keystone.conf.
# cat > ~/.keystonerc <<EOF
> export OS_SERVICE_TOKEN=ADMIN_TOKEN
> export OS_SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
> export OS_USERNAME=admin
> export OS_PASSWORD=ADMIN_PASS
> export OS_TENANT_NAME=admin
> export OS_AUTH_URL=http://127.0.0.1:35357/v2.0
> EOF
# . ~/.keystonerc
Step 7: Create the tenants, users and the Keystone service with endpoint.
Creating the tenant:
# keystone tenant-create --name=admin --description="Admin Tenant"
Creating the admin user:
# keystone user-create --name=admin --pass=ADMIN_PASS --email=admin@example.com
Creating and adding admin user to admin role:
# keystone role-create --name=admin
# keystone user-role-add --user=admin --tenant=admin --role=admin
Creating Keystone service and endpoint:
# keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| description | Keystone Identity Service |
| id | c3dbb8aa4b27492f9c4a663cce0961a3 |
| name | keystone |
| type | identity |
+-------------+--------------------------------------+
Copy the id from the output above and use it in the command below:
# keystone endpoint-create --service-id=c3dbb8aa4b27492f9c4a663cce0961a3 --publicurl=http://127.0.0.1:5000/v2.0 --internalurl=http://127.0.0.1:5000/v2.0 --adminurl=http://127.0.0.1:35357/v2.0
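Two small helpers, added here as an example and not part of the original tutorial: the first checks the two keystone.conf settings from Step 2 for placeholder or short secrets (the "long and difficult to guess" advice above), the second parses the keystone CLI's Property/Value table from Step 7 so the service id does not have to be copied by hand. The sample config and table below are constructed copies of what this page shows; the 32/16-character minimums are assumptions, not Keystone requirements.

```python
import configparser
import re
from urllib.parse import urlparse

# Constructed sample of the two keystone.conf settings edited in Step 2,
# still carrying the tutorial's placeholder values.
SAMPLE_CONF = """
[DEFAULT]
admin_token = ADMIN_TOKEN

[sql]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
"""

# Constructed copy of the `keystone service-create` table from Step 7.
SAMPLE_TABLE = """
+-------------+--------------------------------------+
| Property    | Value                                |
+-------------+--------------------------------------+
| description | Keystone Identity Service            |
| id          | c3dbb8aa4b27492f9c4a663cce0961a3     |
| name        | keystone                             |
| type        | identity                             |
+-------------+--------------------------------------+
"""

# Values that must never survive into a real keystone.conf.
PLACEHOLDERS = {"ADMIN_TOKEN", "KEYSTONE_DBPASS", "ADMIN", "admin", "password"}

def check_keystone_conf(text, min_token=32, min_pw=16):
    """Return findings about a weak admin_token or [sql] DB password (assumed thresholds)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    token = cfg.get("DEFAULT", "admin_token", fallback="")
    if not token or token in PLACEHOLDERS or len(token) < min_token:
        findings.append("admin_token is missing, a placeholder, or shorter than %d chars" % min_token)
    pw = urlparse(cfg.get("sql", "connection", fallback="")).password or ""
    if not pw or pw in PLACEHOLDERS or len(pw) < min_pw:
        findings.append("[sql] connection has a missing, placeholder, or short DB password")
    return findings

def parse_keystone_table(output):
    """Turn the keystone CLI's Property/Value table into a dict (skips the header row)."""
    rows = {}
    for line in output.splitlines():
        m = re.match(r"^\|\s*(\S+)\s*\|\s*(.*?)\s*\|$", line)
        if m and m.group(1) != "Property":
            rows[m.group(1)] = m.group(2)
    return rows

if __name__ == "__main__":
    for finding in check_keystone_conf(SAMPLE_CONF):
        print("WARN:", finding)
    print("service id:", parse_keystone_table(SAMPLE_TABLE)["id"])
```

Run it against the real file with `check_keystone_conf(open("/etc/keystone/keystone.conf").read())` once the placeholders have been replaced; an empty list means both secrets pass the checks.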
Step 8: Test the Keystone service.
# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
# keystone --os-username=admin --os-password=ADMIN_PASS --os-auth-url=http://127.0.0.1:35357/v2.0 token-get
A token with its id, validity period and other information will be returned.
Keystone is up and running. We'll create some services in the next tutorial.