OpenStack Liberty on Ubuntu 14.04 LTS – Configure KeyStone #1

The OpenStack Identity service provides a single point of integration for managing authentication, authorization, and service catalog services.

It does not itself provide user management functions; instead, it offers plug-in interfaces so you can choose between the existing authentication service and third-party identity services available on the market.

When you install the OpenStack Identity service, you must register each service in your OpenStack installation with it. The Identity service can then track which OpenStack services are installed and where they are located on the network.

Before going ahead, take a look at the infrastructure design in the previous article.

This guide shows you how to install and configure the OpenStack Identity service (keystone) on the controller node.

Prerequisites:

Before installing the OpenStack Identity service, you must create a database and an administration token.

# mysql -u root -p

Create the keystone database.

CREATE DATABASE keystone;

Set proper access to the keystone database.

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'PASSWD';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'PASSWD';

Exit the database access client.

* Replace PASSWD with a suitable password.

Generate a random value to use as the administration token during initial configuration.

# openssl rand -hex 10

Install and Configure KeyStone:

Disable the keystone service from starting automatically after installation.

# echo "manual" > /etc/init/keystone.override

* In Kilo and Liberty, the Apache HTTP server serves keystone requests on ports 5000 and 35357 with the help of mod_wsgi instead of Eventlet, which is deprecated in this version of OpenStack.

Install the keystone packages.

# apt-get install keystone apache2 libapache2-mod-wsgi memcached python-memcache

Edit the keystone configuration file.

# nano /etc/keystone/keystone.conf

Place the following entries in the proper sections of the above file.

[DEFAULT]
...
admin_token = 43405b090eda983ddde2 ## Replace 43405b090eda983ddde2 with the random value you generated earlier
verbose = True

[database]
...
## Replace PASSWD with your KeyStone DB password and controller with your controller node IP or hostname
## If you find any other connection entry, comment it out.
connection = mysql+pymysql://keystone:PASSWD@controller/keystone

[memcache]
...
servers = localhost:11211

[token]
...
provider = uuid
driver = memcache

[revoke]
...
driver = sql

Run the following command to populate the Identity service database.

# su -s /bin/sh -c "keystone-manage db_sync" keystone
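As an added check that is not part of the original guide, the following Python script parses a keystone.conf and flags the mistakes this section warns about: an admin_token copied from the example above instead of freshly generated, a [database] section with more than one active connection line (for example the packaged SQLite line left uncommented next to the MySQL one), the PASSWD placeholder still in the connection string, and a token provider other than uuid. Both sample configurations are constructed for the example.

```python
import re

# Constructed keystone.conf fragments, not taken from a real host.
WEAK_CONF = """
[DEFAULT]
admin_token = 43405b090eda983ddde2
verbose = True

[database]
connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql+pymysql://keystone:PASSWD@controller/keystone

[token]
provider = uuid
driver = memcache
"""

GOOD_CONF = """
[DEFAULT]
admin_token = 9f0c2b7d1e4a6c8b0d2f
[database]
#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql+pymysql://keystone:s3cretDbPw@controller/keystone
[token]
provider = uuid
"""

def parse_conf(text):
    """Minimal INI reader that keeps duplicate keys (configparser would
    silently collapse them); '#' and ';' start comments, as in keystone.conf."""
    sections, current = {}, "DEFAULT"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            sections.setdefault(current, []).append((key, value))
    return sections

def lint_keystone_conf(text, tutorial_token="43405b090eda983ddde2"):
    """Return a list of findings; an empty list means every check passed."""
    conf, findings = parse_conf(text), []
    tokens = [v for k, v in conf.get("DEFAULT", []) if k == "admin_token"]
    if not tokens:
        findings.append("admin_token missing: initial bootstrap will fail")
    elif tokens[-1] == tutorial_token or not re.fullmatch(r"[0-9a-f]{20,}", tokens[-1]):
        findings.append("admin_token is the tutorial's sample value or not a fresh hex value")
    conns = [v for k, v in conf.get("database", []) if k == "connection"]
    if len(conns) != 1:
        findings.append("[database] must contain exactly one active connection entry")
    for c in conns:
        if not c.startswith("mysql+pymysql://"):
            findings.append("connection does not use mysql+pymysql: " + c)
        elif ":PASSWD@" in c:
            findings.append("connection still contains the PASSWD placeholder")
    if dict(conf.get("token", [])).get("provider") != "uuid":
        findings.append("[token] provider should be uuid for this guide")
    return findings
```

Run lint_keystone_conf() on the contents of /etc/keystone/keystone.conf before keystone-manage db_sync; the weak sample above yields four findings and the corrected one none.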

Configure Apache HTTP server:

Edit /etc/apache2/apache2.conf and set the ServerName option to the controller node; add it in the global configuration section.

ServerName controller

Create the file below.

# nano /etc/apache2/sites-enabled/wsgi-keystone.conf

Paste the following content into the above file.

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Restart the Apache service.

# service apache2 restart

Remove the SQLite database, as we are using MySQL.

# rm -f /var/lib/keystone/keystone.db

Next, create the service entity and API endpoints.