diff --git a/doc/install-guide/source/keystone-install.rst b/doc/install-guide/source/keystone-install.rst index e47564d10f..f61d25f419 100644 --- a/doc/install-guide/source/keystone-install.rst +++ b/doc/install-guide/source/keystone-install.rst 
@@ -8,55 +8,53 @@ Identity service, code-named keystone, on the controller node. For performance, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests. -.. only:: obs or rdo or ubuntu +Prerequisites +------------- - Prerequisites - ------------- +Before you configure the OpenStack Identity service, you must create a +database and an administration token. - Before you configure the OpenStack Identity service, you must create a - database and an administration token. +#. To create the database, complete the following actions: - #. To create the database, complete the following actions: + * Use the database access client to connect to the database server as the + ``root`` user: - * Use the database access client to connect to the database server as the - ``root`` user: + .. code-block:: console - .. code-block:: console + $ mysql -u root -p - $ mysql -u root -p + * Create the ``keystone`` database: - * Create the ``keystone`` database: + .. code-block:: console - .. code-block:: console + CREATE DATABASE keystone; - CREATE DATABASE keystone; + * Grant proper access to the ``keystone`` database: - * Grant proper access to the ``keystone`` database: + .. code-block:: console - .. code-block:: console + GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ + IDENTIFIED BY 'KEYSTONE_DBPASS'; + GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ + IDENTIFIED BY 'KEYSTONE_DBPASS'; - GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ - IDENTIFIED BY 'KEYSTONE_DBPASS'; - GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ - IDENTIFIED BY 'KEYSTONE_DBPASS'; + Replace ``KEYSTONE_DBPASS`` with a suitable password. - Replace ``KEYSTONE_DBPASS`` with a suitable password. + * Exit the database access client. - * Exit the database access client. +#. Generate a random value to use as the administration token during + initial configuration: - #. 
Generate a random value to use as the administration token during - initial configuration: + .. code-block:: console - .. code-block:: console + $ openssl rand -hex 10 - $ openssl rand -hex 10 +Install and configure components +-------------------------------- -.. only:: obs or rdo or ubuntu +.. include:: shared/note_configuration_vary_by_distribution.rst - Install and configure components - -------------------------------- - - .. include:: shared/note_configuration_vary_by_distribution.rst +.. only:: obs or rdo .. note:: 
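Review bot: Dropping the ``.. only:: obs or rdo or ubuntu`` wrapper makes the whole Prerequisites section (manual database creation, the two GRANT statements and the ``openssl rand -hex 10`` admin token) apply to Debian as well, while the Debian dbconfig-common path ("If you decide to not use ``dbconfig-common``, then you have to create the database and manage its access rights yourself") is removed further down in this patch; the Debian text should say what to answer at the dbconfig-common and admin-token debconf prompts so the package does not create the database or generate a second token on top of these manual steps. A caveat on the GRANT lines themselves: ``'keystone'@'%'`` lets the keystone database user connect from any host that knows the password, so if the database only needs to be reached from the controller it is worth a sentence saying that a narrower host pattern is the safer default.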
@@ -65,96 +63,15 @@ HTTP server to handle requests. keystone service still listens on these ports. Therefore, this guide manually disables the keystone service. - .. only:: ubuntu +.. only:: ubuntu or debian - #. Disable the keystone service from starting automatically after - installation: + .. note:: - .. code-block:: console - - # echo "manual" > /etc/init/keystone.override - - #. Run the following command to install the packages: - - .. only:: ubuntu - - .. code-block:: console - - # apt-get install keystone apache2 libapache2-mod-wsgi - - .. only:: obs or rdo - - #. Run the following command to install the packages: - - .. only:: rdo - - .. code-block:: console - - # yum install openstack-keystone httpd mod_wsgi - - .. only:: obs - - .. code-block:: console - - # zypper install openstack-keystone apache2-mod_wsgi - - .. only:: obs or rdo or ubuntu - - 3. Edit the ``/etc/keystone/keystone.conf`` file and complete the following - actions: - - * In the ``[DEFAULT]`` section, define the value of the initial - administration token: - - .. code-block:: ini - - [DEFAULT] - ... - admin_token = ADMIN_TOKEN - - Replace ``ADMIN_TOKEN`` with the random value that you generated in a - previous step. - - * In the ``[database]`` section, configure database access: - - .. code-block:: ini - - [database] - ... - connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone - - Replace ``KEYSTONE_DBPASS`` with the password you chose for the database. - - * In the ``[token]`` section, configure the Fernet token provider: - - .. code-block:: ini - - [token] - ... - provider = fernet - - .. only:: rdo or ubuntu or obs - - 4. Populate the Identity service database: - - .. code-block:: console - - # su -s /bin/sh -c "keystone-manage db_sync" keystone - - .. note:: - - Ignore any deprecation messages in this output. - - 5. Initialize Fernet keys: - - .. code-block:: console - - # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone - -.. 
only:: debian - - Install and configure the components - ------------------------------------ + This guide uses the Apache HTTP server with ``mod_wsgi`` to serve + Identity service requests on ports 5000 and 35357. By default, the + keystone service still listens on these ports. The package handles + all of the Apache configuration for you (including the activation of + the ``mod_wsgi`` apache2 module and keystone configuration in Apache). #. Run the following command to install the packages: 
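Review bot: The new ``ubuntu or debian`` note still says "By default, the keystone service still listens on these ports" but, unlike the ``obs or rdo`` note above it, no longer says what is done about it: the Ubuntu step that wrote ``manual`` to ``/etc/init/keystone.override`` to keep the standalone service from starting is removed and nothing replaces it. Either state that the package disables the standalone keystone service (if that is what "handles all of the Apache configuration for you" is meant to cover) or keep the override step for Ubuntu; as written, a reader cannot tell whether the standalone service and Apache will both try to bind 5000 and 35357.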
@@ -162,150 +79,70 @@ HTTP server to handle requests. # apt-get install keystone - #. Respond to prompts for debconf, - which will fill the below database access directive. +.. only:: obs or rdo - .. :doc:`debconf/debconf-dbconfig-common`, - which will fill the below database access directive. + #. Run the following command to install the packages: - .. code-block:: ini + .. only:: rdo - [database] - ... - connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone + .. code-block:: console - If you decide to not use ``dbconfig-common``, then you have to - create the database and manage its access rights yourself, and run the - following by hand. + # yum install openstack-keystone httpd mod_wsgi - .. code-block:: console + .. only:: obs - # keystone-manage db_sync + .. code-block:: console - #. Generate a random value to use as the administration token during - initial configuration: + # zypper install openstack-keystone apache2-mod_wsgi - .. code-block:: console +2. Edit the ``/etc/keystone/keystone.conf`` file and complete the following + actions: - $ openssl rand -hex 10 + * In the ``[DEFAULT]`` section, define the value of the initial + administration token: - #. Configure the initial administration token: + .. code-block:: ini - .. image:: figures/debconf-screenshots/keystone_1_admin_token.png - :scale: 50 + [DEFAULT] + ... + admin_token = ADMIN_TOKEN - Use the random value that you generated in a previous step. If you - install using non-interactive mode or you do not specify this token, the - configuration tool generates a random value. + Replace ``ADMIN_TOKEN`` with the random value that you generated in a + previous step. - Later on, the package will configure the below directive with the value - you entered: + * In the ``[database]`` section, configure database access: - .. code-block:: ini + .. code-block:: ini - [DEFAULT] - ... - admin_token = ADMIN_TOKEN + [database] + ... 
+ connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone - #. Create the ``admin`` project and user: + Replace ``KEYSTONE_DBPASS`` with the password you chose for the database. - During the final stage of the package installation, it is possible to - automatically create an ``admin`` and ``service`` project, and an ``admin`` user. - This can later be used for other OpenStack services to contact the - Identity service. This is the equivalent of running the below commands: + * In the ``[token]`` section, configure the Fernet token provider: - .. code-block:: console + .. code-block:: ini - # openstack --os-token ${AUTH_TOKEN} \ - --os-url=http://127.0.0.1:35357/v3/ \ - --os-domain-name default \ - --os-identity-api-version=3 \ - project create --or-show \ - admin --domain default \ - --description "Default Debian admin project" + [token] + ... + provider = fernet - # openstack --os-token ${AUTH_TOKEN} \ - --os-url=http://127.0.0.1:35357/v3/ \ - --os-domain-name default \ - --os-identity-api-version=3 \ - project create --or-show \ - service --domain default \ - --description "Default Debian admin project" +3. Populate the Identity service database: - # openstack --os-token ${AUTH_TOKEN} \ - --os-url=http://127.0.0.1:35357/v3/ \ - --os-domain-name default \ - --os-identity-api-version=3 \ - user create --or-show \ - --password ADMIN_PASS \ - --project admin \ - --email root@localhost \ - --enable \ - admin \ - --domain default \ - --description "Default Debian admin user" + .. code-block:: console - # openstack --os-token ${AUTH_TOKEN} \ - --os-url=http://127.0.0.1:35357/v3/ \ - --os-domain-name default \ - --os-identity-api-version=3 \ - role create --or-show admin + # su -s /bin/sh -c "keystone-manage db_sync" keystone - # openstack --os-token ${AUTH_TOKEN} \ - --os-url=http://127.0.0.1:35357/v3/ \ - --os-domain-name default \ - --os-identity-api-version=3 \ - role add --project admin --user admin admin + .. note:: - .. 
image:: figures/debconf-screenshots/keystone_2_register_admin_tenant_yes_no.png - :scale: 50 + Ignore any deprecation messages in this output. - .. image:: figures/debconf-screenshots/keystone_3_admin_user_name.png - :scale: 50 +4. Initialize Fernet keys: - .. image:: figures/debconf-screenshots/keystone_4_admin_user_email.png - :scale: 50 + .. code-block:: console - .. image:: figures/debconf-screenshots/keystone_5_admin_user_pass.png - :scale: 50 - - .. image:: figures/debconf-screenshots/keystone_6_admin_user_pass_confirm.png - :scale: 50 - - In Debian, the Keystone package offers automatic registration of - Keystone in the service catalogue. This is equivalent of running the - below commands: - - .. code-block:: console - - # openstack --os-token ${AUTH_TOKEN} \ - --os-url=http://127.0.0.1:35357/v3/ \ - --os-domain-name default \ - --os-identity-api-version=3 \ - service create \ - --name keystone \ - --description "OpenStack Identity" \ - identity - - # openstack --os-token ${AUTH_TOKEN} \ - --os-url=http://127.0.0.1:35357/v3/ \ - --os-domain-name default \ - --os-identity-api-version=3 \ - keystone public http://controller:5000/v2.0 - - # openstack --os-token ${AUTH_TOKEN} \ - --os-url=http://127.0.0.1:35357/v3/ \ - --os-domain-name default \ - --os-identity-api-version=3 \ - keystone internal http://controller:5000/v2.0 - - # openstack --os-token ${AUTH_TOKEN} \ - --os-url=http://127.0.0.1:35357/v3/ \ - --os-domain-name default \ - --os-identity-api-version=3 \ - keystone admin http://controller:35357/v2.0 - - .. image:: figures/debconf-screenshots/keystone_7_register_endpoint.png + # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone .. only:: obs or rdo or ubuntu
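Review bot: Removing the Debian debconf walkthrough drops the only mention that the Debian package can create the ``admin`` and ``service`` projects, the ``admin`` user and role, and register the identity service and its endpoints on its own; if the package still does this, a Debian reader who later creates those objects by hand (the removed text says the package work "is the equivalent of running the below commands") ends up with duplicates, and the removed ``http://controller:5000/v2.0`` endpoints would sit next to whatever v3 endpoints are created later. Either say which debconf answers skip the automatic registration or confirm that the package no longer registers anything, so the Debian flow matches the now-common ``db_sync`` and ``fernet_setup`` steps that this hunk applies to every distribution.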