From 9f9681ac5a451966e3a212834b16dd6242b12e90 Mon Sep 17 00:00:00 2001 From: Lance Bragstad Date: Wed, 14 Sep 2016 19:44:05 +0000 Subject: [PATCH] [install] Update keystone for Newton This commit removes the ADMIN token steps from the install guide and replaces them with ``keystone-manage bootstrap``, which is the preferred method for bootstrapping a keystone deployment without the security risks of a privileged administrator token. This commit also introduces an additional ``keystone-manage`` command to setup a fernet repository for encrypting and decrypting credentials. Change-Id: Id1f490e61aa357f3fc9b71307196835410c0d08a --- doc/install-guide/source/keystone-install.rst | 38 ++++++++----------- 1 file changed, 16 insertions(+), 22 deletions(-) diff --git a/doc/install-guide/source/keystone-install.rst b/doc/install-guide/source/keystone-install.rst index f61d25f419..3b6068e279 100644 --- a/doc/install-guide/source/keystone-install.rst +++ b/doc/install-guide/source/keystone-install.rst @@ -5,8 +5,8 @@ Install and configure This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For -performance, this configuration deploys Fernet tokens and the Apache -HTTP server to handle requests. +scalability purposes, this configuration deploys Fernet tokens and +the Apache HTTP server to handle requests. Prerequisites ------------- @@ -42,13 +42,6 @@ database and an administration token. * Exit the database access client. -#. Generate a random value to use as the administration token during - initial configuration: - - .. code-block:: console - - $ openssl rand -hex 10 - Install and configure components -------------------------------- 
@@ -98,18 +91,6 @@ Install and configure components 2. Edit the ``/etc/keystone/keystone.conf`` file and complete the following actions: - * In the ``[DEFAULT]`` section, define the value of the initial - administration token: - - .. code-block:: ini - - [DEFAULT] - ... - admin_token = ADMIN_TOKEN - - Replace ``ADMIN_TOKEN`` with the random value that you generated in a - previous step. - * In the ``[database]`` section, configure database access: .. code-block:: ini @@ -138,11 +119,24 @@ Install and configure components Ignore any deprecation messages in this output. -4. Initialize Fernet keys: +4. Initialize Fernet key repositories: .. code-block:: console # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone + # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone + +5. Bootstrap the Identity service: + + .. code-block:: console + + # keystone-manage bootstrap --bootstrap-password ADMIN_PASSWORD \ + --bootstrap-admin-url http://controller:35357/v3/ \ + --bootstrap-internal-url http://controller:35357/v3/ \ + --bootstrap-public-url http://controller:5000/v3/ \ + --bootstrap-region-id RegionOne + + Replace ``ADMIN_PASSWORD`` with a suitable password for an administrative user. .. only:: obs or rdo or ubuntu
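Review bot: The hunk header context for ``@@ -42,13 +42,6 @@`` still reads "database and an administration token.", so the Prerequisites intro keeps announcing an administration token after this hunk deletes the ``openssl rand -hex 10`` step that generated it. Suggest rewording that intro sentence in the same patch so it mentions only the database.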
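Review bot: In the ``@@ -98,18 +91,6 @@`` hunk, dropping the ``admin_token = ADMIN_TOKEN`` step leaves no guidance for a reader whose ``keystone.conf`` already carries that option from an earlier pass through the guide, and the diffstat shows only ``keystone-install.rst`` changed. Please confirm that no later page of the guide still authenticates with ``ADMIN_TOKEN``, and consider one sentence here telling readers to make sure ``admin_token`` is not set, since the commit message names the privileged token as the risk being removed.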
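Review bot: In the new step 5 of the ``@@ -138,11 +119,24 @@`` hunk, ``--bootstrap-password ADMIN_PASSWORD`` puts the administrative password on the command line, where it ends up in root's shell history and is visible in the process list while the command runs. Suggest a short note after the block about that exposure, and replacing "a suitable password" with concrete guidance on what the guide expects. Two smaller points on the same hunk: all three ``--bootstrap-*-url`` values are plain ``http://``, so this password is later sent to those endpoints unencrypted unless the guide adds TLS elsewhere; and step 4 now runs ``credential_setup`` without a sentence saying the second repository is for encrypting and decrypting credentials, which only the commit message explains.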