Install: Keystone updates for Mitaka

Update keystone configuration for Mitaka.

1) Change token type from UUID with Memcached to Fernet.
2) Complete migration to the Identity v3 API. As testing
   progresses, some services may require additional
   changes.

Note: Still contemplating use of clouds.yaml. Initial
      investigation indicates insufficient positive
      impact for the changes necessary to implement it.

Note: The keystone authentication library for services
      (keystoneauth1) requires Memcached in Mitaka. A
      future patch will move installation of Memcached
      to the environment content.

Change-Id: Ifdf96c285f1b260822922661668bc30629328ade
Implements: bp installguide-mitaka
Matthew Kassawara 2016-02-12 12:26:52 -07:00
parent 03fb8fbfa3
commit bd9b8b65d4
4 changed files with 52 additions and 72 deletions


@ -5,8 +5,8 @@ Install and configure
This section describes how to install and configure the OpenStack This section describes how to install and configure the OpenStack
Identity service, code-named keystone, on the controller node. For Identity service, code-named keystone, on the controller node. For
performance, this configuration deploys the Apache HTTP server to handle performance, this configuration deploys Fernet tokens and the Apache
requests and Memcached to store tokens instead of an SQL database. HTTP server to handle requests.
.. only:: obs or rdo or ubuntu .. only:: obs or rdo or ubuntu
@ -59,7 +59,7 @@ requests and Memcached to store tokens instead of an SQL database.
.. include:: shared/note_configuration_vary_by_distribution.rst .. include:: shared/note_configuration_vary_by_distribution.rst
.. note:: .. note::
In Kilo and Liberty releases, the keystone project deprecates eventlet In Kilo and newer releases, the keystone project deprecates eventlet
in favor of a separate web server with WSGI extensions. This guide uses in favor of a separate web server with WSGI extensions. This guide uses
the Apache HTTP server with ``mod_wsgi`` to serve Identity service the Apache HTTP server with ``mod_wsgi`` to serve Identity service
requests on port 5000 and 35357. By default, the keystone service requests on port 5000 and 35357. By default, the keystone service
@ -82,8 +82,7 @@ requests and Memcached to store tokens instead of an SQL database.
.. code-block:: console .. code-block:: console
# apt-get install keystone apache2 libapache2-mod-wsgi \ # apt-get install keystone apache2 libapache2-mod-wsgi
memcached python-memcache
.. only:: obs or rdo .. only:: obs or rdo
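Review bot: removing `memcached python-memcache` from the Ubuntu install line leaves no Memcached installation anywhere in this patch, while the commit message states that keystoneauth1 requires Memcached in Mitaka and only promises a future patch for the environment chapter. Until that follow-up lands, the guide as edited here would produce a controller without Memcached for the services that need it; suggest either keeping the packages in this hunk for now or landing the environment change in the same series.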
@ -93,25 +92,13 @@ requests and Memcached to store tokens instead of an SQL database.
.. code-block:: console .. code-block:: console
# yum install openstack-keystone httpd mod_wsgi \ # yum install openstack-keystone httpd mod_wsgi
memcached python-memcached
.. only:: obs .. only:: obs
.. code-block:: console .. code-block:: console
# zypper install openstack-keystone apache2-mod_wsgi \ # zypper install openstack-keystone apache2-mod_wsgi
memcached python-python-memcached
.. only:: obs or rdo
2. Start the Memcached service and configure it to start when the system
boots:
.. code-block:: console
# systemctl enable memcached.service
# systemctl start memcached.service
.. only:: obs or rdo or ubuntu .. only:: obs or rdo or ubuntu
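Review bot: deleting step "2. Start the Memcached service" removes a numbered item from the obs/rdo procedure, so the remaining steps in that list need renumbering to stay consecutive (the later hunk adds "5. Initialize Fernet keys", so please confirm the intermediate numbers still line up after this removal). Same Memcached dependency caveat as the Ubuntu hunk applies to the `yum` and `zypper` lines.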
@ -150,23 +137,13 @@ requests and Memcached to store tokens instead of an SQL database.
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database. Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
* In the ``[memcache]`` section, configure the Memcached service: * In the ``[token]`` section, configure the Fernet token provider:
.. code-block:: ini
[memcache]
...
servers = localhost:11211
* In the ``[token]`` section, configure the UUID token provider and
Memcached driver:
.. code-block:: ini .. code-block:: ini
[token] [token]
... ...
provider = uuid provider = fernet
driver = memcache
* In the ``[revoke]`` section, configure the SQL revocation driver: * In the ``[revoke]`` section, configure the SQL revocation driver:
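Review bot: the `[token]` hunk sets `provider = fernet` but gives the reader no hint that Fernet tokens depend on a key repository on disk, which is only created by the `keystone-manage fernet_setup` step added in a later hunk; a one-line pointer here ("the keys are initialized in step 5 below") would keep the two pieces together. Dropping `driver = memcache` is correct for Fernet since the provider no longer persists tokens, but a sentence saying so would explain why the old `[memcache]` block disappears.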
@ -193,6 +170,12 @@ requests and Memcached to store tokens instead of an SQL database.
# su -s /bin/sh -c "keystone-manage db_sync" keystone # su -s /bin/sh -c "keystone-manage db_sync" keystone
5. Initialize Fernet keys:
.. code-block:: console
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
.. only:: debian .. only:: debian
Install and configure the components Install and configure the components
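Review bot: the new step 5 passes `--keystone-user keystone --keystone-group keystone` but does not tell the reader what that achieves or where the keys end up; suggest a short sentence stating that the command creates the key repository owned by the keystone user and group so that only the service can read the signing keys, and that the reader can verify the ownership after running it. The step is also added only inside the obs/rdo/ubuntu branch, so please confirm the debian branch below still obtains a key repository through its own flow.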
@ -346,7 +329,6 @@ requests and Memcached to store tokens instead of an SQL database.
.. image:: figures/debconf-screenshots/keystone_7_register_endpoint.png .. image:: figures/debconf-screenshots/keystone_7_register_endpoint.png
.. only:: obs or rdo or ubuntu .. only:: obs or rdo or ubuntu
Configure the Apache HTTP server Configure the Apache HTTP server


@ -24,7 +24,6 @@ scripts to load appropriate credentials for client operations.
export OS_PROJECT_DOMAIN_ID=default export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3 export OS_AUTH_URL=http://controller:35357/v3
@ -40,7 +39,6 @@ scripts to load appropriate credentials for client operations.
export OS_PROJECT_DOMAIN_ID=default export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3 export OS_AUTH_URL=http://controller:5000/v3
@ -69,11 +67,13 @@ For example:
.. code-block:: console .. code-block:: console
$ openstack token issue $ openstack token issue
+------------+----------------------------------+ +------------+-----------------------------------------------------------------+
| Field | Value | | Field | Value |
+------------+----------------------------------+ +------------+-----------------------------------------------------------------+
| expires | 2015-03-25T01:45:49.950092Z | | expires | 2016-02-12T20:44:35.659723Z |
| id | cd4110152ac24bdeaa82e1443c910c36 | | id | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
| project_id | cf12a15c5ea84b019aec3dc45580896b | | | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
| user_id | 4d411f2291f34941b30eef9bd797505a | | | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E |
+------------+----------------------------------+ | project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+


@ -122,7 +122,7 @@ Create the service entity and API endpoints
.. code-block:: console .. code-block:: console
$ openstack endpoint create --region RegionOne \ $ openstack endpoint create --region RegionOne \
identity public http://controller:5000/v2.0 identity public http://controller:5000/v3
+--------------+----------------------------------+ +--------------+----------------------------------+
| Field | Value | | Field | Value |
+--------------+----------------------------------+ +--------------+----------------------------------+
@ -134,11 +134,11 @@ Create the service entity and API endpoints
| service_id | 8c8c0927262a45ad9066cfe70d46892c | | service_id | 8c8c0927262a45ad9066cfe70d46892c |
| service_name | keystone | | service_name | keystone |
| service_type | identity | | service_type | identity |
| url | http://controller:5000/v2.0 | | url | http://controller:5000/v3 |
+--------------+----------------------------------+ +--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \ $ openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v2.0 identity internal http://controller:5000/v3
+--------------+----------------------------------+ +--------------+----------------------------------+
| Field | Value | | Field | Value |
+--------------+----------------------------------+ +--------------+----------------------------------+
@ -150,11 +150,11 @@ Create the service entity and API endpoints
| service_id | 6f8de927262ac12f6066cfe70d99ac51 | | service_id | 6f8de927262ac12f6066cfe70d99ac51 |
| service_name | keystone | | service_name | keystone |
| service_type | identity | | service_type | identity |
| url | http://controller:5000/v2.0 | | url | http://controller:5000/v3 |
+--------------+----------------------------------+ +--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \ $ openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v2.0 identity admin http://controller:35357/v3
+--------------+----------------------------------+ +--------------+----------------------------------+
| Field | Value | | Field | Value |
+--------------+----------------------------------+ +--------------+----------------------------------+
@ -166,7 +166,7 @@ Create the service entity and API endpoints
| service_id | 34ab3d27262ac449cba6cfe704dbc11f | | service_id | 34ab3d27262ac449cba6cfe704dbc11f |
| service_name | keystone | | service_name | keystone |
| service_type | identity | | service_type | identity |
| url | http://controller:35357/v2.0 | | url | http://controller:35357/v3 |
+--------------+----------------------------------+ +--------------+----------------------------------+
.. note:: .. note::
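Review bot: all three identity endpoints now advertise `/v3` only, and the note "Services can access the v3 API using the v2.0 URL" is deleted in the next hunk, so any service in the guide that still issues v2.0-style requests will no longer find a matching endpoint; the commit message already anticipates that "some services may require additional changes", so suggest recording that follow-up explicitly in the note kept here rather than leaving it implicit.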
@ -174,7 +174,3 @@ Create the service entity and API endpoints
Each service that you add to your OpenStack environment requires one Each service that you add to your OpenStack environment requires one
or more service entities and three API endpoint variants in the Identity or more service entities and three API endpoint variants in the Identity
service. service.
.. note::
Services can access the v3 API using the v2.0 URL.


@ -36,17 +36,18 @@ services.
$ openstack --os-auth-url http://controller:35357/v3 \ $ openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \ --os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \ --os-project-name admin --os-username admin token issue
token issue
Password: Password:
+------------+----------------------------------+ +------------+-----------------------------------------------------------------+
| Field | Value | | Field | Value |
+------------+----------------------------------+ +------------+-----------------------------------------------------------------+
| expires | 2015-03-24T18:55:01Z | | expires | 2016-02-12T20:14:07.056119Z |
| id | ff5ed908984c4a4190f584d826d75fed | | id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| project_id | cf12a15c5ea84b019aec3dc45580896b | | | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| user_id | 4d411f2291f34941b30eef9bd797505a | | | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
+------------+----------------------------------+ | project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
.. note:: .. note::
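Review bot: dropping `--os-auth-type password` makes the example depend on the client selecting password authentication on its own; the retained `Password:` prompt shows it did in this run, but a reader whose shell already exports other `OS_*` variables may get a different plugin. Suggest a sentence in the surrounding text stating that assumption, or keep the explicit flag in the admin and demo examples (the same change is made in the demo hunk below).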
@ -58,17 +59,18 @@ services.
$ openstack --os-auth-url http://controller:5000/v3 \ $ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-id default --os-user-domain-id default \ --os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \ --os-project-name demo --os-username demo token issue
token issue
Password: Password:
+------------+----------------------------------+ +------------+-----------------------------------------------------------------+
| Field | Value | | Field | Value |
+------------+----------------------------------+ +------------+-----------------------------------------------------------------+
| expires | 2014-10-10T12:51:33Z | | expires | 2016-02-12T20:15:39.014479Z |
| id | 1b87ceae9e08411ba4a16e4dada04802 | | id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| project_id | 4aa51bb942be4dd0ac0555d7591f80a6 | | | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| user_id | 7004dfa0dda84d63aef81cf7f100af01 | | | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
+------------+----------------------------------+ | project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
.. note:: .. note::