Install: Keystone updates for Mitaka
Update keystone configuration for Mitaka.

1) Change token type from UUID with Memcached to Fernet.
2) Complete migration to the Identity v3 API.

As testing progresses, some services may require additional changes.

Note: Still contemplating use of clouds.yaml. Initial investigation indicates insufficient positive impact for the changes necessary to implement it.

Note: The keystone authentication library for services (keystoneauth1) requires Memcached in Mitaka. A future patch will move installation of Memcached to the environment content.

Change-Id: Ifdf96c285f1b260822922661668bc30629328ade
Implements: bp installguide-mitaka
parent
03fb8fbfa3
commit
bd9b8b65d4
@ -5,8 +5,8 @@ Install and configure

This section describes how to install and configure the OpenStack
Identity service, code-named keystone, on the controller node. For
performance, this configuration deploys the Apache HTTP server to handle
requests and Memcached to store tokens instead of an SQL database.
performance, this configuration deploys Fernet tokens and the Apache
HTTP server to handle requests.

.. only:: obs or rdo or ubuntu

@ -59,7 +59,7 @@ requests and Memcached to store tokens instead of an SQL database.
.. include:: shared/note_configuration_vary_by_distribution.rst

.. note::
In Kilo and Liberty releases, the keystone project deprecates eventlet
In Kilo and newer releases, the keystone project deprecates eventlet
in favor of a separate web server with WSGI extensions. This guide uses
the Apache HTTP server with ``mod_wsgi`` to serve Identity service
requests on port 5000 and 35357. By default, the keystone service
@ -82,8 +82,7 @@ requests and Memcached to store tokens instead of an SQL database.

.. code-block:: console

# apt-get install keystone apache2 libapache2-mod-wsgi \
memcached python-memcache
# apt-get install keystone apache2 libapache2-mod-wsgi

.. only:: obs or rdo

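Review bot: the Ubuntu install line drops `memcached python-memcache`, but the commit message on this page states that keystoneauth1 still requires Memcached in Mitaka and defers moving its installation to the environment content to a future patch; until that patch lands, a reader following the guide in order has no step that installs Memcached at all. Either keep the two packages in this line for now or land the environment-content change first.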
@ -93,25 +92,13 @@ requests and Memcached to store tokens instead of an SQL database.

.. code-block:: console

# yum install openstack-keystone httpd mod_wsgi \
memcached python-memcached
# yum install openstack-keystone httpd mod_wsgi

.. only:: obs

.. code-block:: console

# zypper install openstack-keystone apache2-mod_wsgi \
memcached python-python-memcached

.. only:: obs or rdo

2. Start the Memcached service and configure it to start when the system
boots:

.. code-block:: console

# systemctl enable memcached.service
# systemctl start memcached.service
# zypper install openstack-keystone apache2-mod_wsgi

.. only:: obs or rdo or ubuntu

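Review bot: deleting the whole "2. Start the Memcached service and configure it to start when the system boots:" step renumbers everything after it in this section, and the only later step visible in this change is the new "5. Initialize Fernet keys:", so please confirm that the unchanged steps between them still read 1, 2, 3, 4, 5 without a gap or duplicate. The same dependency concern as for the Ubuntu packages applies to dropping `memcached python-memcached` and `memcached python-python-memcached` here while the commit message says keystoneauth1 still needs Memcached in Mitaka.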
@ -150,23 +137,13 @@ requests and Memcached to store tokens instead of an SQL database.

Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.

* In the ``[memcache]`` section, configure the Memcached service:

.. code-block:: ini

[memcache]
...
servers = localhost:11211

* In the ``[token]`` section, configure the UUID token provider and
Memcached driver:
* In the ``[token]`` section, configure the Fernet token provider:

.. code-block:: ini

[token]
...
provider = uuid
driver = memcache
provider = fernet

* In the ``[revoke]`` section, configure the SQL revocation driver:

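Review bot: with `provider = fernet`, dropping `driver = memcache` and the `[memcache]` bullet is correct, because Fernet tokens are not persisted by the server and so need no token store; but that makes the `[revoke]` SQL revocation driver kept directly below the only mechanism that stops a revoked token from validating, and a reader who has just been told the token backend goes away may wonder why it stays. One sentence under the `[token]` bullet explaining that Fernet validation is stateless apart from the revocation list would close that gap.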
@ -193,6 +170,12 @@ requests and Memcached to store tokens instead of an SQL database.

# su -s /bin/sh -c "keystone-manage db_sync" keystone

5. Initialize Fernet keys:

.. code-block:: console

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

.. only:: debian

Install and configure the components
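Review bot: the new step 5 runs `keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone` without saying what it creates or how sensitive it is; the key repository it initializes is what encrypts and validates every token issued by this deployment, so the step should state that the repository must remain readable only by the keystone user (which is why `--keystone-user`/`--keystone-group` are passed while running as root) and at least point out that rotation (`keystone-manage fernet_rotate`) is not covered by this guide.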
@ -346,7 +329,6 @@ requests and Memcached to store tokens instead of an SQL database.

.. image:: figures/debconf-screenshots/keystone_7_register_endpoint.png


.. only:: obs or rdo or ubuntu

Configure the Apache HTTP server
@ -24,7 +24,6 @@ scripts to load appropriate credentials for client operations.
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
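Review bot: removing `export OS_TENANT_NAME=admin` is consistent with the v3 migration, since `OS_PROJECT_NAME` plus the two `*_DOMAIN_ID` variables fully describe the v3 scope; consider adding `export OS_IDENTITY_API_VERSION=3` to the same file so the client selects the v3 identity plugin explicitly instead of relying on the `/v3` suffix of `OS_AUTH_URL`.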
@ -40,7 +39,6 @@ scripts to load appropriate credentials for client operations.
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
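Review bot: the demo credentials file drops `export OS_TENANT_NAME=demo` just like the admin one; if `OS_IDENTITY_API_VERSION=3` is added for admin it should be added here too, next to `export OS_AUTH_URL=http://controller:5000/v3`, so the two files stay symmetrical and the demo user does not end up on a different client code path.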
@ -69,11 +67,13 @@ For example:
.. code-block:: console

$ openstack token issue
+------------+----------------------------------+
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-25T01:45:49.950092Z |
| id | cd4110152ac24bdeaa82e1443c910c36 |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:44:35.659723Z |
| id | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
| | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
| | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
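Review bot: the replacement sample output shows the Fernet `id` wrapped over three table rows, which is simply how the client renders a value wider than the column; a short remark under the example that Fernet token ids are far longer than the 32-character UUID ids shown previously, and that the wrapped rows are one value, would save readers from treating them as three fields.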
@ -122,7 +122,7 @@ Create the service entity and API endpoints
.. code-block:: console

$ openstack endpoint create --region RegionOne \
identity public http://controller:5000/v2.0
identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
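Review bot: the public identity endpoint now registers `http://controller:5000/v3` and nothing is registered for v2.0; the commit message itself notes that some services may need further changes, so any later page of the guide that still points a service at a v2.0 identity URL must be updated in the same series, otherwise that service will authenticate against an endpoint this page no longer advertises in the catalog.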
@ -134,11 +134,11 @@ Create the service entity and API endpoints
| service_id | 8c8c0927262a45ad9066cfe70d46892c |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v2.0 |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+

$ openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v2.0
identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
@ -150,11 +150,11 @@ Create the service entity and API endpoints
| service_id | 6f8de927262ac12f6066cfe70d99ac51 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v2.0 |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+

$ openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v2.0
identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
@ -166,7 +166,7 @@ Create the service entity and API endpoints
| service_id | 34ab3d27262ac449cba6cfe704dbc11f |
| service_name | keystone |
| service_type | identity |
| url | http://controller:35357/v2.0 |
| url | http://controller:35357/v3 |
+--------------+----------------------------------+

.. note::
@ -174,7 +174,3 @@ Create the service entity and API endpoints
Each service that you add to your OpenStack environment requires one
or more service entities and three API endpoint variants in the Identity
service.

.. note::

Services can access the v3 API using the v2.0 URL.
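Review bot: deleting the note "Services can access the v3 API using the v2.0 URL." is consistent with registering only `/v3` endpoints, but the statement readers now need is the converse: a service or client still configured with a v2.0 identity URL will not find a matching endpoint in the catalog built on this page. Replace the note with that warning rather than dropping it outright.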
@ -36,17 +36,18 @@ services.

$ openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
--os-project-name admin --os-username admin token issue
Password:
+------------+----------------------------------+
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+

.. note::

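Review bot: the reworked command drops `--os-auth-type password` and relies on the client choosing the password plugin by default when `--os-username` is supplied; the retained `Password:` prompt shows that is what happens, but it is an implicit dependency, so the surrounding text should say that no auth type needs to be given because password authentication is the default, and that the prompt is expected rather than an error.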
@ -58,17 +59,18 @@ services.

$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue
--os-project-name demo --os-username demo token issue
Password:
+------------+----------------------------------+
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2014-10-10T12:51:33Z |
| id | 1b87ceae9e08411ba4a16e4dada04802 |
| project_id | 4aa51bb942be4dd0ac0555d7591f80a6 |
| user_id | 7004dfa0dda84d63aef81cf7f100af01 |
+------------+----------------------------------+
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+

.. note::
