OpenStack Identity Service
The OpenStack Identity Service provides the cloud environment with an authentication and authorization system. In this system,
users belong to one or more projects and hold a specific role in each of those projects.
Install the packages (Debian/Ubuntu, Red Hat family, or SUSE respectively):
# apt-get install keystone python-keystone python-keystoneclient
# yum install openstack-keystone python-keystone python-keystoneclient
# zypper install openstack-keystone python-keystoneclient
Edit /etc/keystone/keystone.conf. Note that admin_token grants full administrative access to anyone who presents it, so "password" here is a quick-setup placeholder, not a value to keep:
[DEFAULT]
admin_token = password
debug = True
verbose = True
[sql]
connection = mysql://keystone:password@localhost/keystone
Create the SSL keys and give the Identity service account ownership of its configuration directory (the account is keystone on Debian/Ubuntu and Red Hat systems, openstack-keystone on SUSE):
# keystone-manage pki_setup
# chown -R keystone:keystone /etc/keystone/*
On SUSE:
# chown -R openstack-keystone:openstack-keystone /etc/keystone/*
Set up the Identity default catalog:
# KEYSTONE_CATALOG=/etc/keystone/default_catalog.templates
# sed -e "s,%SERVICE_HOST%,10.10.10.10,g" -e "s/%S3_SERVICE_PORT%/8080/" \
$KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG
Restart OpenStack Identity and create the tables in the database (run the pair that matches your distribution).
Debian/Ubuntu:
# service keystone restart
# keystone-manage db_sync
Red Hat family:
# service openstack-keystone restart
# openstack-db --init --service keystone
SUSE:
# systemctl restart openstack-keystone
# keystone-manage db_sync
Check the /var/log/keystone/keystone.log file for errors that would
prevent the OpenStack Identity service from successfully starting.
Enable the identity service:
# systemctl enable openstack-keystone.service
Create an openrc file:
Create a file called ~/openrc. This file contains the OpenStack admin credentials in clear text; they are used
when interacting with the OpenStack environment on the command line, so make the file readable only by your own user.
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL="http://localhost:5000/v2.0/"
export OS_SERVICE_ENDPOINT="http://localhost:35357/v2.0"
export OS_SERVICE_TOKEN=password
Best practice for bootstrapping the first administrative user is to use the OS_SERVICE_ENDPOINT and
OS_SERVICE_TOKEN together as environment variables, then set up a separate RC file just for Identity administration
that uses port 35357 for the OS_AUTH_URL. The file above is meant to provide a quick setup, not an auditable
environment: actions taken with the shared service token cannot be traced back to an individual user.
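As an added example, not part of this guide, the following Python script audits a keystone.conf and an openrc for the quick-setup values shown above (shared admin_token, debug logging, default database and admin passwords, service token left in the everyday RC file). The sample inputs are constructed copies of the guide's values, and the weak-secret list and the 32-character token minimum are assumptions.

```python
import configparser
import shlex
from urllib.parse import urlsplit

SAMPLE_KEYSTONE_CONF = """[DEFAULT]
admin_token = password
debug = True
[sql]
connection = mysql://keystone:password@localhost/keystone
"""  # constructed sample with the guide's quick-setup values
SAMPLE_OPENRC = """export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL="http://localhost:5000/v2.0/"
export OS_SERVICE_TOKEN=password
"""  # constructed sample, not a real deployment
WEAK_SECRETS = {"", "password", "admin", "secret", "changeme"}  # assumed deny-list

def audit_keystone_conf(text):
    """Return {option: finding} for keystone.conf values that must not survive bootstrap."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = {}
    # admin_token authenticates as a full admin on port 35357 with no user or password.
    token = cfg.get("DEFAULT", "admin_token", fallback="")
    if token.strip().lower() in WEAK_SECRETS or len(token) < 32:  # 32 is an assumed minimum
        findings["admin_token"] = "weak or default; use a long random value and remove it after bootstrap"
    if cfg.getboolean("DEFAULT", "debug", fallback=False):
        findings["debug"] = "debug = True is for development only; it greatly widens what gets logged"
    conn = cfg.get("sql", "connection", fallback="")
    if conn and (urlsplit(conn).password or "").lower() in WEAK_SECRETS:
        findings["sql.connection"] = "database password is weak or default"
    return findings

def parse_openrc(text):
    """Parse 'export NAME=value' lines (shell quoting honoured) into a dict."""
    env = {}
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if len(words) == 2 and words[0] == "export" and "=" in words[1]:
            env.update([words[1].split("=", 1)])
    return env

def audit_openrc(text):
    """Flag openrc values that keep bootstrap-only secrets in the file sourced at every login."""
    env, findings = parse_openrc(text), {}
    if env.get("OS_PASSWORD", "").lower() in WEAK_SECRETS:
        findings["OS_PASSWORD"] = "weak or default admin password"
    if "OS_SERVICE_TOKEN" in env:
        findings["OS_SERVICE_TOKEN"] = "keep the service token in a separate bootstrap-only RC file"
    return findings
```

Run both functions against the real files before the host leaves the lab; an empty dict from each means the quick-setup values have been replaced.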
Source the credentials into your environment:
source ~/openrc
Configure the Bash shell to load these credentials upon each login:
echo "source ~/openrc" >> ~/.bashrc
The following Bash script populates OpenStack Identity with some initial data:
Projects: admin and services
Roles: admin, Member
Users: admin, demo, nova, glance, neutron, and cinder
Services: compute, volume, image, identity, ec2, and network
#!/bin/bash
# Modify these variables as needed
ADMIN_PASSWORD=${ADMIN_PASSWORD:-password}
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
DEMO_PASSWORD=${DEMO_PASSWORD:-$ADMIN_PASSWORD}
export OS_SERVICE_TOKEN="password"
export OS_SERVICE_ENDPOINT="http://localhost:35357/v2.0"
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
#
MYSQL_USER=keystone
MYSQL_DATABASE=keystone
MYSQL_HOST=localhost
MYSQL_PASSWORD=password
#
KEYSTONE_REGION=RegionOne
KEYSTONE_HOST=10.10.10.10
# Shortcut function to pull one column out of a "keystone" table row, used to
# capture newly generated IDs. Rows look like "| id | <uuid> |", so with "|" as
# the separator awk's $1 is the empty text before the first bar: get_field N
# prints awk field N+1, and a negative N counts back from the last field.
function get_field() {
    while read data; do
        if [ "$1" -lt 0 ]; then
            field="(\$(NF$1))"
        else
            field="\$$(($1 + 1))"
        fi
        echo "$data" | awk -F'[ \t]*\\|[ \t]*' "{print $field}"
    done
}
# Tenants
ADMIN_TENANT=$(keystone tenant-create --name=admin | grep " id " | \
get_field 2)
DEMO_TENANT=$(keystone tenant-create --name=demo | grep " id " | \
get_field 2)
SERVICE_TENANT=$(keystone tenant-create --name=$SERVICE_TENANT_NAME | \
grep " id " | get_field 2)
# Users
ADMIN_USER=$(keystone user-create --name=admin --pass="$ADMIN_PASSWORD" \
--email=admin@domain.com | grep " id " | get_field 2)
DEMO_USER=$(keystone user-create --name=demo --pass="$DEMO_PASSWORD" \
--email=demo@domain.com --tenant-id=$DEMO_TENANT | grep " id " | \
get_field 2)
NOVA_USER=$(keystone user-create --name=nova --pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT --email=nova@domain.com | grep " id " | \
get_field 2)
GLANCE_USER=$(keystone user-create --name=glance \
--pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT --email=glance@domain.com | \
grep " id " | get_field 2)
NEUTRON_USER=$(keystone user-create --name=neutron \
--pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT --email=neutron@domain.com | \
grep " id " | get_field 2)
CINDER_USER=$(keystone user-create --name=cinder \
--pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT --email=cinder@domain.com | \
grep " id " | get_field 2)
# Roles
ADMIN_ROLE=$(keystone role-create --name=admin | grep " id " | \
get_field 2)
MEMBER_ROLE=$(keystone role-create --name=Member | grep " id " | \
get_field 2)
# Add Roles to Users in Tenants
keystone user-role-add --user-id $ADMIN_USER --role-id $ADMIN_ROLE \
--tenant-id $ADMIN_TENANT
keystone user-role-add --tenant-id $SERVICE_TENANT --user-id $NOVA_USER \
--role-id $ADMIN_ROLE
keystone user-role-add --tenant-id $SERVICE_TENANT --user-id $GLANCE_USER \
--role-id $ADMIN_ROLE
keystone user-role-add --tenant-id $SERVICE_TENANT --user-id $NEUTRON_USER \
--role-id $ADMIN_ROLE
keystone user-role-add --tenant-id $SERVICE_TENANT --user-id $CINDER_USER \
--role-id $ADMIN_ROLE
keystone user-role-add --tenant-id $DEMO_TENANT --user-id $DEMO_USER \
--role-id $MEMBER_ROLE
# Create services
COMPUTE_SERVICE=$(keystone service-create --name nova --type compute \
--description 'OpenStack Compute Service' | grep " id " | get_field 2)
VOLUME_SERVICE=$(keystone service-create --name cinder --type volume \
--description 'OpenStack Volume Service' | grep " id " | get_field 2)
IMAGE_SERVICE=$(keystone service-create --name glance --type image \
--description 'OpenStack Image Service' | grep " id " | get_field 2)
IDENTITY_SERVICE=$(keystone service-create --name keystone --type identity \
--description 'OpenStack Identity' | grep " id " | get_field 2)
EC2_SERVICE=$(keystone service-create --name ec2 --type ec2 \
--description 'OpenStack EC2 service' | grep " id " | get_field 2)
NETWORK_SERVICE=$(keystone service-create --name neutron --type network \
--description 'OpenStack Networking service' | grep " id " | get_field 2)
# Create endpoints
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $COMPUTE_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':8774/v2/$(tenant_id)s' \
--adminurl 'http://'"$KEYSTONE_HOST"':8774/v2/$(tenant_id)s' \
--internalurl 'http://'"$KEYSTONE_HOST"':8774/v2/$(tenant_id)s'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $VOLUME_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':8776/v1/$(tenant_id)s' \
--adminurl 'http://'"$KEYSTONE_HOST"':8776/v1/$(tenant_id)s' \
--internalurl 'http://'"$KEYSTONE_HOST"':8776/v1/$(tenant_id)s'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $IMAGE_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':9292' \
--adminurl 'http://'"$KEYSTONE_HOST"':9292' \
--internalurl 'http://'"$KEYSTONE_HOST"':9292'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $IDENTITY_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':5000/v2.0' \
--adminurl 'http://'"$KEYSTONE_HOST"':35357/v2.0' \
--internalurl 'http://'"$KEYSTONE_HOST"':5000/v2.0'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $EC2_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':8773/services/Cloud' \
--adminurl 'http://'"$KEYSTONE_HOST"':8773/services/Admin' \
--internalurl 'http://'"$KEYSTONE_HOST"':8773/services/Cloud'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $NETWORK_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':9696/' \
--adminurl 'http://'"$KEYSTONE_HOST"':9696/' \
--internalurl 'http://'"$KEYSTONE_HOST"':9696/'
If you make a mistake during this guide, you can reset the OpenStack Identity database by performing the following steps:
# mysql -u root -p -e "drop database keystone"
# mysql -u root -p -e "create database keystone"
# mysql -u root -p -e "grant all privileges on keystone.* TO \
'keystone'@'localhost' identified by 'password'"
# keystone-manage db_sync
And finally, re-run the above Bash script.