openstack-manuals/doc/install-guide/basic-install-files/basic-install_controller-keystone.xml
Diane Fleming 64b6c9261e Folder rename, file rename, flattening of directories
Current folder name                   New folder name           Book title
-------------------------------------------------------------------------------------------
basic-install                         DELETE
cli-guide                             DELETE
common                                common
NEW                                   admin-guide-cloud         Cloud Administrators Guide
docbkx-example                        DELETE
openstack-block-storage-admin         DELETE
openstack-compute-admin               DELETE
openstack-config                      config-reference          OpenStack Configuration Reference
openstack-ha                          high-availability-guide   OpenStack High Availability Guide
openstack-image                       image-guide               OpenStack Virtual Machine Image Guide
openstack-install                     install-guide             OpenStack Installation Guide
openstack-network-connectivity-admin  admin-guide-network       OpenStack Networking Administration Guide
openstack-object-storage-admin        DELETE
openstack-security                    security-guide            OpenStack Security Guide
openstack-training                    training-guide            OpenStack Training Guide
openstack-user                        user-guide                OpenStack End User Guide
openstack-user-admin                  user-guide-admin          OpenStack Admin User Guide
glossary                              NEW                       OpenStack Glossary

bug: #1220407

Change-Id: Id5ffc774b966ba7b9a591743a877aa10ab3094c7
author: diane fleming
2013-09-08 15:15:50 -07:00


<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0"
xml:id="basic-install_controller-keystone">
<title>OpenStack Identity Service</title>
<para>The OpenStack Identity Service provides the cloud environment with an authentication and authorization system. In this system,
users belong to one or more projects, and within each project they hold a specific role.
<orderedlist>
<listitem>
<para>Install the packages:
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>apt-get install keystone python-keystone python-keystoneclient</userinput></screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>yum install openstack-keystone python-keystone python-keystoneclient</userinput></screen>
<screen os="opensuse"><prompt>#</prompt> <userinput>zypper install openstack-keystone python-keystoneclient</userinput></screen>
</para>
</listitem>
<listitem>
<para>Edit <filename>/etc/keystone/keystone.conf</filename>:
<programlisting language="ini">[DEFAULT]
admin_token = password
debug = True
verbose = True
[sql]
connection = mysql://keystone:password@localhost/keystone</programlisting></para>
</listitem>
<listitem os="rhel;centos;fedora">
<para>Create the SSL keys:
<screen><prompt>#</prompt> <userinput>keystone-manage pki_setup</userinput>
<prompt>#</prompt> <userinput>chown -R keystone:keystone /etc/keystone/*</userinput></screen></para>
</listitem>
<listitem os="opensuse">
<para>Set up the keystone default catalog:
<screen><prompt>#</prompt> <userinput>KEYSTONE_CATALOG=/etc/keystone/default_catalog.templates</userinput>
<prompt>#</prompt> <userinput>sed -e "s,%SERVICE_HOST%,10.10.10.10,g" -e "s/%S3_SERVICE_PORT%/8080/" \
$KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG</userinput></screen>
</para>
</listitem>
<listitem os="opensuse">
<para>Create the SSL keys:
<screen><prompt>#</prompt> <userinput>keystone-manage pki_setup</userinput>
<prompt>#</prompt> <userinput>chown -R openstack-keystone:openstack-keystone /etc/keystone/*</userinput></screen></para>
</listitem>
<listitem>
<para>Restart OpenStack Identity and create the tables in the database:
<screen os="ubuntu;debian"><prompt>#</prompt> <userinput>service keystone restart</userinput>
<prompt>#</prompt> <userinput>keystone-manage db_sync</userinput>
</screen>
<screen os="rhel;centos;fedora"><prompt>#</prompt> <userinput>service openstack-keystone restart</userinput>
<prompt>#</prompt> <userinput>openstack-db --init --service keystone</userinput></screen>
<screen os="opensuse"><prompt>#</prompt> <userinput>systemctl restart openstack-keystone</userinput>
<prompt>#</prompt> <userinput>keystone-manage db_sync</userinput></screen>
<note>
<para>Check the <literal>/var/log/keystone/keystone.log</literal> file for errors that would
prevent the OpenStack Identity service from successfully starting.</para>
</note>
</para>
</listitem>
<listitem os="opensuse">
<para>Enable the Identity service:
<screen><prompt>#</prompt> <userinput>systemctl enable openstack-keystone.service</userinput></screen>
</para>
</listitem>
<listitem>
<para>Create an <literal>openrc</literal> file:</para>
<para>
<itemizedlist>
<listitem>
<para>Create a file called <filename>~/openrc</filename>. This file contains the OpenStack admin
credentials that are used when interacting with the OpenStack environment on the command line.
<programlisting language="bash">export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL="http://localhost:5000/v2.0/"
export OS_SERVICE_ENDPOINT="http://localhost:35357/v2.0"
export OS_SERVICE_TOKEN=password</programlisting></para>
</listitem>
</itemizedlist>
</para>
<note>
<para>Best practice for bootstrapping the first administrative user is to use the OS_SERVICE_ENDPOINT and
OS_SERVICE_TOKEN together as environment variables, then set up a separate RC file just for Identity administration
that uses port 35357 for the OS_AUTH_URL. This example is meant to provide a quick setup, not an auditable
environment.</para>
</note>
<itemizedlist>
<listitem>
<para>Source the credentials into your environment: <screen><userinput>source ~/openrc</userinput></screen></para>
</listitem>
<listitem>
<para>Configure the Bash shell to load these credentials upon each login:
<screen><userinput>echo "source ~/openrc" >> ~/.bashrc</userinput></screen>
</para>
</listitem>
</itemizedlist>
</listitem>
<listitem>
<para>The following bash script populates OpenStack Identity with some initial data:
<itemizedlist>
<listitem><para>Projects: admin and services</para></listitem>
<listitem><para>Roles: admin, Member</para></listitem>
<listitem><para>Users: admin, demo, nova, glance, neutron, and cinder</para></listitem>
<listitem><para>Services: compute, volume, image, identity, ec2, and network</para></listitem>
</itemizedlist>
<programlisting language="bash">#!/bin/bash
# Modify these variables as needed
ADMIN_PASSWORD=${ADMIN_PASSWORD:-password}
SERVICE_PASSWORD=${SERVICE_PASSWORD:-$ADMIN_PASSWORD}
DEMO_PASSWORD=${DEMO_PASSWORD:-$ADMIN_PASSWORD}
export OS_SERVICE_TOKEN="password"
export OS_SERVICE_ENDPOINT="http://localhost:35357/v2.0"
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-service}
#
MYSQL_USER=keystone
MYSQL_DATABASE=keystone
MYSQL_HOST=localhost
MYSQL_PASSWORD=password
#
KEYSTONE_REGION=RegionOne
KEYSTONE_HOST=10.10.10.10
# Shortcut function to get a newly generated ID
function get_field() {
while read data; do
if [ "$1" -lt 0 ]; then
field="(\$(NF$1))"
else
field="\$$(($1 + 1))"
fi
echo "$data" | awk -F'[ \t]*\\|[ \t]*' "{print $field}"
done
}
# Tenants
ADMIN_TENANT=$(keystone tenant-create --name=admin | grep " id " | \
get_field 2)
DEMO_TENANT=$(keystone tenant-create --name=demo | grep " id " | \
get_field 2)
SERVICE_TENANT=$(keystone tenant-create --name=$SERVICE_TENANT_NAME | \
grep " id " | get_field 2)
# Users
ADMIN_USER=$(keystone user-create --name=admin --pass="$ADMIN_PASSWORD" \
--email=admin@domain.com | grep " id " | get_field 2)
DEMO_USER=$(keystone user-create --name=demo --pass="$DEMO_PASSWORD" \
--email=demo@domain.com --tenant-id=$DEMO_TENANT | grep " id " | \
get_field 2)
NOVA_USER=$(keystone user-create --name=nova --pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT --email=nova@domain.com | grep " id " | \
get_field 2)
GLANCE_USER=$(keystone user-create --name=glance \
--pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT --email=glance@domain.com | \
grep " id " | get_field 2)
NEUTRON_USER=$(keystone user-create --name=neutron \
--pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT --email=neutron@domain.com | \
grep " id " | get_field 2)
CINDER_USER=$(keystone user-create --name=cinder \
--pass="$SERVICE_PASSWORD" \
--tenant-id $SERVICE_TENANT --email=cinder@domain.com | \
grep " id " | get_field 2)
# Roles
ADMIN_ROLE=$(keystone role-create --name=admin | grep " id " | \
get_field 2)
MEMBER_ROLE=$(keystone role-create --name=Member | grep " id " | \
get_field 2)
# Add Roles to Users in Tenants
keystone user-role-add --user-id $ADMIN_USER --role-id $ADMIN_ROLE \
--tenant-id $ADMIN_TENANT
keystone user-role-add --tenant-id $SERVICE_TENANT --user-id $NOVA_USER \
--role-id $ADMIN_ROLE
keystone user-role-add --tenant-id $SERVICE_TENANT --user-id $GLANCE_USER \
--role-id $ADMIN_ROLE
keystone user-role-add --tenant-id $SERVICE_TENANT --user-id $NEUTRON_USER \
--role-id $ADMIN_ROLE
keystone user-role-add --tenant-id $SERVICE_TENANT --user-id $CINDER_USER \
--role-id $ADMIN_ROLE
keystone user-role-add --tenant-id $DEMO_TENANT --user-id $DEMO_USER \
--role-id $MEMBER_ROLE
# Create services
COMPUTE_SERVICE=$(keystone service-create --name nova --type compute \
--description 'OpenStack Compute Service' | grep " id " | get_field 2)
VOLUME_SERVICE=$(keystone service-create --name cinder --type volume \
--description 'OpenStack Volume Service' | grep " id " | get_field 2)
IMAGE_SERVICE=$(keystone service-create --name glance --type image \
--description 'OpenStack Image Service' | grep " id " | get_field 2)
IDENTITY_SERVICE=$(keystone service-create --name keystone --type identity \
--description 'OpenStack Identity' | grep " id " | get_field 2)
EC2_SERVICE=$(keystone service-create --name ec2 --type ec2 \
--description 'OpenStack EC2 service' | grep " id " | get_field 2)
NETWORK_SERVICE=$(keystone service-create --name neutron --type network \
--description 'OpenStack Networking service' | grep " id " | get_field 2)
# Create endpoints
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $COMPUTE_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':8774/v2/$(tenant_id)s' \
--adminurl 'http://'"$KEYSTONE_HOST"':8774/v2/$(tenant_id)s' \
--internalurl 'http://'"$KEYSTONE_HOST"':8774/v2/$(tenant_id)s'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $VOLUME_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':8776/v1/$(tenant_id)s' \
--adminurl 'http://'"$KEYSTONE_HOST"':8776/v1/$(tenant_id)s' \
--internalurl 'http://'"$KEYSTONE_HOST"':8776/v1/$(tenant_id)s'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $IMAGE_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':9292' \
--adminurl 'http://'"$KEYSTONE_HOST"':9292' \
--internalurl 'http://'"$KEYSTONE_HOST"':9292'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $IDENTITY_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':5000/v2.0' \
--adminurl 'http://'"$KEYSTONE_HOST"':35357/v2.0' \
--internalurl 'http://'"$KEYSTONE_HOST"':5000/v2.0'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $EC2_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':8773/services/Cloud' \
--adminurl 'http://'"$KEYSTONE_HOST"':8773/services/Admin' \
--internalurl 'http://'"$KEYSTONE_HOST"':8773/services/Cloud'
keystone endpoint-create --region $KEYSTONE_REGION \
--service-id $NETWORK_SERVICE \
--publicurl 'http://'"$KEYSTONE_HOST"':9696/' \
--adminurl 'http://'"$KEYSTONE_HOST"':9696/' \
--internalurl 'http://'"$KEYSTONE_HOST"':9696/'</programlisting>
</para>
</listitem>
</orderedlist>
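The catalog that the bootstrap script above registers, as an added example that is not part of this guide or of keystone's own code: it renders the v2.0 service catalog a tenant-scoped token carries for these six services, filling the <literal>$(tenant_id)s</literal> placeholders the way Identity's catalog formatting does (assumed here to follow Python <literal>%(name)s</literal> substitution, with a missing value treated as an error), and then selects an endpoint the way a client does. The host, region and tenant id are constructed sample values.

```python
import re

# Constructed sample values; the guide uses 10.10.10.10 and RegionOne.
KEYSTONE_HOST = "10.10.10.10"
KEYSTONE_REGION = "RegionOne"

# (name, type, public, admin, internal) as registered by the bootstrap
# script above; "$(tenant_id)s" is stored literally in the endpoint record.
SERVICES = [
    ("nova", "compute", ":8774/v2/$(tenant_id)s", ":8774/v2/$(tenant_id)s", ":8774/v2/$(tenant_id)s"),
    ("cinder", "volume", ":8776/v1/$(tenant_id)s", ":8776/v1/$(tenant_id)s", ":8776/v1/$(tenant_id)s"),
    ("glance", "image", ":9292", ":9292", ":9292"),
    ("keystone", "identity", ":5000/v2.0", ":35357/v2.0", ":5000/v2.0"),
    ("ec2", "ec2", ":8773/services/Cloud", ":8773/services/Admin", ":8773/services/Cloud"),
    ("neutron", "network", ":9696/", ":9696/", ":9696/"),
]
PLACEHOLDER = re.compile(r"\$\((\w+)\)s")

def format_url(template, substitutions):
    # Fill "$(name)s" placeholders as Identity does when it builds a token's
    # catalog (assumed: Python "%(name)s" semantics). A placeholder without
    # a value is an error rather than a half-built URL.
    def repl(match):
        key = match.group(1)
        if key not in substitutions:
            raise KeyError("no value for $(%s)s in %s" % (key, template))
        return str(substitutions[key])
    return PLACEHOLDER.sub(repl, template)

def service_catalog(tenant_id):
    # Shape of the v2.0 "serviceCatalog" list carried by a tenant-scoped token.
    subs, base, catalog = {"tenant_id": tenant_id}, "http://" + KEYSTONE_HOST, []
    for name, svc_type, public, admin, internal in SERVICES:
        catalog.append({"name": name, "type": svc_type, "endpoints_links": [],
                        "endpoints": [{"region": KEYSTONE_REGION,
                                       "publicURL": format_url(base + public, subs),
                                       "adminURL": format_url(base + admin, subs),
                                       "internalURL": format_url(base + internal, subs)}]})
    return catalog

def endpoint_for(catalog, svc_type, interface="public", region=KEYSTONE_REGION):
    # Select one URL from the catalog, as a client does before calling a service.
    for service in catalog:
        if service["type"] == svc_type:
            for ep in service["endpoints"]:
                if ep["region"] == region:
                    return ep[interface + "URL"]
    raise LookupError("no %s endpoint for %s in %s" % (interface, svc_type, region))
```

Note that only the Identity service exposes a different admin URL (port 35357), which is why the guide's note keeps OS_SERVICE_ENDPOINT separate from the OS_AUTH_URL used for everyday work.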
<note>
<para>
If you make a mistake while following this guide, you can reset the OpenStack Identity database by performing the following steps:
<screen><prompt>#</prompt> <userinput>mysql -u root -p -e "drop database keystone"</userinput>
<prompt>#</prompt> <userinput>mysql -u root -p -e "create database keystone"</userinput>
<prompt>#</prompt> <userinput>mysql -u root -p -e "grant all privileges on keystone.* TO \
'keystone'@'localhost' identified by 'password'"</userinput>
<prompt>#</prompt> <userinput>keystone-manage db_sync</userinput></screen>
Finally, re-run the bash script above.
</para>
</note>
</para>
</section>