Icehouse Keystone Tutorial

a guest
Apr 25th, 2014
Keystone: Identity Service

Management Node

Install Keystone packages
apt-get install keystone

Update the Keystone database connection in the config file /etc/keystone/keystone.conf:

[database]
connection = mysql://keystone:KEYSTONE_DBPASS@host.domain/keystone

And remove the default SQLite database.
rm /var/lib/keystone/keystone.db


Log in to MySQL and create a Keystone database and a user with all privileges on it. Use a strong, unique KEYSTONE_DBPASS. The 'keystone'@'%' grant lets that account connect from any host; if Keystone and MySQL share the management node, keep only the 'localhost' grant, otherwise replace '%' with the address of the Keystone host.

mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> exit

Create the database tables, running the command as the keystone user so that anything it creates is owned by that user:
su -s /bin/sh -c "keystone-manage db_sync" keystone

Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Keystone accepts this token in place of a normal login, which is what lets you create the first users below before any exist, so generate a random value (for example with openssl rand -hex 10) rather than choosing a guessable one. Also configure the log directory.

/etc/keystone/keystone.conf
[DEFAULT]
admin_token = ADMIN_TOKEN
...
log_dir = /var/log/keystone

Because the token grants full administrative access without a password, keep keystone.conf readable only by root and the keystone user.

Restart keystone
service keystone restart

Use a cron job to purge expired tokens from the Keystone database; otherwise the token table grows without bound.
(crontab -l 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/crontabs/root

Instead of always typing our Keystone credentials, we create a file in root's home directory that we shall source. Replace ADMIN_TOKEN with the value from your Keystone configuration. Since the file contains that token, make it readable only by root (chmod 600 .keystone-auth).

vi .keystone-auth

export OS_SERVICE_TOKEN=ADMIN_TOKEN
export OS_SERVICE_ENDPOINT=http://host.domain:35357/v2.0

And source the file.
source .keystone-auth
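The two steps above (setting admin_token in keystone.conf, then copying it into .keystone-auth) are where the bootstrap secret tends to be left as a placeholder or duplicated by hand. The script below is an added example, not part of the original tutorial, that generates a random token, writes it and the database connection string into the right sections of a keystone.conf, and then builds .keystone-auth from the configuration file so the token is never typed. The function names gen_admin_token, ini_set and write_auth_file are this example's own; it assumes keys are plain identifiers (no regex metacharacters) and values contain no backslashes.

```shell
#!/bin/sh
# Added example for the Icehouse Keystone bootstrap (not from the tutorial).
#   gen_admin_token               - random 20-hex-char token, the same shape as
#                                   "openssl rand -hex 10" produces
#   ini_set FILE SECTION KEY VAL  - set KEY in [SECTION] of an ini file, replacing
#                                   or uncommenting an existing line and creating
#                                   the section if it is missing
#   write_auth_file CONF OUT URL  - read admin_token from [DEFAULT] of CONF and
#                                   write the OS_SERVICE_* env file OUT, mode 0600
# Assumes KEY has no regex metacharacters and VAL no backslashes (awk -v).

gen_admin_token() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -hex 10
    else
        head -c 10 /dev/urandom | od -An -tx1 | tr -d ' \n'
    fi
}

ini_set() {
    ini_file=$1 ini_sec=$2 ini_key=$3 ini_val=$4
    awk -v s="$ini_sec" -v k="$ini_key" -v v="$ini_val" '
        BEGIN { insec = 0; done = 0; seen = 0 }
        /^\[/ {
            # leaving the target section without having written the key: add it
            if (insec && !done) { print k " = " v; done = 1 }
            insec = ($0 == "[" s "]")
            if (insec) seen = 1
        }
        insec && !done && $0 ~ ("^[# \t]*" k "[ \t]*=") {
            print k " = " v; done = 1; next   # replace (or uncomment) the existing key
        }
        { print }
        END {
            if (!seen) { print ""; print "[" s "]" }
            if (!done) print k " = " v
        }
    ' "$ini_file" > "$ini_file.tmp" || return 1
    # copy back through the existing inode so owner and mode (e.g. 0640
    # root:keystone) survive, instead of mv-ing a fresh file over the config
    cat "$ini_file.tmp" > "$ini_file" && rm -f "$ini_file.tmp"
}

write_auth_file() {
    auth_conf=$1 auth_out=$2 auth_url=$3
    auth_token=$(awk '
        /^\[/ { insec = ($0 == "[DEFAULT]") }
        insec && $0 ~ /^admin_token[ \t]*=/ {
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$auth_conf")
    if [ -z "$auth_token" ]; then
        echo "write_auth_file: admin_token not set in $auth_conf" >&2
        return 1
    fi
    # the token is password-equivalent for the admin API: owner-only file
    ( umask 077 && printf 'export OS_SERVICE_TOKEN=%s\nexport OS_SERVICE_ENDPOINT=%s\n' \
        "$auth_token" "$auth_url" > "$auth_out" ) && chmod 600 "$auth_out"
}

# Typical use on the management node (paths as in the tutorial):
#   ini_set /etc/keystone/keystone.conf DEFAULT admin_token "$(gen_admin_token)"
#   ini_set /etc/keystone/keystone.conf DEFAULT log_dir /var/log/keystone
#   ini_set /etc/keystone/keystone.conf database connection \
#       'mysql://keystone:KEYSTONE_DBPASS@host.domain/keystone'
#   write_auth_file /etc/keystone/keystone.conf /root/.keystone-auth http://host.domain:35357/v2.0
#   service keystone restart && . /root/.keystone-auth
```

ini_set matches a commented-out key as well as a live one, so the stock "#admin_token=ADMIN" line in the packaged keystone.conf is replaced rather than left beside a second definition. Once the admin user and .admin-openrc exist, the OS_SERVICE_TOKEN file can be deleted; nothing after bootstrap needs it.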

Create users, roles and tenants. We start by doing this for the admin. Note that --pass puts the password into your shell history and, briefly, into the process list; clear the history entry afterwards.

keystone user-create --name=admin --pass=ADMIN_PASS --email=ADMIN_EMAIL
keystone role-create --name=admin
keystone tenant-create --name=admin --description="Admin Tenant"
keystone user-role-add --user=admin --tenant=admin --role=admin
keystone user-role-add --user=admin --role=_member_ --tenant=admin

Next add a normal user, and repeat this process for any additional users.

keystone user-create --name=demo --pass=DEMO_PASS --email=DEMO_EMAIL
keystone tenant-create --name=demo --description="Demo Tenant"
keystone user-role-add --user=demo --role=_member_ --tenant=demo

We also need a tenant to house the service accounts. We will create each service's user and role assignment as we install that service.
keystone tenant-create --name=service --description="Service Tenant"

So that the Identity Service can track which OpenStack services are installed and where they are located on the network, you must register each service in your OpenStack installation.

Start off by registering the Identity Service (Keystone) itself.
keystone service-create --name=keystone --type=identity --description="OpenStack Identity"

You will be supplied a service ID. Use this ID to register the actual endpoint. In the command below we extract the ID with awk from the service-list table, picking the row whose type is identity; if that pattern matched no row, --service-id would be empty and the command would fail.

keystone endpoint-create \
--service-id=$(keystone service-list | awk '/ identity / {print $2}') \
--publicurl=http://host.domain:5000/v2.0 \
--internalurl=http://host.domain:5000/v2.0 \
--adminurl=http://host.domain:35357/v2.0
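The awk one-liner above matches the string " identity " anywhere in a row, and if nothing matches the endpoint is created with an empty --service-id. Below is an added example, not from the tutorial, that selects the row by its type column and refuses to proceed unless exactly one id comes back. It runs against a constructed copy of the table format the Icehouse keystone client prints (the ids are made up), and the function names service_id_by_type and register_endpoint are this example's own.

```shell
#!/bin/sh
# Added example (not part of the tutorial): look up a service id from
# `keystone service-list` output by the type column, and only run
# endpoint-create when exactly one row matched.

# Constructed sample of the table the Icehouse keystone client prints; the ids
# are made up.
SAMPLE_SERVICE_LIST='+----------------------------------+----------+----------+--------------------+
|                id                |   name   |   type   |    description     |
+----------------------------------+----------+----------+--------------------+
| 3a4f7b1c2d5e6f708192a3b4c5d6e7f8 | keystone | identity | OpenStack Identity |
| 9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e |  glance  |  image   |  OpenStack Image   |
+----------------------------------+----------+----------+--------------------+'

# service_id_by_type TABLE TYPE
# Prints the id of the single service whose type column equals TYPE.
# Returns 1 (with a message on stderr) when no row or more than one row matches.
service_id_by_type() {
    svc_table=$1 svc_type=$2
    # split on '|': $2 is the id column, $4 the type column; border rows have NF < 5
    svc_ids=$(printf '%s\n' "$svc_table" | awk -F'|' -v t="$svc_type" '
        NF >= 5 {
            gsub(/^[ \t]+|[ \t]+$/, "", $2)
            gsub(/^[ \t]+|[ \t]+$/, "", $4)
            if ($4 == t) print $2
        }')
    svc_n=$(printf '%s\n' "$svc_ids" | awk 'NF { n++ } END { print n + 0 }')
    case $svc_n in
        1) printf '%s\n' "$svc_ids" ;;
        0) echo "service_id_by_type: no service of type '$svc_type' registered" >&2; return 1 ;;
        *) echo "service_id_by_type: $svc_n services of type '$svc_type'; refusing to guess" >&2; return 1 ;;
    esac
}

# register_endpoint TYPE PUBLICURL INTERNALURL ADMINURL
# Runs the tutorial's endpoint-create against the live CLI, aborting before
# it if the id lookup is not unambiguous.
register_endpoint() {
    ep_id=$(service_id_by_type "$(keystone service-list)" "$1") || return 1
    keystone endpoint-create --service-id="$ep_id" \
        --publicurl="$2" --internalurl="$3" --adminurl="$4"
}

# Usage (with .keystone-auth sourced), equivalent to the tutorial's command:
#   register_endpoint identity http://host.domain:5000/v2.0 \
#       http://host.domain:5000/v2.0 http://host.domain:35357/v2.0
```

The same lookup serves every later service registration (image, compute, and so on): only the type argument changes, and a duplicate service-create, which produces two rows of the same type, is caught instead of silently attaching the endpoint to whichever row awk printed first.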

Verify that the Identity Service has installed correctly and is working as intended. Clear the service-token variables we set earlier, so that the client has to authenticate as a real user and we can see Keystone in action.

unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT

Request an authentication token using the admin user.
keystone --os-username=admin --os-password=ADMIN_PASS --os-auth-url=http://host.domain:35357/v2.0 token-get

If the service is running on the expected endpoint and your credentials are correct, you will receive a token paired with your user ID.

Verify that authorization is working by requesting a token scoped to a tenant.

keystone --os-username=admin --os-password=ADMIN_PASS --os-tenant-name=admin --os-auth-url=http://host.domain:35357/v2.0 token-get

You will receive a token paired with your user ID and tenant ID. This proves the user is a member of this tenant, has a role in it and authenticated successfully.

Create .admin-openrc; we will source this file to pass our credentials instead of typing them on every command. Like .keystone-auth it holds a secret, so make it readable only by root.

export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://host.domain:35357/v2.0

Save the file and run source .admin-openrc

Verify that your admin account has authorization to perform administrative commands.
keystone user-list
keystone user-role-list --user admin --tenant admin