- Keystone: Identity Service
- Management Node
- Install Keystone packages
- apt-get install keystone
- Update Keystone Database connection in the config file. /etc/keystone/keystone.conf
- [database]
- connection = mysql://keystone:KEYSTONE_DBPASS@host.domain/keystone
- And remove the default SQLite database.
- rm /var/lib/keystone/keystone.db
- Log in to MySQL and create a Keystone database and user with all privileges.
- mysql -u root -p
- mysql> CREATE DATABASE keystone;
- mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
- mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
- mysql> exit
- Create database tables
- /bin/sh -c "keystone-manage db_sync" keystone
- Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Also configure the log directory.
- /etc/keystone/keystone.conf
- [DEFAULT]
- admin_token = ADMIN_TOKEN
- ...
- log_dir = /var/log/keystone
- Restart keystone
- service keystone restart
- Use a cron job to purge expired tokens from the Keystone database. The command below only appends the entry if it is not already present in root's crontab.
- (crontab -l 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/crontabs/root
- Instead of always typing our keystone credentials we create a file in the root directory that we shall source. Replace ADMIN_TOKEN with the value from your keystone configuration.
- vi .keystone-auth
- export OS_SERVICE_TOKEN=ADMIN_TOKEN
- export OS_SERVICE_ENDPOINT=http://host.domain:35357/v2.0
- And source the file.
- source .keystone-auth
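The three steps above (configure keystone.conf, install the token_flush cron job, write the .keystone-auth file) all involve a shared secret, so as an added example (not part of the original paste) here are small POSIX shell helpers that refuse to proceed while the ADMIN_TOKEN / KEYSTONE_DBPASS placeholders are still in place, write the credentials file owner-readable only, and add the cron entry idempotently. The file paths it operates on are passed as arguments; in the demo they are constructed temporary files, not the real /etc/keystone/keystone.conf or /var/spool/cron/crontabs/root.

```shell
#!/bin/sh
# Added example (not from the original paste). All paths are parameters; the
# demo() below works on constructed files in a temp dir, never on the live host.

# Read KEY from [SECTION] of an ini-style file (first match wins, comments skipped).
ini_get() {  # ini_get FILE SECTION KEY
    awk -v sect="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^\[/         { in_sect = ($0 == sect); next }
        in_sect && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Generate a random 64-hex-char value to use as admin_token instead of the placeholder.
gen_admin_token() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 1 if keystone.conf still carries the placeholder shared secret,
# still points at SQLite, or still embeds the placeholder DB password.
check_keystone_conf() {  # check_keystone_conf CONF_FILE
    tok=$(ini_get "$1" DEFAULT admin_token)
    conn=$(ini_get "$1" database connection)
    status=0
    case "$tok" in
        ""|ADMIN_TOKEN) echo "admin_token unset or still the ADMIN_TOKEN placeholder" >&2; status=1 ;;
    esac
    case "$conn" in
        ""|sqlite*)        echo "database connection unset or still SQLite" >&2; status=1 ;;
        *KEYSTONE_DBPASS*) echo "database connection still uses KEYSTONE_DBPASS" >&2; status=1 ;;
    esac
    return $status
}

# Write the service-token env file readable by its owner only; refuse placeholders.
write_auth_file() {  # write_auth_file PATH TOKEN ENDPOINT
    case "$2" in
        ""|ADMIN_TOKEN) echo "refusing to write placeholder token to $1" >&2; return 1 ;;
    esac
    ( umask 077; printf 'export OS_SERVICE_TOKEN=%s\nexport OS_SERVICE_ENDPOINT=%s\n' "$2" "$3" > "$1" ) \
        && chmod 600 "$1"
}

TOKEN_FLUSH_LINE='@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1'

# Append the hourly token_flush job to a crontab file unless it is already there.
ensure_token_flush_cron() {  # ensure_token_flush_cron CRONTAB_FILE
    [ -f "$1" ] || : > "$1"
    grep -q token_flush "$1" || echo "$TOKEN_FLUSH_LINE" >> "$1"
}

# Demo on constructed files: one conf with the placeholders, one fixed up.
demo() {
    d=$(mktemp -d)
    printf '[DEFAULT]\nadmin_token = ADMIN_TOKEN\n[database]\nconnection = sqlite:////var/lib/keystone/keystone.db\n' > "$d/bad.conf"
    tok=$(gen_admin_token)
    printf '[DEFAULT]\nadmin_token = %s\nlog_dir = /var/log/keystone\n[database]\nconnection = mysql://keystone:s3cret@host.domain/keystone\n' "$tok" > "$d/good.conf"
    for f in bad good; do
        if check_keystone_conf "$d/$f.conf"; then echo "$f.conf: ok"; else echo "$f.conf: FAIL"; fi
    done
    write_auth_file "$d/.keystone-auth" "$tok" http://host.domain:35357/v2.0
    ls -l "$d/.keystone-auth"
    ensure_token_flush_cron "$d/root"; ensure_token_flush_cron "$d/root"
    echo "token_flush entries after two runs: $(grep -c token_flush "$d/root")"
    rm -rf "$d"
}

demo
```

On a real node you would run check_keystone_conf /etc/keystone/keystone.conf before `service keystone restart`, and write_auth_file ~/.keystone-auth with the token copied from that file; the 0600 mode matters because OS_SERVICE_TOKEN is the all-powerful bootstrap secret.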
- Create users, roles and tenants; start with the admin.
- keystone user-create --name=admin --pass=ADMIN_PASS --email=ADMIN_EMAIL
- keystone role-create --name=admin
- keystone tenant-create --name=admin --description="Admin Tenant"
- keystone user-role-add --user=admin --tenant=admin --role=admin
- keystone user-role-add --user=admin --role=_member_ --tenant=admin
- Next add a normal user and repeat this process for any additional users.
- keystone user-create --name=demo --pass=DEMO_PASS --email=DEMO_EMAIL
- keystone tenant-create --name=demo --description="Demo Tenant"
- keystone user-role-add --user=demo --role=_member_ --tenant=demo
- We also need a tenant that houses all the services together. Their users and roles are created as each service is installed.
- keystone tenant-create --name=service --description="Service Tenant"
- So that the Identity Service can track which OpenStack services are installed and where they are located on the network, you must register each service in your OpenStack installation.
- Start off by registering the Identity Service (Keystone) itself.
- keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
- You will be given a service ID. Use this ID to register the actual endpoint. In the command below we extract the ID from the service-list output with awk.
- keystone endpoint-create --service-id=$(keystone service-list | awk '/ identity / {print $2}') --publicurl=http://host.domain:5000/v2.0 --internalurl=http://host.domain:5000/v2.0 --adminurl=http://host.domain:35357/v2.0
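The awk pattern `/ identity /` matches any row of the table that contains the word, the description column included, so the endpoint-create above would receive two IDs if a second service happened to describe itself with that word. As an added example (not from the original paste) here is a column-aware lookup that compares only the type column and insists on exactly one result. The table below is constructed sample output in the format the keystone CLI prints; the IDs are made up.

```shell
#!/bin/sh
# Added example (not from the original paste). SAMPLE_SERVICE_LIST is constructed
# output mimicking `keystone service-list`; the second row is a decoy whose
# description contains " identity ".
SAMPLE_SERVICE_LIST='+----------------------------------+----------+----------+---------------------------+
|                id                |   name   |   type   |        description        |
+----------------------------------+----------+----------+---------------------------+
| 11111111111111111111111111111111 | keystone | identity |    OpenStack Identity     |
| 22222222222222222222222222222222 |  proxy   |  compute |  fronts the identity api  |
+----------------------------------+----------+----------+---------------------------+'

# The pattern used in the paste: any row containing " TYPE " matches, description included.
service_id_loose() {  # service_id_loose TYPE  (reads the table on stdin)
    awk "/ $1 / {print \$2}"
}

# Column-aware: split on '|', trim, and compare the type column only.
service_id_by_type() {  # service_id_by_type TYPE  (reads the table on stdin)
    awk -F'|' -v want="$1" '
        NF >= 5 {
            id = $2; typ = $4
            gsub(/^[ \t]+|[ \t]+$/, "", id); gsub(/^[ \t]+|[ \t]+$/, "", typ)
            if (typ == want && id != "id") print id
        }'
}

# Pass through exactly one ID; fail on zero or several so endpoint-create never
# gets an empty or multi-line --service-id.
require_single_id() {  # reads IDs on stdin
    ids=$(cat)
    n=$(printf '%s' "$ids" | grep -c .)
    if [ "$n" -ne 1 ]; then
        echo "expected exactly one service id, got $n: '$ids'" >&2
        return 1
    fi
    printf '%s\n' "$ids"
}

echo "loose match (/ identity /):"
printf '%s\n' "$SAMPLE_SERVICE_LIST" | service_id_loose identity
echo "by type column:"
printf '%s\n' "$SAMPLE_SERVICE_LIST" | service_id_by_type identity | require_single_id
```

With these in place the registration step becomes `--service-id=$(keystone service-list | service_id_by_type identity | require_single_id)`, which aborts instead of registering an endpoint against the wrong service.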
- Verify that the Identity Service has installed correctly and is working as intended. Clear the service-token variables set earlier so that the next requests authenticate through Keystone proper and you can see it in action.
- unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
- Request an authentication token as the admin user.
- keystone --os-username=admin --os-password=ADMIN_PASS --os-auth-url=http://host.domain:35357/v2.0 token-get
- If the service is running on the expected endpoint and your credentials are correct, you will receive a token paired with your user ID.
- Verify that authorization is working by requesting authorization on a tenant.
- keystone --os-username=admin --os-password=ADMIN_PASS --os-tenant-name=admin --os-auth-url=http://host.domain:35357/v2.0 token-get
- You will receive a token paired to your user ID and tenant ID. This proves the user belongs to the tenant, holds a role in it, and authenticated successfully.
- Create .admin-openrc; we will use this file to pass our credentials.
- export OS_USERNAME=admin
- export OS_PASSWORD=ADMIN_PASS
- export OS_TENANT_NAME=admin
- export OS_AUTH_URL=http://host.domain:35357/v2.0
- Save the file and run: source .admin-openrc
- Verify that your admin account has authorization to perform administrative commands.
- keystone user-list
- keystone user-role-list --user admin --tenant admin