This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability purposes, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.
Before you install and configure the Identity service, you must create a database.
Note
Before you begin, ensure you have the most recent version of
python-pyasn1
installed.
Use the database access client to connect to the database
server as the root
user:
$ mysql -u root -p
Create the keystone
database:
MariaDB [(none)]> CREATE DATABASE keystone;
Grant proper access to the keystone
database:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace KEYSTONE_DBPASS
with a suitable password.
Exit the database access client.
Note
Default configuration files vary by distribution. You might need
to add these sections and options rather than modifying existing
sections and options. Also, an ellipsis (...
) in the configuration
snippets indicates potential default configuration options that you
should retain.
Note
This guide uses the Apache HTTP server with mod_wsgi
to serve
Identity service requests on ports 5000 and 35357. By default, the
keystone service still listens on these ports. Therefore, this guide
manually disables the keystone service.
Note
Starting with the Newton release, SUSE OpenStack packages are shipping
with the upstream default configuration files. For example
/etc/keystone/keystone.conf
, with customizations in
/etc/keystone/keystone.conf.d/010-keystone.conf
. While the
following instructions modify the default configuration file, adding a
new file in /etc/keystone/keystone.conf.d
achieves the same
result.
Run the following command to install the packages:
# zypper install openstack-keystone apache2-mod_wsgi
Edit the /etc/keystone/keystone.conf
file and complete the following
actions:
In the [database]
section, configure database access:
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace KEYSTONE_DBPASS
with the password you chose for the database.
Note
Comment out or remove any other connection
options in the
[database]
section.
In the [token]
section, configure the Fernet token provider:
[token]
# ...
provider = fernet
Populate the Identity service database:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize Fernet key repositories:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the Identity service:
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
Replace ADMIN_PASS
with a suitable password for an administrative user.
Edit the /etc/sysconfig/apache2
file and configure the
APACHE_SERVERNAME
option to reference the controller node:
APACHE_SERVERNAME="controller"
Create the /etc/apache2/conf.d/wsgi-keystone.conf
file
with the following content:
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
Recursively change the ownership of the /etc/keystone
directory:
# chown -R keystone:keystone /etc/keystone
Start the Apache HTTP service and configure it to start when the system boots:
# systemctl enable apache2.service
# systemctl start apache2.service
Configure the administrative account
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
Replace ADMIN_PASS
with the password used in the
keystone-manage bootstrap
command in keystone-install-configure-obs.
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.