Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability purposes, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.

Note

Ensure that you have completed the prerequisite installation steps in the Openstack Install Guide before proceeding.

Prerequisites

Before you install and configure the Identity service, you must create a database.

Note

Before you begin, ensure you have the most recent version of python-pyasn1 installed.

1. Use the database access client to connect to the database server as the root user:

   $ mysql -u root -p
   

2. Create the keystone database:

   MariaDB [(none)]> CREATE DATABASE keystone;
   

3. Grant proper access to the keystone database:

   MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
   IDENTIFIED BY 'KEYSTONE_DBPASS';
   MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
   IDENTIFIED BY 'KEYSTONE_DBPASS';
   

   Replace KEYSTONE_DBPASS with a suitable password.

4. Exit the database access client.

Install and configure components

Note

Default configuration files vary by distribution. You might need to add these sections and options rather than modifying existing sections and options. Also, an ellipsis (...) in the configuration snippets indicates potential default configuration options that you should retain.

Note

Starting with the Newton release, SUSE OpenStack packages are shipping with the upstream default configuration files. For example /etc/keystone/keystone.conf, with customizations in /etc/keystone/keystone.conf.d/010-keystone.conf. While the following instructions modify the default configuration file, adding a new file in /etc/keystone/keystone.conf.d achieves the same result.

1. Run the following command to install the packages:

   # zypper install openstack-keystone apache2 apache2-mod_wsgi
   

2. Edit the /etc/keystone/keystone.conf file and complete the following actions:

   • In the [database] section, configure database access:

     [database]
     # ...
     connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
     

     Replace KEYSTONE_DBPASS with the password you chose for the database.

     Note

     Comment out or remove any other connection options in the [database] section.

   • In the [token] section, configure the Fernet token provider:

     [token]
     # ...
     provider = fernet
     

3. Populate the Identity service database:

   # su -s /bin/sh -c "keystone-manage db_sync" keystone
   

4. Initialize Fernet key repositories:

   Note

   The --keystone-user and --keystone-group flags are used to specify the operating system’s user/group that will be used to run keystone. These are provided to allow running keystone under another operating system user/group. In the example below, we call the user & group keystone.

   # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
   # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
   

5. Bootstrap the Identity service:

   Note

   Before the Queens release, keystone needed to be run on two separate ports to accommodate the Identity v2 API which ran a separate admin-only service commonly on port 35357. With the removal of the v2 API, keystone can be run on the same port for all interfaces.

   # keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
     --bootstrap-admin-url http://controller:5000/v3/ \
     --bootstrap-internal-url http://controller:5000/v3/ \
     --bootstrap-public-url http://controller:5000/v3/ \
     --bootstrap-region-id RegionOne
   

   Replace ADMIN_PASS with a suitable password for an administrative user.

Configure the Apache HTTP server

1. Edit the /etc/sysconfig/apache2 file and configure the APACHE_SERVERNAME option to reference the controller node:

   APACHE_SERVERNAME="controller"
   

   The APACHE_SERVERNAME entry will need to be added if it does not already exist.

2. Create the /etc/apache2/conf.d/wsgi-keystone.conf file with the following content:

   Listen 5000
   
   <VirtualHost *:5000>
       WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
       WSGIProcessGroup keystone-public
       WSGIScriptAlias / /usr/bin/keystone-wsgi-public
       WSGIApplicationGroup %{GLOBAL}
       WSGIPassAuthorization On
       ErrorLogFormat "%{cu}t %M"
       ErrorLog /var/log/apache2/keystone.log
       CustomLog /var/log/apache2/keystone_access.log combined
   
       <Directory /usr/bin>
           Require all granted
       </Directory>
   </VirtualHost>
   

3. Recursively change the ownership of the /etc/keystone directory:

   # chown -R keystone:keystone /etc/keystone
   

SSL

A secure deployment should have the web server configured to use SSL or running behind an SSL terminator.

Finalize the installation

1. Start the Apache HTTP service and configure it to start when the system boots:

   # systemctl enable apache2.service
   # systemctl start apache2.service
   

2. Configure the administrative account by setting the proper environmental variables:

   $ export OS_USERNAME=admin
   $ export OS_PASSWORD=ADMIN_PASS
   $ export OS_PROJECT_NAME=admin
   $ export OS_USER_DOMAIN_NAME=Default
   $ export OS_PROJECT_DOMAIN_NAME=Default
   $ export OS_AUTH_URL=http://controller:5000/v3
   $ export OS_IDENTITY_API_VERSION=3
   

   These values shown here are the default ones created from keystone-manage bootstrap.

   Replace ADMIN_PASS with the password used in the keystone-manage bootstrap command in keystone-install-configure-obs.