The Keystone project provides Identity as a Service for all OpenStack services and components. It authenticates users and authorizes their access to OpenStack components. For example, if a user would like to launch a new instance, Keystone is responsible for making sure that the user account that issued the instance launch command is a known, authenticated account and that it has permission to launch the instance.
Keystone also provides a service catalog. Users and other services can query Keystone for the services available in a particular OpenStack environment. For each service, Keystone returns an endpoint, which is a network-accessible URL from which users and services can reach that service.
In this chapter, we are going to configure Keystone to use MariaDB as its backend data store, which is the most common configuration. Keystone can also use user account details from an LDAP server or Microsoft Active Directory, which will be covered in Chapter 4, Keystone Identity Service.
Before installing and configuring Keystone, we need to prepare a database for Keystone to use, configure its database user's permissions, and open the needed firewall ports so that other nodes are able to communicate with it. Keystone is usually installed on the controller node as part of OpenStack's control plane.
Run the following commands on the controller node!
[root@controller ~]# mysql -u root -p
Create a database named keystone:
MariaDB [(none)]> CREATE DATABASE keystone;
Create a user account named keystone, using your selected password instead of my_keystone_db_password. Note that the host part '%' allows this account to connect from any address; if only the controller node needs to reach the database, restrict the host part to that node's address instead of '%':
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'my_keystone_db_password';
Grant access for the keystone user account to the keystone database from localhost as well:
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'my_keystone_db_password';
MariaDB [(none)]> FLUSH PRIVILEGES;
At this point, you can exit the MySQL client:
MariaDB [(none)]> quit
Open the firewall ports for Keystone's public API (5000/tcp) and admin API (35357/tcp):
[root@controller ~]# firewall-cmd --add-port=5000/tcp --permanent
[root@controller ~]# firewall-cmd --add-port=35357/tcp --permanent
With --permanent alone the rule is only saved to the persistent configuration; it does not take effect in the running firewall until firewalld is reloaded (or the same port is also added without --permanent). Keep in mind that the admin API on port 35357 should only be reachable from the management network.
Proceed with the following steps:
By now, all of OpenStack's prerequisites, including the database service and the message broker, should be installed and configured; Keystone is the first OpenStack service we install. First, we need to install, configure, enable, and start it. Install the openstack-keystone package using the yum command as follows:
[root@controller ~]# yum install -y openstack-keystone
This will also install Python supporting packages and additional packages for more advanced backend configurations.
Next, point Keystone at its database. Use the openstack-config command with your chosen keystone database user details and the database IP address (DB_IP below is a placeholder for the address of your database server):
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf sql connection mysql://keystone:my_keystone_db_password@DB_IP/keystone
Populate the Keystone database schema, running the command as the keystone user so that any files it creates are owned by that user:
[root@controller ~]# su keystone -s /bin/sh -c "keystone-manage db_sync"
Set a custom token or use the openssl command to generate a random one (10 random bytes give a 20-character hex string):
[root@controller ~]# export SERVICE_TOKEN=$(openssl rand -hex 10)
Store the token in a file for use in the next steps. This file holds a credential that grants full administrative access to Keystone, so keep it readable by root only and remove it once the bootstrap is finished:
[root@controller ~]# echo $SERVICE_TOKEN > ~/keystone_admin_token
We need to configure Keystone to use the token we created. We can manually edit the Keystone configuration file /etc/keystone/keystone.conf, remove the comment mark from the admin_token line and set its value, or we can use the openstack-config command to set the needed property. Use the openstack-config command to configure the admin_token parameter as follows:
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $SERVICE_TOKEN
The admin token bypasses normal authentication entirely: any request that presents it is treated as an administrator. It is meant only for bootstrapping the first users, tenants, and endpoints; once real administrative accounts exist, disable it again.