Keystone project provides Identity as a service for all OpenStack services and components. It is recommended to authenticate users and authorize access of OpenStack components. For Example, if a user would like to launch a new instance, Keystone is responsible for making sure that the user account, which issued the instance launch command, is a known authenticated user account and the account has permissions to launch the instance.
Keystone also provides a services catalog, which OpenStack serves, users and other services can query Keystone for the services of a particular OpenStack environment. For each service, Keystone returns an endpoint, which is a network-accessible URL from where users and services can access a certain service.
In this chapter, we are going to configure Keystone to use MariaDB as the backend data store provides, which is the most common configuration. Keystone can also use user account details on an LDAP server or Microsoft Active Directory, which will be covered in Chapter 4, Keystone Identity Service.
Before installing and configuring Keystone, we need to prepare a database for Keystone to use, configure it's user's permissions, and open needed firewall ports, so other nodes would be able to communicate with it. Keystone is usually installed on the controller node as part of OpenStack's control plane.
Run the following commands on the controller node!
To create a database for Keystone, use MySQL command to access the MariaDB instance, This will ask you to type the password you selected for the MariaDB root user:
[root@controller ~]# mysql -u root -pCreate a database named
keystone:MariaDB [(none)]> CREATE DATABASE keystone;Create a user account named
keystonewith the selected password instead of'my_keystone_db_password':MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'my_keystone_db_password';Grant access for
keystoneuser account to thekeystonedatabase:MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'my_keystone_db_password';Flush database privileges to ensure that they are effective immediately:
MariaDB [(none)]> FLUSH PRIVILEGES;At this point, you can exit the MySQL client:
MariaDB [(none)]> quit
Keystone service uses port 5000 for public access and port 35357 for administration.
[root@controller ~]# firewall-cmd --add-port=5000/tcp --permanent [root@controller ~]# firewall-cmd --add-port=35357/tcp --permanent
Proceed with the following steps:
By now, all OpenStack's prerequisites, including a database service and a message broker, should be installed and configured, and this is the first OpenStack service we install. First, we need to install, configure, enable, and start the package.
Install keystone package using yum command as follows:
[root@controller ~]# yum install -y openstack-keystone
This will also install Python supporting packages and additional packages for more advanced backend configurations.
Keystone's database connection string is set in /etc/keystone/keystone.conf; we can use the #openstack-config command to configure the connection string.
Run the
openstack-configcommand with your chosen keystone database user details and database IP address:[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf sql connection mysql://keystone:'my_keystone_db_password'@10.10.0.1/keystoneAfter the database is configured, we can create the Keystone database tables using
db_synccommand:[root@controller ~]# su keystone -s /bin/sh -c "keystone-manage db_sync"
Before starting the Keystone service, we need to make some initial service configurations for it to start properly.
Keystone can use a token by which it will identify the administrative user:
Set a custom token or use
opensslcommand to generate a random token:[root@controller ~]# export SERVICE_TOKEN=$(openssl rand -hex 10)Store the token in a file for use in the next steps:
[root@controller ~]# echo $SERVICE_TOKEN > ~/keystone_admin_tokenWe need to configure Keystone to use the token we created, we can manually edit the Keystone configuration file
/etc/keystone/keystone.confand manually remove comment mark#next toadmin_tokenor we can use the commandopenstack-configto set the needed property.Use
openstack-configcommand to configureservice_tokenparameter as follows:[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $SERVICE_TOKEN