Keystone issues tokens that are cryptographically signed with a private key; consuming services verify each token against the X.509 certificate that carries the matching public key. Chapter 4, Keystone Identity Service, discusses more advanced configurations. In this chapter, we use the keystone-manage pki_setup command to generate the PKI key pair and to configure Keystone to use it.
Proceed with the following steps:
Generate the PKI keys using the keystone-manage pki_setup command:
[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
Change ownership of the generated PKI files:
[root@controller ~]# chown -R keystone:keystone /var/log/keystone /etc/keystone/ssl/
Configure the Keystone service to use the generated PKI files:
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing token_format PKI
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing certfile /etc/keystone/ssl/certs/signing_cert.pem
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing keyfile /etc/keystone/ssl/private/signing_key.pem
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing ca_certs /etc/keystone/ssl/certs/ca.pem
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing key_size 1024
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing valid_days 3650
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing ca_password None
At this point, Keystone is configured and can be started as follows:
[root@controller ~]# systemctl start openstack-keystone
Enable Keystone to start after a system reboot:
[root@controller ~]# systemctl enable openstack-keystone
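Before relying on the signing setup above, it is worth checking that keystone.conf actually points at files that exist, that the signing private key is readable by its owner only, and that the key size is not weak. The following script is an added example, not part of the book and not an OpenStack tool: it reads the [signing] section with awk (so it does not need openstack-config), and the function and option names, the 2048-bit threshold and the use of ls/cut for permission bits are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the book: sanity-check the [signing] section that
# the openstack-config commands above write, after keystone-manage pki_setup
# has run. It parses keystone.conf with awk (no openstack-config needed),
# confirms the referenced files exist, that the signing private key is not
# group- or world-readable, and flags an RSA key_size below 2048 bits.
# Assumed: a POSIX sh with awk, ls and cut; the conf path is passed in.

# signing_value CONF KEY -> prints KEY's value from the [signing] section
signing_value() {
    awk -v key="$2" -F '=' '
        /^\[/ { in_sec = ($0 == "[signing]"); next }
        in_sec && !/^[#;]/ && NF >= 2 {
            k = $1; gsub(/[ \t]/, "", k)
            if (k == key) {
                v = $2; sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_signing_config CONF -> returns 0 when all checks pass, 1 otherwise
check_signing_config() {
    conf="$1"; rc=0

    fmt=$(signing_value "$conf" token_format)
    if [ "$fmt" != "PKI" ]; then
        echo "FAIL: token_format is '$fmt', expected PKI"; rc=1
    fi

    # every file the token signer and verifier need must be present
    for key in certfile keyfile ca_certs; do
        f=$(signing_value "$conf" "$key")
        if [ -z "$f" ] || [ ! -f "$f" ]; then
            echo "FAIL: $key '$f' does not exist"; rc=1
        fi
    done

    keyfile=$(signing_value "$conf" keyfile)
    if [ -f "$keyfile" ]; then
        # columns 5-10 of "ls -l" are the group and other permission bits
        perms=$(ls -ld "$keyfile" | cut -c1-10)
        case "$(printf '%s' "$perms" | cut -c5-10)" in
            ------) ;;
            *) echo "FAIL: $keyfile is $perms; the signing key should be 0600"; rc=1 ;;
        esac
    fi

    bits=$(signing_value "$conf" key_size)
    # key_size 1024 (the value used in this chapter) works but is weak today
    if [ -n "$bits" ] && [ "$bits" -lt 2048 ] 2>/dev/null; then
        echo "WARN: key_size $bits is below 2048 bits; consider regenerating"
    fi

    return $rc
}

# Usage: check_signing_config /etc/keystone/keystone.conf
if [ "$#" -eq 1 ]; then
    check_signing_config "$1"
fi
```

Run it as root on the controller after the chown step; a non-zero exit means at least one FAIL line was printed. The key-size check only warns, because the chapter's 1024-bit configuration still produces working tokens; regenerating with a larger key means re-running pki_setup and reconfiguring every service that validates tokens.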
We need to configure a Keystone service endpoint for other services to operate properly:
Set the SERVICE_TOKEN environment variable using the keystone_admin_token we generated in the basic Keystone configuration step:
[root@controller ~]# export SERVICE_TOKEN=`cat ~/keystone_admin_token`
Set the SERVICE_ENDPOINT environment variable to Keystone's endpoint URL, using your controller's IP address:
[root@controller ~]# export SERVICE_ENDPOINT="http://10.10.0.1:35357/v2.0"
Create a Keystone service entry:
[root@el7-icehouse-controller ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity service"
The output of a successful execution should look similar to the following, with a different unique ID:
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |    Keystone Identity service     |
|   enabled   |               True               |
|      id     | 1fa0e426e1ba464d95d16c6df0899047 |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+
The endpoint-create command allows us to set different IP addresses that are accessible from public and from internal sources. At this point, we may use our controller's management NIC IP to access the Keystone endpoint. Create the Keystone service endpoint using the keystone endpoint-create command:
[root@controller ~]# keystone endpoint-create --service keystone --publicurl 'http://10.10.0.1:5000/v2.0' --adminurl 'http://10.10.0.1:35357/v2.0' --internalurl 'http://10.10.0.1:5000/v2.0'
Create the services tenant:
[root@controller ~(keystone_admin)]# keystone tenant-create --name services --description "Services Tenant"
Create an administrative account within Keystone:
[root@controller ~]# keystone user-create --name admin --pass password
Create the admin role:
[root@controller ~]# keystone role-create --name admin
Create an admin tenant:
[root@controller ~]# keystone tenant-create --name admin
Add the admin role to the admin user in the admin tenant:
[root@el7-icehouse-controller ~]# keystone user-role-add --user admin --role admin --tenant admin
Create the keystonerc_admin file with the following content:
[root@controller ~]# cat ~/keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL=http://10.10.0.1:35357/v2.0/
export PS1='[\u@\h \W(keystone_admin)]\$ '
To load the environment variables, run the source command:
[root@controller ~]# source keystonerc_admin
We may also create an unprivileged user account that has no administration permissions on our newly created OpenStack environment:
Create the user account in Keystone:
[root@controller ~(keystone_admin)]# keystone user-create --name USER --pass password
Create a new tenant:
[root@el7-icehouse-controller ~(keystone_admin)]# keystone tenant-create --name TENANT
Assign the user account to the newly created tenant:
[root@el7-icehouse-controller ~(keystone_admin)]# keystone user-role-add --user USER --role _member_ --tenant TENANT
Create the keystonerc_user file with the following content:
[root@controller ~(keystone_admin)]# cat ~/keystonerc_user
export OS_USERNAME=USER
export OS_TENANT_NAME=TENANT
export OS_PASSWORD=password
export OS_AUTH_URL=http://10.10.0.1:5000/v2.0/
export PS1='[\u@\h \W(keystone_user)]\$ '
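Both keystonerc files above store OS_PASSWORD in clear text, so the file mode is what keeps the credential from other local accounts. The script below is an added example, not from the book: it writes a keystonerc in the same layout as keystonerc_admin and keystonerc_user but under umask 077, and it checks an existing keystonerc for owner-only permissions and the four required OS_* variables before you source it. The function names, the argument order and the use of ls/cut are my own assumptions; the variable names are the ones the files above use.

```shell
#!/bin/sh
# Added example, not from the book: write a keystonerc file the way the
# chapter does, but created under umask 077 so the plaintext OS_PASSWORD it
# stores is readable only by its owner, plus a check to run before sourcing
# an existing keystonerc. Assumed: POSIX sh with ls and cut; the argument
# order is my own, the variable names are the ones the keystonerc files use.

# write_keystonerc FILE USERNAME TENANT PASSWORD AUTH_URL PROMPT_TAG
write_keystonerc() {
    (
        umask 077    # new file gets mode 0600 regardless of the caller's umask
        # values are single-quoted so shell metacharacters in a password
        # survive sourcing (a password containing a single quote would not)
        cat > "$1" <<EOF
export OS_USERNAME='$2'
export OS_TENANT_NAME='$3'
export OS_PASSWORD='$4'
export OS_AUTH_URL='$5'
export PS1='[\\u@\\h \\W($6)]\\\$ '
EOF
    )
}

# check_keystonerc FILE -> 0 if owner-only permissions and all four OS_* set
check_keystonerc() {
    f="$1"
    [ -f "$f" ] || { echo "FAIL: $f not found"; return 1; }
    # columns 5-10 of "ls -l" are the group and other permission bits
    perms=$(ls -ld "$f" | cut -c1-10)
    case "$(printf '%s' "$perms" | cut -c5-10)" in
        ------) ;;
        *) echo "FAIL: $f is $perms; run chmod 600 on it"; return 1 ;;
    esac
    # source inside a subshell so nothing leaks into the caller's environment
    missing=$(
        . "$f"
        for v in OS_USERNAME OS_TENANT_NAME OS_PASSWORD OS_AUTH_URL; do
            eval "val=\$$v"
            [ -n "$val" ] || printf '%s ' "$v"
        done
    )
    [ -z "$missing" ] || { echo "FAIL: $f does not set: $missing"; return 1; }
    return 0
}

# Usage: write_keystonerc ~/keystonerc_admin admin admin password http://10.10.0.1:35357/v2.0/ keystone_admin
if [ "$#" -eq 6 ]; then
    write_keystonerc "$@" && check_keystonerc "$1"
fi
```

For the user file from the chapter the call is write_keystonerc ~/keystonerc_user USER TENANT password http://10.10.0.1:5000/v2.0/ keystone_user. The check deliberately sources the file in a subshell, so a malformed keystonerc cannot alter the calling shell's environment while being inspected.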
If the installation and configuration of the Keystone service were successful, Keystone should be operational; we run a keystone command to verify that.
Use the keystone tenant-list command to list the existing tenants:
[root@controller ~(keystone_admin)]# keystone tenant-list
The output after successful tenant creation should look like this:
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| a5b7bf37d1b646cb8ec0eb35481204c4 |  admin   |   True  |
| fafb926db0674ad9a34552dc05ac3a18 | services |   True  |
+----------------------------------+----------+---------+