Added keystone installation guides
Currently some keystone installation guide docs are part of general OpenStack-manuals. Migrating those docs to keystone documentation so that they can be reviewed effectively by keystone developers too. Added installation guides for Ubuntu, openSUSE and Red Hat Enterprise. The installation guides for Debian will be added once they are complete in openstack-manuals. Also changed the toctree structure in install-guides to include directives so that all sections appear on one page rather than just links.

Partial-Bug #1694460
Change-Id: I03aecfd1544b559a8fbd1ab11c5474145cff9ff9
parent
9070172084
commit
c69c283bf8
@ -47,6 +47,13 @@ client library`_.
|
||||
.. _`Authentication library`: https://docs.openstack.org/developer/keystoneauth/
|
||||
.. _`Python client library`: https://docs.openstack.org/developer/python-keystoneclient/
|
||||
|
||||
Installation Guides
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
install/index.rst
|
||||
|
||||
General Information
|
||||
~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
|
52
doc/source/install/common/get-started-identity.rst
Normal file
@ -0,0 +1,52 @@
|
||||
Identity service overview
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The OpenStack Identity service provides a single point of integration for
|
||||
managing authentication, authorization, and a catalog of services.
|
||||
|
||||
The Identity service is typically the first service a user interacts with. Once
|
||||
authenticated, an end user can use their identity to access other OpenStack
|
||||
services. Likewise, other OpenStack services leverage the Identity service to
|
||||
ensure users are who they say they are and discover where other services are
|
||||
within the deployment. The Identity service can also integrate with some
|
||||
external user management systems (such as LDAP).
|
||||
|
||||
Users and services can locate other services by using the service catalog,
|
||||
which is managed by the Identity service. As the name implies, a service
|
||||
catalog is a collection of available services in an OpenStack deployment. Each
|
||||
service can have one or many endpoints and each endpoint can be one of three
|
||||
types: admin, internal, or public. In a production environment, different
|
||||
endpoint types might reside on separate networks exposed to different types of
|
||||
users for security reasons. For instance, the public API network might be
|
||||
visible from the Internet so customers can manage their clouds. The admin API
|
||||
network might be restricted to operators within the organization that manages
|
||||
cloud infrastructure. The internal API network might be restricted to the hosts
|
||||
that contain OpenStack services. Also, OpenStack supports multiple regions for
|
||||
scalability. For simplicity, this guide uses the management network for all
|
||||
endpoint types and the default ``RegionOne`` region. Together, regions,
|
||||
services, and endpoints created within the Identity service comprise the
|
||||
service catalog for a deployment. Each OpenStack service in your deployment
|
||||
needs a service entry with corresponding endpoints stored in the Identity
|
||||
service. This can all be done after the Identity service has been installed and
|
||||
configured.
|
||||
|
||||
The Identity service contains these components:
|
||||
|
||||
Server
|
||||
A centralized server provides authentication and authorization
|
||||
services using a RESTful interface.
|
||||
|
||||
Drivers
|
||||
Drivers or a service back end are integrated to the centralized
|
||||
server. They are used for accessing identity information in
|
||||
repositories external to OpenStack, and may already exist in
|
||||
the infrastructure where OpenStack is deployed (for example, SQL
|
||||
databases or LDAP servers).
|
||||
|
||||
Modules
|
||||
Middleware modules run in the address space of the OpenStack
|
||||
component that is using the Identity service. These modules
|
||||
intercept service requests, extract user credentials, and send them
|
||||
to the centralized server for authorization. The integration between
|
||||
the middleware modules and OpenStack components uses the Python Web
|
||||
Server Gateway Interface.
|
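Review bot: In the service catalog paragraph, "For simplicity, this guide uses the management network for all endpoint types" comes right after the explanation that admin, internal and public endpoints sit on separate networks for security reasons, and nothing tells the reader that the single-network layout is a shortcut for this guide. Suggest a short `.. note::` saying a production deployment should separate the endpoint types as described earlier in the paragraph. Wording nit in the Drivers entry: "integrated to the centralized server" reads better as "integrated with".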
50
doc/source/install/index-obs.rst
Normal file
@ -0,0 +1,50 @@
|
||||
=====================================================================
|
||||
Keystone Installation Tutorial for openSUSE and SUSE Linux Enterprise
|
||||
=====================================================================
|
||||
|
||||
Abstract
|
||||
~~~~~~~~
|
||||
|
||||
This guide will show you how to install OpenStack by using packages
|
||||
on openSUSE Leap 42.2 and SUSE Linux Enterprise Server 12 - for
|
||||
both SP1 and SP2 - through the Open Build Service Cloud repository.
|
||||
|
||||
Explanations of configuration options and sample configuration files
|
||||
are included.
|
||||
|
||||
.. note::
|
||||
The Training Labs scripts provide an automated way of deploying the
|
||||
cluster described in this Installation Guide into VirtualBox or KVM
|
||||
VMs. You will need a desktop computer or a laptop with at least 8
|
||||
GB memory and 20 GB free storage running Linux, MaOS, or Windows.
|
||||
Please see the
|
||||
`OpenStack Training Labs <https://docs.openstack.org/training_labs/>`_.
|
||||
|
||||
This guide documents the OpenStack Ocata release.
|
||||
|
||||
.. warning::
|
||||
|
||||
This guide is a work-in-progress and is subject to updates frequently.
|
||||
Pre-release packages have been used for testing, and some instructions
|
||||
may not work with final versions. Please help us make this guide better
|
||||
by reporting any errors you encounter.
|
||||
|
||||
Contents
|
||||
~~~~~~~~
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
common/get-started-identity.rst
|
||||
keystone-install-obs.rst
|
||||
keystone-users.rst
|
||||
keystone-verify-obs.rst
|
||||
keystone-openrc.rst
|
||||
|
||||
.. Pseudo only directive for each distribution used by the build tool.
|
||||
This pseudo only directive for toctree only works fine with Tox.
|
||||
When you directly build this guide with Sphinx,
|
||||
some navigation menu may not work properly.
|
||||
.. Keep this pseudo only directive not to break translation tool chain
|
||||
at the openstack-doc-tools repo until it is changed.
|
||||
.. end of contents
|
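Review bot: The abstract says the guide shows "how to install OpenStack", but the title of this file is the Keystone installation tutorial, and index-rdo.rst says "install Keystone" in the same sentence; suggest matching that wording here. In the `.. note::` block, "MaOS" is a typo for macOS, and the same typo is carried into index-rdo.rst and index-ubuntu.rst.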
50
doc/source/install/index-rdo.rst
Normal file
@ -0,0 +1,50 @@
|
||||
======================================================================
|
||||
Keystone Installation Tutorial for Red Hat Enterprise Linux and CentOS
|
||||
======================================================================
|
||||
|
||||
Abstract
|
||||
~~~~~~~~
|
||||
|
||||
This guide will show you how to install Keystone by using packages
|
||||
available on Red Hat Enterprise Linux 7 and its derivatives through
|
||||
the RDO repository.
|
||||
|
||||
Explanations of configuration options and sample configuration files
|
||||
are included.
|
||||
|
||||
.. note::
|
||||
The Training Labs scripts provide an automated way of deploying the
|
||||
cluster described in this Installation Guide into VirtualBox or KVM
|
||||
VMs. You will need a desktop computer or a laptop with at least 8
|
||||
GB memory and 20 GB free storage running Linux, MaOS, or Windows.
|
||||
Please see the
|
||||
`OpenStack Training Labs <https://docs.openstack.org/training_labs/>`_.
|
||||
|
||||
This guide documents the OpenStack Ocata release.
|
||||
|
||||
.. warning::
|
||||
|
||||
This guide is a work-in-progress and is subject to updates frequently.
|
||||
Pre-release packages have been used for testing, and some instructions
|
||||
may not work with final versions. Please help us make this guide better
|
||||
by reporting any errors you encounter.
|
||||
|
||||
Contents
|
||||
~~~~~~~~
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
common/get-started-identity.rst
|
||||
keystone-install-rdo.rst
|
||||
keystone-users.rst
|
||||
keystone-verify-rdo.rst
|
||||
keystone-openrc.rst
|
||||
|
||||
.. Pseudo only directive for each distribution used by the build tool.
|
||||
This pseudo only directive for toctree only works fine with Tox.
|
||||
When you directly build this guide with Sphinx,
|
||||
some navigation menu may not work properly.
|
||||
.. Keep this pseudo only directive not to break translation tool chain
|
||||
at the openstack-doc-tools repo until it is changed.
|
||||
.. end of contents
|
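Review bot: The Training Labs `.. note::`, the `.. warning::` block and the trailing comments are copied verbatim from index-obs.rst (including the "MaOS" typo) and appear a third time in index-ubuntu.rst. The install pages in this change already pull shared text with `.. include:: shared/note_configuration_vary_by_distribution.rst`; moving these blocks into a file under shared/ the same way would leave one copy to maintain.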
50
doc/source/install/index-ubuntu.rst
Normal file
@ -0,0 +1,50 @@
|
||||
=========================================
|
||||
Keystone Installation Tutorial for Ubuntu
|
||||
=========================================
|
||||
|
||||
Abstract
|
||||
~~~~~~~~
|
||||
|
||||
This guide will walk through an installation by using packages
|
||||
available through Canonical's Ubuntu Cloud archive repository for
|
||||
Ubuntu 16.04 (LTS).
|
||||
|
||||
Explanations of configuration options and sample configuration files
|
||||
are included.
|
||||
|
||||
.. note::
|
||||
The Training Labs scripts provide an automated way of deploying the
|
||||
cluster described in this Installation Guide into VirtualBox or KVM
|
||||
VMs. You will need a desktop computer or a laptop with at least 8
|
||||
GB memory and 20 GB free storage running Linux, MaOS, or Windows.
|
||||
Please see the
|
||||
`OpenStack Training Labs <https://docs.openstack.org/training_labs/>`_.
|
||||
|
||||
This guide documents the OpenStack Ocata release.
|
||||
|
||||
.. warning::
|
||||
|
||||
This guide is a work-in-progress and is subject to updates frequently.
|
||||
Pre-release packages have been used for testing, and some instructions
|
||||
may not work with final versions. Please help us make this guide better
|
||||
by reporting any errors you encounter.
|
||||
|
||||
Contents
|
||||
~~~~~~~~
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 2
|
||||
|
||||
common/get-started-identity.rst
|
||||
keystone-install-ubuntu.rst
|
||||
keystone-users.rst
|
||||
keystone-verify-ubuntu.rst
|
||||
keystone-openrc.rst
|
||||
|
||||
.. Pseudo only directive for each distribution used by the build tool.
|
||||
This pseudo only directive for toctree only works fine with Tox.
|
||||
When you directly build this guide with Sphinx,
|
||||
some navigation menu may not work properly.
|
||||
.. Keep this pseudo only directive not to break translation tool chain
|
||||
at the openstack-doc-tools repo until it is changed.
|
||||
.. end of contents
|
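Review bot: The trailing comment ".. Pseudo only directive for each distribution used by the build tool." describes an only directive around the toctree, but the toctree in this file is unconditional and lists just the Ubuntu pages, so the comment no longer describes anything here (same in index-obs.rst and index-rdo.rst). Suggest dropping the comment block or rewording it for the per-distribution files. Also, the abstract "This guide will walk through an installation" never says what is being installed; index-rdo.rst names Keystone.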
22
doc/source/install/index.rst
Normal file
@ -0,0 +1,22 @@
|
||||
=================================
|
||||
Keystone Installation Tutorial
|
||||
=================================
|
||||
|
||||
The OpenStack system consists of several key services that are separately
|
||||
installed. These services work together depending on your cloud
|
||||
needs and include the Compute, Identity, Networking, Image, Block Storage,
|
||||
Object Storage, Telemetry, Orchestration, and Database services. You
|
||||
can install any of these projects separately and configure them stand-alone
|
||||
or as connected entities.
|
||||
|
||||
This section describes how to install and configure the OpenStack
|
||||
Identity service, code-named keystone, on the controller node. For
|
||||
scalability purposes, this configuration deploys Fernet tokens and
|
||||
the Apache HTTP server to handle requests.
|
||||
|
||||
.. toctree::
|
||||
:maxdepth: 3
|
||||
|
||||
index-obs
|
||||
index-rdo
|
||||
index-ubuntu
|
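Review bot: The toctree here lists `index-obs`, `index-rdo` and `index-ubuntu` without a suffix, while the other toctrees added in this change (`install/index.rst`, `common/get-started-identity.rst`, `keystone-users.rst` and so on) spell out `.rst`; pick one form for the whole change. The second paragraph ("This section describes how to install and configure the OpenStack Identity service ...") is also repeated word for word at the top of each keystone-install-*.rst page, so it could be shortened here.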
261
doc/source/install/keystone-install-obs.rst
Normal file
@ -0,0 +1,261 @@
|
||||
Install and configure
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
This section describes how to install and configure the OpenStack
|
||||
Identity service, code-named keystone, on the controller node. For
|
||||
scalability purposes, this configuration deploys Fernet tokens and
|
||||
the Apache HTTP server to handle requests.
|
||||
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
Before you install and configure the Identity service, you must
|
||||
create a database.
|
||||
|
||||
|
||||
.. note::
|
||||
|
||||
Before you begin, ensure you have the most recent version of
|
||||
``python-pyasn1`` `installed <https://pypi.python.org/pypi/pyasn1>`_.
|
||||
|
||||
|
||||
|
||||
|
||||
#. Use the database access client to connect to the database
|
||||
server as the ``root`` user:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ mysql -u root -p
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
2. Create the ``keystone`` database:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
MariaDB [(none)]> CREATE DATABASE keystone;
|
||||
|
||||
.. end
|
||||
|
||||
#. Grant proper access to the ``keystone`` database:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
|
||||
IDENTIFIED BY 'KEYSTONE_DBPASS';
|
||||
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
|
||||
IDENTIFIED BY 'KEYSTONE_DBPASS';
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``KEYSTONE_DBPASS`` with a suitable password.
|
||||
|
||||
#. Exit the database access client.
|
||||
|
||||
.. _keystone-install-configure-obs:
|
||||
|
||||
Install and configure components
|
||||
--------------------------------
|
||||
|
||||
.. include:: shared/note_configuration_vary_by_distribution.rst
|
||||
|
||||
|
||||
.. note::
|
||||
|
||||
This guide uses the Apache HTTP server with ``mod_wsgi`` to serve
|
||||
Identity service requests on ports 5000 and 35357. By default, the
|
||||
keystone service still listens on these ports. Therefore, this guide
|
||||
manually disables the keystone service.
|
||||
|
||||
|
||||
|
||||
.. note::
|
||||
|
||||
Starting with the Newton release, SUSE OpenStack packages are shipping
|
||||
with the upstream default configuration files. For example
|
||||
``/etc/keystone/keystone.conf``, with customizations in
|
||||
``/etc/keystone/keystone.conf.d/010-keystone.conf``. While the
|
||||
following instructions modify the default configuration file, adding a
|
||||
new file in ``/etc/keystone/keystone.conf.d`` achieves the same
|
||||
result.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#. Run the following command to install the packages:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# zypper install openstack-keystone apache2-mod_wsgi
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
2. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
|
||||
actions:
|
||||
|
||||
* In the ``[database]`` section, configure database access:
|
||||
|
||||
.. path /etc/keystone/keystone.conf
|
||||
.. code-block:: ini
|
||||
|
||||
[database]
|
||||
# ...
|
||||
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
|
||||
|
||||
.. note::
|
||||
|
||||
Comment out or remove any other ``connection`` options in the
|
||||
``[database]`` section.
|
||||
|
||||
* In the ``[token]`` section, configure the Fernet token provider:
|
||||
|
||||
.. path /etc/keystone/keystone.conf
|
||||
.. code-block:: ini
|
||||
|
||||
[token]
|
||||
# ...
|
||||
provider = fernet
|
||||
|
||||
.. end
|
||||
|
||||
3. Populate the Identity service database:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# su -s /bin/sh -c "keystone-manage db_sync" keystone
|
||||
|
||||
.. end
|
||||
|
||||
4. Initialize Fernet key repositories:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
|
||||
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
|
||||
|
||||
.. end
|
||||
|
||||
5. Bootstrap the Identity service:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
|
||||
--bootstrap-admin-url http://controller:35357/v3/ \
|
||||
--bootstrap-internal-url http://controller:5000/v3/ \
|
||||
--bootstrap-public-url http://controller:5000/v3/ \
|
||||
--bootstrap-region-id RegionOne
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``ADMIN_PASS`` with a suitable password for an administrative user.
|
||||
|
||||
Configure the Apache HTTP server
|
||||
--------------------------------
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#. Edit the ``/etc/sysconfig/apache2`` file and configure the
|
||||
``APACHE_SERVERNAME`` option to reference the controller node:
|
||||
|
||||
.. path /etc/sysconfig/apache2
|
||||
.. code-block:: shell
|
||||
|
||||
APACHE_SERVERNAME="controller"
|
||||
|
||||
.. end
|
||||
|
||||
#. Create the ``/etc/apache2/conf.d/wsgi-keystone.conf`` file
|
||||
with the following content:
|
||||
|
||||
.. path /etc/apache2/conf.d/wsgi-keystone.conf
|
||||
.. code-block:: apache
|
||||
|
||||
Listen 5000
|
||||
Listen 35357
|
||||
|
||||
<VirtualHost *:5000>
|
||||
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-public
|
||||
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
ErrorLog /var/log/apache2/keystone.log
|
||||
CustomLog /var/log/apache2/keystone_access.log combined
|
||||
|
||||
<Directory /usr/bin>
|
||||
Require all granted
|
||||
</Directory>
|
||||
</VirtualHost>
|
||||
|
||||
<VirtualHost *:35357>
|
||||
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
|
||||
WSGIProcessGroup keystone-admin
|
||||
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
|
||||
WSGIApplicationGroup %{GLOBAL}
|
||||
WSGIPassAuthorization On
|
||||
ErrorLogFormat "%{cu}t %M"
|
||||
ErrorLog /var/log/apache2/keystone.log
|
||||
CustomLog /var/log/apache2/keystone_access.log combined
|
||||
|
||||
<Directory /usr/bin>
|
||||
Require all granted
|
||||
</Directory>
|
||||
</VirtualHost>
|
||||
|
||||
.. end
|
||||
|
||||
#. Recursively change the ownership of the ``/etc/keystone`` directory:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# chown -R keystone:keystone /etc/keystone
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
|
||||
Finalize the installation
|
||||
-------------------------
|
||||
|
||||
|
||||
|
||||
|
||||
#. Start the Apache HTTP service and configure it to start when the system
|
||||
boots:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# systemctl enable apache2.service
|
||||
# systemctl start apache2.service
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
2. Configure the administrative account
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ export OS_USERNAME=admin
|
||||
$ export OS_PASSWORD=ADMIN_PASS
|
||||
$ export OS_PROJECT_NAME=admin
|
||||
$ export OS_USER_DOMAIN_NAME=Default
|
||||
$ export OS_PROJECT_DOMAIN_NAME=Default
|
||||
$ export OS_AUTH_URL=http://controller:35357/v3
|
||||
$ export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``ADMIN_PASS`` with the password used in the
|
||||
``keystone-manage bootstrap`` command in `keystone-install-configure-obs`_.
|
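Review bot: In Prerequisites step 3, the second statement, `GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'`, lets the keystone database account log in from any host, while the page installs keystone on the controller node and points the `[database]` connection at `controller`. Suggest granting to the controller's host name instead of `%`, or adding a note that `%` is a convenience for this guide. Separately, the `.. note::` under "Install and configure components" says "this guide manually disables the keystone service", but no step in this file does that.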
203
doc/source/install/keystone-install-rdo.rst
Normal file
@ -0,0 +1,203 @@
|
||||
Install and configure
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
This section describes how to install and configure the OpenStack
|
||||
Identity service, code-named keystone, on the controller node. For
|
||||
scalability purposes, this configuration deploys Fernet tokens and
|
||||
the Apache HTTP server to handle requests.
|
||||
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
Before you install and configure the Identity service, you must
|
||||
create a database.
|
||||
|
||||
|
||||
|
||||
|
||||
#. Use the database access client to connect to the database
|
||||
server as the ``root`` user:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ mysql -u root -p
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
2. Create the ``keystone`` database:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
MariaDB [(none)]> CREATE DATABASE keystone;
|
||||
|
||||
.. end
|
||||
|
||||
#. Grant proper access to the ``keystone`` database:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
|
||||
IDENTIFIED BY 'KEYSTONE_DBPASS';
|
||||
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
|
||||
IDENTIFIED BY 'KEYSTONE_DBPASS';
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``KEYSTONE_DBPASS`` with a suitable password.
|
||||
|
||||
#. Exit the database access client.
|
||||
|
||||
.. _keystone-install-configure-rdo:
|
||||
|
||||
Install and configure components
|
||||
--------------------------------
|
||||
|
||||
.. include:: shared/note_configuration_vary_by_distribution.rst
|
||||
|
||||
|
||||
.. note::
|
||||
|
||||
This guide uses the Apache HTTP server with ``mod_wsgi`` to serve
|
||||
Identity service requests on ports 5000 and 35357. By default, the
|
||||
keystone service still listens on these ports. Therefore, this guide
|
||||
manually disables the keystone service.
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
#. Run the following command to install the packages:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# yum install openstack-keystone httpd mod_wsgi
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
|
||||
2. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
|
||||
actions:
|
||||
|
||||
* In the ``[database]`` section, configure database access:
|
||||
|
||||
.. path /etc/keystone/keystone.conf
|
||||
.. code-block:: ini
|
||||
|
||||
[database]
|
||||
# ...
|
||||
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
|
||||
|
||||
.. note::
|
||||
|
||||
Comment out or remove any other ``connection`` options in the
|
||||
``[database]`` section.
|
||||
|
||||
* In the ``[token]`` section, configure the Fernet token provider:
|
||||
|
||||
.. path /etc/keystone/keystone.conf
|
||||
.. code-block:: ini
|
||||
|
||||
[token]
|
||||
# ...
|
||||
provider = fernet
|
||||
|
||||
.. end
|
||||
|
||||
3. Populate the Identity service database:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# su -s /bin/sh -c "keystone-manage db_sync" keystone
|
||||
|
||||
.. end
|
||||
|
||||
4. Initialize Fernet key repositories:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
|
||||
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
|
||||
|
||||
.. end
|
||||
|
||||
5. Bootstrap the Identity service:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
|
||||
--bootstrap-admin-url http://controller:35357/v3/ \
|
||||
--bootstrap-internal-url http://controller:5000/v3/ \
|
||||
--bootstrap-public-url http://controller:5000/v3/ \
|
||||
--bootstrap-region-id RegionOne
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``ADMIN_PASS`` with a suitable password for an administrative user.
|
||||
|
||||
Configure the Apache HTTP server
|
||||
--------------------------------
|
||||
|
||||
|
||||
#. Edit the ``/etc/httpd/conf/httpd.conf`` file and configure the
|
||||
``ServerName`` option to reference the controller node:
|
||||
|
||||
.. path /etc/httpd/conf/httpd
|
||||
.. code-block:: apache
|
||||
|
||||
ServerName controller
|
||||
|
||||
.. end
|
||||
|
||||
#. Create a link to the ``/usr/share/keystone/wsgi-keystone.conf`` file:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Finalize the installation
|
||||
-------------------------
|
||||
|
||||
|
||||
|
||||
#. Start the Apache HTTP service and configure it to start when the system
|
||||
boots:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# systemctl enable httpd.service
|
||||
# systemctl start httpd.service
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
|
||||
2. Configure the administrative account
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ export OS_USERNAME=admin
|
||||
$ export OS_PASSWORD=ADMIN_PASS
|
||||
$ export OS_PROJECT_NAME=admin
|
||||
$ export OS_USER_DOMAIN_NAME=Default
|
||||
$ export OS_PROJECT_DOMAIN_NAME=Default
|
||||
$ export OS_AUTH_URL=http://controller:35357/v3
|
||||
$ export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``ADMIN_PASS`` with the password used in the
|
||||
``keystone-manage bootstrap`` command in `keystone-install-configure-rdo`_.
|
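Review bot: In step 5, `keystone-manage bootstrap --bootstrap-password ADMIN_PASS` puts the admin password on the command line, where it ends up in root's shell history and is visible in the process list while the command runs; the `export OS_PASSWORD=ADMIN_PASS` step under "Finalize the installation" has the same shell-history problem. Suggest a short note telling readers to keep these commands out of history or clear it afterwards. Minor: the comment `.. path /etc/httpd/conf/httpd` is missing the `.conf` suffix that the step text uses.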
193
doc/source/install/keystone-install-ubuntu.rst
Normal file
@ -0,0 +1,193 @@
|
||||
Install and configure
|
||||
~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
This section describes how to install and configure the OpenStack
|
||||
Identity service, code-named keystone, on the controller node. For
|
||||
scalability purposes, this configuration deploys Fernet tokens and
|
||||
the Apache HTTP server to handle requests.
|
||||
|
||||
Prerequisites
|
||||
-------------
|
||||
|
||||
Before you install and configure the Identity service, you must
|
||||
create a database.
|
||||
|
||||
|
||||
|
||||
#. Use the database access client to connect to the database
|
||||
server as the ``root`` user:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# mysql
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
|
||||
2. Create the ``keystone`` database:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
MariaDB [(none)]> CREATE DATABASE keystone;
|
||||
|
||||
.. end
|
||||
|
||||
#. Grant proper access to the ``keystone`` database:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
|
||||
IDENTIFIED BY 'KEYSTONE_DBPASS';
|
||||
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
|
||||
IDENTIFIED BY 'KEYSTONE_DBPASS';
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``KEYSTONE_DBPASS`` with a suitable password.
|
||||
|
||||
#. Exit the database access client.
|
||||
|
||||
.. _keystone-install-configure-ubuntu:
|
||||
|
||||
Install and configure components
|
||||
--------------------------------
|
||||
|
||||
.. include:: shared/note_configuration_vary_by_distribution.rst
|
||||
|
||||
|
||||
|
||||
|
||||
.. note::
|
||||
|
||||
This guide uses the Apache HTTP server with ``mod_wsgi`` to serve
|
||||
Identity service requests on ports 5000 and 35357. By default, the
|
||||
keystone service still listens on these ports. The package handles
|
||||
all of the Apache configuration for you (including the activation of
|
||||
the ``mod_wsgi`` apache2 module and keystone configuration in Apache).
|
||||
|
||||
#. Run the following command to install the packages:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# apt install keystone
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
2. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
|
||||
actions:
|
||||
|
||||
* In the ``[database]`` section, configure database access:
|
||||
|
||||
.. path /etc/keystone/keystone.conf
|
||||
.. code-block:: ini
|
||||
|
||||
[database]
|
||||
# ...
|
||||
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
|
||||
|
||||
.. note::
|
||||
|
||||
Comment out or remove any other ``connection`` options in the
|
||||
``[database]`` section.
|
||||
|
||||
* In the ``[token]`` section, configure the Fernet token provider:
|
||||
|
||||
.. path /etc/keystone/keystone.conf
|
||||
.. code-block:: ini
|
||||
|
||||
[token]
|
||||
# ...
|
||||
provider = fernet
|
||||
|
||||
.. end
|
||||
|
||||
3. Populate the Identity service database:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# su -s /bin/sh -c "keystone-manage db_sync" keystone
|
||||
|
||||
.. end
|
||||
|
||||
4. Initialize Fernet key repositories:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
|
||||
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
|
||||
|
||||
.. end
|
||||
|
||||
5. Bootstrap the Identity service:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
|
||||
--bootstrap-admin-url http://controller:35357/v3/ \
|
||||
--bootstrap-internal-url http://controller:5000/v3/ \
|
||||
--bootstrap-public-url http://controller:5000/v3/ \
|
||||
--bootstrap-region-id RegionOne
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``ADMIN_PASS`` with a suitable password for an administrative user.
|
||||
|
||||
Configure the Apache HTTP server
|
||||
--------------------------------
|
||||
|
||||
|
||||
|
||||
#. Edit the ``/etc/apache2/apache2.conf`` file and configure the
|
||||
``ServerName`` option to reference the controller node:
|
||||
|
||||
.. path /etc/apache2/apache2.conf
|
||||
.. code-block:: apache
|
||||
|
||||
ServerName controller
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
|
||||
|
||||
|
||||
Finalize the installation
|
||||
-------------------------
|
||||
|
||||
|
||||
#. Restart the Apache service:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
# service apache2 restart
|
||||
|
||||
.. end
|
||||
|
||||
|
||||
|
||||
|
||||
2. Configure the administrative account
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ export OS_USERNAME=admin
|
||||
$ export OS_PASSWORD=ADMIN_PASS
|
||||
$ export OS_PROJECT_NAME=admin
|
||||
$ export OS_USER_DOMAIN_NAME=Default
|
||||
$ export OS_PROJECT_DOMAIN_NAME=Default
|
||||
$ export OS_AUTH_URL=http://controller:35357/v3
|
||||
$ export OS_IDENTITY_API_VERSION=3
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``ADMIN_PASS`` with the password used in the
|
||||
``keystone-manage bootstrap`` command in `keystone-install-configure-ubuntu`_.
|
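Review bot: The bootstrap URLs in step 5 and `OS_AUTH_URL=http://controller:35357/v3` are plain `http://`, so the `ADMIN_PASS` credential and the tokens issued for it cross the network unencrypted, and the page does not say this is a choice made for the guide. Suggest a `.. note::` stating that. Also, the `.. note::` above the package step says "By default, the keystone service still listens on these ports" and then goes straight to what the package configures, without saying whether the reader has to stop that service; the obs and rdo pages say it is disabled manually.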
96
doc/source/install/keystone-openrc.rst
Normal file
@ -0,0 +1,96 @@
|
||||
Create OpenStack client environment scripts
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The previous section used a combination of environment variables and
|
||||
command options to interact with the Identity service via the
|
||||
``openstack`` client. To increase efficiency of client operations,
|
||||
OpenStack supports simple client environment scripts also known as
|
||||
OpenRC files. These scripts typically contain common options for
|
||||
all clients, but also support unique options. For more information, see the
|
||||
`OpenStack End User Guide <https://docs.openstack.org/user-guide/common/
|
||||
cli_set_environment_variables_using_openstack_rc.html>`_.
|
||||
|
||||
Creating the scripts
|
||||
--------------------
|
||||
|
||||
Create client environment scripts for the ``admin`` and ``demo``
|
||||
projects and users. Future portions of this guide reference these
|
||||
scripts to load appropriate credentials for client operations.
|
||||
|
||||
#. Create and edit the ``admin-openrc`` file and add the following content:
|
||||
|
||||
.. note::
|
||||
|
||||
The OpenStack client also supports using a ``clouds.yaml`` file.
|
||||
For more information, see
|
||||
the `os-client-config <http://docs.openstack.org/developer/os-client-config/>`_.
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=Default
|
||||
export OS_USER_DOMAIN_NAME=Default
|
||||
export OS_PROJECT_NAME=admin
|
||||
export OS_USERNAME=admin
|
||||
export OS_PASSWORD=ADMIN_PASS
|
||||
export OS_AUTH_URL=http://controller:35357/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
export OS_IMAGE_API_VERSION=2
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``ADMIN_PASS`` with the password you chose
|
||||
for the ``admin`` user in the Identity service.
|
||||
|
||||
#. Create and edit the ``demo-openrc`` file and add the following content:
|
||||
|
||||
.. code-block:: bash
|
||||
|
||||
export OS_PROJECT_DOMAIN_NAME=Default
|
||||
export OS_USER_DOMAIN_NAME=Default
|
||||
export OS_PROJECT_NAME=demo
|
||||
export OS_USERNAME=demo
|
||||
export OS_PASSWORD=DEMO_PASS
|
||||
export OS_AUTH_URL=http://controller:5000/v3
|
||||
export OS_IDENTITY_API_VERSION=3
|
||||
export OS_IMAGE_API_VERSION=2
|
||||
|
||||
.. end
|
||||
|
||||
Replace ``DEMO_PASS`` with the password you chose
|
||||
for the ``demo`` user in the Identity service.
|
||||
|
||||
Using the scripts
|
||||
-----------------
|
||||
|
||||
To run clients as a specific project and user, you can simply load
|
||||
the associated client environment script prior to running them.
|
||||
For example:
|
||||
|
||||
#. Load the ``admin-openrc`` file to populate
|
||||
environment variables with the location of the Identity service
|
||||
and the ``admin`` project and user credentials:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ . admin-openrc
|
||||
|
||||
.. end
|
||||
|
||||
#. Request an authentication token:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack token issue
|
||||
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| Field | Value |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| expires | 2016-02-12T20:44:35.659723Z |
|
||||
| id | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
|
||||
| | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
|
||||
| | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E |
|
||||
| project_id | 343d245e850143a096806dfaefa9afdc |
|
||||
| user_id | ac3377633149401296f6c0d92d79dc16 |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
|
||||
.. end
|
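Review bot: both ``admin-openrc`` and ``demo-openrc`` under "Creating the scripts" store ``OS_PASSWORD`` in cleartext, yet nothing tells the reader to restrict who can read the files. Add a step once both files exist, such as ``chmod 600 admin-openrc demo-openrc``, and a sentence saying they should not be committed to version control. Separately, the ``clouds.yaml`` note sits between "add the following content:" and the code block it introduces; moving it below the block keeps the instruction and its content together, and its link could use ``https://`` like the End User Guide link above it.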
113
doc/source/install/keystone-users.rst
Normal file
@ -0,0 +1,113 @@
|
||||
Create a domain, projects, users, and roles
|
||||
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
||||
|
||||
The Identity service provides authentication services for each OpenStack
|
||||
service. The authentication service uses a combination of domains,
|
||||
projects, users, and roles.
|
||||
|
||||
#. This guide uses a service project that contains a unique user for each
|
||||
service that you add to your environment. Create the ``service``
|
||||
project:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project create --domain default \
|
||||
--description "Service Project" service
|
||||
|
||||
+-------------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-------------+----------------------------------+
|
||||
| description | Service Project |
|
||||
| domain_id | default |
|
||||
| enabled | True |
|
||||
| id | 24ac7f19cd944f4cba1d77469b2a73ed |
|
||||
| is_domain | False |
|
||||
| name | service |
|
||||
| parent_id | default |
|
||||
+-------------+----------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
#. Regular (non-admin) tasks should use an unprivileged project and user.
|
||||
As an example, this guide creates the ``demo`` project and user.
|
||||
|
||||
* Create the ``demo`` project:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack project create --domain default \
|
||||
--description "Demo Project" demo
|
||||
|
||||
+-------------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-------------+----------------------------------+
|
||||
| description | Demo Project |
|
||||
| domain_id | default |
|
||||
| enabled | True |
|
||||
| id | 231ad6e7ebba47d6a1e57e1cc07ae446 |
|
||||
| is_domain | False |
|
||||
| name | demo |
|
||||
| parent_id | default |
|
||||
+-------------+----------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
.. note::
|
||||
|
||||
Do not repeat this step when creating additional users for this
|
||||
project.
|
||||
|
||||
* Create the ``demo`` user:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack user create --domain default \
|
||||
--password-prompt demo
|
||||
|
||||
User Password:
|
||||
Repeat User Password:
|
||||
+---------------------+----------------------------------+
|
||||
| Field | Value |
|
||||
+---------------------+----------------------------------+
|
||||
| domain_id | default |
|
||||
| enabled | True |
|
||||
| id | aeda23aa78f44e859900e22c24817832 |
|
||||
| name | demo |
|
||||
| options | {} |
|
||||
| password_expires_at | None |
|
||||
+---------------------+----------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
* Create the ``user`` role:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role create user
|
||||
|
||||
+-----------+----------------------------------+
|
||||
| Field | Value |
|
||||
+-----------+----------------------------------+
|
||||
| domain_id | None |
|
||||
| id | 997ce8d05fc143ac97d83fdfb5998552 |
|
||||
| name | user |
|
||||
+-----------+----------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
* Add the ``user`` role to the ``demo`` project and user:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack role add --project demo --user demo user
|
||||
|
||||
.. end
|
||||
|
||||
.. note::
|
||||
|
||||
This command provides no output.
|
||||
|
||||
.. note::
|
||||
|
||||
You can repeat this procedure to create additional projects and
|
||||
users.
|
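Review bot: the title promises "Create a domain, projects, users, and roles", but no step in this file creates a domain; every command passes ``--domain default`` and assumes that domain already exists. Either retitle the section or add a sentence to the introduction saying where the ``default`` domain was created, so a reader who lands here directly knows the prerequisite. It would also help to state in step 2 that ``--password-prompt`` is used so that the ``demo`` password does not appear on the command line, since that is the reason to keep it when readers adapt the command.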
83
doc/source/install/keystone-verify-obs.rst
Normal file
@ -0,0 +1,83 @@
|
||||
Verify operation
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
Verify operation of the Identity service before installing other
|
||||
services.
|
||||
|
||||
.. note::
|
||||
|
||||
Perform these commands on the controller node.
|
||||
|
||||
|
||||
#. For security reasons, disable the temporary authentication
|
||||
token mechanism:
|
||||
|
||||
Edit the ``/etc/keystone/keystone-paste.ini``
|
||||
file and remove ``admin_token_auth`` from the
|
||||
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
|
||||
and ``[pipeline:api_v3]`` sections.
|
||||
|
||||
|
||||
|
||||
2. Unset the temporary ``OS_AUTH_URL`` and ``OS_PASSWORD``
|
||||
environment variable:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ unset OS_AUTH_URL OS_PASSWORD
|
||||
|
||||
.. end
|
||||
|
||||
3. As the ``admin`` user, request an authentication token:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack --os-auth-url http://controller:35357/v3 \
|
||||
--os-project-domain-name Default --os-user-domain-name Default \
|
||||
--os-project-name admin --os-username admin token issue
|
||||
|
||||
Password:
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| Field | Value |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| expires | 2016-02-12T20:14:07.056119Z |
|
||||
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|
||||
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|
||||
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
|
||||
| project_id | 343d245e850143a096806dfaefa9afdc |
|
||||
| user_id | ac3377633149401296f6c0d92d79dc16 |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
.. note::
|
||||
|
||||
This command uses the password for the ``admin`` user.
|
||||
|
||||
4. As the ``demo`` user, request an authentication token:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack --os-auth-url http://controller:5000/v3 \
|
||||
--os-project-domain-name Default --os-user-domain-name Default \
|
||||
--os-project-name demo --os-username demo token issue
|
||||
|
||||
Password:
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| Field | Value |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| expires | 2016-02-12T20:15:39.014479Z |
|
||||
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
|
||||
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
|
||||
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
|
||||
| project_id | ed0b60bf607743088218b0a533d5943f |
|
||||
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
.. note::
|
||||
|
||||
This command uses the password for the ``demo``
|
||||
user and API port 5000 which only allows regular (non-admin)
|
||||
access to the Identity service API.
|
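Review bot: the step list opens with ``#.`` and then switches to explicit ``2.``, ``3.`` and ``4.``; use ``#.`` for every step, as keystone-openrc.rst does, so the numbering cannot drift when steps are added or removed. In step 2, "environment variable" should be plural, since the command unsets two variables.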
83
doc/source/install/keystone-verify-rdo.rst
Normal file
@ -0,0 +1,83 @@
|
||||
Verify operation
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
Verify operation of the Identity service before installing other
|
||||
services.
|
||||
|
||||
.. note::
|
||||
|
||||
Perform these commands on the controller node.
|
||||
|
||||
|
||||
|
||||
#. For security reasons, disable the temporary authentication
|
||||
token mechanism:
|
||||
|
||||
Edit the ``/etc/keystone/keystone-paste.ini``
|
||||
file and remove ``admin_token_auth`` from the
|
||||
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
|
||||
and ``[pipeline:api_v3]`` sections.
|
||||
|
||||
|
||||
2. Unset the temporary ``OS_AUTH_URL`` and ``OS_PASSWORD``
|
||||
environment variable:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ unset OS_AUTH_URL OS_PASSWORD
|
||||
|
||||
.. end
|
||||
|
||||
3. As the ``admin`` user, request an authentication token:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack --os-auth-url http://controller:35357/v3 \
|
||||
--os-project-domain-name Default --os-user-domain-name Default \
|
||||
--os-project-name admin --os-username admin token issue
|
||||
|
||||
Password:
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| Field | Value |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| expires | 2016-02-12T20:14:07.056119Z |
|
||||
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|
||||
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|
||||
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
|
||||
| project_id | 343d245e850143a096806dfaefa9afdc |
|
||||
| user_id | ac3377633149401296f6c0d92d79dc16 |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
.. note::
|
||||
|
||||
This command uses the password for the ``admin`` user.
|
||||
|
||||
4. As the ``demo`` user, request an authentication token:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack --os-auth-url http://controller:5000/v3 \
|
||||
--os-project-domain-name Default --os-user-domain-name Default \
|
||||
--os-project-name demo --os-username demo token issue
|
||||
|
||||
Password:
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| Field | Value |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| expires | 2016-02-12T20:15:39.014479Z |
|
||||
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
|
||||
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
|
||||
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
|
||||
| project_id | ed0b60bf607743088218b0a533d5943f |
|
||||
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
.. note::
|
||||
|
||||
This command uses the password for the ``demo``
|
||||
user and API port 5000 which only allows regular (non-admin)
|
||||
access to the Identity service API.
|
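Review bot: this file repeats keystone-verify-obs.rst step for step, including the sample token output, so any later correction has to be made in several places. The commit already has an ``install/common/`` directory; consider keeping one copy of the verification steps there and pulling it into each distribution's guide with ``.. include::``, leaving only genuinely distribution-specific text in the per-distribution files.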
83
doc/source/install/keystone-verify-ubuntu.rst
Normal file
@ -0,0 +1,83 @@
|
||||
Verify operation
|
||||
~~~~~~~~~~~~~~~~
|
||||
|
||||
Verify operation of the Identity service before installing other
|
||||
services.
|
||||
|
||||
.. note::
|
||||
|
||||
Perform these commands on the controller node.
|
||||
|
||||
|
||||
#. For security reasons, disable the temporary authentication
|
||||
token mechanism:
|
||||
|
||||
Edit the ``/etc/keystone/keystone-paste.ini``
|
||||
file and remove ``admin_token_auth`` from the
|
||||
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
|
||||
and ``[pipeline:api_v3]`` sections.
|
||||
|
||||
|
||||
|
||||
2. Unset the temporary ``OS_AUTH_URL`` and ``OS_PASSWORD``
|
||||
environment variable:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ unset OS_AUTH_URL OS_PASSWORD
|
||||
|
||||
.. end
|
||||
|
||||
3. As the ``admin`` user, request an authentication token:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack --os-auth-url http://controller:35357/v3 \
|
||||
--os-project-domain-name Default --os-user-domain-name Default \
|
||||
--os-project-name admin --os-username admin token issue
|
||||
|
||||
Password:
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| Field | Value |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| expires | 2016-02-12T20:14:07.056119Z |
|
||||
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|
||||
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|
||||
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
|
||||
| project_id | 343d245e850143a096806dfaefa9afdc |
|
||||
| user_id | ac3377633149401296f6c0d92d79dc16 |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
.. note::
|
||||
|
||||
This command uses the password for the ``admin`` user.
|
||||
|
||||
4. As the ``demo`` user, request an authentication token:
|
||||
|
||||
.. code-block:: console
|
||||
|
||||
$ openstack --os-auth-url http://controller:5000/v3 \
|
||||
--os-project-domain-name Default --os-user-domain-name Default \
|
||||
--os-project-name demo --os-username demo token issue
|
||||
|
||||
Password:
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| Field | Value |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
| expires | 2016-02-12T20:15:39.014479Z |
|
||||
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
|
||||
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
|
||||
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
|
||||
| project_id | ed0b60bf607743088218b0a533d5943f |
|
||||
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
|
||||
+------------+-----------------------------------------------------------------+
|
||||
|
||||
.. end
|
||||
|
||||
.. note::
|
||||
|
||||
This command uses the password for the ``demo``
|
||||
user and API port 5000 which only allows regular (non-admin)
|
||||
access to the Identity service API.
|
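Review bot: step 1 asks the reader to remove ``admin_token_auth`` from three pipelines in ``/etc/keystone/keystone-paste.ini`` "for security reasons" and then stops, with no step to restart the service so the edit takes effect and no check that the filter is really gone. Add both, for instance a ``grep admin_token_auth /etc/keystone/keystone-paste.ini`` whose output should no longer include any ``pipeline =`` line. The closing note would also read more clearly with a comma before "which only allows regular (non-admin) access".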
@ -0,0 +1,7 @@
|
||||
.. note::
|
||||
|
||||
Default configuration files vary by distribution. You might need
|
||||
to add these sections and options rather than modifying existing
|
||||
sections and options. Also, an ellipsis (``...``) in the configuration
|
||||
snippets indicates potential default configuration options that you
|
||||
should retain.
|