4e39e2abe5
As part of the docs consolidation effort, move the SSL recommendation to the installation guides for each distro. This also corrects the wording: "running in a web server" is not necessarily secure on its own, the web server must be configured to use SSL. Change-Id: If0b547680cbbea4c7f29d82de3f4fe96bd14b4ec
4.9 KiB
Install and configure
This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability purposes, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.
Note
Ensure that you have completed the prerequisite installation steps in the Openstack Install Guide before proceeding.
Prerequisites
Before you install and configure the Identity service, you must create a database.
Use the database access client to connect to the database server as the
rootuser:# mysqlCreate the
keystonedatabase:MariaDB [(none)]> CREATE DATABASE keystone;Grant proper access to the
keystonedatabase:MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ IDENTIFIED BY 'KEYSTONE_DBPASS'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ IDENTIFIED BY 'KEYSTONE_DBPASS';Replace
KEYSTONE_DBPASSwith a suitable password.Exit the database access client.
Install and configure components
Note
This guide uses the Apache HTTP server with mod_wsgi to
serve Identity service requests on port 5000. By default, the keystone
service still listens on this port. The package handles all of the
Apache configuration for you (including the activation of the
mod_wsgi apache2 module and keystone configuration in
Apache).
Run the following command to install the packages:
# apt install keystone apache2 libapache2-mod-wsgiEdit the
/etc/keystone/keystone.conffile and complete the following actions:In the
[database]section, configure database access:[database] # ... connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystoneReplace
KEYSTONE_DBPASSwith the password you chose for the database.Note
Comment out or remove any other
connectionoptions in the[database]section.In the
[token]section, configure the Fernet token provider:[token] # ... provider = fernet
Populate the Identity service database:
# su -s /bin/sh -c "keystone-manage db_sync" keystoneInitialize Fernet key repositories:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone # keystone-manage credential_setup --keystone-user keystone --keystone-group keystoneBootstrap the Identity service:
Note
Before the Queens release, keystone needed to be run on two separate ports to accommodate the Identity v2 API which ran a separate admin-only service commonly on port 35357. With the removal of the v2 API, keystone can be run on the same port for all interfaces.
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \ --bootstrap-admin-url http://controller:5000/v3/ \ --bootstrap-internal-url http://controller:5000/v3/ \ --bootstrap-public-url http://controller:5000/v3/ \ --bootstrap-region-id RegionOneReplace
ADMIN_PASSwith a suitable password for an administrative user.
Configure the Apache HTTP server
Edit the
/etc/apache2/apache2.conffile and configure theServerNameoption to reference the controller node:ServerName controller
SSL
A secure deployment should have the web server configured to use SSL or running behind an SSL terminator.
Finalize the installation
Restart the Apache service:
# service apache2 restartConfigure the administrative account
$ export OS_USERNAME=admin $ export OS_PASSWORD=ADMIN_PASS $ export OS_PROJECT_NAME=admin $ export OS_USER_DOMAIN_NAME=Default $ export OS_PROJECT_DOMAIN_NAME=Default $ export OS_AUTH_URL=http://controller:5000/v3 $ export OS_IDENTITY_API_VERSION=3Replace
ADMIN_PASSwith the password used in thekeystone-manage bootstrapcommand in keystone-install-configure-ubuntu.