diff --git a/doc/install-guide/ch_keystone.xml b/doc/install-guide/ch_keystone.xml
index 799b880016..26eb7959de 100644
--- a/doc/install-guide/ch_keystone.xml
+++ b/doc/install-guide/ch_keystone.xml
@@ -3,8 +3,7 @@ xmlns:xi="http://www.w3.org/2001/XInclude" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="ch_keystone"> - - Configuring the Identity Service + Configure the Identity Service
diff --git a/doc/install-guide/figures/debconf-screenshots/keystone_1_admin_token.png b/doc/install-guide/figures/debconf-screenshots/keystone_1_admin_token.png
new file mode 100644
index 0000000000..2787743491
Binary files /dev/null and b/doc/install-guide/figures/debconf-screenshots/keystone_1_admin_token.png differ
diff --git a/doc/install-guide/figures/debconf-screenshots/keystone_2_register_admin_tenant_yes_no.png b/doc/install-guide/figures/debconf-screenshots/keystone_2_register_admin_tenant_yes_no.png
new file mode 100644
index 0000000000..a18be1ed8c
Binary files /dev/null and b/doc/install-guide/figures/debconf-screenshots/keystone_2_register_admin_tenant_yes_no.png differ
diff --git a/doc/install-guide/figures/debconf-screenshots/keystone_3_admin_user_name.png b/doc/install-guide/figures/debconf-screenshots/keystone_3_admin_user_name.png
new file mode 100644
index 0000000000..f13e0c0018
Binary files /dev/null and b/doc/install-guide/figures/debconf-screenshots/keystone_3_admin_user_name.png differ
diff --git a/doc/install-guide/figures/debconf-screenshots/keystone_4_admin_user_email.png b/doc/install-guide/figures/debconf-screenshots/keystone_4_admin_user_email.png
new file mode 100644
index 0000000000..a5f234eb29
Binary files /dev/null and b/doc/install-guide/figures/debconf-screenshots/keystone_4_admin_user_email.png differ
diff --git a/doc/install-guide/figures/debconf-screenshots/keystone_5_admin_user_pass.png b/doc/install-guide/figures/debconf-screenshots/keystone_5_admin_user_pass.png
new file mode 100644
index 0000000000..845b50b431
Binary files /dev/null and b/doc/install-guide/figures/debconf-screenshots/keystone_5_admin_user_pass.png differ
diff --git a/doc/install-guide/figures/debconf-screenshots/keystone_6_admin_user_pass_confirm.png b/doc/install-guide/figures/debconf-screenshots/keystone_6_admin_user_pass_confirm.png
new file mode 100644
index 0000000000..68c7c2d8de
Binary files /dev/null and b/doc/install-guide/figures/debconf-screenshots/keystone_6_admin_user_pass_confirm.png differ
diff --git a/doc/install-guide/figures/debconf-screenshots/keystone_7_register_endpoint.png b/doc/install-guide/figures/debconf-screenshots/keystone_7_register_endpoint.png
new file mode 100644
index 0000000000..caa33a06a6
Binary files /dev/null and b/doc/install-guide/figures/debconf-screenshots/keystone_7_register_endpoint.png differ
diff --git a/doc/install-guide/section_keystone-install.xml b/doc/install-guide/section_keystone-install.xml
index 0641ed39d4..dd0a468c86 100644
--- a/doc/install-guide/section_keystone-install.xml
+++ b/doc/install-guide/section_keystone-install.xml
@@ -11,29 +11,12 @@ # apt-get install keystone # yum install openstack-keystone python-keystoneclient # zypper install openstack-keystone python-keystoneclient openstack-utils - Note for Debian users - Note that on Debian system, the above is all what is needed - to install the Identity Service. During the setup, the debconf system will prompt - the user for the database access information. It will then - automatically create the database, configure access rights, - and then modify /etc/keystone/keystone.conf to reflect this - configuration. Debconf will also be used to configure the AUTH_TOKEN - administrator password. - The Debian package will then perform the - keystone-manage db_sync for you, and create an "admin/admin" tenant - and user, which you can later use for setting-up the other OpenStack - service (later called "auth token" in this documentation). Finally, - the package will also ask the user to setup the keystone endpoint. - Therefore, if you use Debian, you can skip all the remaining steps below. - If you need to reconfigure Keystone, you can use: - # dpkg-reconfigure -plow keystone - or edit the configuration files and manually restart the daemon. - Remember that for using a database server that is installed remotely, - you need to call before installing the Identity Service: - # apt-get install dbconfig-common && dpkg-reconfigure -plow dbconfig-common - - + + Answer to the debconf and + dbconfig-common questions for setting-up the database. + + The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node 
@@ -42,8 +25,8 @@ with a suitable password for the database user. # openstack-config --set /etc/keystone/keystone.conf \ sql connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone - Edit /etc/keystone/keystone.conf and change the [sql] section. - + Edit /etc/keystone/keystone.conf and change the [sql] section. + ... [sql] # The SQLAlchemy connection string used to connect to the database
@@ -61,7 +44,7 @@ connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone # openstack-db --init --service keystone --password KEYSTONE_DBPASS - + First, we need to create a database user called keystone, by logging in as root using the password we set earlier. # mysql -u root -p
@@ -71,13 +54,73 @@ IDENTIFIED BY 'KEYSTONE_DBPASS'; mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ IDENTIFIED BY 'KEYSTONE_DBPASS'; - + We now start the keystone service and create its tables. # keystone-manage db_sync # service keystone restart + + You need to define an authorization token that is used as a + shared secret between the Identity Service and other OpenStack services. + Fill-in the debconf prompt with the value that will be put in the + admin_token directive of keystone.conf. It is + recommended to generate this password with openssl rand -hex 10. + + + + + + + Later on, you can verify that /etc/keystone/keystone.conf + contains the password you have set using debconf: + +[DEFAULT] +# A "shared secret" between keystone and other openstack services +admin_token = ADMIN_TOKEN +... + + + + Answer to the debconf prompts to create an admin tenant. + + + + + + + + + + + + + + + + + + + + + + + + + + + + If this is the first time you install Keystone, then you should + register Keystone in the Keystone catalogue of services: + + + + + + + + You need to define an authorization token that is used as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token, then store it
@@ -85,18 +128,17 @@ IDENTIFIED BY 'KEYSTONE_DBPASS'; # ADMIN_TOKEN=$(openssl rand -hex 10) # echo $ADMIN_TOKEN # openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN - # openssl rand -hex 10 + # openssl rand -hex 10 For SUSE Linux Enterprise use instead as first command: # ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"') -Edit /etc/keystone/keystone.conf and +Edit /etc/keystone/keystone.conf and change the [DEFAULT] section, replacing ADMIN_TOKEN with the results of the command. - + [DEFAULT] # A "shared secret" between keystone and other openstack services admin_token = ADMIN_TOKEN ... -
@@ -116,7 +158,7 @@ admin_token = ADMIN_TOKEN # sed -e "s,%SERVICE_HOST%,192.168.0.10,g" -e "s/%S3_SERVICE_PORT%/8080/" \ $KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG - + Restart the Identity service. # service keystone restart
diff --git a/doc/install-guide/section_keystone-services.xml b/doc/install-guide/section_keystone-services.xml
index 5bfe427760..72ebec9c0e 100644
--- a/doc/install-guide/section_keystone-services.xml
+++ b/doc/install-guide/section_keystone-services.xml
@@ -1,16 +1,9 @@
+ xml:id="keystone-services" + os="rhel;centos;fedora;opensuse;sles;ubuntu"> Defining Services and API Endpoints - Note for Debian users - On Debian systems, the Keystone package - will prompt the user for automatically creating the service end API - endpoint of Keystone (in the Keystone database itself). So if you - directed the package to do so, you don't need to perform the commands - detailed in this section, as it will have been done automatically. - However, it is advised to still read it to understand what has been - done by the Keystone package. The Identity Service also tracks what OpenStack services are installed and where to locate them on the network. For each service on your OpenStack installation, you must call
diff --git a/doc/install-guide/section_keystone-users.xml b/doc/install-guide/section_keystone-users.xml
index 761a7854c4..cbc7a37c24 100644
--- a/doc/install-guide/section_keystone-users.xml
+++ b/doc/install-guide/section_keystone-users.xml
@@ -1,7 +1,7 @@
+ xml:id="keystone-users" os="rhel;centos;fedora;opensuse;sles;ubuntu"> Defining Users, Tenants, and Roles Once Keystone is installed and running, you set up users, tenants,