Merge "[install] Liberty updates for keystone"
commit
8837e98ca9
@ -1,35 +1,33 @@

=====================
Install and configure
=====================
~~~~~~~~~~~~~~~~~~~~~

This section describes how to install and configure the OpenStack
Identity service, code-named keystone, on the controller node. For
performance, this configuration deploys the Apache HTTP server to handle
requests and Memcached to store tokens instead of an SQL database.

**To configure prerequisites**
Prerequisites
-------------

Before you configure the OpenStack Identity service, you must create a
database and an administration token.

#. To create the database, complete these steps:
#. To create the database, complete the following actions:

a. Use the database access client to connect to the database server as the
* Use the database access client to connect to the database server as the
``root`` user:

.. code-block:: console

$ mysql -u root -p

b. Create the ``keystone`` database:
* Create the ``keystone`` database:

.. code-block:: console

CREATE DATABASE keystone;

c. Grant proper access to the ``keystone`` database:
* Grant proper access to the ``keystone`` database:

.. code-block:: console

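Review bot: the rewritten intro presents Memcached purely as a performance choice ("to store tokens instead of an SQL database"), but the token store is now an unauthenticated cache holding live credentials, so this paragraph should also say that memcached must be reachable only from the controller (loopback or the management interface); anyone who can open port 11211 can read or inject tokens. Suggest adding one sentence to that effect here rather than leaving it implicit in the ``[memcache]`` configuration later in the section.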
@ -40,8 +38,7 @@ database and an administration token.

Replace ``KEYSTONE_DBPASS`` with a suitable password.

d. Exit the database access client.

* Exit the database access client.

#. Generate a random value to use as the administration token during
initial configuration:

@ -50,20 +47,21 @@ database and an administration token.

$ openssl rand -hex 10

.. only:: obs or rdo or ubuntu

**To install and configure the Identity service components**
Install and configure components
--------------------------------

.. include:: shared/note_configuration_vary_by_distribution.rst

.. note::
In Kilo, the keystone project deprecates Eventlet in favor of a WSGI
server. This guide uses the Apache HTTP server with ``mod_wsgi`` to
serve keystone requests on ports 5000 and 35357. By default, the
keystone service still listens on ports 5000 and 35357. Therefore,
this guide disables the keystone service.
In Kilo and Liberty releases, the keystone project deprecates eventlet
in favor of a separate web server with WSGI extensions. This guide uses
the Apache HTTP server with ``mod_wsgi`` to serve Identity service
requests on port 5000 and 35357. By default, the keystone service
still listens on ports 5000 and 35357. Therefore, this guide disables
the keystone service. The keystone project plans to remove eventlet
support in Mitaka.

.. only:: ubuntu

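Review bot: ``openssl rand -hex 10`` yields only 80 bits of entropy for a value that authenticates as the service administrator before any user exists; the token is pasted once and never typed, so a longer value costs nothing. Suggest ``openssl rand -hex 32``. Separately, the last sentence of the updated note ("The keystone project plans to remove eventlet support in Mitaka") is a forecast about a future release in a Liberty guide; either drop it or word it as the current plan with a reference.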
@ -80,7 +78,8 @@ database and an administration token.

.. code-block:: console

# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi \
memcached python-memcache

.. only:: obs or rdo

@ -90,13 +89,15 @@ database and an administration token.

.. code-block:: console

# yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached
# yum install openstack-keystone httpd mod_wsgi python-openstackclient \
memcached python-memcached

.. only:: obs

.. code-block:: console

# zypper install openstack-keystone python-openstackclient apache2-mod_wsgi memcached python-python-memcached
# zypper install openstack-keystone python-openstackclient apache2-mod_wsgi \
memcached python-python-memcached

.. only:: obs or rdo

@ -110,14 +111,13 @@ database and an administration token.

.. only:: obs or rdo or ubuntu

3. Edit the :file:`/etc/keystone/keystone.conf` file and complete the following
3. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
actions:

a. In the ``[DEFAULT]`` section, define the value of the initial
* In the ``[DEFAULT]`` section, define the value of the initial
administration token:

.. code-block:: ini
:linenos:

[DEFAULT]
...

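Review bot: the ``[DEFAULT]`` step tells the reader to write the bootstrap admin token into ``keystone.conf`` but nothing in this hunk says the value is a full-privilege bypass credential that should go away once the ``admin`` user and role exist. Suggest adding a sentence here (or a follow-up step in the finalize section) that the ``admin_token`` line is to be removed after bootstrap, and that ``keystone.conf`` must not be group- or world-readable because it now carries both this token and ``KEYSTONE_DBPASS``.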
@ -126,10 +126,9 @@ database and an administration token.

Replace ``ADMIN_TOKEN`` with the random value that you generated in a
previous step.

b. In the ``[database]`` section, configure database access:
* In the ``[database]`` section, configure database access:

.. code-block:: ini
:linenos:

[database]
...

@ -137,40 +136,36 @@ database and an administration token.

Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.

c. In the ``[memcache]`` section, configure the Memcache service:
* In the ``[memcache]`` section, configure the Memcache service:

.. code-block:: ini
:linenos:

[memcache]
...
servers = localhost:11211

d. In the ``[token]`` section, configure the UUID token provider and
* In the ``[token]`` section, configure the UUID token provider and
Memcached driver:

.. code-block:: ini
:linenos:

[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token
provider = uuid
driver = memcache

e. In the ``[revoke]`` section, configure the SQL revocation driver:
* In the ``[revoke]`` section, configure the SQL revocation driver:

.. code-block:: ini
:linenos:

[revoke]
...
driver = keystone.contrib.revoke.backends.sql.Revoke
driver = sql

f. (Optional) To assist with troubleshooting, enable verbose logging in the
* (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section:

.. code-block:: ini
:linenos:

[DEFAULT]
...

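Review bot: ``servers = localhost:11211`` in ``[memcache]`` is only a trust boundary if the memcached daemon itself is bound to 127.0.0.1; memcached has no authentication, and the ``memcached`` package installed earlier in this section is never configured anywhere in the guide. Suggest a step that checks the daemon's listen address (the ``-l`` option in its service configuration) before switching ``[token]`` to ``driver = memcache``, since with that driver every valid token is readable and injectable by anything that can open port 11211. The short names ``provider = uuid`` and ``driver = memcache`` replacing the full class paths are fine for Liberty.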
@ -186,7 +181,8 @@ database and an administration token.

.. only:: debian

**To install and configure the components**
Install and configure the components
------------------------------------

#. Run the following command to install the packages:

@ -203,7 +199,6 @@ database and an administration token.

which will fill the below database access directive.

.. code-block:: ini
:linenos:

[database]
...

@ -237,7 +232,6 @@ database and an administration token.

you entered:

.. code-block:: ini
:linenos:

[DEFAULT]
...

@ -291,23 +285,22 @@ database and an administration token.

.. only:: obs or rdo or ubuntu

**To configure the Apache HTTP server**
Configure the Apache HTTP server
--------------------------------

.. only:: rdo

#. Edit the :file:`/etc/httpd/conf/httpd.conf` file and configure the
#. Edit the ``/etc/httpd/conf/httpd.conf`` file and configure the
``ServerName`` option to reference the controller node:

.. code-block:: apache
:linenos:

ServerName controller

#. Create the :file:`/etc/httpd/conf.d/wsgi-keystone.conf` file with
#. Create the ``/etc/httpd/conf.d/wsgi-keystone.conf`` file with
the following content:

.. code-block:: apache
:linenos:

Listen 5000
Listen 35357

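Review bot: ``Listen 5000`` and ``Listen 35357`` bind both APIs on every interface of the controller, while the endpoint section later in this change says the guide uses the management network for all endpoint variants; the admin API on 35357 in particular should not be reachable from the same networks as the public API. Suggest either restricting ``Listen`` to the management address or adding a note that 35357 must be firewalled, and stating that both listeners are plain HTTP, so the bootstrap admin token and every user password cross the wire in clear.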
@ -315,72 +308,110 @@ database and an administration token.

<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LogLevel info
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

.. only:: ubuntu

#. Edit the :file:`/etc/apache2/apache2.conf` file and configure the
#. Edit the ``/etc/apache2/apache2.conf`` file and configure the
``ServerName`` option to reference the controller node:

.. code-block:: apache
:linenos:

ServerName controller

#. Create the :file:`/etc/apache2/sites-available/wsgi-keystone.conf` file
#. Create the ``/etc/apache2/sites-available/wsgi-keystone.conf`` file
with the following content:

.. code-block:: apache
:linenos:

Listen 5000
Listen 35357

<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

#. Enable the Identity service virtual hosts:

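Review bot: ``<Directory /usr/bin>`` with ``Require all granted`` grants Apache access to the whole of /usr/bin when the two vhosts only need ``/usr/bin/keystone-wsgi-public`` and ``/usr/bin/keystone-wsgi-admin`` (the new ``WSGIScriptAlias`` targets). Nothing else in the vhost maps that path over HTTP, but a nested ``<Files keystone-wsgi-public>`` / ``<Files keystone-wsgi-admin>`` block inside the ``<Directory>`` would keep the grant to the two scripts and settle the question for every later reviewer. Also, the Ubuntu vhosts switch the log names to ``keystone.log`` / ``keystone_access.log`` while the rdo vhosts in the same hunk keep ``keystone-error.log`` / ``keystone-access.log``; pick one naming for all distributions. The added ``group=keystone`` on ``WSGIDaemonProcess`` for Ubuntu is the right fix.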
@ -391,134 +422,75 @@ database and an administration token.

.. only:: obs

#. Edit the :file:`/etc/sysconfig/apache2` file and configure the
#. Edit the ``/etc/sysconfig/apache2`` file and configure the
``APACHE_SERVERNAME`` option to reference the controller node:

.. code-block:: apache
:linenos:

APACHE_SERVERNAME="controller"

#. Create the :file:`/etc/apache2/conf.d/wsgi-keystone.conf` file
#. Create the ``/etc/apache2/conf.d/wsgi-keystone.conf`` file
with the following content:

.. code-block:: apache
:linenos:

Listen 5000
Listen 35357

<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /srv/www/cgi-bin/keystone/main
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /srv/www/cgi-bin/keystone/admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

.. only:: ubuntu

4. Create the directory structure for the WSGI components:

.. code-block:: console

# mkdir -p /var/www/cgi-bin/keystone

5. Copy the WSGI components from the upstream repository into this
directory:

.. code-block:: console

# curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo \
| tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin

6. Adjust ownership and permissions on this directory and the files in it:

.. code-block:: console

# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*

.. only:: obs or rdo

3. Create the directory structure for the WSGI components:

.. only:: rdo

.. code-block:: console

# mkdir -p /var/www/cgi-bin/keystone

.. only:: obs

.. code-block:: console

# mkdir -p /srv/www/cgi-bin/keystone

4. Copy the WSGI components from the upstream repository into this
directory:

.. only:: rdo

.. code-block:: console

# curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo \
| tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin

.. only:: obs

.. code-block:: console

# curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo \
| tee /srv/www/cgi-bin/keystone/main /srv/www/cgi-bin/keystone/admin

.. only:: obs or rdo

5. Adjust ownership and permissions on this directory and the files in it:

.. only:: rdo

.. code-block:: console

# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*

.. only:: obs

.. code-block:: console

# chown -R keystone:keystone /srv/www/cgi-bin/keystone
# chmod 755 /srv/www/cgi-bin/keystone/*

.. only:: obs

6. Change the ownership of :file:`/etc/keystone` to give the
``keystone`` system access to it:
6. Recursively change the ownership of the ``/etc/keystone`` directory:

.. code-block:: console

# chown -R keystone:keystone /etc/keystone

**To finalize the installation**
Finalize the installation
-------------------------

.. only:: ubuntu

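Review bot: the remaining obs step ``chown -R keystone:keystone /etc/keystone`` fixes ownership but not mode; because ``keystone.conf`` now carries ``admin_token`` and ``KEYSTONE_DBPASS``, suggest pairing it with a ``chmod`` that removes group and world read on that directory and file. In the obs vhosts, ``LogLevel info`` now sits only inside the ``<IfVersion >= 2.4>`` block next to the old ``keystone-error.log`` / ``keystone-access.log`` lines being removed, while the new ``ErrorLog`` / ``CustomLog`` lines land after ``</IfVersion>``; if ``LogLevel info`` is being dropped for obs, that differs from the rdo and ubuntu vhosts, which keep it, so confirm the intent. Removing the ``curl http://git.openstack.org/... | tee`` steps is welcome: they fetched the WSGI entry points over unauthenticated HTTP and installed them mode 755 under the web server.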
@ -554,23 +526,3 @@ database and an administration token.

# systemctl enable apache2.service
# systemctl start apache2.service

#. By default, the Identity service stores expired tokens in the SQL
database indefinitely. The accumulation of expired tokens considerably
increases the database size and degrades performance over time,
particularly in environments with limited resources.

The packages already contain a cron job under
:file:`/etc/cron.hourly/keystone`, so it is not necessary to manually
configure a periodic task that purges expired tokens.

.. only:: debian

* By default, the Identity service stores expired tokens in the SQL
database indefinitely. The accumulation of expired tokens considerably
increases the database size and degrades performance over time,
particularly in environments with limited resources.

The packages already contain a cron job under
:file:`/etc/cron.hourly/keystone`, so it is not necessary to manually
configure a periodic task that purges expired tokens.

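Review bot: both the ubuntu and debian paragraphs about expired tokens accumulating in SQL, with the ``/etc/cron.hourly/keystone`` purge job, are dropped here. That is consistent with ``[token] driver = memcache`` configured earlier for obs, rdo and ubuntu, but the debian install path in this change only edits ``[database]`` and ``[DEFAULT]`` and never sets the memcache token driver; confirm the Debian packages do not still persist tokens in SQL before removing the debian cron note, or keep that paragraph under ``.. only:: debian``.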
@ -1,27 +1,25 @@

===========================================
Create OpenStack client environment scripts
===========================================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The previous section used a combination of environment variables and
command options to interact with the Identity service via the
:command:`openstack` client. To increase efficiency of client
operations, OpenStack supports simple client environment scripts also
known as OpenRC files. These scripts typically contain common options for
``openstack`` client. To increase efficiency of client operations,
OpenStack supports simple client environment scripts also known as
OpenRC files. These scripts typically contain common options for
all clients, but also support unique options. For more information, see the
`OpenStack User Guide <http://docs.openstack.org/user-guide/common/
cli_set_environment_variables_using_openstack_rc.html>`__.

To create the scripts
~~~~~~~~~~~~~~~~~~~~~
Creating the scripts
--------------------

Create client environment scripts for the ``admin`` and ``demo``
projects and users. Future portions of this guide reference these
scripts to load appropriate credentials for client operations.

#. Edit the :file:`admin-openrc.sh` file and add the following content:
#. Edit the ``admin-openrc.sh`` file and add the following content:

.. code-block:: bash
:linenos:

export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default

@ -30,14 +28,14 @@ scripts to load appropriate credentials for client operations.

export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

Replace ``ADMIN_PASS`` with the password you chose
for the ``admin`` user in the Identity service.

#. Edit the :file:`demo-openrc.sh` file and add the following content:
#. Edit the ``demo-openrc.sh`` file and add the following content:

.. code-block:: bash
:linenos:

export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default

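Review bot: ``admin-openrc.sh`` stores ``OS_PASSWORD=ADMIN_PASS`` in clear text and points ``OS_AUTH_URL`` at ``http://controller:35357/v3`` over plain HTTP; the hunk says to replace the placeholder but not to protect the file. Suggest adding that the script must be readable only by its owner (``chmod 600 admin-openrc.sh``) and that the admin URL should be the TLS endpoint in any deployment that is not a lab. Switching to ``/v3`` together with ``OS_IDENTITY_API_VERSION=3`` is correct for Liberty.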
@ -46,18 +44,19 @@ scripts to load appropriate credentials for client operations.

export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

Replace ``DEMO_PASS`` with the password you chose
for the ``demo`` user in the Identity service.

To load client environment scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Using the scripts
-----------------

To run clients as a specific project and user, you can simply load
the associated client environment script prior to running them.
For example:

#. Load the :file:`admin-openrc.sh` file to populate
#. Load the ``admin-openrc.sh`` file to populate
environment variables with the location of the Identity service
and the ``admin`` project and user credentials:

@ -1,13 +1,13 @@

==========================================
Create the service entity and API endpoint
==========================================
Create the service entity and API endpoints
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Identity service provides a catalog of services and their locations.
Each service that you add to your OpenStack environment requires a
:term:`service` entity and several :term:`API endpoints<API endpoint>`
in the catalog.

**To configure prerequisites**
Prerequisites
-------------

.. only:: obs or rdo or ubuntu

@ -17,6 +17,13 @@ in the catalog.

:doc:`keystone-install` to initialize the service entity and API endpoint
for the Identity service.

.. only:: debian

.. note::

The packages can automatically create the service entity and API
endpoints.

You must pass the value of the authentication token to the :command:`openstack`
command with the ``--os-token`` parameter or set the OS_TOKEN
environment variable. Similarly, you must also pass the value of the

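Review bot: the debian note added under Prerequisites ("The packages can automatically create the service entity and API endpoints.") duplicates the debian note that remains further down the same page as context in the following hunk ("The packages can automatically create the service entity and API endpoint."); keep one of the two. The ``OS_TOKEN`` paragraph that follows should also say that this is the bootstrap admin token, so the variable must be unset (and the token removed from ``keystone.conf``) once the ``admin`` user exists.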
@ -49,7 +56,7 @@ environment variables to reduce command length.

.. code-block:: console

$ export OS_URL=http://controller:35357/v2.0
$ export OS_URL=http://controller:35357/v3

.. only:: debian

@ -58,7 +65,14 @@ environment variables to reduce command length.

The packages can automatically create the service entity and API
endpoint.

**To create the service entity and API endpoint**
#. Configure the Identity API version:

.. code-block:: console

$ export OS_IDENTITY_API_VERSION=3

Create the service entity and API endpoints
-------------------------------------------

#. The Identity service manages a catalog of services in your OpenStack
environment. Services use this catalog to determine the other services

@ -91,41 +105,72 @@ environment variables to reduce command length.

OpenStack uses three API endpoint variants for each service: admin,
internal, and public. The admin API endpoint allows modifying users and
tenants by default, while the public and internal APIs do not. In a
production environment, the variants might reside on separate networks
that service different types of users for security reasons. For
instance, the public API network might be reachable from outside the
cloud for management tools, the admin API network might be protected,
while the internal API network is connected to each host. Also,
OpenStack supports multiple regions for scalability. For simplicity,
this guide uses the management network for all endpoint variations and
the default ``RegionOne`` region.
tenants by default, while the public and internal APIs do not allow these
operations. In a production environment, the variants might reside on
separate networks that service different types of users for security
reasons. For instance, the public API network might be visible from the
Internet so customers can manage their clouds. The admin API network
might be restricted to operators within the organization that manages
cloud infrastructure. The internal API network might be restricted to
the hosts that contain OpenStack services. Also, OpenStack supports
multiple regions for scalability. For simplicity, this guide uses the
management network for all endpoint variations and the default
``RegionOne`` region.

Create the Identity service API endpoint:
Create the Identity service API endpoints:

.. code-block:: console

$ openstack endpoint create \
--publicurl http://controller:5000/v2.0 \
--internalurl http://controller:5000/v2.0 \
--adminurl http://controller:35357/v2.0 \
--region RegionOne \
identity
$ openstack endpoint create --region RegionOne \
identity public http://controller:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| adminurl | http://controller:35357/v2.0 |
| id | 4a9ffc04b8eb4848a49625a3df0170e5 |
| internalurl | http://controller:5000/v2.0 |
| publicurl | http://controller:5000/v2.0 |
| enabled | True |
| id | 30fff543e7dc4b7d9a0fb13791b78bf4 |
| interface | public |
| region | RegionOne |
| service_id | 4ddaae90388b4ebc9d252ec2252d8d10 |
| region_id | RegionOne |
| service_id | 8c8c0927262a45ad9066cfe70d46892c |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v2.0 |
+--------------+----------------------------------+

$ openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 57cfa543e7dc4b712c0ab137911bc4fe |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6f8de927262ac12f6066cfe70d99ac51 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v2.0 |
+--------------+----------------------------------+

$ openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 78c3dfa3e7dc44c98ab1b1379122ecb1 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 34ab3d27262ac449cba6cfe704dbc11f |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v2.0 |
+--------------+----------------------------------+

.. note::

Each service that you add to your OpenStack environment requires one
or more service entities and one API endpoint in the Identity
or more service entities and three API endpoint variants in the Identity
service.

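Review bot: in the third command's sample output, ``identity admin http://controller:35357/v2.0`` is registered but the table shows ``url | http://controller:5000/v2.0``; the admin endpoint output should show port 35357 (the ``interface | admin`` row is right). Also, this change switches ``OS_URL``, ``OS_AUTH_URL`` and ``OS_IDENTITY_API_VERSION`` to v3 while all three Identity endpoints are still registered with ``/v2.0`` URLs; confirm that is intentional for Liberty, since clients reading the catalog will be sent to v2.0 even though the guide's own scripts use v3. The rewritten paragraph on separating the public, internal and admin API networks is an improvement over "might be protected".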
@ -1,6 +1,5 @@

=================================
Create projects, users, and roles
=================================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The Identity service provides authentication services for each OpenStack
service. The authentication service uses a combination of :term:`domains

@ -9,33 +8,27 @@ service. The authentication service uses a combination of :term:`domains

.. note::

For simplicity, this guide implicitly uses the ``default`` domain.

.. only:: debian

.. note::

The packages can automatically create the service entity and API
endpoint.

To create tenants, users, and roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
For simplicity, this guide uses the ``default`` domain.

#. Create an administrative project, user, and role for administrative
operations in your environment:

a. Create the ``admin`` project:
* Create the ``admin`` project:

.. code-block:: console

$ openstack project create --description "Admin Project" admin
$ openstack project create --domain default \
--description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | default |
| enabled | True |
| id | cf12a15c5ea84b019aec3dc45580896b |
| id | 343d245e850143a096806dfaefa9afdc |
| is_domain | False |
| name | admin |
| parent_id | None |
+-------------+----------------------------------+

.. note::

@ -43,24 +36,24 @@ To create tenants, users, and roles

OpenStack generates IDs dynamically, so you will see different
values in the example command output.

b. Create the ``admin`` user:
* Create the ``admin`` user:

.. code-block:: console

$ openstack user create --password-prompt admin
$ openstack user create --domain default \
--password-prompt admin
User Password:
Repeat User Password:
+------------+----------------------------------+
+-----------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| email | None |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 4d411f2291f34941b30eef9bd797505a |
| id | ac3377633149401296f6c0d92d79dc16 |
| name | admin |
| username | admin |
+------------+----------------------------------+
+-----------+----------------------------------+

c. Create the ``admin`` role:
* Create the ``admin`` role:

.. code-block:: console

@ -72,59 +65,64 @@ To create tenants, users, and roles
| name | admin |
+-------+----------------------------------+

d. Add the ``admin`` role to the ``admin`` project and user:
* Add the ``admin`` role to the ``admin`` project and user:

.. code-block:: console

$ openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin |
+-------+----------------------------------+

.. note::

This command provides no output.

.. note::

Any roles that you create must map to roles specified in the
:file:`policy.json` file in the configuration file directory of each
``policy.json`` file in the configuration file directory of each
OpenStack service. The default policy for most services grants
administrative access to the ``admin`` role. For more information,
see the `Operations Guide - Managing Projects and
Users <http://docs.openstack.org/openstack-ops/content/projects_users.html>`__.

#. This guide uses a service project that contains a unique user for each
service that you add to your environment.

a. Create the ``service`` project:
service that you add to your environment. Create the ``service``
project:

.. code-block:: console

$ openstack project create --description "Service Project" service
$ openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 55cbd79c0c014c8a95534ebd16213ca1 |
| id | 894cdfa366d34e9d835d3de01e752262 |
| is_domain | False |
| name | service |
| parent_id | None |
+-------------+----------------------------------+

#. Regular (non-admin) tasks should use an unprivileged project and user.
As an example, this guide creates the ``demo`` project and user.

a. Create the ``demo`` project:
* Create the ``demo`` project:

.. code-block:: console

$ openstack project create --description "Demo Project" demo
$ openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | ab8ea576c0574b6092bb99150449b2d3 |
| id | ed0b60bf607743088218b0a533d5943f |
| is_domain | False |
| name | demo |
| parent_id | None |
+-------------+----------------------------------+

.. note::
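Review bot: ``openstack role add --project admin --user admin admin`` at the top of this hunk identifies the project and user by bare name, while the ``project create`` and ``user create`` commands in the same change now pass ``--domain default``; because names are only unique within a domain, the role assignment is ambiguous as soon as a second domain exists. Either scope it the same way (``--project-domain default --user-domain default``, if the installed client supports those options) or add a sentence saying the unscoped form works here only because the guide uses nothing but the ``default`` domain. Replacing the fabricated output table after ``role add`` with the "This command provides no output" note is correct and should stay.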
@ -132,24 +130,24 @@ To create tenants, users, and roles
Do not repeat this step when creating additional users for this
project.

b. Create the ``demo`` user:
* Create the ``demo`` user:

.. code-block:: console

$ openstack user create --password-prompt demo
$ openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+------------+----------------------------------+
+-----------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| email | None |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 3a81e6c8103b46709ef8d141308d4c72 |
| id | 58126687cbcc4888bfa9ab73a2256f27 |
| name | demo |
| username | demo |
+------------+----------------------------------+
+-----------+----------------------------------+

c. Create the ``user`` role:
* Create the ``user`` role:

.. code-block:: console

@ -157,21 +155,19 @@ To create tenants, users, and roles
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 9fe2ff9ee4384b1894a90878d3e92bab |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user |
+-------+----------------------------------+

d. Add the ``user`` role to the ``demo`` project and user:
* Add the ``user`` role to the ``demo`` project and user:

.. code-block:: console

$ openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 9fe2ff9ee4384b1894a90878d3e92bab |
| name | user |
+-------+----------------------------------+

.. note::

This command provides no output.

.. note::

@ -1,6 +1,5 @@
================
Verify operation
================
~~~~~~~~~~~~~~~~

Verify operation of the Identity service before installing other
services.
@ -10,7 +9,7 @@ services.
1. For security reasons, disable the temporary authentication
token mechanism:

Edit the :file:`/etc/keystone/keystone-paste.ini`
Edit the ``/etc/keystone/keystone-paste.ini``
file and remove ``admin_token_auth`` from the
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
and ``[pipeline:api_v3]`` sections.
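Review bot: the step tells the reader to remove ``admin_token_auth`` from the three pipeline sections of ``/etc/keystone/keystone-paste.ini`` but never says that the Identity service must be restarted afterwards; a Paste pipeline is read when the application starts, so until a restart the temporary token keeps authenticating requests and the "for security reasons" goal of the step is not yet met. Add a sentence such as "Restart the Identity service for the change to take effect" after the edit instruction, and consider also asking the reader to confirm the token is rejected before continuing.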
@ -20,7 +19,7 @@ services.
1. For security reasons, disable the temporary authentication
token mechanism:

Edit the :file:`/usr/share/keystone/keystone-dist-paste.ini`
Edit the ``/usr/share/keystone/keystone-dist-paste.ini``
file and remove ``admin_token_auth`` from the
``[pipeline:public_api]``, ``[pipeline:admin_api]``,
and ``[pipeline:api_v3]`` sections.
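Review bot: ``/usr/share/keystone/keystone-dist-paste.ini`` lives under ``/usr/share``, a package-owned location, so a hand edit there can be silently reverted by the next package update and the bootstrap ``admin_token_auth`` filter would come back without anyone noticing. The text should warn about that and point the reader at re-checking the pipeline sections after upgrades (or at an administrator-owned override where the distribution provides one), and, as with the other distribution's step, state that the service needs a restart for the removal to take effect.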
@ -31,38 +30,11 @@ services.

$ unset OS_TOKEN OS_URL

3. As the ``admin`` user, request an authentication token from
the Identity version 2.0 API:
3. As the ``admin`` user, request an authentication token:

.. code-block:: console

$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+

.. note::

This command uses the password for the ``admin`` user.

4. The Identity version 3 API adds support for domains that contain
projects and users. Projects and users can use the same names in
different domains. Therefore, in order to use the version 3 API,
requests must also explicitly contain at least the ``default``
domain or use IDs. For simplicity, this guide explicitly uses
the ``default`` domain so examples can use names instead of IDs.

.. code-block:: console

$ openstack --os-auth-url http://controller:35357 \
$ openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
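Review bot: the paragraph explaining why ``--os-project-domain-id default --os-user-domain-id default`` are needed (v3 domains, the same project or user name can exist in several domains, so requests must name at least the ``default`` domain or use IDs) is deleted together with the version 2.0 token request, leaving the surviving step 3 command with two options the page no longer explains. Keep one or two sentences of that explanation above the new command; the rest of the removal, and appending ``/v3`` to the auth URL, is fine.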
@ -80,75 +52,11 @@ services.

This command uses the password for the ``admin`` user.

5. As the ``admin`` user, list projects to verify that the
``admin`` user can execute admin-only CLI commands and
that the Identity service contains the projects that you
created in :doc:`keystone-users`:
4. As the ``demo`` user, request an authentication token:

.. code-block:: console

$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password project list
Password:
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 55cbd79c0c014c8a95534ebd16213ca1 | service |
| ab8ea576c0574b6092bb99150449b2d3 | demo |
| cf12a15c5ea84b019aec3dc45580896b | admin |
+----------------------------------+---------+

.. note::

This command uses the password for the ``admin`` user.

6. As the ``admin`` user, list users to verify that the Identity service
contains the users that you created in :doc:`keystone-users`:

.. code-block:: console

$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password user list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4d411f2291f34941b30eef9bd797505a | admin |
| 3a81e6c8103b46709ef8d141308d4c72 | demo |
+----------------------------------+-------+

.. note::

This command uses the password for the ``admin`` user.

7. As the ``admin`` user, list roles to verify that the Identity service
contains the role that you created in :doc:`keystone-users`:

.. code-block:: console

$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password role list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 9fe2ff9ee4384b1894a90878d3e92bab | user |
| cd2cb9a39e874ea69e5d4b896eb16128 | admin |
+----------------------------------+-------+

.. note::

This command uses the password for the ``admin`` user.

8. As the ``demo`` user, request an authentication token from
the Identity version 3 API:

.. code-block:: console

$ openstack --os-auth-url http://controller:5000 \
$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue
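Review bot: steps 5 to 7 (``project list``, ``user list`` and ``role list`` run as ``admin``) were the only checks that the ``admin`` user can actually execute admin-only commands and that the objects created on the keystone-users page exist; after this hunk the verify page does nothing but issue tokens, which succeeds even when the role assignment was never made. If the listings are moving to another page, the commit message should say so; otherwise keep at least the ``project list`` step, updated with ``/v3`` on the auth URL and the ``--os-project-domain-id default --os-user-domain-id default`` options to match the retained token commands.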
@ -167,16 +75,3 @@ services.
This command uses the password for the ``demo``
user and API port 5000 which only allows regular (non-admin)
access to the Identity service API.

9. As the ``demo`` user, attempt to list users
to verify that it cannot execute admin-only CLI commands:

.. code-block:: console

$ openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo \
--os-auth-type password user list
Password:
ERROR: openstack You are not authorized to perform the
requested action, admin_required. (HTTP 403)
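Review bot: the hunk header goes from sixteen lines to three, so step 9, the check that ``demo`` is refused with ``admin_required. (HTTP 403)`` when it tries ``user list``, is deleted along with the sentence that port 5000 only allows regular (non-admin) access; together with the previous hunk this leaves the page with no verification of the admin versus non-admin policy boundary that the ``policy.json`` note on the users page relies on. Recommend keeping this step (with ``/v3`` appended to the auth URL for consistency with the token commands) since it is the one test that would catch an ``admin`` role accidentally granted to ``demo``.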