[install] Liberty updates for keystone

Update keystone configuration for Liberty and address some
consistency issues.

Changes and testing specific to distribution packages
primarily involve Ubuntu. Other distributions may require
additional patches.

Change-Id: I1ff8c1831b0bff407b7dd7af8c8a9b33d6a89284
Implements: blueprint installguide-liberty
Matthew Kassawara 2015-09-24 19:14:34 -05:00
parent 07e4283bec
commit c054a422a2
5 changed files with 518 additions and 631 deletions


@ -1,47 +1,44 @@
=====================
Install and configure Install and configure
===================== ~~~~~~~~~~~~~~~~~~~~~
This section describes how to install and configure the OpenStack This section describes how to install and configure the OpenStack
Identity service, code-named keystone, on the controller node. For Identity service, code-named keystone, on the controller node. For
performance, this configuration deploys the Apache HTTP server to handle performance, this configuration deploys the Apache HTTP server to handle
requests and Memcached to store tokens instead of an SQL database. requests and Memcached to store tokens instead of an SQL database.
| Prerequisites
-------------
**To configure prerequisites**
Before you configure the OpenStack Identity service, you must create a Before you configure the OpenStack Identity service, you must create a
database and an administration token. database and an administration token.
#. To create the database, complete these steps: #. To create the database, complete the following actions:
a. Use the database access client to connect to the database server as the * Use the database access client to connect to the database server as the
``root`` user: ``root`` user:
.. code-block:: console .. code-block:: console
$ mysql -u root -p $ mysql -u root -p
b. Create the ``keystone`` database: * Create the ``keystone`` database:
.. code-block:: console .. code-block:: console
CREATE DATABASE keystone; CREATE DATABASE keystone;
c. Grant proper access to the ``keystone`` database: * Grant proper access to the ``keystone`` database:
.. code-block:: console .. code-block:: console
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS'; IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS'; IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace ``KEYSTONE_DBPASS`` with a suitable password. Replace ``KEYSTONE_DBPASS`` with a suitable password.
d. Exit the database access client.
* Exit the database access client.
#. Generate a random value to use as the administration token during #. Generate a random value to use as the administration token during
initial configuration: initial configuration:
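Review bot: the second grant, `GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'`, lets the keystone database account authenticate from any host, which is wider than the single controller that the `connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone` line in the following hunk actually uses; consider restricting the host part to the controller's address, or add a sentence saying why the wildcard is needed. The `openssl rand -hex 10` step should also say that `ADMIN_TOKEN` is a bootstrap credential: it is written into `keystone.conf` in the next hunk, and nothing in this diff tells the reader to remove it once the admin user and the endpoints exist.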
@ -50,143 +47,142 @@ database and an administration token.
$ openssl rand -hex 10 $ openssl rand -hex 10
|
.. only:: obs or rdo or ubuntu .. only:: obs or rdo or ubuntu
**To install and configure the Identity service components** Install and configure components
--------------------------------
.. include:: shared/note_configuration_vary_by_distribution.rst .. include:: shared/note_configuration_vary_by_distribution.rst
.. note:: .. note::
In Kilo, the keystone project deprecates Eventlet in favor of a WSGI In Kilo and Liberty releases, the keystone project deprecates eventlet
server. This guide uses the Apache HTTP server with ``mod_wsgi`` to in favor of a separate web server with WSGI extensions. This guide uses
serve keystone requests on ports 5000 and 35357. By default, the the Apache HTTP server with ``mod_wsgi`` to serve Identity service
keystone service still listens on ports 5000 and 35357. Therefore, requests on port 5000 and 35357. By default, the keystone service
this guide disables the keystone service. still listens on ports 5000 and 35357. Therefore, this guide disables
the keystone service. The keystone project plans to remove eventlet
support in Mitaka.
.. only:: ubuntu .. only:: ubuntu
#. Disable the keystone service from starting automatically after #. Disable the keystone service from starting automatically after
installation: installation:
.. code-block:: console
# echo "manual" > /etc/init/keystone.override
#. Run the following command to install the packages:
.. only:: ubuntu
.. code-block:: console .. code-block:: console
# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache # echo "manual" > /etc/init/keystone.override
.. only:: obs or rdo #. Run the following command to install the packages:
#. Run the following command to install the packages: .. only:: ubuntu
.. only:: rdo .. code-block:: console
# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi \
memcached python-memcache
.. only:: obs or rdo
#. Run the following command to install the packages:
.. only:: rdo
.. code-block:: console
# yum install openstack-keystone httpd mod_wsgi python-openstackclient \
memcached python-memcached
.. only:: obs
.. code-block:: console
# zypper install openstack-keystone python-openstackclient apache2-mod_wsgi \
memcached python-python-memcached
.. only:: obs or rdo
2. Start the Memcached service and configure it to start when the system
boots:
.. code-block:: console .. code-block:: console
# yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached # systemctl enable memcached.service
# systemctl start memcached.service
.. only:: obs .. only:: obs or rdo or ubuntu
3. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
actions:
* In the ``[DEFAULT]`` section, define the value of the initial
administration token:
.. code-block:: ini
[DEFAULT]
...
admin_token = ADMIN_TOKEN
Replace ``ADMIN_TOKEN`` with the random value that you generated in a
previous step.
* In the ``[database]`` section, configure database access:
.. code-block:: ini
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
* In the ``[memcache]`` section, configure the Memcache service:
.. code-block:: ini
[memcache]
...
servers = localhost:11211
* In the ``[token]`` section, configure the UUID token provider and
Memcached driver:
.. code-block:: ini
[token]
...
provider = uuid
driver = memcache
* In the ``[revoke]`` section, configure the SQL revocation driver:
.. code-block:: ini
[revoke]
...
driver = sql
* (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section:
.. code-block:: ini
[DEFAULT]
...
verbose = True
.. only:: obs or rdo or ubuntu
4. Populate the Identity service database:
.. code-block:: console .. code-block:: console
# zypper install openstack-keystone python-openstackclient apache2-mod_wsgi memcached python-python-memcached # su -s /bin/sh -c "keystone-manage db_sync" keystone
.. only:: obs or rdo
2. Start the Memcached service and configure it to start when the system
boots:
.. code-block:: console
# systemctl enable memcached.service
# systemctl start memcached.service
.. only:: obs or rdo or ubuntu
3. Edit the :file:`/etc/keystone/keystone.conf` file and complete the following
actions:
a. In the ``[DEFAULT]`` section, define the value of the initial
administration token:
.. code-block:: ini
:linenos:
[DEFAULT]
...
admin_token = ADMIN_TOKEN
Replace ``ADMIN_TOKEN`` with the random value that you generated in a
previous step.
b. In the ``[database]`` section, configure database access:
.. code-block:: ini
:linenos:
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
c. In the ``[memcache]`` section, configure the Memcache service:
.. code-block:: ini
:linenos:
[memcache]
...
servers = localhost:11211
d. In the ``[token]`` section, configure the UUID token provider and
Memcached driver:
.. code-block:: ini
:linenos:
[token]
...
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.memcache.Token
e. In the ``[revoke]`` section, configure the SQL revocation driver:
.. code-block:: ini
:linenos:
[revoke]
...
driver = keystone.contrib.revoke.backends.sql.Revoke
f. (Optional) To assist with troubleshooting, enable verbose logging in the
``[DEFAULT]`` section:
.. code-block:: ini
:linenos:
[DEFAULT]
...
verbose = True
.. only:: obs or rdo or ubuntu
4. Populate the Identity service database:
.. code-block:: console
# su -s /bin/sh -c "keystone-manage db_sync" keystone
.. only:: debian .. only:: debian
**To install and configure the components** Install and configure the components
------------------------------------
#. Run the following command to install the packages: #. Run the following command to install the packages:
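Review bot: the new `[token]` and `[memcache]` settings (`driver = memcache`, `servers = localhost:11211`) move live tokens into memcached, which has no authentication of its own, yet the hunk only enables and starts the service with packaged defaults; a sentence telling the reader to keep memcached bound to the loopback address, or at least off any network reachable by tenants, belongs next to the `systemctl start memcached.service` step, and the Ubuntu branch has no memcached step at all and relies on the package starting it. Two documentation points: in the note text, "requests on port 5000 and 35357" should read "ports 5000 and 35357", and the new `[revoke] driver = sql` line deserves a clause explaining that revocation events stay in the SQL database even though tokens no longer do, since a reader who has just been told tokens live in memcached may otherwise think the database is no longer used.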
@ -203,7 +199,6 @@ database and an administration token.
which will fill the below database access directive. which will fill the below database access directive.
.. code-block:: ini .. code-block:: ini
:linenos:
[database] [database]
... ...
@ -237,7 +232,6 @@ database and an administration token.
you entered: you entered:
.. code-block:: ini .. code-block:: ini
:linenos:
[DEFAULT] [DEFAULT]
... ...
@ -291,234 +285,212 @@ database and an administration token.
.. only:: obs or rdo or ubuntu .. only:: obs or rdo or ubuntu
**To configure the Apache HTTP server** Configure the Apache HTTP server
--------------------------------
.. only:: rdo .. only:: rdo
#. Edit the :file:`/etc/httpd/conf/httpd.conf` file and configure the #. Edit the ``/etc/httpd/conf/httpd.conf`` file and configure the
``ServerName`` option to reference the controller node: ``ServerName`` option to reference the controller node:
.. code-block:: apache .. code-block:: apache
:linenos:
ServerName controller ServerName controller
#. Create the :file:`/etc/httpd/conf.d/wsgi-keystone.conf` file with #. Create the ``/etc/httpd/conf.d/wsgi-keystone.conf`` file with
the following content: the following content:
.. code-block:: apache .. code-block:: apache
:linenos:
Listen 5000 Listen 5000
Listen 35357 Listen 35357
<VirtualHost *:5000> <VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL} WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On WSGIPassAuthorization On
LogLevel info <IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M" ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log </IfVersion>
CustomLog /var/log/httpd/keystone-access.log combined ErrorLog /var/log/httpd/keystone-error.log
</VirtualHost> CustomLog /var/log/httpd/keystone-access.log combined
<VirtualHost *:35357> <Directory /usr/bin>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} <IfVersion >= 2.4>
WSGIProcessGroup keystone-admin Require all granted
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin </IfVersion>
WSGIApplicationGroup %{GLOBAL} <IfVersion < 2.4>
WSGIPassAuthorization On Order allow,deny
LogLevel info Allow from all
ErrorLogFormat "%{cu}t %M" </IfVersion>
ErrorLog /var/log/httpd/keystone-error.log </Directory>
CustomLog /var/log/httpd/keystone-access.log combined </VirtualHost>
</VirtualHost>
.. only:: ubuntu <VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
#. Edit the :file:`/etc/apache2/apache2.conf` file and configure the <Directory /usr/bin>
``ServerName`` option to reference the controller node: <IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
.. code-block:: apache .. only:: ubuntu
:linenos:
ServerName controller #. Edit the ``/etc/apache2/apache2.conf`` file and configure the
``ServerName`` option to reference the controller node:
#. Create the :file:`/etc/apache2/sites-available/wsgi-keystone.conf` file .. code-block:: apache
with the following content:
.. code-block:: apache ServerName controller
:linenos:
Listen 5000 #. Create the ``/etc/apache2/sites-available/wsgi-keystone.conf`` file
Listen 35357 with the following content:
<VirtualHost *:5000> .. code-block:: apache
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357> Listen 5000
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP} Listen 35357
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
#. Enable the Identity service virtual hosts: <VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
.. code-block:: console <Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled <VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
.. only:: obs <Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
#. Edit the :file:`/etc/sysconfig/apache2` file and configure the #. Enable the Identity service virtual hosts:
``APACHE_SERVERNAME`` option to reference the controller node:
.. code-block:: apache
:linenos:
APACHE_SERVERNAME="controller"
#. Create the :file:`/etc/apache2/conf.d/wsgi-keystone.conf` file
with the following content:
.. code-block:: apache
:linenos:
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /srv/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /srv/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
.. only:: ubuntu
4. Create the directory structure for the WSGI components:
.. code-block:: console
# mkdir -p /var/www/cgi-bin/keystone
5. Copy the WSGI components from the upstream repository into this
directory:
.. code-block:: console
# curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo \
| tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
6. Adjust ownership and permissions on this directory and the files in it:
.. code-block:: console
# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*
.. only:: obs or rdo
3. Create the directory structure for the WSGI components:
.. only:: rdo
.. code-block:: console .. code-block:: console
# mkdir -p /var/www/cgi-bin/keystone # ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
.. only:: obs .. only:: obs
#. Edit the ``/etc/sysconfig/apache2`` file and configure the
``APACHE_SERVERNAME`` option to reference the controller node:
.. code-block:: apache
APACHE_SERVERNAME="controller"
#. Create the ``/etc/apache2/conf.d/wsgi-keystone.conf`` file
with the following content:
.. code-block:: apache
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
6. Recursively change the ownership of the ``/etc/keystone`` directory:
.. code-block:: console .. code-block:: console
# mkdir -p /srv/www/cgi-bin/keystone # chown -R keystone:keystone /etc/keystone
4. Copy the WSGI components from the upstream repository into this Finalize the installation
directory: -------------------------
.. only:: rdo
.. code-block:: console
# curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo \
| tee /var/www/cgi-bin/keystone/main /var/www/cgi-bin/keystone/admin
.. only:: obs
.. code-block:: console
# curl http://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo \
| tee /srv/www/cgi-bin/keystone/main /srv/www/cgi-bin/keystone/admin
.. only:: obs or rdo
5. Adjust ownership and permissions on this directory and the files in it:
.. only:: rdo
.. code-block:: console
# chown -R keystone:keystone /var/www/cgi-bin/keystone
# chmod 755 /var/www/cgi-bin/keystone/*
.. only:: obs
.. code-block:: console
# chown -R keystone:keystone /srv/www/cgi-bin/keystone
# chmod 755 /srv/www/cgi-bin/keystone/*
.. only:: obs
6. Change the ownership of :file:`/etc/keystone` to give the
``keystone`` system access to it:
.. code-block:: console
# chown -R keystone:keystone /etc/keystone
|
**To finalize the installation**
.. only:: ubuntu .. only:: ubuntu
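Review bot: all three new virtual host files grant `Require all granted` on `<Directory /usr/bin>` so that `WSGIScriptAlias / /usr/bin/keystone-wsgi-public` and `WSGIScriptAlias / /usr/bin/keystone-wsgi-admin` can be served; because only those two aliases map into that directory nothing else under `/usr/bin` is exposed, but the authorization block is still broader than the two scripts it is there for, and a `<Files>` match on the two script names (or a dedicated directory) would express the intent with least privilege. Smaller points: the rdo file logs to `/var/log/httpd/keystone-error.log` and `keystone-access.log` while the ubuntu and obs files log to `/var/log/apache2/keystone.log` and `keystone_access.log`, so the log names are inconsistent across distributions; `LogLevel info` is dropped from every virtual host without a mention in the text; and the obs list mixes `#.` items with an explicit `6. Recursively change the ownership of the /etc/keystone directory:` item. Removing the old `curl http://git.openstack.org/...?h=stable/kilo | tee ...` steps is a clear improvement, since they fetched the WSGI entry points over plain HTTP from a different release branch than the one this guide targets.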
@ -554,23 +526,3 @@ database and an administration token.
# systemctl enable apache2.service # systemctl enable apache2.service
# systemctl start apache2.service # systemctl start apache2.service
#. By default, the Identity service stores expired tokens in the SQL
database indefinitely. The accumulation of expired tokens considerably
increases the database size and degrades performance over time,
particularly in environments with limited resources.
The packages already contain a cron job under
:file:`/etc/cron.hourly/keystone`, so it is not necessary to manually
configure a periodic task that purges expired tokens.
.. only:: debian
* By default, the Identity service stores expired tokens in the SQL
database indefinitely. The accumulation of expired tokens considerably
increases the database size and degrades performance over time,
particularly in environments with limited resources.
The packages already contain a cron job under
:file:`/etc/cron.hourly/keystone`, so it is not necessary to manually
configure a periodic task that purges expired tokens.
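Review bot: dropping the expired-token paragraph is consistent with the new `[token] driver = memcache` setting for obs, rdo and ubuntu, where tokens no longer accumulate in the SQL database, but the hunk also removes the identical paragraph from the `.. only:: debian` block, and nothing in this diff shows the Debian packages switching away from the SQL token backend; if Debian still persists tokens in SQL, the `/etc/cron.hourly/keystone` note should stay in that block.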


@ -1,27 +1,25 @@
===========================================
Create OpenStack client environment scripts Create OpenStack client environment scripts
=========================================== ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The previous section used a combination of environment variables and The previous section used a combination of environment variables and
command options to interact with the Identity service via the command options to interact with the Identity service via the
:command:`openstack` client. To increase efficiency of client ``openstack`` client. To increase efficiency of client operations,
operations, OpenStack supports simple client environment scripts also OpenStack supports simple client environment scripts also known as
known as OpenRC files. These scripts typically contain common options for OpenRC files. These scripts typically contain common options for
all clients, but also support unique options. For more information, see the all clients, but also support unique options. For more information, see the
`OpenStack User Guide <http://docs.openstack.org/user-guide/common/ `OpenStack User Guide <http://docs.openstack.org/user-guide/common/
cli_set_environment_variables_using_openstack_rc.html>`__. cli_set_environment_variables_using_openstack_rc.html>`__.
To create the scripts Creating the scripts
~~~~~~~~~~~~~~~~~~~~~ --------------------
Create client environment scripts for the ``admin`` and ``demo`` Create client environment scripts for the ``admin`` and ``demo``
projects and users. Future portions of this guide reference these projects and users. Future portions of this guide reference these
scripts to load appropriate credentials for client operations. scripts to load appropriate credentials for client operations.
#. Edit the :file:`admin-openrc.sh` file and add the following content: #. Edit the ``admin-openrc.sh`` file and add the following content:
.. code-block:: bash .. code-block:: bash
:linenos:
export OS_PROJECT_DOMAIN_ID=default export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default
@ -30,14 +28,14 @@ scripts to load appropriate credentials for client operations.
export OS_USERNAME=admin export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3 export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
Replace ``ADMIN_PASS`` with the password you chose Replace ``ADMIN_PASS`` with the password you chose
for the ``admin`` user in the Identity service. for the ``admin`` user in the Identity service.
#. Edit the :file:`demo-openrc.sh` file and add the following content: #. Edit the ``demo-openrc.sh`` file and add the following content:
.. code-block:: bash .. code-block:: bash
:linenos:
export OS_PROJECT_DOMAIN_ID=default export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default export OS_USER_DOMAIN_ID=default
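Review bot: `admin-openrc.sh` now carries `OS_PASSWORD=ADMIN_PASS` for the admin user alongside the new `OS_IDENTITY_API_VERSION=3` line, so the file is a plaintext credential for the most privileged account in the deployment; the step that creates it should tell the reader to keep it readable only by the operator (for example `chmod 600 admin-openrc.sh`) and out of any shared or version-controlled location. Pointing the admin script at `http://controller:35357/v3` while the demo script in the next hunk uses `http://controller:5000/v3` is consistent with the admin/public split described in the endpoints file.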
@ -46,18 +44,19 @@ scripts to load appropriate credentials for client operations.
export OS_USERNAME=demo export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3 export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
Replace ``DEMO_PASS`` with the password you chose Replace ``DEMO_PASS`` with the password you chose
for the ``demo`` user in the Identity service. for the ``demo`` user in the Identity service.
To load client environment scripts Using the scripts
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -----------------
To run clients as a specific project and user, you can simply load To run clients as a specific project and user, you can simply load
the associated client environment script prior to running them. the associated client environment script prior to running them.
For example: For example:
#. Load the :file:`admin-openrc.sh` file to populate #. Load the ``admin-openrc.sh`` file to populate
environment variables with the location of the Identity service environment variables with the location of the Identity service
and the ``admin`` project and user credentials: and the ``admin`` project and user credentials:


@ -1,13 +1,13 @@
========================================== Create the service entity and API endpoints
Create the service entity and API endpoint ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
==========================================
The Identity service provides a catalog of services and their locations. The Identity service provides a catalog of services and their locations.
Each service that you add to your OpenStack environment requires a Each service that you add to your OpenStack environment requires a
:term:`service` entity and several :term:`API endpoints<API endpoint>` :term:`service` entity and several :term:`API endpoints<API endpoint>`
in the catalog. in the catalog.
**To configure prerequisites** Prerequisites
-------------
.. only:: obs or rdo or ubuntu .. only:: obs or rdo or ubuntu
@ -17,6 +17,13 @@ in the catalog.
:doc:`keystone-install` to initialize the service entity and API endpoint :doc:`keystone-install` to initialize the service entity and API endpoint
for the Identity service. for the Identity service.
.. only:: debian
.. note::
The packages can automatically create the service entity and API
endpoints.
You must pass the value of the authentication token to the :command:`openstack` You must pass the value of the authentication token to the :command:`openstack`
command with the ``--os-token`` parameter or set the OS_TOKEN command with the ``--os-token`` parameter or set the OS_TOKEN
environment variable. Similarly, you must also pass the value of the environment variable. Similarly, you must also pass the value of the
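Review bot: the new `.. only:: debian` note ("The packages can automatically create the service entity and API endpoints.") duplicates the Debian note that already exists a few lines further down in the same file, visible as unchanged context in the `@ -58,7 +65,14 @@` hunk ("The packages can automatically create the service entity and API endpoint."); keep one of the two, and if the new one stays, drop the older one rather than carrying the same sentence twice with "endpoint" and "endpoints" spelled differently.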
@ -49,7 +56,7 @@ environment variables to reduce command length.
.. code-block:: console .. code-block:: console
$ export OS_URL=http://controller:35357/v2.0 $ export OS_URL=http://controller:35357/v3
.. only:: debian .. only:: debian
@ -58,7 +65,14 @@ environment variables to reduce command length.
The packages can automatically create the service entity and API The packages can automatically create the service entity and API
endpoint. endpoint.
**To create the service entity and API endpoint** #. Configure the Identity API version:
.. code-block:: console
$ export OS_IDENTITY_API_VERSION=3
Create the service entity and API endpoints
-------------------------------------------
#. The Identity service manages a catalog of services in your OpenStack #. The Identity service manages a catalog of services in your OpenStack
environment. Services use this catalog to determine the other services environment. Services use this catalog to determine the other services
@ -91,41 +105,72 @@ environment variables to reduce command length.
OpenStack uses three API endpoint variants for each service: admin, OpenStack uses three API endpoint variants for each service: admin,
internal, and public. The admin API endpoint allows modifying users and internal, and public. The admin API endpoint allows modifying users and
tenants by default, while the public and internal APIs do not. In a tenants by default, while the public and internal APIs do not allow these
production environment, the variants might reside on separate networks operations. In a production environment, the variants might reside on
that service different types of users for security reasons. For separate networks that service different types of users for security
instance, the public API network might be reachable from outside the reasons. For instance, the public API network might be visible from the
cloud for management tools, the admin API network might be protected, Internet so customers can manage their clouds. The admin API network
while the internal API network is connected to each host. Also, might be restricted to operators within the organization that manages
OpenStack supports multiple regions for scalability. For simplicity, cloud infrastructure. The internal API network might be restricted to
this guide uses the management network for all endpoint variations and the hosts that contain OpenStack services. Also, OpenStack supports
the default ``RegionOne`` region. multiple regions for scalability. For simplicity, this guide uses the
management network for all endpoint variations and the default
``RegionOne`` region.
Create the Identity service API endpoint: Create the Identity service API endpoints:
.. code-block:: console .. code-block:: console
$ openstack endpoint create \ $ openstack endpoint create --region RegionOne \
--publicurl http://controller:5000/v2.0 \ identity public http://controller:5000/v2.0
--internalurl http://controller:5000/v2.0 \
--adminurl http://controller:35357/v2.0 \
--region RegionOne \
identity
+--------------+----------------------------------+ +--------------+----------------------------------+
| Field | Value | | Field | Value |
+--------------+----------------------------------+ +--------------+----------------------------------+
| adminurl | http://controller:35357/v2.0 | | enabled | True |
| id | 4a9ffc04b8eb4848a49625a3df0170e5 | | id | 30fff543e7dc4b7d9a0fb13791b78bf4 |
| internalurl | http://controller:5000/v2.0 | | interface | public |
| publicurl | http://controller:5000/v2.0 |
| region | RegionOne | | region | RegionOne |
| service_id | 4ddaae90388b4ebc9d252ec2252d8d10 | | region_id | RegionOne |
| service_id | 8c8c0927262a45ad9066cfe70d46892c |
| service_name | keystone | | service_name | keystone |
| service_type | identity | | service_type | identity |
| url | http://controller:5000/v2.0 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 57cfa543e7dc4b712c0ab137911bc4fe |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6f8de927262ac12f6066cfe70d99ac51 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v2.0 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 78c3dfa3e7dc44c98ab1b1379122ecb1 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 34ab3d27262ac449cba6cfe704dbc11f |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v2.0 |
+--------------+----------------------------------+ +--------------+----------------------------------+
.. note:: .. note::
Each service that you add to your OpenStack environment requires one Each service that you add to your OpenStack environment requires one
or more service entities and one API endpoint in the Identity or more service entities and three API endpoint variants in the Identity
service. service.
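Review bot: the sample output for the admin endpoint contradicts the command above it: `openstack endpoint create --region RegionOne identity admin http://controller:35357/v2.0` is followed by a table whose last row reads `| url | http://controller:5000/v2.0 |`, and each of the three endpoint tables carries a different `service_id` (`8c8c0927262a45ad9066cfe70d46892c`, `6f8de927262ac12f6066cfe70d99ac51`, `34ab3d27262ac449cba6cfe704dbc11f`) although all three are interface variants of the single identity service entity created just above. Readers compare their own output against these tables, so the admin row should read `http://controller:35357/v2.0` and `service_id` should be the same value in all three tables. Since the verification file in this same change authenticates against `/v3` URLs while the catalog entries registered here stay at `/v2.0`, a sentence saying why the two differ (or registering `/v3` endpoints instead) would stop readers from treating the mismatch as an error.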


@ -1,6 +1,5 @@
=================================
Create projects, users, and roles Create projects, users, and roles
================================= ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The Identity service provides authentication services for each OpenStack The Identity service provides authentication services for each OpenStack
service. The authentication service uses a combination of :term:`domains service. The authentication service uses a combination of :term:`domains
@ -9,169 +8,166 @@ service. The authentication service uses a combination of :term:`domains
.. note:: .. note::
For simplicity, this guide implicitly uses the ``default`` domain. For simplicity, this guide uses the ``default`` domain.
.. only:: debian
.. note::
The packages can automatically create the service entity and API
endpoint.
To create tenants, users, and roles
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
#. Create an administrative project, user, and role for administrative #. Create an administrative project, user, and role for administrative
operations in your environment: operations in your environment:
a. Create the ``admin`` project: * Create the ``admin`` project:
.. code-block:: console .. code-block:: console
$ openstack project create --description "Admin Project" admin $ openstack project create --domain default \
+-------------+----------------------------------+ --description "Admin Project" admin
| Field | Value | +-------------+----------------------------------+
+-------------+----------------------------------+ | Field | Value |
| description | Admin Project | +-------------+----------------------------------+
| enabled | True | | description | Admin Project |
| id | cf12a15c5ea84b019aec3dc45580896b | | domain_id | default |
| name | admin | | enabled | True |
+-------------+----------------------------------+ | id | 343d245e850143a096806dfaefa9afdc |
| is_domain | False |
| name | admin |
| parent_id | None |
+-------------+----------------------------------+
.. note:: .. note::
OpenStack generates IDs dynamically, so you will see different OpenStack generates IDs dynamically, so you will see different
values in the example command output. values in the example command output.
b. Create the ``admin`` user: * Create the ``admin`` user:
.. code-block:: console .. code-block:: console
$ openstack user create --password-prompt admin $ openstack user create --domain default \
User Password: --password-prompt admin
Repeat User Password: User Password:
+------------+----------------------------------+ Repeat User Password:
| Field | Value | +-----------+----------------------------------+
+------------+----------------------------------+ | Field | Value |
| email | None | +-----------+----------------------------------+
| enabled | True | | domain_id | default |
| id | 4d411f2291f34941b30eef9bd797505a | | enabled | True |
| name | admin | | id | ac3377633149401296f6c0d92d79dc16 |
| username | admin | | name | admin |
+------------+----------------------------------+ +-----------+----------------------------------+
c. Create the ``admin`` role: * Create the ``admin`` role:
.. code-block:: console .. code-block:: console
$ openstack role create admin $ openstack role create admin
+-------+----------------------------------+ +-------+----------------------------------+
| Field | Value | | Field | Value |
+-------+----------------------------------+ +-------+----------------------------------+
| id | cd2cb9a39e874ea69e5d4b896eb16128 | | id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin | | name | admin |
+-------+----------------------------------+ +-------+----------------------------------+
d. Add the ``admin`` role to the ``admin`` project and user: * Add the ``admin`` role to the ``admin`` project and user:
.. code-block:: console .. code-block:: console
$ openstack role add --project admin --user admin admin $ openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin |
+-------+----------------------------------+
.. note:: .. note::
Any roles that you create must map to roles specified in the This command provides no output.
:file:`policy.json` file in the configuration file directory of each
OpenStack service. The default policy for most services grants .. note::
administrative access to the ``admin`` role. For more information,
see the `Operations Guide - Managing Projects and Any roles that you create must map to roles specified in the
Users <http://docs.openstack.org/openstack-ops/content/projects_users.html>`__. ``policy.json`` file in the configuration file directory of each
OpenStack service. The default policy for most services grants
administrative access to the ``admin`` role. For more information,
see the `Operations Guide - Managing Projects and
Users <http://docs.openstack.org/openstack-ops/content/projects_users.html>`__.
#. This guide uses a service project that contains a unique user for each #. This guide uses a service project that contains a unique user for each
service that you add to your environment. service that you add to your environment. Create the ``service``
project:
a. Create the ``service`` project: .. code-block:: console
.. code-block:: console $ openstack project create --domain default \
--description "Service Project" service
$ openstack project create --description "Service Project" service +-------------+----------------------------------+
+-------------+----------------------------------+ | Field | Value |
| Field | Value | +-------------+----------------------------------+
+-------------+----------------------------------+ | description | Service Project |
| description | Service Project | | domain_id | default |
| enabled | True | | enabled | True |
| id | 55cbd79c0c014c8a95534ebd16213ca1 | | id | 894cdfa366d34e9d835d3de01e752262 |
| name | service | | is_domain | False |
+-------------+----------------------------------+ | name | service |
| parent_id | None |
+-------------+----------------------------------+
#. Regular (non-admin) tasks should use an unprivileged project and user. #. Regular (non-admin) tasks should use an unprivileged project and user.
As an example, this guide creates the ``demo`` project and user. As an example, this guide creates the ``demo`` project and user.
a. Create the ``demo`` project: * Create the ``demo`` project:
.. code-block:: console .. code-block:: console
$ openstack project create --description "Demo Project" demo $ openstack project create --domain default \
+-------------+----------------------------------+ --description "Demo Project" demo
| Field | Value | +-------------+----------------------------------+
+-------------+----------------------------------+ | Field | Value |
| description | Demo Project | +-------------+----------------------------------+
| enabled | True | | description | Demo Project |
| id | ab8ea576c0574b6092bb99150449b2d3 | | domain_id | default |
| name | demo | | enabled | True |
+-------------+----------------------------------+ | id | ed0b60bf607743088218b0a533d5943f |
| is_domain | False |
| name | demo |
| parent_id | None |
+-------------+----------------------------------+
.. note:: .. note::
Do not repeat this step when creating additional users for this Do not repeat this step when creating additional users for this
project. project.
b. Create the ``demo`` user: * Create the ``demo`` user:
.. code-block:: console .. code-block:: console
$ openstack user create --password-prompt demo $ openstack user create --domain default \
User Password: --password-prompt demo
Repeat User Password: User Password:
+------------+----------------------------------+ Repeat User Password:
| Field | Value | +-----------+----------------------------------+
+------------+----------------------------------+ | Field | Value |
| email | None | +-----------+----------------------------------+
| enabled | True | | domain_id | default |
| id | 3a81e6c8103b46709ef8d141308d4c72 | | enabled | True |
| name | demo | | id | 58126687cbcc4888bfa9ab73a2256f27 |
| username | demo | | name | demo |
+------------+----------------------------------+ +-----------+----------------------------------+
c. Create the ``user`` role: * Create the ``user`` role:
.. code-block:: console .. code-block:: console
$ openstack role create user $ openstack role create user
+-------+----------------------------------+ +-------+----------------------------------+
| Field | Value | | Field | Value |
+-------+----------------------------------+ +-------+----------------------------------+
| id | 9fe2ff9ee4384b1894a90878d3e92bab | | id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user | | name | user |
+-------+----------------------------------+ +-------+----------------------------------+
d. Add the ``user`` role to the ``demo`` project and user: * Add the ``user`` role to the ``demo`` project and user:
.. code-block:: console .. code-block:: console
$ openstack role add --project demo --user demo user $ openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value | .. note::
+-------+----------------------------------+
| id | 9fe2ff9ee4384b1894a90878d3e92bab | This command provides no output.
| name | user |
+-------+----------------------------------+
.. note:: .. note::
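Review bot: the `.. only:: debian` note stating that the packages can automatically create the service entity and API endpoint is dropped without a replacement, so a Debian reader no longer learns that the endpoint-creation step in the install file may already have been performed by the package and that repeating it adds a second set of catalog entries; either carry the note over to the install file or state in the commit message that the Debian packaging path is intentionally no longer described. Separately, the new `.. note::` after `openstack role add --project admin --user admin admin` says only `This command provides no output.`; silent success gives the reader nothing to compare against for the one step that decides who is an administrator, so it is worth pointing at a way to confirm the assignment landed (for example `openstack role assignment list`, or the admin-only checks in the verify file).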


@ -1,6 +1,5 @@
================
Verify operation Verify operation
================ ~~~~~~~~~~~~~~~~
Verify operation of the Identity service before installing other Verify operation of the Identity service before installing other
services. services.
@ -10,7 +9,7 @@ services.
1. For security reasons, disable the temporary authentication 1. For security reasons, disable the temporary authentication
token mechanism: token mechanism:
Edit the :file:`/etc/keystone/keystone-paste.ini` Edit the ``/etc/keystone/keystone-paste.ini``
file and remove ``admin_token_auth`` from the file and remove ``admin_token_auth`` from the
``[pipeline:public_api]``, ``[pipeline:admin_api]``, ``[pipeline:public_api]``, ``[pipeline:admin_api]``,
and ``[pipeline:api_v3]`` sections. and ``[pipeline:api_v3]`` sections.
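Review bot: removing `admin_token_auth` from the three pipelines in `/etc/keystone/keystone-paste.ini` takes effect only after the Apache HTTP server that fronts keystone in this guide is restarted, because the paste pipeline is loaded when the WSGI application starts; the step should say so. It should also give the reader a check that the bootstrap path is really closed, for example that a request made while the old `OS_TOKEN` and `OS_URL` are still exported is now rejected, before step 2 discards those values with `unset OS_TOKEN OS_URL`. This is the step that closes a shared-secret superuser path, so a verification here matters more than any of the later token checks.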
@ -20,7 +19,7 @@ services.
1. For security reasons, disable the temporary authentication 1. For security reasons, disable the temporary authentication
token mechanism: token mechanism:
Edit the :file:`/usr/share/keystone/keystone-dist-paste.ini` Edit the ``/usr/share/keystone/keystone-dist-paste.ini``
file and remove ``admin_token_auth`` from the file and remove ``admin_token_auth`` from the
``[pipeline:public_api]``, ``[pipeline:admin_api]``, ``[pipeline:public_api]``, ``[pipeline:admin_api]``,
and ``[pipeline:api_v3]`` sections. and ``[pipeline:api_v3]`` sections.
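Review bot: the same restart caveat applies to this variant, and in addition `/usr/share/keystone/keystone-dist-paste.ini` is a package-owned file outside `/etc`, so it is liable to be replaced on a later package update, which would silently put `admin_token_auth` back into all three pipelines. Suggest telling the reader to copy the edited file into `/etc/keystone` and point `config_file` in the `[paste_deploy]` section of `keystone.conf` at the copy, or at minimum to re-check the pipelines after package upgrades.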
@ -31,38 +30,11 @@ services.
$ unset OS_TOKEN OS_URL $ unset OS_TOKEN OS_URL
3. As the ``admin`` user, request an authentication token from 3. As the ``admin`` user, request an authentication token:
the Identity version 2.0 API:
.. code-block:: console .. code-block:: console
$ openstack --os-auth-url http://controller:35357 \ $ openstack --os-auth-url http://controller:35357/v3 \
--os-project-name admin --os-username admin \
--os-auth-type password token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-03-24T18:55:01Z |
| id | ff5ed908984c4a4190f584d826d75fed |
| project_id | cf12a15c5ea84b019aec3dc45580896b |
| user_id | 4d411f2291f34941b30eef9bd797505a |
+------------+----------------------------------+
.. note::
This command uses the password for the ``admin`` user.
4. The Identity version 3 API adds support for domains that contain
projects and users. Projects and users can use the same names in
different domains. Therefore, in order to use the version 3 API,
requests must also explicitly contain at least the ``default``
domain or use IDs. For simplicity, this guide explicitly uses
the ``default`` domain so examples can use names instead of IDs.
.. code-block:: console
$ openstack --os-auth-url http://controller:35357 \
--os-project-domain-id default --os-user-domain-id default \ --os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \ --os-project-name admin --os-username admin --os-auth-type password \
token issue token issue
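Review bot: the new auth URL `http://controller:35357/v3` does not match the endpoints the install file registers (`http://controller:35357/v2.0` and `http://controller:5000/v2.0`); the command succeeds only because `--os-auth-url` bypasses the catalog, so a reader who later relies on the catalog or on `OS_AUTH_URL` in an RC file gets a v2.0 URL while every example in this guide assumes v3. Either register v3 endpoints or state the reason for the difference. This hunk also deletes the paragraph that explained why `--os-project-domain-id default --os-user-domain-id default` are required under v3 (the same names may exist in different domains); one sentence of that explanation should survive next to the command, otherwise the flags look like noise that readers will drop.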
@ -80,75 +52,11 @@ services.
This command uses the password for the ``admin`` user. This command uses the password for the ``admin`` user.
5. As the ``admin`` user, list projects to verify that the 4. As the ``demo`` user, request an authentication token:
``admin`` user can execute admin-only CLI commands and
that the Identity service contains the projects that you
created in :doc:`keystone-users`:
.. code-block:: console .. code-block:: console
$ openstack --os-auth-url http://controller:35357 \ $ openstack --os-auth-url http://controller:5000/v3 \
--os-project-name admin --os-username admin \
--os-auth-type password project list
Password:
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 55cbd79c0c014c8a95534ebd16213ca1 | service |
| ab8ea576c0574b6092bb99150449b2d3 | demo |
| cf12a15c5ea84b019aec3dc45580896b | admin |
+----------------------------------+---------+
.. note::
This command uses the password for the ``admin`` user.
6. As the ``admin`` user, list users to verify that the Identity service
contains the users that you created in :doc:`keystone-users`:
.. code-block:: console
$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password user list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4d411f2291f34941b30eef9bd797505a | admin |
| 3a81e6c8103b46709ef8d141308d4c72 | demo |
+----------------------------------+-------+
.. note::
This command uses the password for the ``admin`` user.
7. As the ``admin`` user, list roles to verify that the Identity service
contains the role that you created in :doc:`keystone-users`:
.. code-block:: console
$ openstack --os-auth-url http://controller:35357 \
--os-project-name admin --os-username admin \
--os-auth-type password role list
Password:
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 9fe2ff9ee4384b1894a90878d3e92bab | user |
| cd2cb9a39e874ea69e5d4b896eb16128 | admin |
+----------------------------------+-------+
.. note::
This command uses the password for the ``admin`` user.
8. As the ``demo`` user, request an authentication token from
the Identity version 3 API:
.. code-block:: console
$ openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \ --os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \ --os-project-name demo --os-username demo --os-auth-type password \
token issue token issue
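Review bot: steps 5 to 7 (`project list`, `user list` and `role list` as `admin`) are removed, leaving `token issue` as the only admin check. Issuing a token proves that the password authenticates; it does not prove that the `admin` role assignment from keystone-users and the services' `policy.json` actually grant administrative authorization, which is exactly what a mistaken `openstack role add` would break. Keep at least one admin-only listing (for example `user list`) after the token step, updated to the `/v3` auth URL like the surviving commands.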
@ -167,16 +75,3 @@ services.
This command uses the password for the ``demo`` This command uses the password for the ``demo``
user and API port 5000 which only allows regular (non-admin) user and API port 5000 which only allows regular (non-admin)
access to the Identity service API. access to the Identity service API.
9. As the ``demo`` user, attempt to list users
to verify that it cannot execute admin-only CLI commands:
.. code-block:: console
$ openstack --os-auth-url http://controller:5000 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo \
--os-auth-type password user list
Password:
ERROR: openstack You are not authorized to perform the
requested action, admin_required. (HTTP 403)
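Review bot: deleting step 9, the `demo` user's `user list` attempt that is expected to fail with `ERROR: openstack You are not authorized to perform the requested action, admin_required. (HTTP 403)`, removes the only negative test in the verification; without it an over-privileged `demo` user, for instance one accidentally given the `admin` role instead of `user`, passes every remaining check. Keep the 403 test, with the auth URL changed to `/v3` like the other commands. The retained note that API port 5000 `only allows regular (non-admin) access` is also no longer accurate once the guide authenticates against `/v3` on that port: the v3 API is served identically on both ports, and admin-only operations are restricted by role and `policy.json`, not by port, so the note should say that instead.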