This section describes how to install and configure the OpenStack Identity service on the controller node. Before you configure the OpenStack Identity service, you must create a database and an administration token. As the root user, connect to the database to create the keystone database and grant the proper access to it: $ mysql -u root -p mysql> CREATE DATABASE keystone; mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \ IDENTIFIED BY 'KEYSTONE_DBPASS'; mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \ IDENTIFIED BY 'KEYSTONE_DBPASS'; mysql> exit Replace KEYSTONE_DBPASS with a suitable password. Generate a random value to use as the administration token during initial configuration: # openssl rand -hex 10 # openssl rand 10 | hexdump -e '1/1 "%.2x"' Generate a random value to use as the administration token during initial configuration: # openssl rand -hex 10 Run the following command to install the packages: # apt-get install keystone python-keystoneclient # yum install openstack-keystone python-keystoneclient # zypper install openstack-keystone python-keystoneclient Edit the /etc/keystone/keystone.conf file. In the [DEFAULT] section, define the value of the initial administration token: [DEFAULT] ... admin_token = ADMIN_TOKEN Replace ADMIN_TOKEN with the random value that you generated in a previous step. In the [database] section, configure database access: [database] ... connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone Replace KEYSTONE_DBPASS with the password you chose for the database. In the [DEFAULT] section, configure the log directory: [DEFAULT] ... log_dir = /var/log/keystone By default, the Identity service uses public key infrastructure (PKI). Create generic certificates and keys and restrict access to the associated files: # keystone-manage pki_setup --keystone-user keystone --keystone-group keystone # chown -R keystone:keystone /etc/keystone/ssl # chmod -R o-rwx /etc/keystone/ssl Run the following command to populate the Identity service database: # su -s /bin/sh -c "keystone-manage db_sync" keystone Run the following command to install the packages: # apt-get install keystone python-keystoneclient Respond to prompts for database management. Configure the initial administration token: Use the random value that you generated in a previous step. If you install using non-interactive mode or you do not specify this token, the configuration tool generates a random value. Create the admin tenant and user: Register the Identity service in the catalog: Restart the Identity service: # service keystone restart Start the Identity service and configure it to start when the system boots: # service openstack-keystone start # chkconfig openstack-keystone on By default, the Ubuntu packages create a SQLite database. Because this configuration uses a SQL database server, you can remove the SQLite database file: # rm /var/lib/keystone/keystone.db By default, the Identity service stores expired tokens in the database indefinitely. The accumulation of expired tokens considerably increases the database size and might degrade service performance, particularly in test environments with limited resources. We recommend that you use cron to configure a periodic task that purges expired tokens hourly. Run the following command to purge expired tokens every hour and log the output to the /var/log/keystone/keystone-tokenflush.log file: # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \ echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \ >> /var/spool/cron/crontabs/keystone # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \ echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \ >> /var/spool/cron/keystone # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \ echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \ >> /var/spool/cron/tabs/keystone