Install and configure

This section describes how to install and configure the OpenStack Identity service on the controller node.

To configure prerequisites

Before you configure the OpenStack Identity service, you must create a database and an administration token.

1. To create the database, complete these steps:

   a. Use the database access client to connect to the database server as the root user:

          $ mysql -u root -p

   b. Create the keystone database:

          CREATE DATABASE keystone;

   c. Grant proper access to the keystone database:

          GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
            IDENTIFIED BY 'KEYSTONE_DBPASS';
          GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
            IDENTIFIED BY 'KEYSTONE_DBPASS';

      Replace KEYSTONE_DBPASS with a suitable password.

   d. Exit the database access client.

2. Generate a random value to use as the administration token during initial configuration. Either of the following commands produces a suitable value:

          $ openssl rand -hex 10
          $ openssl rand 10 | hexdump -e '1/1 "%.2x"'

To install and configure the components

1. Run the command for your distribution's package manager to install the packages:

          # apt-get install keystone python-keystoneclient
          # yum install openstack-keystone python-keystoneclient
          # zypper install openstack-keystone python-keystoneclient

2. Edit the /etc/keystone/keystone.conf file and complete the following actions:

   a. In the [DEFAULT] section, define the value of the initial administration token:

          [DEFAULT]
          ...
          admin_token = ADMIN_TOKEN

      Replace ADMIN_TOKEN with the random value that you generated in a previous step.

   b. In the [database] section, configure database access:

          [database]
          ...
          connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone

      Replace KEYSTONE_DBPASS with the password you chose for the database.

   c. In the [token] section, configure the UUID token provider and SQL driver:

          [token]
          ...
          provider = keystone.token.providers.uuid.Provider
          driver = keystone.token.persistence.backends.sql.Token

   d. In the [revoke] section, configure the SQL revocation driver:

          [revoke]
          ...
          driver = keystone.contrib.revoke.backends.sql.Revoke

   e. (Optional) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:

          [DEFAULT]
          ...
          verbose = True

3. Create generic certificates and keys and restrict access to the associated files:

          # keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
          # chown -R keystone:keystone /var/log/keystone
          # chown -R keystone:keystone /etc/keystone/ssl
          # chmod -R o-rwx /etc/keystone/ssl

4. Populate the Identity service database:

          # su -s /bin/sh -c "keystone-manage db_sync" keystone

To install and configure the components on Debian

1. Run the following command to install the packages:

          # apt-get install keystone python-keystoneclient

   dbconfig-common is installed automatically as a dependency of the keystone package. Respond to its prompts, which fill in the database access directive below:

          [database]
          ...
          connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone

   If you decide not to use dbconfig-common, you have to create the database and manage its access rights yourself, and run the following by hand:

          # keystone-manage db_sync

2. Generate a random value to use as the administration token during initial configuration:

          $ openssl rand -hex 10

3. Configure the initial administration token: use the random value that you generated in the previous step. If you install in non-interactive mode or do not specify this token, the configuration tool generates a random value. The package then configures the following directive with the value you entered:

          [DEFAULT]
          ...
          admin_token = ADMIN_TOKEN

4. Create the admin tenant and user. During the final stage of the package installation, it is possible to automatically create an admin tenant and an admin user, which other OpenStack services can later use to contact the Identity service. This is the equivalent of running the following commands:

          # keystone tenant-create --name admin --description "Admin Tenant"
          # keystone user-create --name admin --pass ADMIN_PASS --email root@localhost
          # keystone role-create --name admin
          # keystone user-role-add --user admin --role admin --tenant admin

5. Create the Identity service endpoints. In Debian, the Keystone package offers automatic registration of Keystone in the service catalogue. This is equivalent to running the following commands:

          # keystone service-create --name keystone --type identity --description "OpenStack Identity"
          # keystone endpoint-create \
            --service-id $(keystone service-list | awk '/ identity / {print $2}') \
            --publicurl http://controller:5000/v2.0 \
            --internalurl http://controller:5000/v2.0 \
            --adminurl http://controller:35357/v2.0 \
            --region regionOne

To finalize installation

1. Restart the Identity service:

          # service keystone restart

   Alternatively, depending on your distribution, start the Identity service and configure it to start when the system boots:

          # systemctl enable openstack-keystone.service
          # systemctl start openstack-keystone.service

   On SLES:

          # service openstack-keystone start
          # chkconfig openstack-keystone on

   On openSUSE:

          # systemctl enable openstack-keystone.service
          # systemctl start openstack-keystone.service

2. By default, the Ubuntu packages create a SQLite database. Because this configuration uses a SQL database server, you can remove the SQLite database file:

          # rm -f /var/lib/keystone/keystone.db

3. By default, the Identity service stores expired tokens in the database indefinitely. The accumulation of expired tokens considerably increases the database size and might degrade service performance, particularly in environments with limited resources.

   Where the Keystone package already contains a cron job (under /etc/cron.hourly/keystone or /etc/cron.hourly/openstack-keystone, depending on the package), it is not necessary to manually configure a periodic task that purges expired tokens hourly. You can however have a look at (and eventually customize) the already configured script.

   Otherwise, we recommend that you use cron to configure a periodic task that purges expired tokens hourly. The crontab spool path differs between distributions:

          # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
            echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
            >> /var/spool/cron/crontabs/keystone

          # (crontab -l -u keystone 2>&1 | grep -q token_flush) || \
            echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
            >> /var/spool/cron/keystone
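As an added check (example code, not part of the install guide), the following POSIX shell script audits what this section configures: it reads the [DEFAULT], [database], [token] and [revoke] values from a keystone.conf, flags the ADMIN_TOKEN and KEYSTONE_DBPASS placeholders if they were left in (admin_token bypasses normal authentication, so a guessable value there exposes the whole deployment), and verifies that nothing under the pki_setup output directory is accessible to "other" after the chmod -R o-rwx step. The function names ini_get, check_keystone_conf and check_ssl_perms are this example's own.

```shell
#!/bin/sh
# Added example (not from the install guide): audit a keystone.conf for the
# settings configured above and catch placeholder values left in from the guide.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing.
# Commented-out lines such as "#admin_token = ..." are ignored.
ini_get() {
    awk -v want="$2" -v key="$3" '
        /^[[:space:]]*\[/ {                      # section header: text between [ and ]
            s = index($0, "["); e = index($0, "]")
            sec = substr($0, s + 1, e - s - 1); next
        }
        sec == want && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# check_keystone_conf FILE: return 0 only if every setting from the section
# above is present and the ADMIN_TOKEN / KEYSTONE_DBPASS placeholders are gone.
check_keystone_conf() {
    conf="$1"; rc=0
    case "$(ini_get "$conf" DEFAULT admin_token)" in
        ""|ADMIN_TOKEN) echo "admin_token missing or still the placeholder"; rc=1 ;;
    esac
    case "$(ini_get "$conf" database connection)" in
        "")                 echo "[database] connection is not set"; rc=1 ;;
        *KEYSTONE_DBPASS@*) echo "database password is still the placeholder"; rc=1 ;;
        sqlite*)            echo "connection still points at the packaged SQLite file"; rc=1 ;;
    esac
    [ "$(ini_get "$conf" token provider)" = keystone.token.providers.uuid.Provider ] \
        || { echo "[token] provider is not the UUID provider"; rc=1; }
    [ "$(ini_get "$conf" token driver)" = keystone.token.persistence.backends.sql.Token ] \
        || { echo "[token] driver is not the SQL backend"; rc=1; }
    [ "$(ini_get "$conf" revoke driver)" = keystone.contrib.revoke.backends.sql.Revoke ] \
        || { echo "[revoke] driver is not the SQL backend"; rc=1; }
    return $rc
}

# check_ssl_perms DIR: return 0 only if nothing under DIR (the pki_setup output)
# has any "other" bit set (octal 004/002/001), as chmod -R o-rwx intends.
check_ssl_perms() {
    [ -z "$(find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null)" ]
}

# On the controller node itself, run both checks against the real files.
if [ -f /etc/keystone/keystone.conf ]; then
    check_keystone_conf /etc/keystone/keystone.conf && check_ssl_perms /etc/keystone/ssl \
        || echo "keystone configuration needs attention"
fi
```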