Install the Identity Service
Install the Identity Service on the controller node,
together with python-keystoneclient (which is a
dependency):
# apt-get install keystone
# yum install openstack-keystone python-keystoneclient
# zypper install openstack-keystone python-keystoneclient openstack-utils
Answer to the debconf and dbconfig-common questions for setting-up the
database.
The Identity Service uses a database to store information.
Specify the location of the database in the configuration
file. In this guide, we use a MySQL database on the controller
node with the username keystone. Replace
KEYSTONE_DBPASS
with a suitable password for the database user.
# openstack-config --set /etc/keystone/keystone.conf \
sql connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone
Edit
/etc/keystone/keystone.conf and change
the [sql] section.
...
[sql]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
...
Use the openstack-db command to create
the database and tables, as well as a database user called
keystone to connect to the database.
Replace
KEYSTONE_DBPASS
with the same password used in the previous step.
# openstack-db --init --service keystone --password KEYSTONE_DBPASS
By default, the Ubuntu packages create an SQLite database.
Delete the keystone.sqlite file created in
the /var/lib/keystone/ directory so that it
does not get used by mistake.
Use the password that you set previously to log in as
root. Create a keystone database
user:
# mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Start the keystone service and create its tables:
# keystone-manage db_sync
# service keystone restart
Define an authorization token to use as a shared secret
between the Identity Service and other OpenStack services.
Respond to the debconf prompt with the
value in the admin_token
directive in the
keystone.conf file. Use the
openssl rand -hex 10 command to generate
this password.
Later, you can verify that the
/etc/keystone/keystone.conf file
contains the password you have set using
debconf:
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
Respond to the prompts to create an administrative
tenant:
If this is the first time you have installed the Identity
Service, register the Identity Service in the service
catalog:
Define an authorization token to use as a shared secret
between the Identity Service and other OpenStack services. Use
openssl to generate a random token and
store it in the configuration file:
# ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
# openstack-config --set /etc/keystone/keystone.conf DEFAULT \
admin_token $ADMIN_TOKEN
# openssl rand -hex 10
For SUSE Linux Enterprise use instead
as first command:
# ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"')
Edit
/etc/keystone/keystone.conf and change
the [DEFAULT] section, replacing
ADMIN_TOKEN with the results of the command.
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
By default, Keystone uses PKI tokens. Create the signing
keys and certificates:
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log
# keystone-manage pki_setup --keystone-user openstack-keystone \
--keystone-group openstack-keystone
# chown -R openstack-keystone:openstack-keystone /etc/keystone/* \
/var/log/keystone/keystone.log
Set up the
/etc/keystone/default_catalog.templates
file:
# KEYSTONE_CATALOG=/etc/keystone/default_catalog.templates
# sed -e "s,%SERVICE_HOST%,192.168.0.10,g" \
-e "s/%S3_SERVICE_PORT%/8080/" \
$KEYSTONE_CATALOG.sample > $KEYSTONE_CATALOG
Restart the Identity Service:
# service keystone restart
Start the Identity Service and enable it to start when the
system boots:
# service openstack-keystone start
# chkconfig openstack-keystone on