openstack/openstack-manuals
Code Issues Proposed changes
a4b7225874
openstack-manuals/doc/install-guide/section_keystone-services.xml
Matthew Kassawara cd89eca969 Modify keystone content for Kilo 
Modify keystone content for Kilo as follows:

1) Replace default eventlet front-end with Apache front-end
   to provide a more production-style deployment.

   * Disable keystone service from starting up automatically
     because it creates port conflicts with Apache.
   * Use the Apache virtual host configuration template from
     the keystone source repository.
   * Use the WSGI components from the keystone source
     repository because the packages don't include them.
   * Will update source repository links after release.

2) Replace SQL back-end with Memcache back-end for tokens to
   provide a more production-style deployment.

   * Remove cron job that deletes expired tokens from the SQL
     database.

3) Enable version 3 API.

   * Change "tenant" to "project" to align with v3 API
     terminology.
   * Include tests to verify operation.

4) Replace python-keystoneclient with python-openstackclient.

   * Update openrc files to work with python-openstackclient.

5) Replace password entry on CLI with prompts.

6) Move service and endpoint creation section before user and
   project creation section to improve flow.

7) Add note about adding sections and options to default
   configuration files.

8) Disable temporary authentication token mechanism prior to
   service verification.

Many of these changes stem from keystone deprecations and
recommendations from the keystone PTL. Also, this patch only
addresses Ubuntu. For other distributions, please submit
additional patches rather than modifying this patch.

Implements: blueprint installguide-kilo
Change-Id: I9a2e53f14d6ed41df0085256c20904760a58ea25
2015-04-03 09:16:41 -05:00

118 lines
6.0 KiB
XML
Raw Blame History

<?xml version="1.0" encoding="UTF-8"?>
<section xmlns="http://docbook.org/ns/docbook"
xmlns:xi="http://www.w3.org/2001/XInclude"
xmlns:xlink="http://www.w3.org/1999/xlink"
version="5.0"
xml:id="keystone-services">
<title>Create the service entity and API endpoints</title>
<para>The Identity service provides a catalog of services and their
locations. Each service that you add to your OpenStack environment
requires a <glossterm>service</glossterm> entity and several
<glossterm baseform="API endpoint">API endpoints</glossterm> in the
catalog.</para>
<procedure>
<title>To configure prerequisites</title>
<para>By default, the Identity service database contains no information
to support conventional authentication and catalog services. You must
use a temporary authentication token that you created in
<xref linkend="keystone-install"/> to initialize the service entity
and API endpoints for the Identity service.</para>
<para>You must pass the value of the authentication token to the
<command>openstack</command> command with the
<parameter>--os-token</parameter> parameter or set the
<envar>OS_TOKEN</envar> environment variable. Similarly, you
must also pass the value of the Identity service URL to the
<command>openstack</command> command with the
<parameter>--os-url</parameter> parameter or set the
<envar>OS_URL</envar> environment variable. This guide
uses environment variables to reduce command length.</para>
<warning>
<para>For security reasons, do not use the temporary authentication
token for longer than necessary to initialize the Identity
service.</para>
</warning>
<step>
<para>Configure the authentication token:</para>
<screen><prompt>$</prompt> <userinput>export OS_TOKEN=<replaceable>ADMIN_TOKEN</replaceable></userinput></screen>
<para>Replace <replaceable>ADMIN_TOKEN</replaceable> with the
authentication token that you generated in
<xref linkend="keystone-install"/>. For example:</para>
<screen><prompt>$</prompt> <userinput>export OS_TOKEN=294a4c8a8a475f9b9836</userinput></screen>
</step>
<step>
<para>Configure the endpoint URL:</para>
<screen><prompt>$</prompt> <userinput>export OS_URL=http://<replaceable>controller</replaceable>:35357/v2.0</userinput></screen>
</step>
</procedure>
<procedure>
<title>To create the service entity and API endpoints</title>
<note os="debian">
<para>The packages can automatically create the service entity and
API endpoints.</para>
</note>
<step>
<para>The Identity service manages a catalog of services in your
OpenStack environment. Services use this catalog to determine
the other services available in your environment.</para>
<para>Create the service entity for the Identity service:</para>
<screen><prompt>$</prompt> <userinput>openstack service create --type identity \
--description "OpenStack Identity" keystone</userinput>
<computeroutput>+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 4ddaae90388b4ebc9d252ec2252d8d10 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+</computeroutput></screen>
<note>
<para>OpenStack generates IDs dynamically, so you will see
different values in the example command output.</para>
</note>
</step>
<step>
<para>The Identity service manages a catalog of API endpoints associated
with the services in your OpenStack environment. Services use this
catalog to determine how to communicate with other services in your
environment.</para>
<para>OpenStack uses three API endpoint variants for each service:
admin, internal, and public. The admin API endpoint allows modifying
users and tenants by default, while the public and internal APIs
do not. In a production environment, the variants might reside on
separate networks that service different types of users for security
reasons. For instance, the public API network might be reachable from
outside the cloud for management tools, the admin API network might be
protected, while the internal API network is connected to each host.
Also, OpenStack supports multiple regions for scalability. For
simplicity, this guide uses the management network for all
endpoint variations and the default <literal>regionOne</literal>
region.</para>
<para>Create the Identity service API endpoints:</para>
<screen><prompt>$</prompt> <userinput>openstack endpoint create \
--publicurl http://<replaceable>controller</replaceable>:5000/v2.0 \
--internalurl http://<replaceable>controller</replaceable>:5000/v2.0 \
--adminurl http://<replaceable>controller</replaceable>:35357/v2.0 \
--region regionOne \
identity</userinput>
<computeroutput>+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| adminurl | http://controller:35357/v2.0 |
| id | 4a9ffc04b8eb4848a49625a3df0170e5 |
| internalurl | http://controller:5000/v2.0 |
| publicurl | http://controller:5000/v2.0 |
| region | regionOne |
| service_id | 4ddaae90388b4ebc9d252ec2252d8d10 |
| service_name | keystone |
| service_type | identity |
+--------------+----------------------------------+</computeroutput></screen>
</step>
</procedure>
<note>
<para>Each service that you add to your OpenStack environment requires
one or more service entities and API endpoints in the Identity
service.</para>
</note>
</section>
View Git Blame Copy Permalink