Openstack installation : Identity Service – Keystone

I followed the steps given in https://docs.openstack.org. The content is mostly from openstack.org; this is just a compilation of the steps I followed. Minor changes may be observed as I had installed on Debian 9.6.


The OpenStack Identity service provides a single point of integration for managing authentication, authorization, and a catalog of services.

On the controller node, create the Keystone database and grant the keystone database user access to it:

root@controller:~# mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 2
Server version: 10.1.37-MariaDB-0+deb9u1 Debian 9.6

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.01 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '<password>';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]>

Notes from: https://docs.openstack.org/newton/install-guide-debian/keystone-install.html

This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on ports 5000 and 35357. By default, the keystone service still listens on these ports. The package handles all of the Apache configuration for you (including the activation of the mod_wsgi apache2 module and keystone configuration in Apache).

Install the Keystone package:

root@controller:~# apt install keystone

Update the database connection and the token provider settings in the Keystone configuration file /etc/keystone/keystone.conf.

In the [database] section:

connection = mysql+pymysql://keystone:<password>@controller/keystone

In the [token] section (the default is commented out as #provider = uuid):

provider = fernet

Populate the Identity service database with the required tables:

root@controller:~# su -s /bin/sh -c "keystone-manage db_sync" keystone
2018-12-01 07:34:49.646 12745 INFO migrate.versioning.api [-] 66 -> 67... 
2018-12-01 07:34:53.144 12745 INFO migrate.versioning.api [-] done
...
...
2018-12-01 07:34:58.673 12745 INFO migrate.versioning.api [-] 108 -> 109... 
2018-12-01 07:34:58.815 12745 INFO migrate.versioning.api [-] done
2018-12-01 07:34:58.879 12745 INFO migrate.versioning.api [-] 0 -> 1... 
2018-12-01 07:34:58.888 12745 INFO migrate.versioning.api [-] done
...
...
2018-12-01 07:34:59.825 12745 INFO migrate.versioning.api [-] 3 -> 4... 
2018-12-01 07:35:00.175 12745 INFO migrate.versioning.api [-] done
root@controller:~#

After population, the tables exist but no users have been created yet:

MariaDB [(none)]> use keystone
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| nonlocal_user          |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
37 rows in set (0.00 sec)

MariaDB [keystone]> select * from user;
Empty set (0.00 sec)

MariaDB [keystone]>

Initialize the Fernet key repositories (token keys and credential keys), owned by the keystone user and group:

root@controller:~# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
2018-12-01 09:45:07.686 14446 INFO keystone.common.fernet_utils [-] key_repository does not appear to exist; attempting to create it
2018-12-01 09:45:07.687 14446 INFO keystone.common.fernet_utils [-] Created a new key: /etc/keystone/fernet-keys/0
2018-12-01 09:45:07.687 14446 INFO keystone.common.fernet_utils [-] Starting key rotation with 1 key files: ['/etc/keystone/fernet-keys/0']
2018-12-01 09:45:07.687 14446 INFO keystone.common.fernet_utils [-] Current primary key is: 0
2018-12-01 09:45:07.688 14446 INFO keystone.common.fernet_utils [-] Next primary key will be: 1
2018-12-01 09:45:07.688 14446 INFO keystone.common.fernet_utils [-] Promoted key 0 to be the primary: 1
2018-12-01 09:45:07.688 14446 INFO keystone.common.fernet_utils [-] Created a new key: /etc/keystone/fernet-keys/0
root@controller:~# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
2018-12-01 09:45:24.362 14453 INFO keystone.common.fernet_utils [-] key_repository does not appear to exist; attempting to create it
2018-12-01 09:45:24.362 14453 INFO keystone.common.fernet_utils [-] Created a new key: /etc/keystone/credential-keys/0
2018-12-01 09:45:24.362 14453 INFO keystone.common.fernet_utils [-] Starting key rotation with 1 key files: ['/etc/keystone/credential-keys/0']
2018-12-01 09:45:24.362 14453 INFO keystone.common.fernet_utils [-] Current primary key is: 0
2018-12-01 09:45:24.363 14453 INFO keystone.common.fernet_utils [-] Next primary key will be: 1
2018-12-01 09:45:24.363 14453 INFO keystone.common.fernet_utils [-] Promoted key 0 to be the primary: 1
2018-12-01 09:45:24.363 14453 INFO keystone.common.fernet_utils [-] Created a new key: /etc/keystone/credential-keys/0

Before bootstrapping the Identity service:

MariaDB [keystone]> select * from user;
Empty set (0.00 sec)

MariaDB [keystone]>

MariaDB [keystone]> select * from region;
Empty set (0.00 sec)

MariaDB [keystone]> select id,description from project;
+--------------------------+--------------------------+
| id                       | description              |
+--------------------------+--------------------------+
| <<keystone.domain.root>> |                          |
+--------------------------+--------------------------+
1 row in set (0.00 sec)

MariaDB [keystone]>

Bootstrap the Identity service:

root@controller:~# keystone-manage bootstrap --bootstrap-password <password> --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:35357/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
2018-12-01 09:52:52.999 14552 WARNING keystone.assignment.core [-] Deprecated: Use of the identity driver config to automatically configure the same assignment driver has been deprecated, in the "O" release, the assignment driver will need to be expicitly configured if different than the default (SQL).
2018-12-01 09:52:53.129 14552 INFO keystone.cmd.cli [-] Created domain default
2018-12-01 09:52:53.149 14552 INFO keystone.cmd.cli [req-2c393bf9-7996-4bb6-a11c-53ce6f938397 - - - - -] Created project admin
2018-12-01 09:52:53.185 14552 INFO keystone.cmd.cli [req-2c393bf9-7996-4bb6-a11c-53ce6f938397 - - - - -] Created user admin
2018-12-01 09:52:53.204 14552 INFO keystone.cmd.cli [req-2c393bf9-7996-4bb6-a11c-53ce6f938397 - - - - -] Created role admin
2018-12-01 09:52:53.233 14552 INFO keystone.cmd.cli [req-2c393bf9-7996-4bb6-a11c-53ce6f938397 - - - - -] Granted admin on admin to user admin.
2018-12-01 09:52:53.241 14552 INFO keystone.cmd.cli [req-2c393bf9-7996-4bb6-a11c-53ce6f938397 - - - - -] Created region RegionOne
2018-12-01 09:52:53.272 14552 INFO keystone.cmd.cli [req-2c393bf9-7996-4bb6-a11c-53ce6f938397 - - - - -] Created admin endpoint http://controller:35357/v3/
2018-12-01 09:52:53.313 14552 INFO keystone.cmd.cli [req-2c393bf9-7996-4bb6-a11c-53ce6f938397 - - - - -] Created internal endpoint http://controller:35357/v3/
2018-12-01 09:52:53.332 14552 INFO keystone.cmd.cli [req-2c393bf9-7996-4bb6-a11c-53ce6f938397 - - - - -] Created public endpoint http://controller:5000/v3/

After bootstrapping

MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [keystone]> select id, enabled, default_project_id from user;
+----------------------------------+---------+--------------------+
| id                               | enabled | default_project_id |
+----------------------------------+---------+--------------------+
| 1e6366fc80334706b2e57d37a706aa5c | 1       | NULL               |
+----------------------------------+---------+--------------------+
1 row in set (0.00 sec)

MariaDB [keystone]> select * from region;
+-----------+-------------+------------------+-------+
| id        | description | parent_region_id | extra |
+-----------+-------------+------------------+-------+
| RegionOne |             | NULL             | {}    |
+-----------+-------------+------------------+-------+
1 row in set (0.00 sec)

MariaDB [keystone]> select id, description from project;
+----------------------------------+-----------------------------------------------+
| id                               | description                                   |
+----------------------------------+-----------------------------------------------+
| <<keystone.domain.root>>         |                                               |
| a3e16bf71c96422eae74bc9f8c76c61b | Bootstrap project for initializing the cloud. |
| default                          | The default domain                            |
+----------------------------------+-----------------------------------------------+
3 rows in set (0.00 sec)

The openstack client reads specific environment variables when they are present, which saves repeating the same options on every command. Set the environment variables for the admin user account.

Note: not working as the root user.

sandeep@controller:~$ export OS_USERNAME=admin
sandeep@controller:~$ export OS_PASSWORD=<password>
sandeep@controller:~$ export OS_PROJECT_NAME=admin
sandeep@controller:~$ export OS_USER_DOMAIN_NAME=Default
sandeep@controller:~$ export OS_PROJECT_DOMAIN_NAME=Default
sandeep@controller:~$ export OS_AUTH_URL=http://controller:35357/v3
sandeep@controller:~$ export OS_IDENTITY_API_VERSION=3
sandeep@controller:~$ 

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects, users, and roles. As suggested on the source site, proceed with creating a service project and a demo project.

sandeep@controller:~$ openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | d521359c57884296be10cd597d3c111f |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
sandeep@controller:~$ openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 6710e31082a54074b3a6dce34d9933c5 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
sandeep@controller:~$ openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 3f4fb21c1b684611b16d564b440bfe3c |
| name                | demo                             |
| password_expires_at | None                             |
+---------------------+----------------------------------+
sandeep@controller:~$ openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | ca85732a04a44e14aea1139630eb4fb6 |
| name      | user                             |
+-----------+----------------------------------+
sandeep@controller:~$ openstack role add --project demo --user demo user
sandeep@controller:~$

Verify the Identity service functionality

Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:

sandeep@controller:~$ unset OS_AUTH_URL OS_PASSWORD
sandeep@controller:~$

As the admin user, request an authentication token:

sandeep@controller:~$ openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
Password: 
+------------+------------------------------------------------------------+
| Field      | Value                                                      |
+------------+------------------------------------------------------------+
| expires    | 2018-12-01 07:52:36+00:00                                  |
| id         | gAAAAABcAi-0FN0RbTZbO_sU7qmt0O48sGdIwPjoQ333WmcD51annahO9V |
|            | lP7QGnBCt5MaGRmX-I9zP03oo6SUoEnr27KvBrlkqOAutRCKDFCvwRaeSH |
|            | EGnAfzv1IiChP8NYCjBjsxcGwruFDK-1a1kS4NIrqAIUOhNokj4Ujrp5K7 |
|            | 8OVOPo-dg                                                  |
| project_id | a3e16bf71c96422eae74bc9f8c76c61b                           |
| user_id    | 1e6366fc80334706b2e57d37a706aa5c                           |
+------------+------------------------------------------------------------+
sandeep@controller:~$

As the demo user, request an authentication token:

sandeep@controller:~$ openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name demo --os-username demo token issue
Password:
+------------+------------------------------------------------------------+
| Field      | Value                                                      |
+------------+------------------------------------------------------------+
| expires    | 2018-12-01 07:53:17+00:00                                  |
| id         | gAAAAABcAi_dUwemfnY0MRJAvX83nW0bpMiQ_sU8rkXunh29MuYHOvjn5O |
|            | 6xPpNa3T1NASH97pkIjLtOgKY7Q9xq1OHErvg3R7MxOiXhKuatww-dz0WO |
|            | zDl70Juwn9bah9MwrNdUcgXI6uvXtO9ElkfAfyHFF5oGLn4hn1eR1Vqydw |
|            | 1H16mcBXw                                                  |
| project_id | 6710e31082a54074b3a6dce34d9933c5                           |
| user_id    | 3f4fb21c1b684611b16d564b440bfe3c                           |
+------------+------------------------------------------------------------+
sandeep@controller:~$
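As an added example that is neither part of the original post nor Keystone's own code, this decodes the envelope of the admin token issued above (Fernet format: version byte 0x80, 64-bit timestamp, 16-byte IV, AES-CBC ciphertext, HMAC-SHA256). Only the issue time is in the clear; everything else depends on the keys under /etc/keystone/fernet-keys, which is why that directory and an unexpired token deserve the same care as a password. Subtracting the decoded issue time from the expires field recovers the lifetime the server applied, Keystone's 3600-second [token] expiration default.

```python
import base64
import struct
from datetime import datetime, timezone

# The admin token from the `openstack token issue` output above, with the four
# wrapped table lines joined back together, and the expires field from the same output.
ADMIN_TOKEN = (
    "gAAAAABcAi-0FN0RbTZbO_sU7qmt0O48sGdIwPjoQ333WmcD51annahO9V"
    "lP7QGnBCt5MaGRmX-I9zP03oo6SUoEnr27KvBrlkqOAutRCKDFCvwRaeSH"
    "EGnAfzv1IiChP8NYCjBjsxcGwruFDK-1a1kS4NIrqAIUOhNokj4Ujrp5K7"
    "8OVOPo-dg"
)
ADMIN_TOKEN_EXPIRES = "2018-12-01 07:52:36+00:00"

def parse_fernet_envelope(token: str) -> dict:
    """Split a Fernet token into version | timestamp | IV | ciphertext | HMAC.
    No key is involved: this cannot decrypt, validate or forge a token."""
    # Keystone strips the base64 padding from issued tokens; restore it before decoding.
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if raw[0] != 0x80:
        raise ValueError("not a Fernet token (version byte is %#x)" % raw[0])
    if len(raw) < 57 or (len(raw) - 57) % 16:
        raise ValueError("truncated or corrupted token")
    (issued,) = struct.unpack(">Q", raw[1:9])   # 64-bit big-endian seconds since the epoch
    return {
        "version": raw[0],
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),
        "iv": raw[9:25].hex(),
        "ciphertext_len": len(raw) - 57,   # AES-CBC payload (user, scope, expiry, audit ids)
        "hmac": raw[-32:].hex(),           # HMAC-SHA256 over everything before it
    }

def token_lifetime_seconds(token: str, expires: str) -> int:
    """expires - issued_at, i.e. the [token] expiration the server applied."""
    issued_at = parse_fernet_envelope(token)["issued_at"]
    return int((datetime.fromisoformat(expires) - issued_at).total_seconds())
```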

Until now, environment variables and command-line options have been used to authenticate the openstack client operations.

OpenStack supports simple client environment scripts also known as OpenRC files. These scripts typically contain common options for all clients, but also support unique options.

Create client environment scripts for the admin and demo projects and users. Future portions of this guide reference these scripts to load appropriate credentials for client operations.

Create an admin-openrc file with the following contents:

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=<password>
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Create a demo-openrc file with the following contents:

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=<password>
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Load the admin-openrc file and issue an authentication token:

sandeep@controller:~$ . admin-openrc
sandeep@controller:~$ openstack token issue
+------------+--------------------------------------------------------+
| Field      | Value                                                  |
+------------+--------------------------------------------------------+
| expires    | 2018-12-01 09:58:32+00:00                              |
| id         | gAAAAABcAk04Schouir-G-C0SoBpT5g8UU1rm_8riwxQ2SQuEgMAd7 |
|            | lJS-5VuhtJONnZW42idvhv5JeyM9tYv68EgEnwkL543o2MC2pOl80a |
|            | aESeLyAlY4SZyRbcOSte__gSCOOH2EmuNeET0q-kpuvHl_yJf1wODC |
|            | 9nfEv9qPyLgkMFCy8MIyQ                                  |
| project_id | a3e16bf71c96422eae74bc9f8c76c61b                       |
| user_id    | 1e6366fc80334706b2e57d37a706aa5c                       |
+------------+--------------------------------------------------------+
sandeep@controller:~$