OpenStack installation: Keystone (Authentication Services)

Content from “”, listed here with minor changes – just noting down what I did – online notes.

Create the database user and privileges for the keystone service (run in the MySQL client)

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '{password}';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '{password}';

The Apache HTTP server handles the authentication requests, so install it along with keystone

apt install --assume-yes keystone apache2 libapache2-mod-wsgi

Update the configuration file: edit /etc/keystone/keystone.conf and make the following changes. Note the section names under which each option belongs

[database]
# ...
connection = mysql+pymysql://keystone:{password}@controller/keystone

[token]
# ...
provider = fernet

Note: comment out any other connection option in the [database] section.
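As an added example (not part of the original notes), the check below reads keystone.conf section by section and reports exactly the things this step asks for: a missing, duplicated or non-mysql+pymysql `connection` under `[database]`, and a `[token]` `provider` other than fernet. The sample contents it ships with are constructed; the sqlite line is the default connection the Ubuntu package installs, and PLACEHOLDER stands for {password}.

```shell
#!/bin/sh
# Added example (not part of the original notes): a quick check that
# keystone.conf carries the settings this page sets, in the right sections.
# It reports:
#   - a missing, duplicated or non-mysql+pymysql "connection" in [database]
#     (the Ubuntu package ships an active sqlite connection line that must
#     be commented out, otherwise two connection options are active)
#   - a [token] "provider" that is not fernet
# Exit status is 0 only when everything checks out.
check_keystone_conf() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }              # comments and blank lines
        /^[ \t]*\[.*\][ \t]*$/ {                        # [section] header
            sub(/^[ \t]*\[/, ""); sub(/\].*$/, "")
            section = $0; next
        }
        {
            eq = index($0, "=")
            if (eq == 0) next
            key = substr($0, 1, eq - 1); gsub(/[ \t]/, "", key)
            val = substr($0, eq + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (section == "database" && key == "connection") {
                conns++
                if (val !~ /^mysql\+pymysql:\/\//)
                    print "[database] connection is not mysql+pymysql: " val
            }
            if (section == "token" && key == "provider") provider = val
        }
        END {
            rc = 0
            if (conns == 0) { print "[database] has no active connection option"; rc = 1 }
            if (conns > 1)  { print "[database] has " conns " active connection options; comment out all but one"; rc = 1 }
            if (provider != "fernet") { print "[token] provider is \"" provider "\", expected fernet"; rc = 1 }
            exit rc
        }' "$1"
}

# Constructed sample contents for trying the check offline (not a real
# keystone.conf); PLACEHOLDER stands for {password}.
sample_keystone_conf() {
    case "$1" in
        good) printf '%s\n' '[DEFAULT]' '' '[database]' \
                '# connection = sqlite:////var/lib/keystone/keystone.db' \
                'connection = mysql+pymysql://keystone:PLACEHOLDER@controller/keystone' \
                '' '[token]' 'provider = fernet' ;;
        bad)  printf '%s\n' '[database]' \
                'connection = sqlite:////var/lib/keystone/keystone.db' \
                'connection = mysql+pymysql://keystone:PLACEHOLDER@controller/keystone' \
                '[token]' 'provider = uuid' ;;
    esac
}

# Usage on the controller:  check_keystone_conf /etc/keystone/keystone.conf && echo "keystone.conf OK"
```

The awk program tracks the current `[section]` as it goes, so a `connection` line that sits in another section is ignored rather than counted, which is the mistake the note above is guarding against.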

Populate the identity service database and initialize fernet key repositories

# su -s /bin/sh -c "keystone-manage db_sync" keystone
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the identity service (this also creates the default domain)

keystone-manage bootstrap --bootstrap-password {password} \
    --bootstrap-admin-url http://controller:5000/v3/ \
    --bootstrap-internal-url http://controller:5000/v3/ \
    --bootstrap-public-url http://controller:5000/v3/ \
    --bootstrap-region-id RegionOne

Edit /etc/apache2/apache2.conf and set the ServerName option to the controller node (add it if not already present)

ServerName controller

Restart apache (which serves keystone)

# service apache2 restart

When using the openstack client, the username, password, authentication URL, domain and so on have to be supplied on every operation, either as command-line parameters or through the openstack client's environment variables. To avoid passing them on the command line every time, create the client environment script ‘admin-openrc’ with the following contents

export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD={password}
export OS_AUTH_URL=http://controller:5000/v3

Load the client environment variables (as a regular user, not as root)

$ . admin-openrc
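Because admin-openrc holds the admin password in clear text and is sourced into the shell, it is worth checking before use. The function below is an added example (not part of the original notes): it inspects the file with grep and sed instead of sourcing it, so the check never executes anything the file contains, and it reports a missing or empty variable, an OS_AUTH_URL that does not point at the v3 API, and a file mode that lets other users read it. The sample contents are constructed, with PLACEHOLDER standing for the real password.

```shell
#!/bin/sh
# Added example (not part of the original notes): checks an openrc file
# before you source it. It reads the file with grep/sed rather than sourcing
# it, so a check never executes whatever the file contains, and verifies:
#   - every variable the openstack client needs is exported with a value
#   - OS_AUTH_URL points at the Identity v3 API
#   - the file is not group- or world-readable, since it holds the admin
#     password in clear text
# Exit status is 0 only when all checks pass; each finding is printed.
check_openrc() {
    rc_file="$1"
    rc=0
    for v in OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME OS_PASSWORD OS_AUTH_URL; do
        if ! grep -Eq "^[[:space:]]*export[[:space:]]+$v=." "$rc_file"; then
            echo "missing or empty: $v"
            rc=1
        fi
    done
    # Last assignment wins, as it would when sourcing; strip surrounding quotes.
    auth_url=$(sed -n 's/^[[:space:]]*export[[:space:]]*OS_AUTH_URL=//p' "$rc_file" | tail -n 1 | tr -d "\"'")
    case "$auth_url" in
        http://*/v3|http://*/v3/|https://*/v3|https://*/v3/) ;;
        *) echo "OS_AUTH_URL should end in /v3 (found: '$auth_url')"; rc=1 ;;
    esac
    # GNU stat first, BSD stat as fallback; only the owner should have any access.
    perms=$(stat -c '%a' "$rc_file" 2>/dev/null || stat -f '%Lp' "$rc_file")
    case "$perms" in
        *00) ;;
        *) echo "$rc_file is mode $perms; it holds a password, so chmod 600 it"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample openrc contents for trying the check offline
# (PLACEHOLDER stands for the real password).
sample_openrc() {
    case "$1" in
        good) printf 'export %s\n' OS_USER_DOMAIN_NAME=Default OS_PROJECT_NAME=admin \
                OS_USERNAME=admin OS_PASSWORD=PLACEHOLDER OS_AUTH_URL=http://controller:5000/v3 ;;
        bad)  printf 'export %s\n' OS_USER_DOMAIN_NAME=Default OS_PROJECT_NAME=admin \
                OS_USERNAME=admin OS_PASSWORD= OS_AUTH_URL=http://controller:5000/v2.0 ;;
    esac
}

# Usage on the controller:  check_openrc ~/admin-openrc && . ~/admin-openrc
```

Run it as `check_openrc ~/admin-openrc && . ~/admin-openrc` so the file is only sourced once it passes; the mode check is the one most often missed, since a file created with the default umask is usually readable by every local user.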

Create a ‘service’ project to hold a unique user for each service that will be added to the environment

sandeep@controller:~$ openstack project create --domain default --description "Service Project" service

| Field | Value |
|---|---|
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 7a9d86ac1bde48eea52ebb562599c9d3 |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |

Verify that the keystone service works by requesting a token

sandeep@controller:~$ openstack token issue

| Field | Value |
|---|---|
| expires | 2019-01-14T13:36:17+0000 |
| id | gAAAAABcPIJBUrlkBTiqVwkyhmKirFSx5Wnod-4YFeMAAayv2tr_W0nNJgmy_ThI0zyFb0HJ7SweBewFYxlYinymw0DA8iIQIyGU3tqm-9JNj7ZZUS8t4Gr3ndOCzccRYi9NdLXZOhlq8Ye6L1uGqyA0bQjbGZSSSkE_iqunWyysWRjNDTgo9UQ |
| project_id | fa8d2cf9a9ca4ed79c3379de4f215a30 |
| user_id | 580026fd75d3441c9d10c247e1bdf814 |
