Turn on your cloud install openstack HAVANA keystone

Overview

All OpenStack services talk to each other through REST APIs (a REST API maps the HTTP methods GET, POST, PUT and DELETE onto read, create, update and delete operations). Each component depends on its API endpoint (nova-api, glance-api, cinder-api and so on), and all of these endpoints are exposed over HTTP.

The Identity Service (Keystone) works like this: the user presents a valid username/password combination and Keystone issues a token. The client caches that token and sends it with every subsequent OpenStack API request. Each API endpoint extracts the token from the request and validates it against Keystone, which confirms that the call is legitimate. The token is valid for a configured lifetime (the expiration setting in the [token] section of keystone.conf), so the password is checked once rather than on every request; imagine how long it would take to look up a username/password in MySQL for every single call. Two consequences follow from this design: the token is a bearer credential, so anyone who obtains it can act as that user until it expires, and the endpoints themselves need credentials to validate tokens, which is why the service users created further down exist.
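What that flow looks like on the wire, as an added example (not code from the original post): the client's POST to the public port and the endpoint's validation call to the admin port. The hostname controller, the user and tenant names, and the sample response are constructed; the token id extraction relies on Keystone returning compact single-line JSON.

```shell
#!/bin/sh
# Added example, not code from the original post: the Keystone v2.0 token
# exchange as a client and an API endpoint see it on the wire. The hostname
# "controller", the user/tenant names and SAMPLE_RESPONSE are constructed.

KEYSTONE_PUBLIC=${KEYSTONE_PUBLIC:-http://controller:5000/v2.0}  # assumed public URL
KEYSTONE_ADMIN=${KEYSTONE_ADMIN:-http://controller:35357/v2.0}   # assumed admin URL

# Body of the client's POST /v2.0/tokens. Scoping to a tenant is what makes
# the returned token carry the tenant's roles and a service catalog.
auth_body() {
  # $1 username  $2 password  $3 tenant name
  printf '{"auth": {"tenantName": "%s", "passwordCredentials": {"username": "%s", "password": "%s"}}}' \
    "$3" "$1" "$2"
}

# Pull access.token.id out of the one-line JSON Keystone returns. The match is
# anchored on the "token" object and may not cross braces, so it cannot pick
# up tenant.id, which is nested under the same object. Good enough for
# Keystone's compact output; a real client should use a JSON parser.
token_id_from_response() {
  grep -o '"token": *{[^{}]*"id": *"[^"]*"' | sed 's/.*"id": *"//; s/"$//'
}

# Client side: trade username/password for a token once, then cache and reuse it.
get_token() {
  curl -s -H 'Content-Type: application/json' \
       -d "$(auth_body "$1" "$2" "$3")" "$KEYSTONE_PUBLIC/tokens" | token_id_from_response
}

# Service side: nova-api, glance-api etc. validate the caller's token on the
# admin port. The caller's token goes in the path; X-Auth-Token carries the
# endpoint's own admin credential (the admin token, or a token of a service
# user holding the admin role). 200 means valid; 404 means Keystone does not
# know the token (bad or expired); 401 means the endpoint itself is not
# authorised to validate.
validate_token() {
  # $1 token to check  $2 the endpoint's admin/service token
  curl -s -o /dev/null -w '%{http_code}' -H "X-Auth-Token: $2" "$KEYSTONE_ADMIN/tokens/$1"
}

# Constructed sample of a scoped token response (catalog omitted), in the
# field order Keystone uses.
SAMPLE_RESPONSE='{"access": {"token": {"issued_at": "2013-11-01T10:00:00.000000", "expires": "2013-11-02T10:00:00Z", "id": "c0ffee0123456789", "tenant": {"description": "UAT", "enabled": true, "id": "9f0a1b2c3d4e5f60", "name": "UAT"}}, "serviceCatalog": [], "user": {"username": "ryan", "roles": [{"name": "admin"}], "id": "7e8d9c0b1a2f3e4d", "name": "ryan"}}}'

# Live run against a reachable Keystone: ./token-exchange.sh live
if [ "${1:-}" = "live" ]; then
  TOKEN=$(get_token ryan "$OS_PASSWORD" UAT)
  echo "token $TOKEN validates with HTTP $(validate_token "$TOKEN" "$ADMIN_TOKEN")"
fi
```

The split between port 5000 and port 35357 is the point to notice: users only ever need the public port, while the validation call needs the admin port and an admin credential, which is why the admin port should be reachable only from the nodes that run API endpoints.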


Now that we understand how Keystone works, let's install it.

On the Controller Node

Install the MySQL server, adjust its settings and restart it.

Install the Keystone package.

Create the database to be used by Keystone.

The first challenge is to authenticate against Keystone without a username and password. Just after the install the database is empty and there is no user to authenticate as, yet you must authenticate before you can talk to Keystone and create users. Keystone solves this with an admin token (also called the service token): a shared secret sent directly to the admin port of the Identity Service (35357, also called the service port) that bypasses authentication entirely. It is configured in /etc/keystone/keystone.conf, as follows. Treat it like a root password: choose a long random value rather than a word, and keep it out of shell history and world-readable files.

Edit the Keystone config file and put in the admin token along with the MySQL connection details.

Restart the Keystone service.

Populate the Keystone database with the schema.

Next, install the Keystone client, which provides the binary used to interact with Keystone.

Now we can use the keystone client binary to create new users and tenants. To authenticate, export the service token and service endpoint as the environment variables OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT. (This is only needed initially, while the database has no users; once real users exist, unset both, because the client prefers them over a username and password whenever they are set.)
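The bootstrap steps above collected into one script, as an added example rather than the post's own commands. It assumes a controller hostname of controller, a MySQL password passed as KEYSTONE_DBPASS, Ubuntu-style service management (service keystone restart) and the Havana layout of keystone.conf; it also includes the hardening step the post does not mention, disabling the admin token once real users exist.

```shell
#!/bin/sh
# Added example, not code from the original post: the bootstrap steps as a
# script, plus the hardening step that follows them. The controller hostname,
# passwords and file paths are assumptions; adjust for your install.
set -eu

CONTROLLER=${CONTROLLER:-controller}                 # assumed controller hostname
KEYSTONE_DBPASS=${KEYSTONE_DBPASS:-change-me}        # assumed MySQL password for keystone
PASTE_INI=${PASTE_INI:-/etc/keystone/keystone-paste.ini}

# The admin token bypasses authentication outright on port 35357, so it must
# be random, not a word like "ADMIN".
gen_admin_token() { openssl rand -hex 16; }

# The two keystone.conf settings this step edits, rendered to stdout so they
# can be reviewed before being merged into /etc/keystone/keystone.conf. Havana
# keeps the database URL under [sql]; later releases moved it to [database].
render_bootstrap_conf() {
  # $1 admin token  $2 DB password  $3 DB host
  printf '[DEFAULT]\nadmin_token = %s\n\n[sql]\nconnection = mysql://keystone:%s@%s/keystone\n' \
    "$1" "$2" "$3"
}

# Create the database plus a keystone account for local and remote clients.
create_db() {
  mysql -u root -p <<EOF
CREATE DATABASE IF NOT EXISTS keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '$KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '$KEYSTONE_DBPASS';
EOF
}

# What the keystone client needs while no user exists yet. While these two are
# exported the client ignores OS_USERNAME/OS_PASSWORD, so unset them afterwards.
bootstrap_env() {
  export OS_SERVICE_TOKEN="$1"
  export OS_SERVICE_ENDPOINT="http://$CONTROLLER:35357/v2.0"
}

# Hardening once real admin users exist: remove admin_token_auth from every
# pipeline in keystone-paste.ini so the shared secret stops being accepted.
# Filter on stdin/stdout; run it over $PASTE_INI after checking the output.
strip_admin_token_filter() {
  sed -e '/^pipeline *=/ s/ admin_token_auth//'
}

# Live run: ./keystone-bootstrap.sh run
if [ "${1:-}" = "run" ]; then
  ADMIN_TOKEN=$(gen_admin_token)
  create_db
  render_bootstrap_conf "$ADMIN_TOKEN" "$KEYSTONE_DBPASS" "$CONTROLLER"  # merge into keystone.conf
  service keystone restart
  keystone-manage db_sync
  bootstrap_env "$ADMIN_TOKEN"
  keystone tenant-list          # an empty table proves token and endpoint work
fi
```

After the users and roles below exist, run the contents of keystone-paste.ini through strip_admin_token_filter, restart Keystone and confirm that a request with only X-Auth-Token set to the old admin token is now rejected.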

Create a new role for administrative purposes.

Now let's create a tenant. A tenant is nothing but a project; you create a new tenant for each new project. I am creating a tenant for my UAT environment.

Now we will create a new user to manage this tenant. Note that we need to pass the newly created tenant's ID when creating a user for the tenant; use the keystone tenant-list command to find it.

Next, add user ryan to the admin role for the tenant UAT. Use keystone user-list to find the user ID for ryan.

Next we need to add the various services to the service catalog. The catalog holds, for every service, its name, type and endpoint URLs; clients look these up after authenticating, so a user never has to know where nova-api or glance-api runs. (These services also authenticate against Keystone themselves, using the service users created further below.)

Let's create the endpoints next. Find the service IDs using keystone service-list. Each endpoint belongs to a region, which is nothing but a geographically separate location; a single-site install uses one region. Every service gets a public, an internal and an admin URL; for Keystone the admin URL points at port 35357 rather than 5000.

Next we need to create users for each component. The respective services use these users to authenticate and perform tasks; for example, to spawn a new machine the nova component authenticates as the nova user and asks glance for the image used to create the instance. We also create a service tenant to be used specifically by these services and add all the service users to the admin role for that tenant. Give each service user its own password: these credentials end up in each component's config file, so a shared password means one compromised node exposes every service.

Create a new Service Tenant for the services.

Create users for each of the components

Get the nova user ID

Get the admin role ID

Assign the nova user the admin role in the service tenant

Get the glance user ID

Assign the glance user the admin role in the service tenant

Get the keystone user ID

Assign the keystone user the admin role in the service tenant

Get the cinder user ID

Assign the cinder user the admin role in the service tenant

Get the neutron user ID

Assign the neutron user the admin role in the service tenant

Get the heat user ID

Assign the heat user the admin role in the service tenant

Get the ceilometer user ID

Assign the ceilometer user the admin role in the service tenant
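The role, tenant, user, service and endpoint steps, from creating the admin role down to the last grant, as one added script (not the post's own commands). It assumes OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT are exported, the controller hostname controller, the region name RegionOne, the standard Havana ports and URL paths for each service, and placeholder passwords and e-mail addresses. Its table_lookup function replaces the repeated "get the ID, then use it" steps with one name-to-ID resolver over the tables the keystone client prints.

```shell
#!/bin/sh
# Added example, not code from the original post: the role, tenant, user,
# service and endpoint steps as one script. Assumes OS_SERVICE_TOKEN and
# OS_SERVICE_ENDPOINT are exported; hostname, region, passwords and e-mail
# addresses below are placeholders.
set -eu

CONTROLLER=${CONTROLLER:-controller}
RYAN_PASS=${RYAN_PASS:-change-me}            # assumed
SERVICE_PASS=${SERVICE_PASS:-change-me-too}  # assumed; use one per service in production

# Resolve a name to its id in the "| id | name | ... |" tables that
# tenant-list, user-list, role-list and service-list all print. Comparing the
# whole name column (not a loose regex) means "nova" cannot match "nova-ec2".
table_lookup() {
  awk -F'|' -v want="$1" 'NF >= 4 {
    id = $2; name = $3
    gsub(/^[ \t]+|[ \t]+$/, "", id); gsub(/^[ \t]+|[ \t]+$/, "", name)
    if (name == want) { print id; exit }
  }'
}
id_of() { keystone "$1-list" | table_lookup "$2"; }

# Grant a role in a tenant; the Havana client accepts names here, so no id lookup.
grant() { keystone user-role-add --user "$1" --tenant "$2" --role "$3"; }

create_identity() {
  keystone role-create --name admin
  keystone tenant-create --name UAT --description "UAT environment"
  keystone user-create --name ryan --tenant-id "$(id_of tenant UAT)" \
    --pass "$RYAN_PASS" --email ryan@example.com
  grant ryan UAT admin

  # One service tenant; one user per component, admin in that tenant only.
  keystone tenant-create --name service --description "Service tenant"
  for svc in nova glance keystone cinder neutron heat ceilometer; do
    keystone user-create --name "$svc" --tenant-id "$(id_of tenant service)" \
      --pass "$SERVICE_PASS" --email "$svc@example.com"
    grant "$svc" service admin
  done
}

# Service catalog. Columns: name, type, port, URL path ("-" for none), admin
# port. Only Keystone's admin API lives on a separate port (35357).
create_catalog() {
  while read -r name type port path adminport; do
    case $path in -) path= ;; esac
    keystone service-create --name "$name" --type "$type" --description "$name"
    sid=$(id_of service "$name")
    keystone endpoint-create --region RegionOne --service-id "$sid" \
      --publicurl   "http://$CONTROLLER:$port$path" \
      --internalurl "http://$CONTROLLER:$port$path" \
      --adminurl    "http://$CONTROLLER:$adminport$path"
  done <<EOF
keystone identity 5000 /v2.0 35357
nova compute 8774 /v2/%(tenant_id)s 8774
glance image 9292 - 9292
cinder volume 8776 /v1/%(tenant_id)s 8776
neutron network 9696 - 9696
heat orchestration 8004 /v1/%(tenant_id)s 8004
ceilometer metering 8777 - 8777
EOF
}

# Live run: ./keystone-populate.sh run
if [ "${1:-}" = "run" ]; then
  create_identity
  create_catalog
fi
```

The %(tenant_id)s placeholders are substituted by Keystone when it builds a user's catalog, which is how nova and cinder URLs end up scoped to the caller's tenant.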

Keystone is now set up and should be working. How to test it? Ask for a token as ryan, who holds the admin role. Before asking for one, create a credentials file, which is nothing more than a set of environment variables naming the tenant, username, password and Keystone endpoint (OS_TENANT_NAME, OS_USERNAME, OS_PASSWORD and OS_AUTH_URL). Two things to get right: unset OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT first, otherwise the client keeps bypassing password authentication and the test proves nothing; and since the file holds a plaintext password, make it readable only by you.

Log out and log back in. Moment of truth.
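The credentials file and the token check, as an added example (not the post's own file). The file location, the hostname controller, the password and the sample token-get table are assumptions; token_ok is stricter than eyeballing the output, since it checks that the token is scoped to a tenant and not yet expired.

```shell
#!/bin/sh
# Added example, not code from the original post: write the credentials file
# and check the token it yields. Path, hostname, password and the sample
# table used in the check are assumptions.

# The first line is the important one: while OS_SERVICE_TOKEN and
# OS_SERVICE_ENDPOINT are exported, the client bypasses password auth and
# the test below would say nothing about ryan's password.
render_openrc() {
  # $1 user  $2 tenant  $3 password  $4 controller host
  printf 'unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT\nexport OS_USERNAME=%s\nexport OS_TENANT_NAME=%s\nexport OS_PASSWORD=%s\nexport OS_AUTH_URL=http://%s:5000/v2.0\n' \
    "$1" "$2" "$3" "$4"
}

# Read one property from the "| Property | Value |" table `keystone token-get` prints.
prop_of() {
  awk -F'|' -v want="$1" 'NF >= 4 {
    k = $2; v = $3
    gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
    if (k == want) { print v; exit }
  }'
}

# Pass a token-get table on stdin and the current UTC time as
# YYYY-MM-DDTHH:MM:SSZ. Succeeds only if the token is scoped to a tenant (so
# it carries roles) and has not already expired. Plain string comparison is
# valid because Keystone's timestamps are fixed-width ISO-8601 in UTC.
token_ok() {
  table=$(cat)
  tenant=$(printf '%s\n' "$table" | prop_of tenant_id)
  expires=$(printf '%s\n' "$table" | prop_of expires)
  [ -n "$tenant" ] && awk -v e="$expires" -v now="$1" 'BEGIN { exit !(e > now) }'
}

# Live run: ./openrc-check.sh live
if [ "${1:-}" = "live" ]; then
  render_openrc ryan UAT "${RYAN_PASS:-change-me}" controller > "$HOME/uat-openrc"
  chmod 600 "$HOME/uat-openrc"            # it holds a plaintext password
  . "$HOME/uat-openrc"
  keystone token-get | token_ok "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
    && echo "scoped, unexpired token for $OS_USERNAME in $OS_TENANT_NAME"
fi
```

If token-get succeeds but token_ok fails on the tenant check, the file is missing OS_TENANT_NAME and you have an unscoped token, which carries no roles and will be refused by every other service.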


Congratulations, you have a working Keystone instance. Next we will work on Glance.