This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For performance, this configuration deploys the Apache HTTP server to handle requests and Memcached to store tokens instead of an SQL database.
Before you configure the OpenStack Identity service, you must create a database and an administration token.
To create the database, complete the following actions:
Use the database access client to connect to the database server as the root user:
$ mysql -u root -p
Create the keystone database:
CREATE DATABASE keystone;
Grant proper access to the keystone database:
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace KEYSTONE_DBPASS with a suitable password.
Exit the database access client.
Generate a random value to use as the administration token during initial configuration:
$ openssl rand -hex 10
Note
Default configuration files vary by distribution. You might need to add these sections and options rather than modifying existing sections and options. Also, an ellipsis (...) in the configuration snippets indicates potential default configuration options that you should retain.
Note
In Kilo and Liberty releases, the keystone project deprecates eventlet in favor of a separate web server with WSGI extensions. This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on port 5000 and 35357. By default, the keystone service still listens on ports 5000 and 35357. Therefore, this guide disables the keystone service. The keystone project plans to remove eventlet support in Mitaka.
Run the following command to install the packages:
# zypper install openstack-keystone apache2-mod_wsgi \
memcached python-python-memcached
Start the Memcached service and configure it to start when the system boots:
# systemctl enable memcached.service
# systemctl start memcached.service
Edit the /etc/keystone/keystone.conf file and complete the following actions:
In the [DEFAULT] section, define the value of the initial administration token:
[DEFAULT]
...
admin_token = ADMIN_TOKEN
Replace ADMIN_TOKEN with the random value that you generated in a previous step.
In the [database] section, configure database access:
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace KEYSTONE_DBPASS with the password you chose for the database.
In the [memcache] section, configure the Memcached service:
[memcache]
...
servers = localhost:11211
In the [token] section, configure the UUID token provider and Memcached driver:
[token]
...
provider = uuid
driver = memcache
In the [revoke] section, configure the SQL revocation driver:
[revoke]
...
driver = sql
(Optional) To assist with troubleshooting, enable verbose logging in the [DEFAULT] section:
[DEFAULT]
...
verbose = True
Populate the Identity service database:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Edit the /etc/sysconfig/apache2 file and configure the APACHE_SERVERNAME option to reference the controller node:
APACHE_SERVERNAME="controller"
Create the /etc/apache2/conf.d/wsgi-keystone.conf file with the following content:
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
Recursively change the ownership of the /etc/keystone directory:
# chown -R keystone:keystone /etc/keystone
Activate the Apache module mod_version:
# a2enmod version
Start the Apache HTTP service and configure it to start when the system boots:
# systemctl enable apache2.service
# systemctl start apache2.service
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.