mirror of
https://github.com/clearlinux/clear-linux-documentation.git
synced 2026-05-14 10:53:55 +00:00
418 lines
16 KiB
ReStructuredText
418 lines
16 KiB
ReStructuredText
.. _openstack_identity:
|
|
|
|
Identity Service
|
|
###################
|
|
|
|
The OpenStack Identity service provides a single point of integration for
|
|
managing authentication, authorization, and service catalog services.
|
|
Additionally, it provides information about users but that are not included in
|
|
OpenStack (such as LDAP services) can be integrated into a pre-existing
|
|
infrastructure.
|
|
|
|
When installing OpenStack Identity service, you must register each
|
|
service in your OpenStack installation. Identity service can then track
|
|
which OpenStack services are installed and where they are located on
|
|
the network.
|
|
|
|
Install and configure
|
|
~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
This section describes how to install and configure the OpenStack
|
|
Identity service, code-named keystone, on the controller node. For
|
|
performance, this configuration deploys the Nginx* HTTP server to handle
|
|
requests.
|
|
|
|
Prerequisites
|
|
-------------
|
|
|
|
Before you configure the OpenStack Identity service, you must create a
|
|
database and an administration token.
|
|
|
|
#. To create the database, complete the following actions:
|
|
|
|
* Use the database access client to connect to the database server as the
|
|
``root`` user.::
|
|
|
|
$ mysql -u root -p
|
|
|
|
* Create the ``keystone`` database.::
|
|
|
|
CREATE DATABASE keystone;
|
|
|
|
* Grant proper access to the ``keystone`` databaseReplace ``KEYSTONE_DBPASS``
|
|
with a suitable password.::
|
|
|
|
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
|
|
IDENTIFIED BY 'KEYSTONE_DBPASS';
|
|
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
|
|
IDENTIFIED BY 'KEYSTONE_DBPASS';
|
|
|
|
|
|
* Exit the database access client.
|
|
|
|
#. Generate a random value to use as the administration token during
|
|
initial configuration::
|
|
|
|
$ openssl rand -hex 10
|
|
|
|
Install and configure components
|
|
--------------------------------
|
|
|
|
#. Run the following command to install the packages.::
|
|
|
|
# swupd bundle-add openstack-identity
|
|
# swupd verify --fix
|
|
|
|
#. Custom configurations will be located at ``/etc/keystone/``.
|
|
|
|
* Create the ``/etc/keystone`` directory.::
|
|
|
|
# mkdir /etc/keystone
|
|
|
|
* Create keystone configuration file ``/etc/keystone/keystone.conf``.::
|
|
|
|
# touch /etc/keystone/keystone.conf
|
|
|
|
#. Edit the ``/etc/keystone/keystone.conf`` file and complete the following
|
|
actions:
|
|
|
|
* In the ``[DEFAULT]`` section, define the value of the initial
|
|
administration token. Replace ``ADMIN_TOKEN`` with the random value that
|
|
you generated in a previous step.::
|
|
|
|
[DEFAULT]
|
|
...
|
|
admin_token = ADMIN_TOKEN
|
|
|
|
* In the ``[database]`` section, configure database access. Replace
|
|
``KEYSTONE_DBPASS`` with the password you chose for the database.::
|
|
|
|
[database]
|
|
...
|
|
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
|
|
|
|
|
|
#. Ensure files have proper ownership by running the following command::
|
|
|
|
# systemctl restart update-triggers.target
|
|
|
|
#. Populate the Identity service database::
|
|
|
|
# su -s /bin/sh -c "keystone-manage db_sync" keystone
|
|
|
|
Finalize the installation
|
|
-------------------------
|
|
|
|
#. Keystone is deployed as a uwsgi module. To start the Identity
|
|
service, you should enable and start the nginx service.::
|
|
|
|
# systemctl enable nginx uwsgi@keystone-admin.socket \
|
|
uwsgi@keystone-public.socket
|
|
|
|
# systemctl start nginx uwsgi@keystone-admin.socket \
|
|
uwsgi@keystone-public.socket
|
|
|
|
|
|
Create the service entity and API endpoints
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
The Identity service provides a catalog of services and their locations.
|
|
Each service that you add to your OpenStack environment requires a
|
|
service entity and several API endpoints in the catalog.
|
|
|
|
Prerequisites
|
|
-------------
|
|
|
|
You must pass the value of the authentication token to the `openstack`
|
|
command with the ``--os-token`` parameter or set the OS_TOKEN
|
|
environment variable. Similarly, you must also pass the value of the
|
|
Identity service URL to the `openstack` command with the ``--os-url``
|
|
parameter or set the OS_URL environment variable. This guide uses
|
|
environment variables to reduce command length.
|
|
|
|
#. Configure the authentication token::
|
|
|
|
$ export OS_TOKEN=ADMIN_TOKEN
|
|
|
|
Replace ``ADMIN_TOKEN`` with the authentication token that you
|
|
generated before. For example::
|
|
|
|
$ export OS_TOKEN=294a4c8a8a475f9b9836
|
|
|
|
#. Configure the endpoint URL::
|
|
|
|
$ export OS_URL=http://controller:35357/v3
|
|
|
|
#. Configure the Identity API version::
|
|
|
|
$ export OS_IDENTITY_API_VERSION=3
|
|
|
|
#. Install the OpenStack Python clients bundle::
|
|
|
|
# swupd bundle-add openstack-python-clients
|
|
# swupd verify --fix
|
|
|
|
|
|
Create the service entity and API endpoints
|
|
-------------------------------------------
|
|
|
|
|
|
#. The Identity service manages a catalog of services in your OpenStack
|
|
environment. Services use this catalog to determine the other services
|
|
available in your environment.
|
|
|
|
Create the service entity for the Identity service::
|
|
|
|
$ openstack service create \
|
|
--name keystone --description "OpenStack Identity" identity
|
|
+-------------+----------------------------------+
|
|
| Field | Value |
|
|
+-------------+----------------------------------+
|
|
| description | OpenStack Identity |
|
|
| enabled | True |
|
|
| id | 4ddaae90388b4ebc9d252ec2252d8d10 |
|
|
| name | keystone |
|
|
| type | identity |
|
|
+-------------+----------------------------------+
|
|
|
|
#. The Identity service manages a catalog of API endpoints associated with
|
|
the services in your OpenStack environment. Services use this catalog to
|
|
determine how to communicate with other services in your environment.
|
|
|
|
OpenStack uses three API endpoint variants for each service: admin,
|
|
internal, and public. The admin API endpoint allows modifying users and
|
|
tenants by default, while the public and internal APIs do not allow these
|
|
operations. In a production environment, the variants might reside on
|
|
separate networks that service different types of users for security
|
|
reasons. For instance, the public API network might be visible from the
|
|
Internet so customers can manage their clouds. The admin API network
|
|
might be restricted to operators within the organization that manages
|
|
cloud infrastructure. The internal API network might be restricted to
|
|
the hosts that contain OpenStack services. Also, OpenStack supports
|
|
multiple regions for scalability. For simplicity, this guide uses the
|
|
management network for all endpoint variations and the default
|
|
``RegionOne`` region.
|
|
|
|
Create the Identity service API endpoints::
|
|
|
|
$ openstack endpoint create --region RegionOne \
|
|
identity public http://controller:5000/v3
|
|
+--------------+----------------------------------+
|
|
| Field | Value |
|
|
+--------------+----------------------------------+
|
|
| enabled | True |
|
|
| id | 30fff543e7dc4b7d9a0fb13791b78bf4 |
|
|
| interface | public |
|
|
| region | RegionOne |
|
|
| region_id | RegionOne |
|
|
| service_id | 8c8c0927262a45ad9066cfe70d46892c |
|
|
| service_name | keystone |
|
|
| service_type | identity |
|
|
| url | http://controller:5000/v3 |
|
|
+--------------+----------------------------------+
|
|
|
|
$ openstack endpoint create --region RegionOne \
|
|
identity internal http://controller:5000/v3
|
|
+--------------+----------------------------------+
|
|
| Field | Value |
|
|
+--------------+----------------------------------+
|
|
| enabled | True |
|
|
| id | 57cfa543e7dc4b712c0ab137911bc4fe |
|
|
| interface | internal |
|
|
| region | RegionOne |
|
|
| region_id | RegionOne |
|
|
| service_id | 6f8de927262ac12f6066cfe70d99ac51 |
|
|
| service_name | keystone |
|
|
| service_type | identity |
|
|
| url | http://controller:5000/v3 |
|
|
+--------------+----------------------------------+
|
|
|
|
$ openstack endpoint create --region RegionOne \
|
|
identity admin http://controller:35357/v3
|
|
+--------------+----------------------------------+
|
|
| Field | Value |
|
|
+--------------+----------------------------------+
|
|
| enabled | True |
|
|
| id | 78c3dfa3e7dc44c98ab1b1379122ecb1 |
|
|
| interface | admin |
|
|
| region | RegionOne |
|
|
| region_id | RegionOne |
|
|
| service_id | 34ab3d27262ac449cba6cfe704dbc11f |
|
|
| service_name | keystone |
|
|
| service_type | identity |
|
|
| url | http://controller:35357/v3 |
|
|
+--------------+----------------------------------+
|
|
|
|
Creating projects, users and roles
|
|
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
|
|
|
|
Complete the following steps to create projects, users and roles:
|
|
|
|
#. Create an administrative project, user, and role for administrative
|
|
operations in your environment:
|
|
|
|
* Create the ``admin`` project::
|
|
|
|
$ openstack project create --domain default \
|
|
--description "Admin Project" admin
|
|
+-------------+----------------------------------+
|
|
| Field | Value |
|
|
+-------------+----------------------------------+
|
|
| description | Admin Project |
|
|
| domain_id | default |
|
|
| enabled | True |
|
|
| id | 343d245e850143a096806dfaefa9afdc |
|
|
| is_domain | False |
|
|
| name | admin |
|
|
| parent_id | None |
|
|
+-------------+----------------------------------+
|
|
|
|
* Create the ``admin`` user::
|
|
|
|
$ openstack user create --domain default \
|
|
--password-prompt admin
|
|
User Password:
|
|
Repeat User Password:
|
|
+-----------+----------------------------------+
|
|
| Field | Value |
|
|
+-----------+----------------------------------+
|
|
| domain_id | default |
|
|
| email | admin@example.com |
|
|
| enabled | True |
|
|
| id | ac3377633149401296f6c0d92d79dc16 |
|
|
| name | admin |
|
|
+-----------+----------------------------------+
|
|
|
|
* Create the ``admin`` role::
|
|
|
|
$ openstack role create admin
|
|
+-------+----------------------------------+
|
|
| Field | Value |
|
|
+-------+----------------------------------+
|
|
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
|
|
| name | admin |
|
|
+-------+----------------------------------+
|
|
|
|
* Add the ``admin`` role to the ``admin`` project and user::
|
|
|
|
$ openstack role add --project admin --user admin admin
|
|
|
|
#. This guide uses a service project that contains a unique user for each
|
|
service that you add to your environment. Create the ``service``
|
|
project::
|
|
|
|
$ openstack project create --domain default \
|
|
--description "Service Project" service
|
|
+-------------+----------------------------------+
|
|
| Field | Value |
|
|
+-------------+----------------------------------+
|
|
| description | Service Project |
|
|
| domain_id | default |
|
|
| enabled | True |
|
|
| id | 894cdfa366d34e9d835d3de01e752262 |
|
|
| is_domain | False |
|
|
| name | service |
|
|
| parent_id | None |
|
|
+-------------+----------------------------------+
|
|
|
|
#. Regular (non-admin) tasks should use an unprivileged project and user.
|
|
As an example, this guide creates the ``demo`` project and user.
|
|
|
|
* Create the ``demo`` project::
|
|
|
|
$ openstack project create --domain default \
|
|
--description "Demo Project" demo
|
|
+-------------+----------------------------------+
|
|
| Field | Value |
|
|
+-------------+----------------------------------+
|
|
| description | Demo Project |
|
|
| domain_id | default |
|
|
| enabled | True |
|
|
| id | ed0b60bf607743088218b0a533d5943f |
|
|
| is_domain | False |
|
|
| name | demo |
|
|
| parent_id | None |
|
|
+-------------+----------------------------------+
|
|
|
|
* Create the ``demo`` user::
|
|
|
|
$ openstack user create --domain default \
|
|
--password-prompt demo
|
|
User Password:
|
|
Repeat User Password:
|
|
+-----------+----------------------------------+
|
|
| Field | Value |
|
|
+-----------+----------------------------------+
|
|
| domain_id | default |
|
|
| email | demo@example.com |
|
|
| enabled | True |
|
|
| id | 58126687cbcc4888bfa9ab73a2256f27 |
|
|
| name | demo |
|
|
+-----------+----------------------------------+
|
|
|
|
* Create the ``user`` role::
|
|
|
|
$ openstack role create user
|
|
+-------+----------------------------------+
|
|
| Field | Value |
|
|
+-------+----------------------------------+
|
|
| id | 997ce8d05fc143ac97d83fdfb5998552 |
|
|
| name | user |
|
|
+-------+----------------------------------+
|
|
|
|
* Add the ``user`` role to the ``demo`` project and user::
|
|
|
|
$ openstack role add --project demo --user demo user
|
|
|
|
Verify operation
|
|
~~~~~~~~~~~~~~~~
|
|
|
|
Verify operation of the Identity service before installing other
|
|
services.
|
|
|
|
#. For security reasons, remove admin_token from
|
|
``/etc/keystone/keystone.conf``:
|
|
|
|
Edit the ``[DEFAULT]`` section and remove ``admin_token``.
|
|
|
|
#. Restart the keystone-admin service to reload the changes::
|
|
|
|
# systemctl restart uwsgi@keystone-admin.service
|
|
|
|
#. Unset the temporary ``OS_TOKEN`` and ``OS_URL`` environment variables::
|
|
|
|
$ unset OS_TOKEN OS_URL
|
|
|
|
#. As the ``admin`` user, request an authentication token::
|
|
|
|
$ openstack --os-auth-url http://controller:35357/v3 \
|
|
--os-project-domain-id default --os-user-domain-id default \
|
|
--os-project-name admin --os-username admin --os-auth-type password \
|
|
token issue
|
|
Password:
|
|
+------------+----------------------------------+
|
|
| Field | Value |
|
|
+------------+----------------------------------+
|
|
| expires | 2015-03-24T18:55:01Z |
|
|
| id | ff5ed908984c4a4190f584d826d75fed |
|
|
| project_id | cf12a15c5ea84b019aec3dc45580896b |
|
|
| user_id | 4d411f2291f34941b30eef9bd797505a |
|
|
+------------+----------------------------------+
|
|
|
|
#. As the ``demo`` user, request an authentication token::
|
|
|
|
$ openstack --os-auth-url http://controller:5000/v3 \
|
|
--os-project-domain-id default --os-user-domain-id default \
|
|
--os-project-name demo --os-username demo --os-auth-type password \
|
|
token issue
|
|
Password:
|
|
+------------+----------------------------------+
|
|
| Field | Value |
|
|
+------------+----------------------------------+
|
|
| expires | 2014-10-10T12:51:33Z |
|
|
| id | 1b87ceae9e08411ba4a16e4dada04802 |
|
|
| project_id | 4aa51bb942be4dd0ac0555d7591f80a6 |
|
|
| user_id | 7004dfa0dda84d63aef81cf7f100af01 |
|
|
+------------+----------------------------------+
|
|
|
|
Next topic: :ref:`openstack_identity-openrc`. |