Generating and configuring PKI tokens
Keystone can issue PKI tokens: each token body is signed with Keystone's private signing key, and services validate that signature against the matching x509 signing certificate and the CA that issued it, so a token can be checked without a round trip to Keystone. Chapter 4, Keystone Identity Service discusses more advanced configurations. In this chapter, we use the keystone-manage pki_setup command to generate the PKI key pair and certificates and to configure Keystone to use them.
How to do it…
Proceed with the following steps:
- Generate the PKI keys using the keystone-manage pki_setup command:
[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
Note
In keystone-manage pki_setup, we use the keystone Linux user and group accounts, which were created when the openstack-keystone package was installed.
- Change ownership of the generated PKI files:
[root@controller ~]# chown -R keystone:keystone /var/log/keystone /etc/keystone/ssl/
The private signing key under /etc/keystone/ssl/private must stay readable by the keystone user only; anyone who can read it can mint tokens that every service will accept.
- Configure the Keystone service to use the generated PKI files:
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing token_format PKI
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing certfile /etc/keystone/ssl/certs/signing_cert.pem
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing keyfile /etc/keystone/ssl/private/signing_key.pem
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing ca_certs /etc/keystone/ssl/certs/ca.pem
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing key_size 1024
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing valid_days 3650
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf signing ca_password None
Note
key_size and valid_days only affect keys and certificates that pki_setup generates, so they must be set before it is run if you want anything other than its defaults. A 1024-bit RSA signing key is no longer considered adequate for signing; use at least 2048 and re-run pki_setup if your keys were generated shorter.
Starting and enabling service
At this point, Keystone is configured and ready to run. Start it as follows:
[root@controller ~]# systemctl start openstack-keystone
Enable Keystone to start after system reboot:
[root@controller ~]# systemctl enable openstack-keystone
Configuring Keystone endpoints
We need to configure a Keystone service endpoint for other services to operate properly:
- Set the SERVICE_TOKEN environment parameter using the keystone_admin_token we generated in the basic Keystone configuration step:
[root@controller ~]# export SERVICE_TOKEN=`cat ~/keystone_admin_token`
The admin token bypasses authentication entirely, so it is only for bootstrapping; once the admin user created later in this section works, remove admin_token from keystone.conf.
- Set the SERVICE_ENDPOINT environment parameter to Keystone's admin endpoint URL, using your controller's IP address:
[root@controller ~]# export SERVICE_ENDPOINT="http://10.10.0.1:35357/v2.0"
These endpoints use plain HTTP, so credentials and tokens travel in the clear; keep them on the management network only.
- Create a Keystone service entry:
[root@controller ~]# keystone service-create --name=keystone --type=identity --description="Keystone Identity service"
The output of a successful execution should look similar to the following, with a different unique ID:
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |    Keystone Identity service     |
|   enabled   |               True               |
|      id     | 1fa0e426e1ba464d95d16c6df0899047 |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+
The endpoint-create command allows us to set different URLs for public, internal and admin access, so the admin API (port 35357) can be kept off public networks. At this point, we use our controller's management NIC IP for all three.
- Create the Keystone service endpoint using the keystone endpoint-create command:
[root@controller ~]# keystone endpoint-create --service keystone --publicurl 'http://10.10.0.1:5000/v2.0' --adminurl 'http://10.10.0.1:35357/v2.0' --internalurl 'http://10.10.0.1:5000/v2.0'
- Create the services tenant:
[root@controller ~]# keystone tenant-create --name services --description "Services Tenant"
Keystone administrator account
- Create an administrative account within Keystone (replace password with a strong password; this account has full control of the cloud):
[root@controller ~]# keystone user-create --name admin --pass password
- Create the admin role:
[root@controller ~]# keystone role-create --name admin
- Create an admin tenant:
[root@controller ~]# keystone tenant-create --name admin
- Add the admin role to the admin user in the admin tenant:
[root@controller ~]# keystone user-role-add --user admin --role admin --tenant admin
- Create the keystonerc_admin file with the following content:
[root@controller ~]# cat ~/keystonerc_admin
export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=password
export OS_AUTH_URL=http://10.10.0.1:35357/v2.0/
export PS1='[\u@\h \W(keystone_admin)]\$ '
- To load the environment variables, run source command:
[root@controller ~]# source keystonerc_admin
Keystone user account
We may also create an unprivileged user account that has no administration permissions on our newly created OpenStack environment:
- Create the user account in Keystone:
[root@controller ~(keystone_admin)]# keystone user-create --name USER --pass password
- Create a new tenant:
[root@controller ~(keystone_admin)]# keystone tenant-create --name TENANT
- Assign the user account to the newly created tenant with the default _member_ role:
[root@controller ~(keystone_admin)]# keystone user-role-add --user USER --role _member_ --tenant TENANT
- Create the keystonerc_user file with the following content (note that it points at the public endpoint on port 5000, not the admin endpoint):
[root@controller ~(keystone_admin)]# cat ~/keystonerc_user
export OS_USERNAME=USER
export OS_TENANT_NAME=TENANT
export OS_PASSWORD=password
export OS_AUTH_URL=http://10.10.0.1:5000/v2.0/
export PS1='[\u@\h \W(keystone_user)]\$ '
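Both keystonerc_admin and keystonerc_user above hold OS_PASSWORD in the clear, and the chapter writes the password unquoted, which breaks as soon as it contains a space, a $ or a quote. The script below is an added example (not from the book): it writes a keystonerc file with the same five export lines, single-quoting the values and creating the file readable only by its owner, and it checks an existing file for those properties. The file path, credentials and prompt tag are assumptions for the demo.

```shell
#!/bin/sh
# Added example (not from the book): write and check a keystonerc file.
# Path, user, tenant, password and prompt tag below are demo assumptions.
set -eu

# sq VALUE: single-quote a value for sh, escaping embedded single quotes,
# so a password containing $, spaces or quotes survives 'source'.
sq() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# write_keystonerc FILE USER TENANT PASSWORD AUTH_URL PROMPT_TAG
# Same layout as the chapter's keystonerc_admin / keystonerc_user.
write_keystonerc() {
    rm -f "$1"                        # '>' alone would keep an old loose mode
    (
        umask 077                     # created 0600: it holds OS_PASSWORD
        {
            printf 'export OS_USERNAME=%s\n'    "$(sq "$2")"
            printf 'export OS_TENANT_NAME=%s\n' "$(sq "$3")"
            printf 'export OS_PASSWORD=%s\n'    "$(sq "$4")"
            printf 'export OS_AUTH_URL=%s\n'    "$(sq "$5")"
            printf '%s\n' "export PS1='[\\u@\\h \\W($6)]\\\$ '"
        } > "$1"
    )
}

# check_keystonerc FILE: return 1 if group or others have any access to the
# file, or if it carries no OS_PASSWORD line; 0 otherwise.
check_keystonerc() {
    mode=$(ls -l "$1" | cut -c5-10)   # group + other permission bits
    case "$mode" in
        ------) ;;
        *) echo "$1: accessible by group/others ($mode)" >&2; return 1 ;;
    esac
    grep -q '^export OS_PASSWORD=' "$1" || { echo "$1: no OS_PASSWORD" >&2; return 1; }
}

# read_password FILE: source the file in a subshell and echo OS_PASSWORD,
# proving the quoting round-trips through 'source'.
read_password() {
    ( . "$1"; printf '%s' "$OS_PASSWORD" )
}

demo() {
    f="${TMPDIR:-/tmp}/keystonerc_demo.$$"
    write_keystonerc "$f" admin admin 'p@ss $word' \
        'http://10.10.0.1:35357/v2.0/' keystone_admin
    check_keystonerc "$f"
    echo "file mode ok; password read back as: $(read_password "$f")"
    rm -f "$f"
}

demo
```

Run check_keystonerc over every rc file on the controller before handing the box over; a 0644 keystonerc_admin is an admin password readable by every local account.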
There's more…
If the installation and configuration of the Keystone service were successful, Keystone should be operational; we run a keystone command to verify it.
Verify successful installation
Use the keystone tenant-list command to list the existing tenants:
[root@controller ~(keystone_admin)]# keystone tenant-list
The output of successful tenant creation should look similar to this (any other tenants you created will be listed as well):
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| a5b7bf37d1b646cb8ec0eb35481204c4 |  admin   |   True  |
| fafb926db0674ad9a34552dc05ac3a18 | services |   True  |
+----------------------------------+----------+---------+