What do you get with eBook?

Instant access to your Digital eBook purchase

Download this book in EPUB and PDF formats

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

OpenStack Cloud Computing Cookbook, Third Edition

Chapter 1. Keystone – OpenStack Identity Service

In this chapter, we will cover:

Installing the OpenStack Identity Service
Configuring OpenStack Identity for SSL communication
Creating tenants in Keystone
Configuring roles in Keystone
Adding users to Keystone
Defining service endpoints
Creating the service tenant and service users
Configuring OpenStack Identity for LDAP Integration

Installing the OpenStack Identity Service

We will be performing an installation and configuration of the OpenStack Identity service, known as Keystone, using the Ubuntu Cloud Archive. Once configured, connecting to our OpenStack cloud environment will be performed through our new OpenStack Identity service.

The backend datastore for our OpenStack Identity service will be a MariaDB database. The environment we will be installing is shown in the following figure. In this chapter, we will be concentrating on the Controller host.

Installing the OpenStack Identity Service

Getting ready

To ensure that we're running the Ubuntu Cloud Archive, we must first configure our Ubuntu 14.04 installation to use this service. For more information, visit http://bit.ly/OpenStackCookbookCloudArchive.

Tip

All of the steps can be found at http://www.openstackcookbook.com/.

We will configure Keystone to use MariaDB as the database backend, so this needs to be installed prior to installing Keystone.

Tip

If MariaDB is not installed, visit http://bit.ly/OpenStackCookbookPreReqs for instructions on how to do this.

Ensure that you have a suitable server available for installation of the OpenStack Identity service components. If you are using the accompanying Vagrant environment, as described in the Preface, this will be the controller node.

Make sure that you are logged in to the controller node and ensure that it has Internet access to allow us to install the required packages in our environment for running Keystone. If you created this node with Vagrant, you can execute the following command:

vagrant ssh controller

The instructions here assume that the controller node has two IP addresses. It will have a front-facing IP address, 192.168.100.200, and a backside IP address, 172.16.0.200, (which is also the address of the MariaDB server). The reason it has two addresses is that internal data will communicate over the backside IP address (for example, database traffic), and any Keystone traffic will traverse the front.

How to do it...

Carry out the following instructions to install the OpenStack Identity service:

Installation of the OpenStack Identity service is done by specifying the Keystone package in Ubuntu, and we do this as follows:
```
sudo apt-get update
sudo apt-get install ntp keystone python-keyring
```
Once installed, we need to configure the backend database store, so we first create the keystone database in MariaDB. We do this as follows (here, we have a user in MariaDB called root with the password openstack, which can create databases):
```
MYSQL_ROOT_PASS=openstack
mysql -uroot -p$MYSQL_ROOT_PASS -e "CREATE DATABASE \
    keystone;"
```

It is good practice to create a user that is specific to our OpenStack Identity service, so we create a Keystone user in the database as follows:

MYSQL_KEYSTONE_PASS=openstack
mysql -uroot -p$MYSQL_ROOT_PASS -e "GRANT ALL PRIVILEGES ON \keystone.* TO 'keystone'@'localhost' IDENTIFIED BY \'$MYSQL_KEYSTONE_PASS';"
mysql -uroot -p$MYSQL_ROOT_PASS -e "GRANT ALL PRIVILEGES ON \keystone.* TO 'keystone'@'%' IDENTIFIED BY \'$MYSQL_KEYSTONE_PASS';"

We then need to configure the OpenStack Identity service by editing the /etc/keystone/keystone.conf file to have the following content:

[DEFAULT]
admin_token = ADMIN
log_dir=/var/log/keystone

[database]
connection = mysql://keystone:openstack@172.16.0.200/keystone

[extra_headers]
Distribution = Ubuntu
use_syslog = True
syslog_log_facility = LOG_LOCAL0

We can now restart the keystone service to pick up these changes:
```
sudo stop keystone
sudo start keystone
```
With keystone started, we can now populate the keystone database with the required tables by issuing the following command:
```
sudo keystone-manage db_sync
```

Congratulations! We have now installed the OpenStack Identity service and it is ready for use in our OpenStack environment.

How it works...

A convenient way to install the OpenStack Identity service in our OpenStack environment is by using the Ubuntu packages. Once installed, we configure our MariaDB database server with a keystone database and set up the keystone.conf configuration file with the corresponding values. After starting the Keystone service, running the keystone-manage db_sync command populates the keystone database with the appropriate tables ready for us to add in the required users, roles, and tenants required in our OpenStack environment.

Configuring OpenStack Identity for SSL communication

One of the many updates to this book will be a more hardened all-around approach. To that end, we begin by enabling SSL communication for services with Keystone by default. It is important to note that we will be doing this via self-signed certificates to illustrate how to configure the services. It is strongly recommended that you acquire the appropriate certificates from a Certificate Authority (CA) for deployment in production.

Getting ready

Ensure that you are logged in to the controller node and that it has Internet access to allow us to install the required packages in our environment for running Keystone. If you created this node with Vagrant, you can execute the following command:

vagrant ssh controller

How to do it...

Carry out the following instructions to configure the Keystone service:

Before we can configure Keystone to use SSL, we need to generate the required OpenSSL Certificates. To do so, log in to the server that is running Keystone and issue the following commands:
```
sudo apt-get install python-keystoneclient
keystone-manage ssl_setup --keystone-user keystone \--keystone-group keystone
```
Tip
The command keystone-manage ssl_setup is not intended for production use. This is a convenient tool for creating self-signed certificates for Keystone.
Once our certificates are generated, we can use them when communicating with our Keystone service. We can refer to the generated CA file for our other services by placing this in an accessible place. To do so, issue the following commands:
```
sudo cp /etc/keystone/ssl/certs/ca.pem /etc/ssl/certs/ca.pem
sudo c_rehash /etc/ssl/certs/ca.pem
```
We also take the same CA and CA Key file to use on our client, so copy these where you will be running the relevant python-*client tools. In our Vagrant environment, we can copy this to our host as follows:
```
sudo cp /etc/keystone/ssl/certs/ca.pem /vagrant/ca.pem
sudo cp /etc/keystone/ssl/certs/cakey.pem /vagrant/cakey.pem
```

We then need to edit the Keystone configuration file /etc/keystone/keystone.conf to include the following section:

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
cert_subject=/C=US/ST=Unset/L=Unset/O=Unset/CN=192.168.100.200
ca_key = /etc/keystone/ssl/certs/cakey.pem

Finally, restart the Keystone service:
```
sudo stop keystone
sudo start keystone
```

How it works...

The OpenStack services normally intercommunicate via standard HTTP requests. This provides a large degree of flexibility, but it comes at the cost of all communication happening in plain text. By adding SSL certificates and changing Keystone's configuration, all communication with Keystone will now be encrypted via HTTPS.

Creating tenants in Keystone

A tenant in OpenStack is a project, and the two terms are generally used interchangeably. Users can't be created without having a tenant assigned to them, so these must be created first. For this section, we will create a tenant called cookbook for our users.

Getting ready

We will be using the keystone client to operate Keystone. If the python-keystoneclient tool isn't available, follow the steps described at http://bit.ly/OpenStackCookbookClientInstall.

Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

export OS_TENANT_NAME=cookbook
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/
export OS_NO_CACHE=1
export OS_KEY=/vagrant/cakey.pem
export OS_CACERT=/vagrant/ca.pem

Tip

You can use the controller node if no other machines are available on your network, as this has the python-keystoneclient and the relevant access to the OpenStack environment. If you are using the Vagrant environment issue the following command to get access to the Controller:

vagrant ssh controller

How to do it...

To create a tenant in our OpenStack environment, perform the following steps:

We start by creating a tenant called cookbook:

keystone tenant-create \
    --name cookbook \
    --description "Default Cookbook Tenant" \
    --enabled true

This will produce output similar to:

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |     Default Cookbook Tenant      |
|   enabled   |               True               |
|      id     | fba7b31689714d1ab39a751bc9483efd |
|     name    |             cookbook             |
+-------------+----------------------------------+

We also need an admin tenant so that when we create users in this tenant, they have access to our complete environment. We do this in the same way as in the previous step:
```
keystone tenant-create \
    --name admin \
    --description "Admin Tenant" \
    --enabled true
```

How it works...

Creation of the tenants is achieved by using the keystone client, specifying the tenant-create option with the following syntax:

keystone tenant-create \
    --name tenant_name \
    --description "A description" \
    --enabled true

The tenant_name is an arbitrary string and must not contain spaces. On creation of the tenant, this returns an ID associated with it that we use when adding users to this tenant. To see a list of tenants and the associated IDs in our environment, we can issue the following command:

keystone tenant-list

Configuring roles in Keystone

Roles are the permissions given to users within a tenant. Here, we will configure two roles: an admin role that allows for the administration of our environment, and a member role that is given to ordinary users who will be using the cloud environment.

Getting ready

We will be using the keystone client to operate Keystone. If the python-keystoneclient tool isn't available, follow the steps described at http://bit.ly/OpenStackCookbookClientInstall.

Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

export OS_TENANT_NAME=cookbook
export OS_USERNAME=admin
export OS_PASSWORD=openstack
export OS_AUTH_URL=https://192.168.100.200:5000/v2.0/
export OS_NO_CACHE=1
export OS_KEY=/vagrant/cakey.pem
export OS_CACERT=/vagrant/ca.pem

Tip

You can use the controller node if no other machines are available on your network, as this has the python-keystoneclient and the relevant access to the OpenStack environment. If you are using the Vagrant environment, issue the following command to get access to the Controller:

vagrant ssh controller

How to do it...

To create the required roles in our OpenStack environment, perform the following steps:

Create the admin role as follows:

# admin role
keystone role-create --name admin
You will get an output like this:
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 625b81ae9f024366bbe023a62ab8a18d |
|   name   |              admin               |
+----------+----------------------------------+

To create the Member role, we repeat the step and specify the Member role:
```
# Member role
keystone role-create --name Member
```

How it works...

Creation of the roles is simply achieved by using the keystone client and specifying the role-create option with the following syntax:

keystone role-create --name role_name

The role_name attribute can't be arbitrary for admin and Member roles. The admin role has been set by default in /etc/keystone/policy.json as having administrative rights:

{
    "admin_required": [["role:admin"], ["is_admin:1"]]
}

The Member role is also configured by default in the OpenStack Dashboard, Horizon, for a non-admin user created through the web interface.

On creation of the role, the ID associated with is returned, and we can use it when assigning roles to users. To see a list of roles and the associated IDs in our environment, we can issue the following command:

keystone role-list

Description

OpenStack Open Source software is one of the most used cloud infrastructures to support software development and big data analysis. It is developed by a thriving community of individual developers from around the globe and backed by most of the leading players in the cloud space today. It is simple to implement, massively scalable, and can store a large pool of data and networking resources. OpenStack has a strong ecosystem that helps you provision your cloud storage needs. Add OpenStack's enterprise features to reduce the cost of your business. This book will show you the steps to build up a private cloud environment. At the beginning, you'll discover the uses of cloud services such as the identity service, image service, and compute service. You'll dive into Neutron, the OpenStack Networking service, and get your hands dirty with configuring ML2, networks, routers, and Distributed Virtual Routers. You’ll then gather more expert knowledge on OpenStack cloud computing by managing your cloud's security and migration. After that, we delve in to OpenStack Object storage and how to manage servers and work with objects, cluster, and storage functionalities. Also, as you go deeper into the realm of OpenStack, you'll learn practical examples of Block storage, LBaaS, and FWaaS: installation and configuration covered ground up. Finally, you will learn OpenStack dashboard, Ansible and Foreman, Keystone, and other interesting topics.

What you will learn

Understand, install, configure, and manage Nova-the OpenStack Cloud Compute resource Configure ML2, networks, routers, and Distributed Virtual Routers with Neutron Use and secure Keystone, the OpenStack Authentication service Install and set up Swift and Container Replication between datacenters Gain hands-on experience and familiarity with Horizon, the OpenStack Dashboard user interface Automate complete solutions with our recipes on Heat, the OpenStack Orchestration service Use Ansible and Foreman to automate OpenStack installations successfully Follow practical advice and examples to run OpenStack in production

What do you get with eBook?

Instant access to your Digital eBook purchase

Download this book in EPUB and PDF formats

Access this title in our online reader with advanced features

DRM FREE - Read whenever, wherever and however you want

Frequently bought together

OpenStack Cloud Computing Cookbook, Third Edition

€41.99

€41.99

€41.99

Total € 125.97

Amazon Customer Nov 28, 2015

Great book overall. These days I don't think that you should deploy OpenStack this way, even for dev support systems. However it is a great learning experience to do it manually and this book takes that approach, and you learn a lot along the way.

Amazon Verified review

M. Silvia Jun 08, 2016

A great overview and walkthrough of core components.

Carles Mateo Aug 16, 2017

I was after something for OpenStack's Ocata deployment from the scratch, from the OpenStack's git repositories.It was surprised to see that It covers operating with OpenStack by using Ubuntu Cloud Edition and some vagrant images, (so not Ocata), but the recipes are good, and the book was interesting, so I give it 4 stars.I would like OpenStack books to clearly indicate which version they cover.

codemanic Sep 01, 2017

not worth the price

Davide M. Mar 03, 2016

Inizialmente ero particolarmente soddisfatto per le novità pubblicate, dato che davano per compatibile anche le ultime versioni di OpenStack (Kilo). Ma in realtà non è così, ci sono una miriade di problemi di compatibilità ed è necessario perdere tantissimo tempo per configurare un ambiente corretto. Quasi inutile.

OpenStack Cloud Computing Cookbook, Third Edition: Over 110 effective recipes to help you build and operate OpenStack cloud computing, storage, networking, and automation

What do you get with eBook?

OpenStack Cloud Computing Cookbook, Third Edition

Chapter 1. Keystone – OpenStack Identity Service

Introduction

Installing the OpenStack Identity Service

Getting ready

Tip

Tip

How to do it...

How it works...

Configuring OpenStack Identity for SSL communication

Getting ready

How to do it...

Tip

How it works...

Creating tenants in Keystone

Getting ready

Tip

How to do it...

How it works...

Configuring roles in Keystone

Getting ready

Tip

How to do it...

How it works...

Page 1 of 10

Description

What you will learn

Product Details

What do you get with eBook?

Product Details

Frequently bought together

Table of Contents

Recommendations for you

Customer reviews

People who bought this also bought

About the author

FAQs

OpenStack Cloud Computing Cookbook, Third Edition: Over 110 effective recipes to help you build and operate OpenStack cloud computing, storage, networking, and automation

What do you get with eBook?

Contact Details

Billing Address

Tip

Description

What you will learn

Product Details

What do you get with eBook?

Contact Details

Billing Address

Product Details

Packt Subscriptions

Frequently bought together

Table of Contents

Recommendations for you

Customer reviews

People who bought this also bought

About the author

FAQs