Keystone – Identity service on Controller Node

Posted on by sandeep

Note : All services typically involve passwords associated with them for accessing. In view of keeping the learning time/curve short/simple had preferred to use a single password for all.

Create database and grant privileges : From MySQL prompt

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'commonpass';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'commonpass';
FLUSH PRIVILEGES;
exit;

Install package

apt -y install keystone

Update configurations in /etc/keystone/keystone.conf – respective sections as show below

[database]
connection = mysql+pymysql://keystone:commonpass@controller/keystone

[token]
provider = fernet

Populate the Identity service database

su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize Fernet key repositories. (associate the user/group for running of keystone)

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the Identity service 

keystone-manage bootstrap --bootstrap-password commonpass --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

Edit the /etc/apache2/apache2.conf and add the following configuration and restart apache

ServerName controller

service apache2 restart

Set environment variables for administrative account 

export OS_USERNAME=admin
export OS_PASSWORD=commonpass
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

Domains, projects, users and roles

“default” domain already exists from the keystone-manage bootstrap step – so skipping creating a domain.

Create a project named “service” (to be in line with the step by step guide being referred)

openstack project create --domain default --description "Service Project" service

Create a project with user account for under previleged or non admin users

openstack project create --domain default --description "Kubernetes Project" kproject

openstack user create --domain default --password-prompt kuser

openstack role create krole

openstack role add --project kproject --user kuser krole

Verify token issue for admin and non-admin user

unset OS_AUTH_URL OS_PASSWORD
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
Password:
Password:
+------------+----------------------------------------+
| Field      | Value                                  |
+------------+----------------------------------------+
| expires    | 2020-10-07T05:01:31+0000               |
| id         | gAAAAABffT2bKOhUzX3VC8MoyaEY3aI8r…0I   |
| project_id | fff0b7a4d94448498d8703c8aa1a5d8b       |
| user_id    | 5326b26027b143aaae10d7bf0f1fee6b       |
+------------+----------------------------------------+
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name kproject --os-username kuser token issue
Password:
Password:
+------------+----------------------------------------+
| Field      | Value                                  |
+------------+----------------------------------------+
| expires    | 2020-10-07T05:02:24+0000               |
| id         | gAAAAABffT3QXC4HjiE5viiu-ZLlXqYRy…IM   |
| project_id | 4948fbd742b74910a0620ef93b92f91e       |
| user_id    | 36a722e921d242f9944b4754015ec734       |
+------------+----------------------------------------+

The openstack client makes user of environment variables if set or expect the inputs as part of command line arugments. Create two client environment scripts which can be ‘sourced‘ as and when required.

Create admin-openrc with following contents

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=commonpass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Create user-openrc with following contents

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=kproject
export OS_USERNAME=kuser
export OS_PASSWORD=commonpass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Using the scripts

. admin-openrc
openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2020-10-07T05:17:29+0000         |
| id         | gAAAAABffUFZlSRmx2bYNFec1…DpWw   |
| project_id | fff0b7a4d94448498d8703c8aa1a5d8b |
| user_id    | 5326b26027b143aaae10d7bf0f1fee6b |
+------------+----------------------------------+
. user-openrc
openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2020-10-07T05:17:38+0000         |
| id         | gAAAAABffUFio8WX5cpHERZD…hS3GE   |
| project_id | 4948fbd742b74910a0620ef93b92f91e |
| user_id    | 36a722e921d242f9944b4754015ec734 |
+------------+----------------------------------+