Home Lab

Notes from my learning sessions

Keystone – Identity service on Controller Node

Posted on October 9, 2020 / October 20, 2020 by sandeep

Note: Each service typically has its own password for access. To keep the learning curve short and simple, I preferred to use a single password for all of them.

Create the database and grant privileges (from the MySQL prompt)

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'commonpass';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'commonpass';
FLUSH PRIVILEGES;
exit;

Install package

apt -y install keystone

Update the configuration in /etc/keystone/keystone.conf – respective sections as shown below

[database]
connection = mysql+pymysql://keystone:commonpass@controller/keystone

[token]
provider = fernet

Populate the Identity service database

su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the Fernet key repositories (the user/group options set the account that keystone runs as)

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the Identity service

keystone-manage bootstrap --bootstrap-password commonpass --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

Edit /etc/apache2/apache2.conf, add the following configuration, and restart Apache

ServerName controller

service apache2 restart

Set environment variables for administrative account

export OS_USERNAME=admin
export OS_PASSWORD=commonpass
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

Domains, projects, users and roles

“default” domain already exists from the keystone-manage bootstrap step – so skipping creating a domain.

Create a project named “service” (to be in line with the step by step guide being referred)

openstack project create --domain default --description "Service Project" service

Create a project with a user account for underprivileged or non-admin users

openstack project create --domain default --description "Kubernetes Project" kproject

openstack user create --domain default --password-prompt kuser

openstack role create krole

openstack role add --project kproject --user kuser krole

Verify token issue for admin and non-admin user

unset OS_AUTH_URL OS_PASSWORD
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
Password:
Password:
+------------+----------------------------------------+
| Field      | Value                                  |
+------------+----------------------------------------+
| expires    | 2020-10-07T05:01:31+0000               |
| id         | gAAAAABffT2bKOhUzX3VC8MoyaEY3aI8r…0I   |
| project_id | fff0b7a4d94448498d8703c8aa1a5d8b       |
| user_id    | 5326b26027b143aaae10d7bf0f1fee6b       |
+------------+----------------------------------------+
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name kproject --os-username kuser token issue
Password:
Password:
+------------+----------------------------------------+
| Field      | Value                                  |
+------------+----------------------------------------+
| expires    | 2020-10-07T05:02:24+0000               |
| id         | gAAAAABffT3QXC4HjiE5viiu-ZLlXqYRy…IM   |
| project_id | 4948fbd742b74910a0620ef93b92f91e       |
| user_id    | 36a722e921d242f9944b4754015ec734       |
+------------+----------------------------------------+

The openstack client makes use of environment variables if they are set, or expects the inputs as command-line arguments. Create two client environment scripts which can be 'sourced' as and when required.

Create admin-openrc with following contents

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=commonpass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Create user-openrc with following contents

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=kproject
export OS_USERNAME=kuser
export OS_PASSWORD=commonpass
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
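
A check for the single-password shortcut taken in this post, as an added example that is not part of the original post: it reads the keystone.conf and openrc contents and reports where a password is stored in a file, where it would be sent over plain HTTP, and where the database account and the Keystone users share one password. The function names and the inline sample inputs are chosen here.

```python
import configparser
from urllib.parse import urlsplit

# Constructed inputs: the keystone.conf and openrc contents shown in this post.
KEYSTONE_CONF = """\
[database]
connection = mysql+pymysql://keystone:commonpass@controller/keystone
"""
OPENRC_FILES = {
    "admin-openrc": "export OS_USERNAME=admin\nexport OS_PASSWORD=commonpass\n"
                    "export OS_AUTH_URL=http://controller:5000/v3\n",
    "user-openrc": "export OS_USERNAME=kuser\nexport OS_PASSWORD=commonpass\n"
                   "export OS_AUTH_URL=http://controller:5000/v3\n",
}


def parse_openrc(text):
    """Collect KEY=value pairs from 'export KEY=value' lines."""
    env = {}
    for line in map(str.strip, text.splitlines()):
        if line.startswith("export ") and "=" in line:
            key, _, value = line[len("export "):].partition("=")
            env[key.strip()] = value.strip().strip("'\"")
    return env


def audit(conf_text, openrc_files):
    """Return findings about stored, reused and cleartext-sent passwords."""
    findings, holders = [], {}  # holders: password -> places that use it
    conf = configparser.ConfigParser(interpolation=None)
    conf.read_string(conf_text)
    db_password = urlsplit(conf.get("database", "connection", fallback="")).password
    if db_password:
        holders.setdefault(db_password, []).append("keystone.conf [database]")
    for name, text in sorted(openrc_files.items()):
        env = parse_openrc(text)
        if env.get("OS_PASSWORD"):
            findings.append(f"{name}: OS_PASSWORD is stored in the file")
            holders.setdefault(env["OS_PASSWORD"], []).append(name)
        if urlsplit(env.get("OS_AUTH_URL", "")).scheme == "http":
            findings.append(f"{name}: OS_AUTH_URL is plain http")
    for places in holders.values():
        if len(places) > 1:  # the findings never echo the password itself
            findings.append("one password shared by: " + ", ".join(places))
    return findings


if __name__ == "__main__":
    print("\n".join(audit(KEYSTONE_CONF, OPENRC_FILES)))
```

An openrc without an OS_PASSWORD line passes the first check; the openstack client then prompts for the password, as in the token issue runs earlier in this post.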

Using the scripts

. admin-openrc
openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2020-10-07T05:17:29+0000         |
| id         | gAAAAABffUFZlSRmx2bYNFec1…DpWw   |
| project_id | fff0b7a4d94448498d8703c8aa1a5d8b |
| user_id    | 5326b26027b143aaae10d7bf0f1fee6b |
+------------+----------------------------------+
. user-openrc
openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2020-10-07T05:17:38+0000         |
| id         | gAAAAABffUFio8WX5cpHERZD…hS3GE   |
| project_id | 4948fbd742b74910a0620ef93b92f91e |
| user_id    | 36a722e921d242f9944b4754015ec734 |
+------------+----------------------------------+
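
Every token id in the outputs above starts with gAAAAAB because a Fernet token opens with an unencrypted version byte (0x80) followed by a 64-bit big-endian creation timestamp, so even a truncated id reveals when it was issued. The added example below (not part of the original post) decodes that header from the visible id prefixes and compares it with the expires field; the function names and PAGE_TOKENS are chosen here.

```python
import base64
import struct
from datetime import datetime, timezone

FERNET_VERSION = 0x80  # first byte of every Fernet token


def fernet_issued_at(token_id: str) -> datetime:
    """Return the creation time stored in a Fernet token's cleartext header.

    Only the first 12 base64url characters (9 bytes) are needed:
    1 version byte followed by a 64-bit big-endian Unix timestamp.
    """
    if len(token_id) < 12:
        raise ValueError("need at least the first 12 characters of the id")
    header = base64.urlsafe_b64decode(token_id[:12])
    version, issued = struct.unpack(">BQ", header)
    if version != FERNET_VERSION:
        raise ValueError(f"not a Fernet token (version byte {version:#x})")
    return datetime.fromtimestamp(issued, tz=timezone.utc)


def token_lifetime_seconds(token_id: str, expires: str) -> int:
    """Seconds between the header timestamp and the 'expires' field."""
    expiry = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
    return int((expiry - fernet_issued_at(token_id)).total_seconds())


# Visible id prefixes and 'expires' values copied from the outputs above;
# the elided remainder of each id is not needed and is not reconstructed.
PAGE_TOKENS = [
    ("gAAAAABffT2b", "2020-10-07T05:01:31+0000"),  # admin, command line
    ("gAAAAABffT3Q", "2020-10-07T05:02:24+0000"),  # kuser, command line
    ("gAAAAABffUFZ", "2020-10-07T05:17:29+0000"),  # admin-openrc
    ("gAAAAABffUFi", "2020-10-07T05:17:38+0000"),  # user-openrc
]

if __name__ == "__main__":
    for prefix, expires in PAGE_TOKENS:
        print(fernet_issued_at(prefix).isoformat(),
              token_lifetime_seconds(prefix, expires))
```

All four lifetimes come out at 3600 seconds, which is Keystone's default [token] expiration.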
