Install the OpenStack Identity Service on the controller node, together with python-keystoneclient (which is a dependency):
# apt-get install keystone
The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone. Replace KEYSTONE_DBPASS with a suitable password for the database user.
Edit /etc/keystone/keystone.conf and change the [database] section:
...
[database]
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
...
By default, the Ubuntu packages create a SQLite database. Delete the keystone.db file created in the /var/lib/keystone/ directory so that it does not get used by mistake:
# rm /var/lib/keystone/keystone.db
Log in to MySQL as root, using the root password that you set previously. Create the keystone database and a keystone database user:
$ mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> exit
The second GRANT lets the keystone user connect from any host ('%'). If the MySQL server is reachable from outside the controller node, restrict that grant to the hosts that actually need to reach the database.
Create the database tables for the Identity Service:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file:
# openssl rand -hex 10
Edit /etc/keystone/keystone.conf and change the [DEFAULT] section, replacing ADMIN_TOKEN with the results of the command:
[DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN_TOKEN
...
Anyone who presents this token to the Identity Service gets administrative access without a user name or password, so make sure /etc/keystone/keystone.conf is not world-readable and do not reuse the token anywhere else.
Configure the log directory. Edit the /etc/keystone/keystone.conf file and update the [DEFAULT] section:
[DEFAULT]
...
log_dir = /var/log/keystone
Restart the Identity Service:
# service keystone restart
By default, the Identity Service stores expired tokens in the database indefinitely. While potentially useful for auditing in production environments, the accumulation of expired tokens will considerably increase database size and may decrease service performance, particularly in test environments with limited resources. We recommend configuring a periodic task using cron to purge expired tokens hourly.
Run the following command to purge expired tokens every hour and log the output to /var/log/keystone/keystone-tokenflush.log:
# (crontab -l 2>&1 | grep -q token_flush) || \
  echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/crontabs/root
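The keystone.conf edits and the cron entry from this section, collected into one re-runnable script, as an added example that is not part of the OpenStack guide or of the Keystone project. It assumes POSIX sh and awk, that KEYSTONE_DBPASS has been exported by the caller, and the file paths used in this section; ini_set, ini_get, gen_token, cron_add_once and apply_keystone_config are names invented for the example. It goes slightly beyond the commands above: it uncomments a commented-out default instead of adding a duplicate key, keeps an existing admin_token instead of generating a new one on every run, and rewrites keystone.conf in place so that the file's owner and mode are preserved. The MySQL statements and keystone-manage db_sync still have to be run as shown above.

```shell
#!/bin/sh
# Added example (not from the OpenStack guide): apply the keystone.conf edits
# from this section idempotently. Assumes POSIX sh + awk and that the caller
# has exported KEYSTONE_DBPASS. Paths default to the ones used in the guide.
set -e

# ini_set FILE SECTION KEY VALUE
# Replace "KEY = ..." inside [SECTION] (also uncommenting a "# KEY = ..."
# default), or append the key to the section, or create the section at the
# end of the file. The file is rewritten in place (cat > file, not mv) so
# that its owner and mode are untouched: keystone.conf holds secrets.
ini_set() {
    ini_tmp=$(mktemp)
    awk -v section="$2" -v key="$3" -v value="$4" '
        /^\[/ {
            # leaving the target section without having seen the key: add it
            if (in_sec && !done) { print key " = " value; done = 1 }
            in_sec = ($0 == "[" section "]")
        }
        in_sec && !done && ($0 ~ ("^[# \t]*" key "[ \t]*=")) {
            print key " = " value; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!in_sec) print "[" section "]"
                print key " = " value
            }
        }
    ' "$1" > "$ini_tmp"
    cat "$ini_tmp" > "$1"
    rm -f "$ini_tmp"
}

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], if set
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^\[/ { in_sec = ($0 == "[" section "]"); next }
        in_sec && ($0 ~ ("^" key "[ \t]*=")) {
            sub("^" key "[ \t]*=[ \t]*", ""); print; exit
        }
    ' "$1"
}

# gen_token: 20 hex characters, the same as the guide's "openssl rand -hex 10",
# with a /dev/urandom fallback when openssl is not installed
gen_token() {
    openssl rand -hex 10 2>/dev/null ||
        od -An -N10 -tx1 /dev/urandom | tr -d ' \n'
}

# cron_add_once CRONFILE LINE: append LINE unless a token_flush entry exists
cron_add_once() {
    grep -q 'keystone-manage token_flush' "$1" 2>/dev/null ||
        printf '%s\n' "$2" >> "$1"
}

# apply_keystone_config [CONF] [CRONTAB]
apply_keystone_config() {
    conf=${1:-/etc/keystone/keystone.conf}
    cron=${2:-/var/spool/cron/crontabs/root}
    : "${KEYSTONE_DBPASS:?export KEYSTONE_DBPASS before running this script}"
    ini_set "$conf" database connection \
        "mysql://keystone:${KEYSTONE_DBPASS}@controller/keystone"
    # admin_token is a bearer credential for full administrative access:
    # generate it once and keep it instead of rotating it on every run
    [ -n "$(ini_get "$conf" DEFAULT admin_token)" ] ||
        ini_set "$conf" DEFAULT admin_token "$(gen_token)"
    ini_set "$conf" DEFAULT log_dir /var/log/keystone
    cron_add_once "$cron" \
        '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1'
}

# Run as root on the controller node with the guide's default paths:
#   export KEYSTONE_DBPASS=...; sh keystone-config.sh apply
if [ "${1:-}" = "apply" ]; then
    apply_keystone_config
fi
```

After running it, restart the Identity Service with service keystone restart as above; re-running the script leaves the file and the crontab unchanged apart from a changed KEYSTONE_DBPASS.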