
Install the Identity Service

  1. Install the OpenStack Identity Service on the controller node, together with python-keystoneclient (which is a dependency):

    # apt-get install keystone
  2. The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone. Replace KEYSTONE_DBPASS with a suitable password for the database user.

    Edit /etc/keystone/keystone.conf and change the [database] section:

    ...
    [database]
    # The SQLAlchemy connection string used to connect to the database
    connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
    ...
  3. By default, the Ubuntu packages create a SQLite database. Delete the keystone.db file created in the /var/lib/keystone/ directory so that it does not get used by mistake:

    # rm /var/lib/keystone/keystone.db
  4. Use the password that you set previously to log in as root. Create a keystone database user:

    $ mysql -u root -p
    mysql> CREATE DATABASE keystone;
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';
    mysql> exit
  5. Create the database tables for the Identity Service:

    # su -s /bin/sh -c "keystone-manage db_sync" keystone
  6. Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file:

    # openssl rand -hex 10

    Edit /etc/keystone/keystone.conf and change the [DEFAULT] section, replacing ADMIN_TOKEN with the results of the command:

    [DEFAULT]
    # A "shared secret" between keystone and other openstack services
    admin_token = ADMIN_TOKEN
    ...
  7. Configure the log directory. Edit the /etc/keystone/keystone.conf file and update the [DEFAULT] section:

    [DEFAULT]
    ...
    log_dir = /var/log/keystone
  8. Restart the Identity Service:

    # service keystone restart
  9. By default, the Identity Service stores expired tokens in the database indefinitely. While potentially useful for auditing in production environments, the accumulation of expired tokens will considerably increase database size and may decrease service performance, particularly in test environments with limited resources. We recommend configuring a periodic task using cron to purge expired tokens hourly.

    1. Run the following command to purge expired tokens every hour and log the output to /var/log/keystone/keystone-tokenflush.log:

      # (crontab -l 2>&1 | grep -q token_flush) || \
        echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/crontabs/root