Install the OpenStack Identity Service on the controller node, together with python-keystoneclient (which is a dependency):
# zypper install openstack-keystone python-keystoneclient openstack-utils
The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone. Replace KEYSTONE_DBPASS with a suitable password for the database user. The connection string stores this password in clear text, so make sure that /etc/keystone/keystone.conf stays readable only by root and the keystone user.
# openstack-config --set /etc/keystone/keystone.conf \
  database connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone
Use the password that you set previously to log in as root. Create the keystone database and the keystone database user:
$ mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> exit
The second GRANT allows the keystone user to connect from any host ('%'). Because the Identity Service in this guide runs only on the controller, narrow that host pattern to the controller's management address if your setup allows it.
Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file:
# ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
# openstack-config --set /etc/keystone/keystone.conf DEFAULT \
  admin_token $ADMIN_TOKEN
On SUSE Linux Enterprise, use this as the first command instead:
# ADMIN_TOKEN=$(openssl rand 10|hexdump -e '1/1 "%.2x"')
The admin token authenticates to the Identity Service as an administrator without any user credentials, so treat it like the root password: do not paste it into scripts, and do not leave the value that echo printed in terminal logs or screen captures.
By default, Keystone uses PKI tokens. Create the signing keys and certificates and restrict access to the generated data:
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/ssl
# chmod -R o-rwx /etc/keystone/ssl
The private signing key lives under this directory, so confirm afterwards (for example with ls -lR /etc/keystone/ssl) that no file in it is readable by other users.
Start the Identity Service and enable it to start when the system boots:
# service openstack-keystone start
# chkconfig openstack-keystone on
By default, the Identity Service stores expired tokens in the database indefinitely. While potentially useful for auditing in production environments, the accumulation of expired tokens considerably increases database size and may decrease service performance, particularly in test environments with limited resources. We recommend configuring a periodic task using cron to purge expired tokens hourly.
Run the following command to purge expired tokens every hour and log the output to /var/log/keystone/keystone-tokenflush.log:
# (crontab -l 2>&1 | grep -q token_flush) || \
  echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
  >> /var/spool/cron/tabs/root