 Install the Identity Service

  1. Install the OpenStack Identity Service on the controller node, together with python-keystoneclient (which is a dependency):

    # zypper install openstack-keystone python-keystoneclient openstack-utils
  2. The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone. Replace KEYSTONE_DBPASS with a suitable password for the database user.

    # openstack-config --set /etc/keystone/keystone.conf \
       database connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone
  3. Log in to MySQL as root with the password that you set previously, then create the keystone database and the keystone database user:

    $ mysql -u root -p
    mysql> CREATE DATABASE keystone;
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';
    mysql> exit
  4. Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file:

    # ADMIN_TOKEN=$(openssl rand -hex 10)
    # echo $ADMIN_TOKEN
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT \
       admin_token $ADMIN_TOKEN

    On SUSE Linux Enterprise, use this as the first command instead:

    # ADMIN_TOKEN=$(openssl rand 10|hexdump  -e '1/1 "%.2x"')
  5. By default, Keystone uses PKI tokens. Create the signing keys and certificates and restrict access to the generated data:

    # keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    # chown -R keystone:keystone /etc/keystone/ssl
    # chmod -R o-rwx /etc/keystone/ssl
  6. Start the Identity Service and enable it to start when the system boots:

    # service openstack-keystone start
    # chkconfig openstack-keystone on
  7. By default, the Identity Service stores expired tokens in the database indefinitely. While potentially useful for auditing in production environments, the accumulation of expired tokens will considerably increase database size and may decrease service performance, particularly in test environments with limited resources. We recommend configuring a periodic task using cron to purge expired tokens hourly.

    1. Run the following command to purge expired tokens every hour and log the output to /var/log/keystone/keystone-tokenflush.log:

      # (crontab -l 2>&1 | grep -q token_flush) || \
      echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/tabs/root
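
The following checks verify the three security-relevant outcomes of the steps above (a real admin_token, a replaced database password, and a PKI directory closed to other users). This is an added example, not part of the OpenStack guide; the fixture it builds is constructed, and on a controller you would point the functions at /etc/keystone/keystone.conf and /etc/keystone/ssl.

```shell
# Post-install checks for the Keystone settings configured in the steps above.
# Added example, not part of the OpenStack guide. Paths are arguments so the
# checks can run against a constructed copy of keystone.conf.

# Print the value of KEY from an ini-style FILE (first match, sections ignored,
# commented-out lines skipped).
ini_get() {  # ini_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# admin_token is the bootstrap shared secret: it must be set, must not be the
# guide's placeholder or the stock sample value ADMIN, and must look like the
# 20 hex characters that `openssl rand -hex 10` produces.
check_admin_token() {  # check_admin_token KEYSTONE_CONF
    token=$(ini_get "$1" admin_token)
    [ -n "$token" ] || { echo "admin_token is not set"; return 1; }
    case "$token" in
        ADMIN_TOKEN|ADMIN) echo "admin_token is still a placeholder"; return 1 ;;
    esac
    echo "$token" | grep -Eq '^[0-9a-f]{20,}$' ||
        { echo "admin_token is too short or not hex"; return 1; }
}

# The database URL must not still carry the KEYSTONE_DBPASS placeholder.
check_db_connection() {  # check_db_connection KEYSTONE_CONF
    conn=$(ini_get "$1" connection)
    [ -n "$conn" ] || { echo "database connection is not set"; return 1; }
    case "$conn" in
        *KEYSTONE_DBPASS*) echo "KEYSTONE_DBPASS was never replaced"; return 1 ;;
    esac
}

# Nothing under the PKI directory may carry any "other" permission bit, which
# is what `chmod -R o-rwx /etc/keystone/ssl` enforces (signing key included).
check_ssl_perms() {  # check_ssl_perms SSL_DIR
    [ -d "$1" ] || { echo "$1 missing: run keystone-manage pki_setup"; return 1; }
    bad=$(find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) | head -n 1)
    [ -z "$bad" ] || { echo "world-accessible: $bad"; return 1; }
}

# Constructed fixture (not a real deployment): one conf with the guide's
# placeholders left in, one with them replaced, and a fake signing key.
make_fixture() {  # make_fixture DIR
    mkdir -p "$1/ssl/private"
    printf '[DEFAULT]\nadmin_token = ADMIN_TOKEN\n[database]\nconnection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone\n' > "$1/bad.conf"
    printf '[DEFAULT]\nadmin_token = 0123456789abcdef0123\n[database]\nconnection = mysql://keystone:Xy7pq2Rt@controller/keystone\n' > "$1/good.conf"
    : > "$1/ssl/private/signing_key.pem"
    chmod 644 "$1/ssl/private/signing_key.pem"   # deliberately too open
}
```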