From Fedora Project Wiki

mNo edit summary
(Add section on configuring nova to use keystone)
Line 1: Line 1:
Updates for Fedora 17 / OpenStack >= Essex-4
Updates for Fedora 17 / OpenStack >= Essex-4
== Configuring keystone for authentication ==
Keystone is the openstack identity service, providing a central place to
set up openstack users, groups, and accounts that can be shared across all
other services. This deprecates the old style user accounts manually set
up with nova-manage.
Setting up keystone is required for using the Openstack dashboard.
=== Initial setup ===


* install Keystone
* install Keystone
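Review bot: the added introduction spells the project name as "openstack" and "Openstack", while the unchanged title line above it uses "OpenStack". Use "OpenStack" throughout the new paragraph and in the dashboard sentence so the page is consistent.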
Line 17: Line 28:


* change default administrative token in keystone.conf
* change default administrative token in keystone.conf
  $> sudo openstack-config-set /etc/keystone/keystone.conf DEFAULT admin_token $(openssl rand -hex 10)
$> ADMIN_TOKEN=$(openssl rand -hex 10)
  $> sudo openstack-config-set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN


* start and enable Keystone service
* start and enable Keystone service
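Review bot: the new `ADMIN_TOKEN=$(openssl rand -hex 10)` line keeps the token only in the shell that ran it, yet the nova section added later in this edit reuses `$ADMIN_TOKEN`. In a fresh shell the variable expands to nothing and an empty admin_token is written to api-paste.ini. State that both sections must be run in the same session, or have the nova step read the value back from /etc/keystone/keystone.conf.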
Line 38: Line 50:
  | 25fe47659d6a4255a663e6add1979d6c | True    | admin@example.com | demo  |
  | 25fe47659d6a4255a663e6add1979d6c | True    | admin@example.com | demo  |
  +----------------------------------+---------+-------------------+-------+
  +----------------------------------+---------+-------------------+-------+
=== Configure nova to use keystone ===
* Change nova configuration to use keystone:
$> sudo sed -i -e 's/# \(pipeline = .*\keystonecontext\)/\1/g' /etc/nova/api-paste.ini
$> sudo openstack-config-set /etc/nova/api-paste.ini filter:authtoken admin_token $ADMIN_TOKEN
$> sudo systemctl restart openstack-nova-api.service
* Verify that connecting to nova with keystone (required variable exports from keystone section)
$> nova --version 1.1 flavor-list
+----+-----------+-----------+------+----------+-------+-------------+
| ID |    Name  | Memory_MB | Swap | Local_GB | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+----------+-------+-------------+
| 1  | m1.tiny  | 512      |      | 0        | 1    | 1.0        |
| 2  | m1.small  | 2048      |      | 10      | 1    | 1.0        |
| 3  | m1.medium | 4096      |      | 10      | 2    | 1.0        |
| 4  | m1.large  | 8192      |      | 10      | 4    | 1.0        |
| 5  | m1.xlarge | 16384    |      | 10      | 8    | 1.0        |
+----+-----------+-----------+------+----------+-------+-------------+
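Review bot: the sed expression in the first added command contains a stray backslash in `.*\keystonecontext`. `\k` is not a defined escape in a basic regular expression, so the match depends on the implementation treating it as a literal `k`; write `.*keystonecontext`. The "Verify that connecting to nova with keystone" bullet is also missing its verb ("works").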

Revision as of 00:17, 4 March 2012

Updates for Fedora 17 / OpenStack >= Essex-4

Configuring keystone for authentication

Keystone is the OpenStack identity service, providing a central place to set up OpenStack users, groups, and accounts that can be shared across all other services. This deprecates the old-style user accounts set up manually with nova-manage.

Setting up keystone is required for using the OpenStack dashboard.

Initial setup

  • install Keystone
$> sudo yum install --enablerepo=updates-testing openstack-keystone python-keystoneclient

The following package versions should get installed:

python-keystoneclient >= 2012.1-0.5.e4
openstack-keystone >= 2012.1-0.9.e4
  • configure Keystone database
$> sudo openstack-keystone-db-setup
Please enter the password for the 'root' MySQL user: 
Verified connectivity to MySQL.
Creating 'keystone' database.
Asking openstack-keystone to sync the databse.
Complete!
  • change default administrative token in keystone.conf
$> ADMIN_TOKEN=$(openssl rand -hex 10)
$> sudo openstack-config-set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
  • start and enable Keystone service
$> sudo systemctl start openstack-keystone.service
$> sudo systemctl enable openstack-keystone.service
  • create sample Tenants, Users and Roles
$> sudo ADMIN_PASSWORD=verybadpass openstack-keystone-sample-data
  • test Keystone CLI is working
$> export OS_USERNAME=admin
$> export OS_PASSWORD=verybadpass
$> export OS_TENANT_NAME=admin
$> export OS_AUTH_URL=http://127.0.0.1:5000/v2.0/
$> keystone user-list
+----------------------------------+---------+-------------------+-------+
|                id                | enabled |       email       |  name |
+----------------------------------+---------+-------------------+-------+
| 05742d10109540d2892d17ec312a6cd9 | True    | admin@example.com | admin |
| 25fe47659d6a4255a663e6add1979d6c | True    | admin@example.com | demo  |
+----------------------------------+---------+-------------------+-------+


Configure nova to use keystone

  • Change nova configuration to use keystone:
$> sudo sed -i -e 's/# \(pipeline = .*keystonecontext\)/\1/g' /etc/nova/api-paste.ini
$> sudo openstack-config-set /etc/nova/api-paste.ini filter:authtoken admin_token $ADMIN_TOKEN
$> sudo systemctl restart openstack-nova-api.service
  • Verify that connecting to nova with keystone works (requires the variable exports from the keystone section)
$> nova --version 1.1 flavor-list
+----+-----------+-----------+------+----------+-------+-------------+
| ID |    Name   | Memory_MB | Swap | Local_GB | VCPUs | RXTX_Factor |
+----+-----------+-----------+------+----------+-------+-------------+
| 1  | m1.tiny   | 512       |      | 0        | 1     | 1.0         |
| 2  | m1.small  | 2048      |      | 10       | 1     | 1.0         |
| 3  | m1.medium | 4096      |      | 10       | 2     | 1.0         |
| 4  | m1.large  | 8192      |      | 10       | 4     | 1.0         |
| 5  | m1.xlarge | 16384     |      | 10       | 8     | 1.0         |
+----+-----------+-----------+------+----------+-------+-------------+
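
A check for the token wiring set up in the steps above, as an added example that is not part of the wiki page or of any OpenStack package. The function names `ini_get` and `audit_keystone_wiring` are hypothetical, the two file paths are passed as arguments, and the world-readable check goes beyond what the page covers.

```shell
#!/bin/bash
# Added example: audit the result of the keystone/nova steps above.
# Paths are arguments, so the check can also be run against copies of the files.

# ini_get FILE SECTION KEY: print KEY's value from [SECTION], skipping comments.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); cur = $0; next }
        cur != sec || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# audit_keystone_wiring KEYSTONE_CONF API_PASTE_INI
# Prints one line per finding; the exit status is the number of findings.
audit_keystone_wiring() {
    local ks_conf=$1 paste_ini=$2 findings=0 ks_tok nova_tok
    ks_tok=$(ini_get "$ks_conf" DEFAULT admin_token)
    nova_tok=$(ini_get "$paste_ini" filter:authtoken admin_token)

    # "openssl rand -hex 10" yields exactly 20 lowercase hex characters.
    if ! printf '%s' "$ks_tok" | grep -Eq '^[0-9a-f]{20,}$'; then
        echo "keystone admin_token is unset or not a random hex token"
        findings=$((findings + 1))
    fi
    # An empty value here usually means $ADMIN_TOKEN was unset in the shell.
    if [ -z "$nova_tok" ] || [ "$nova_tok" != "$ks_tok" ]; then
        echo "nova filter:authtoken admin_token does not match keystone"
        findings=$((findings + 1))
    fi
    # The sed step must leave no keystonecontext pipeline commented out.
    if grep -Eq '^[[:space:]]*#.*pipeline[[:space:]]*=.*keystonecontext' "$paste_ini"; then
        echo "a keystonecontext pipeline is still commented out"
        findings=$((findings + 1))
    fi
    # Both files now hold a bearer credential; flag world-readable copies.
    for f in "$ks_conf" "$paste_ini"; do
        if [ -n "$(find "$f" -perm -004)" ]; then
            echo "$f is world-readable"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}
```

On the host itself, run it as `sudo bash -c '. ./audit.sh; audit_keystone_wiring /etc/keystone/keystone.conf /etc/nova/api-paste.ini'`, where `audit.sh` is whatever name the block was saved under.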