Configuring Keystone in OpenStack (Essex)



Similar documents
1 Keystone OpenStack Identity Service

Introduction to Openstack, an Open Cloud Computing Platform. Libre Software Meeting

Getting Started with the CLI and APIs using Cisco Openstack Private Cloud

OpenStack Beginner s Guide (for Ubuntu - Precise)

How To Create A Port On A Neutron.Org Server On A Microsoft Powerbook (Networking) On A Macbook 2 (Netware) On An Ipad Or Ipad On A

Red Hat OpenStack Platform 8 DNS-as-a-Service Guide

Prepared for: How to Become Cloud Backup Provider

Summarized OpenStack Install Guide

Introduction to CloudScript

Keywords OpenStack, private cloud, infrastructure, AWS, IaaS

User and Programmer Guide for the FI- STAR Monitoring Service SE

Ulteo Open Virtual Desktop Installation

WP4: Cloud Hosting Chapter Object Storage Generic Enabler

INUVIKA OVD INSTALLING INUVIKA OVD ON UBUNTU (TRUSTY TAHR)

Copyright Pivotal Software Inc, of 10

Red Hat Enterprise Linux OpenStack Platform 7 Users and Identity Management Guide

A SHORT INTRODUCTION TO DUPLICITY WITH CLOUD OBJECT STORAGE. Version

ULTEO OPEN VIRTUAL DESKTOP UBUNTU (PRECISE PANGOLIN) SUPPORT

Setting up your virtual infrastructure using FIWARE Lab Cloud

Installation documentation for Ulteo Open Virtual Desktop

Pasquale Vitale Engineering Ingegneria Informatica. FIWARE LAB Cloud Portal

OpenStack Cloud Convergence with Emulex OCe14000 Ethernet Adapters

Sahara. Release rc2. OpenStack Foundation

How To Install Openstack On Ubuntu (Amd64)

Installing an open source version of MateCat

Anexo 1 : Ficheros de instalación Scripts

Ubuntu Cloud Infrastructure - Jumpstart Deployment Customer - Date

Ubuntu OpenStack Fundamentals Training

Lucid Key Server v2 Installation Documentation.

docs.rackspace.com/api

Manila OpenStack File Sharing Service

Ubuntu OpenStack on VMware vsphere: A reference architecture for deploying OpenStack while limiting changes to existing infrastructure

JAMF Software Server Installation Guide for Linux. Version 8.6

Australian Journal of Basic and Applied Sciences

Cloud Elements ecommerce Hub Provisioning Guide API Version 2.0 BETA

INSTALLING KAAZING WEBSOCKET GATEWAY - HTML5 EDITION ON AN AMAZON EC2 CLOUD SERVER

Release Notes for Fuel and Fuel Web Version 3.0.1

EMC Data Protection Search

Creating a DUO MFA Service in AWS

How To Install Linux, Apache, MySQL, PHP (LAMP) stack on Ubuntu

AVG Business Secure Sign On Active Directory Quick Start Guide

Salesforce Files Connect Implementation Guide

Active Directory Management. Agent Deployment Guide

insync Installation Guide

Perforce Helix Threat Detection On-Premise Deployment Guide

How To Use Kiteworks On A Microsoft Webmail Account On A Pc Or Macbook Or Ipad (For A Webmail Password) On A Webcomposer (For An Ipad) On An Ipa Or Ipa (For

Network Management & Monitoring Request Tracker (RT) Installation and Configuration

Source Code Management for Continuous Integration and Deployment. Version 1.0 DO NOT DISTRIBUTE

OpenStack Installation Guide for Red Hat Enterprise Linux, CentOS, and Fedora

CLOUD CRUISER FOR WINDOWS AZURE PACK

Quick Start Guide for Parallels Virtuozzo

SOA Software API Gateway Appliance 7.1.x Administration Guide

AVG Business SSO Connecting to Active Directory

Cloud on TEIN Part I: OpenStack Cloud Deployment. Vasinee Siripoonya Electronic Government Agency of Thailand Kasidit Chanchio Thammasat University

Cloud Services ADM. Agent Deployment Guide

Wind River. Intelligent Device Platform XT EMS Profile EMS DEVICE MANAGEMENT USER'S GUIDE WIND RIVER 1.0

Acronis Storage Gateway

MySQL Backups: From strategy to Implementation

Windows Azure Pack Installation and Initial Configuration

Install BA Server with Your Own BA Repository

docs.rackspace.com/api

CDH installation & Application Test Report

Installation of PHP, MariaDB, and Apache

Configuring MailArchiva with Insight Server

Partek Flow Installation Guide

Using Microsoft Windows Authentication for Microsoft SQL Server Connections in Data Archive

Intel Internet of Things (IoT) Developer Kit


SnapLogic Sidekick Guide

FileMaker 11. ODBC and JDBC Guide

Use Enterprise SSO as the Credential Server for Protected Sites

Web Sites, Virtual Machines, Service Management Portal and Service Management API Beta Installation Guide

INTEGRATION GUIDE. DIGIPASS Authentication for Salesforce using IDENTIKEY Federation Server

QuickStart Guide for Managing Mobile Devices. Version 9.2

OpenStack Introduction. November 4, 2015

Amazon EFS (Preview) User Guide

A SHORT INTRODUCTION TO BITNAMI WITH CLOUD & HEAT. Version

Importing data from Linux LDAP server to HA3969U

IBM Cloud Manager with OpenStack. REST API Reference, version 4.1

An Oracle White Paper September Oracle WebLogic Server 12c on Microsoft Windows Azure

Apache HTTP Server. Implementation Guide. (Version 5.7) Copyright 2013 Deepnet Security Limited

OnCommand Performance Manager 1.1

Riverbed Cascade Shark Common REST API v1.0

Configuration Manager Error Messages

IT Support Tracking with Request Tracker (RT)

Transcription:

WHITE PAPER Configuring Keystone in OpenStack (Essex) Joshua Tobin April 2012 Copyright Canonical 2012 www.canonical.com

Executive introduction Keystone is an identity service written in Python that provides a pluggable back end, designed to support various protocols for authentication and authorisation (Basic Auth, OAuth, and OpenID, to give a few examples). Simply put, it allows clients to obtain security tokens to access different cloud services. Keystone was spawned from the OpenStack project and is designed to work with the OpenStack API. The following tutorial is a brief walk-through the configuration of Keystone, based on the Essex-4 OpenStack release in Ubuntu 12.04. There were major changes made to Keystone during Essex-3 and Essex-4, so be sure you re using the latest Essex-4 code. It is important to familiarise yourself with a few key concepts before continuing with the tutorial. Joshua Tobin is a member of the Professional Engineering Services team at Canonical. As a Services Engineer he is thrilled to be working on all things OpenStack related. Prior to Canonical, Tobin spent five years as DevOps helping to scale the MMOG 3D virtual world of Second Life. Throughout the tutorial, it is assumed we have three hosts, each with a separate IP address. The first host will be running the nova-api, the second host will consist of MySQL/Glance/Keystone and the third host will be referenced as a swift endpoint. Copyright Canonical 2012 Page 2 of 11

Contents EXECUTIVE INTRODUCTION 1 CONFIGURING KEYSTONE 3 PROFESSIONAL SERVICES FROM CANONICAL 11 Copyright Canonical 2012 Page 3 of 11

Configuring Keystone Let s start by setting up a MySQL database. Note that the identity service supports various other stores such as LDAP, however these will not be covered here. Before installing MySQL, we first pre-seed the root user by configuring the password: $ MYSQL_PASS=ubunturocks $ cat <<MYSQL_PRESEED sudo debconf-set-selections mysql-server-5.1 mysql-server/root_password password $MYSQL_PASS mysql-server-5.1 mysql-server/root_password_again password $MYSQL_PASS mysql-server-5.1 mysql-server/start_on_boot boolean true MYSQL_PRESEED Install from apt sources: $ sudo apt-get install -y mysql-server Configure MySQL to listen on all interfaces: $ sudo sed -i s/127.0.0.1/0.0.0.0/g /etc/mysql/my.cnf Restart MySQL: $ sudo service mysql restart Lastly, we need to configure a Keystone user and permissions for MySQL: $ mysql -u root -p mysql> CREATE DATABASE keystone; CREATE USER keystone @ localhost IDENTIFIED BY Secret_pass ; GRANT ALL PRIVILEGES ON keystone.* TO keystone @ localhost WITH GRANT OPTION; CREATE USER keystone @ % IDENTIFIED BY Secret_pass ; GRANT ALL PRIVILEGES ON keystone.* TO keystone @ % IDENTIFIED BY Secret_pass ; FLUSH PRIVILEGES; Copyright Canonical 2012 Page 4 of 11

Now we re ready to start the installation and configuration of Keystone. First we ll install via apt sources. $ sudo apt-get install -y keystone curl python-mysqldb python-dateutil Keystone s configuration resides in /etc/keystone/keystone.conf. We ll need to update the MySQL connection as well as configure the admin token, as shown below. Using your favourite editor, open /etc/keystone/keystone.conf. $ sudo vi /etc/keystone/keystone.conf Comment out the following default sql connection parameter. #connection = sqlite:////var/lib/keystone/keystone.db Insert a new connection parameter. Be sure to insert your password to match the MySQL permissions. connection = mysql://keystone:secret_pass@127.0.0.1/keystone Next we need to update the ADMIN_TOKEN variable. Note that the admin_token is essentially the keys to the kingdom. It should be kept secure and should be changed from the default. Add the following: admin_token = 999888777666 Change file permissions to make sure only the Keystone user/group can read the file $ sudo chown keystone:root /etc/keystone/keystone.conf $ sudo chmod 0640 /etc/keystone/keystone.conf In order to properly communicate with the Keystone service, we ll need to export the following variables. For KEYSTONE_IP be sure the IP address is the IP address of the host that is running the Keystone API, in our case, 10.230.7.2. $ export KEYSTONE_IP=10.230.7.2 # IP of your keystone API server $ export SERVICE_ENDPOINT=http://$KEYSTONE_IP:35357/v2.0/ $ export SERVICE_TOKEN=999888777666 Now we need to seed the database with the keystone-manage utility. $ sudo keystone-manage db_sync Restart the Keystone service and check to see that the API is functional. $ sudo service keystone restart Running Keystone user-list should return an empty set of users. This will verify that the API is functional. If any errors occur, ensure that you ve properly exported the Keystone variables listed above. $ keystone user-list Copyright Canonical 2012 Page 5 of 11

Next we need to tell Keystone which endpoints are available. Endpoints are a combination of URLs and ports where a service may be accessed. In this example we ll be defining services for the Compute (Nova-API), Identity (Keystone), Image (Glance-API), and Storage (Swift). First, let s make a few bash variables to simplify the configuration. Be sure to substitute the IP addresses below to match your environment. $ NOVA_IP=10.230.7.1 $ GLANCE_IP=10.230.7.2 $ SWIFT_IP=10.230.7.3 Each endpoint requires a Public, Admin, and Internal URL. Note that %(tenant_id)s is a template variable that will be used by Keystone to substitute a tenant s id and form a proper URL to gain access to specific tenants. Again we re going to make a few bash variables for each endpoint to make configuration a bit easier. NOVA_PUBLIC_URL= http://$nova_ip:8774/v1.1/%(tenant_id)s NOVA_ADMIN_URL=$NOVA_PUBLIC_URL NOVA_INTERNAL_URL=$NOVA_PUBLIC_URL GLANCE_PUBLIC_URL= http://$glance_ip:9292/v1 GLANCE_ADMIN_URL=$GLANCE_PUBLIC_URL GLANCE_INTERNAL_URL=$GLANCE_PUBLIC_URL KEYSTONE_PUBLIC_URL= http://$keystone_ip:5000/v2.0 KEYSTONE_ADMIN_URL= http://$keystone_ip:35357/v2.0 KEYSTONE_INTERNAL_URL=$KEYSTONE_PUBLIC_URL SWIFT_PUBLIC_URL= https://$swift_ip:443/v1/auth_%(tenant_id)s SWIFT_ADMIN_URL= https://$swift_ip:443/v1 SWIFT_INTERNAL_URL=$SWIFT_PUBLIC_URL Copyright Canonical 2012 Page 6 of 11

Use the service-create argument, which will add entries in the database for each service endpoint. $ keystone service-create --name nova --type compute --description OpenStack Compute Service $ keystone service-create --name swift --type object-store --description OpenStack Storage Service $ keystone service-create --name glance --type image --description OpenStack Image Service $ keystone service-create --name keystone --type identity --description OpenStack Identity Service Now for the tricky part. In order for Keystone to properly map each service endpoint to a URL we need to associate each service endpoint ID, which is a UUID created by Keystone, to a URL and a region. For this we ll again use bash variables to create each endpoint. Starting with the compute service, we ll need to use the service-list command to get the service ID. $ ID=$(keystone service-list grep -i compute awk {print $2} ) Then let s echo the ID to make sure we ve got what we re expecting. $ echo $ID e97d2e58d0d34054b34ce1994701a136 Using the endpoint-create argument, map the service ID to a region, let s call it RegionOne, and each Public, Admin and Internal URL variable we ve created above. $ keystone endpoint-create --region RegionOne --service_id $ID --publicurl $NOVA_PUBLIC_URL --adminurl $NOVA_ADMIN_URL --internalurl $NOVA_INTERNAL_URL We ve now got an endpoint created in the database. Let s verify that the endpoint looks as expected by using the endpoint-list argument. This will return an ASCII table of each of the endpoints available to Keystone. $ keystone endpoint-list Copyright Canonical 2012 Page 7 of 11

Next create the remaining three endpoints: $ ID=$(keystone service-list grep -i object-store awk {print $2} ) $ keystone endpoint-create --region RegionOne --service_id $ID --publicurl $SWIFT_PUBLIC_URL --adminurl $SWIFT_ADMIN_URL --internalurl $SWIFT_INTERNAL_URL $ ID=$(keystone service-list grep -i identity awk {print $2} ) $ keystone endpoint-create --region RegionOne --service_id $ID --publicurl $KEYSTONE_PUBLIC_URL --adminurl $KEYSTONE_ADMIN_URL --internalurl $KEYSTONE_INTERNAL_URL $ ID=$(keystone service-list grep -i image awk {print $2} ) $ keystone endpoint-create --region RegionOne --service_id $ID --publicurl $GLANCE_PUBLIC_URL --adminurl $GLANCE_ADMIN_URL --internalurl $GLANCE_INTERNAL_URL Tenants within Keystone represent a high level of grouping of users. A tenant can have zero or more users and users can also be in more than one tenant. Below, we re creating a tenant using the tenant-create argument with a name of ubuntu. We ll need to refer to the tenant ID in a moment so we ll create yet another bash variable. $ TENANT_ID=$(keystone tenant-create --name ubuntu grep id awk {print $4} ) A role in Keystone can be thought of as metadata that is assigned to user and tenant pairs. As you will again see, we ll need to capture the ID of each role. $ ADMIN_ROLE=$(keystone role-create --name Admin grep id awk {print $4} ) $ KEYSTONE_ADMIN_ROLE=$(keystone role-create --name KeystoneServiceAdmin grep id awk {print $4} ) $ MEMBER_ROLE=$(keystone role-create --name Member grep id awk {print $4} ) Users have account credentials and can be associated with one or more tenants. Let s create two users, admin and ubuntu, using the user-create argument. Note that we re associating both the admin user and the ubuntu user with the ubuntu tenant. $ keystone user-create --name admin --tenant_id $TENANT_ID --pass openstack \ --email root@localhost --enabled true $ keystone user-create --name ubuntu --tenant_id $TENANT_ID --pass openstack \ --email ubuntu@localhost --enabled true Copyright Canonical 2012 Page 8 of 11

We re almost there! Next, we need to associate a user with a role, using the user-role-add argument of the Keystone tool. This requires a user id, role id, and a tenant id. As you may have noticed above we created three different roles. An ADMIN_ROLE, KEYSTONE_ADMIN_ROLE and a MEMBER_ROLE, each with different id s. Since a user can belong to multiple roles, we re going to script a for loop to add the admin user to all available roles, and the ubuntu user to all roles except the KEYSTONE_ADMIN_ROLE. # Get the user id for the admin user $ ADMIN_USER=$(keystone user-list grep admin awk {print $2} ) # Add the Admin user to Admin, KeystoneServiceAdmin, and Member Roles $ for ROLE in Admin KeystoneServiceAdmin Member do ROLE_ID=$(keystone role-list grep \ $ROLE\ awk {print $2} ) keystone user-role-add --user $ADMIN_USER --role $ROLE_ID --tenant_id $TENANT_ID done # Get the user id for the ubuntu user $ UBUNTU_USER=$(keystone user-list grep ubuntu awk {print $2} ) # Add the ubuntu User to Admin and Member Roles $ for ROLE in Admin Member do ROLE_ID=$(keystone role-list grep \ $ROLE\ awk {print $2} ) keystone user-role-add --user $UBUNTU_USER --role $ROLE_ID --tenant_ id $TENANT_ID done Copyright Canonical 2012 Page 9 of 11

Now let s ask Keystone about our new configuration and verify that our tokens have access to the tenant! Log into the host that has the Keystone API and run the following command using curl. This will verify the API is up and listening. Hint: piping to python -mjson.tool makes the output much easier to read. curl http://localhost:5000/v2.0/ python -mjson.tool Next, let s ask Keystone for the token ID for the admin user. You should have received json output printed. Note the ID of the token. $ curl -d { auth :{ passwordcredentials :{ username : admin, password : openstack }}} -H Content-type: application/json http://localhost:35357/v2.0/tokens python -mjson.tool We can then ask Keystone what tenants a token has access to. Be sure to substitute the token ID you received from the last curl. $ curl -H X-Auth-Token:887665443383838 http://localhost:5000/v2.0/ tenants Thats it! You should now see the ubuntu tenant associated with a user s token! Copyright Canonical 2012 Page 10 of 11

Professional services from Canonical Canonical provides commercial support for Ubuntu in the form of Ubuntu Advantage, a range of professional service packages, delivered by Ubuntu experts. To learn more about how we could help you implement your cloud strategy, visit: ubuntu.com/business/services/overview Credit for the endpoint creation code goes to Kevin Jackson (kevin@linuxservices.co.uk). Canonical Limited 2012. Ubuntu, Kubuntu, Canonical and their associated logos are the registered trademarks of Canonical Limited. All other trademarks are the properties of their respective owners. Any information referred to in this document may change without notice and Canonical will not be held responsible for any such changes. Canonical Limited, Registered in England and Wales, Company number 110334C Registered Office: One Circular Road, Douglas, Isle of Man IM1 1SB VAT Registration: GB 003 2322 47 Page 11 of 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information