Chapter 7. Deploying Identity Services (Keystone)

This chapter covers the installation and configuration of Keystone, the Identity service.

7.1. Installation and Initial Configuration

Start by running the command that installs the openstack-keystone package:
$ sudo yum install -y openstack-keystone
Keystone uses a MySQL database. Use the openstack-db utility to create and initialize the tables for Keystone. If MySQL has not yet been installed on this server, the script installs it as well. Ensure that you replace PASSWORD with a secure password to be used by the service when connecting to the database:
$ sudo openstack-db --init --service keystone \
        --password PASSWORD
In order to administer Keystone, bootstrap the Keystone client with the SERVICE_TOKEN and SERVICE_ENDPOINT environment variables. Save the value of SERVICE_TOKEN in a file for later use:
$ export SERVICE_TOKEN=$(openssl rand -hex 10)
$ echo $SERVICE_TOKEN > ~/ks_admin_token
The SERVICE_TOKEN must match the value of the admin_token option in the Keystone configuration file, /etc/keystone/keystone.conf. Set the admin_token option using this command:
$ sudo openstack-config --set /etc/keystone/keystone.conf \
        DEFAULT admin_token $SERVICE_TOKEN
Now start the Keystone service:
$ sudo service openstack-keystone start
$ sudo chkconfig openstack-keystone on
Verify that the Keystone service is running and that no errors are present in the Keystone log file:
$ ps -ef | grep -i keystone-all
keystone  8254     1  6 14:26 ?        00:00:00 /usr/bin/python /usr/bin/keystone-all --config-file /etc/keystone/keystone.conf
osuser    8263  7795  0 14:26 pts/0    00:00:00 grep -i keystone-all
$ grep ERROR /var/log/keystone/keystone.log
Register Keystone itself as a service and endpoint in Keystone's own service catalog; Horizon (the web dashboard) requires this entry. Note that the id returned by the service-create command is then passed as the --service_id argument of the endpoint-create command:
$ keystone service-create --name=keystone --type=identity \
  --description="Keystone Identity Service"
|   Property  |              Value               |
| description |     Keystone Identity Service    |
| id          | a8bff1db381f4751bd8ac126464511ae |
| name        |             keystone             |
| type        |             identity             |
$ keystone endpoint-create \
  --service_id a8bff1db381f4751bd8ac126464511ae \
  --publicurl '' \
  --adminurl '' \
  --internalurl ''
|   Property  |              Value               |
| adminurl    |    |
| id          | 1295011fdc874a838f702518e95a0e13 |
| internalurl |     |
| publicurl   |     |
| region      |             regionOne            |
| service_id  | a8bff1db381f4751bd8ac126464511ae |


Ensure that the publicurl, adminurl, and internalurl parameters include the correct IP address for your Keystone identity server.
Allow incoming connections to Keystone by adding this firewall rule to the /etc/sysconfig/iptables configuration file:
-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT


This rule allows communication from all remote hosts to the system running the Keystone services on ports 5000 (public API) and 35357 (admin API). For information on creating more restrictive firewall rules, refer to the Red Hat Enterprise Linux 6 Security Guide.
Use the service command to restart the iptables service for the new rule to take effect.
$ sudo service iptables restart
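The steps above leave several things worth checking before moving on: that the admin_token in keystone.conf really matches the token saved to ~/ks_admin_token, that the saved token file is not world-readable, that the log is clean, that the endpoint URLs were not left empty, and whether the iptables rule restricts its source. The script below is an added example (not part of the Red Hat guide); each function takes file paths as arguments so it can be pointed at the real files or at copies, and the use of GNU coreutils `ls -l` permission strings is an assumption.

```shell
#!/bin/sh
# Post-bootstrap checks for the Keystone steps above. Added example, not from
# the guide. Every function takes file paths so it can run against the real
# /etc/keystone/keystone.conf, ~/ks_admin_token, keystone.log and
# /etc/sysconfig/iptables, or against copies constructed for a dry run.

# 0 if the admin_token written to keystone.conf equals the token saved in
# the token file (the value exported as SERVICE_TOKEN above).
token_matches() {
    conf_token=$(sed -n 's/^admin_token[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1)
    saved_token=$(head -n 1 "$2")
    [ -n "$conf_token" ] && [ "$conf_token" = "$saved_token" ]
}

# 0 if the saved token file is readable by its owner only: the admin token
# grants full control of Keystone, so other local users must not read it.
token_file_private() {
    perms=$(ls -l "$1" | cut -c1-10)   # assumption: GNU ls permission string
    [ "$perms" = "-rw-------" ] || [ "$perms" = "-r--------" ]
}

# Prints the number of ERROR lines in the Keystone log (0 on a clean start).
log_error_count() {
    grep -c ERROR "$1" || true
}

# 0 if publicurl, adminurl and internalurl in a saved `keystone endpoint-create`
# (or endpoint-get) table all carry a real http(s)://host value.
endpoint_urls_set() {
    awk -F'|' '
        { gsub(/^[ \t]+|[ \t]+$/, "", $2); gsub(/^[ \t]+|[ \t]+$/, "", $3) }
        $2 == "publicurl" || $2 == "adminurl" || $2 == "internalurl" {
            seen++
            if ($3 !~ "^https?://[^/]+") bad++
        }
        END { if (seen == 3 && bad == 0) exit 0; exit 1 }
    ' "$1"
}

# 0 if the Keystone rule in an iptables file limits the source (-s) instead of
# accepting ports 5000 and 35357 from every host, as the rule above does.
keystone_rule_restricted() {
    grep -- '--dports 5000,35357' "$1" | grep -q -- ' -s '
}
```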
The following diagram gives an overview of what you have installed, configured, and running so far:
Figure 7.1. Keystone installed and configured