DRAFT -  DRAFT -  DRAFT -  DRAFT -  DRAFT -  DRAFT -  DRAFT -  DRAFT - 

Install the Identity service:

sudo apt-get install keystone

Install curl, a command-line tool for running REST API requests:

sudo apt-get install curl

After installing, delete the SQLite database the package creates, then change the configuration to point to the MySQL database.

Delete the keystone.db file created in the /var/lib/keystone/ directory.

sudo rm /var/lib/keystone/keystone.db

Configure the production-ready backend data store. For Compute you must use a SQLAlchemy-compatible database, such as MySQL or PostgreSQL. This example shows MySQL.

First, install MySQL with:

sudo apt-get install python-mysqldb mysql-server

During the install, you'll be prompted for the mysql root password. Enter a password of your choice and verify it.

Edit /etc/mysql/my.cnf to change "bind-address" from localhost (127.0.0.1) to any (0.0.0.0) and restart the mysql service:

sudo sed -i 's/127.0.0.1/0.0.0.0/g' /etc/mysql/my.cnf
sudo service mysql restart
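The sed command above replaces every occurrence of 127.0.0.1 in my.cnf, not only the bind-address line. The shell functions below are an added example (not from this guide) that rewrite just that key and let you bind to a specific address instead of 0.0.0.0, for instance the 192.168.206.130 that the sample sql_connection later in this page uses. They assume GNU sed (as on Ubuntu) and a single "bind-address = ..." line; the my.cnf fragment in write_sample_mycnf is constructed for testing.

```shell
#!/bin/sh
# Added example, not part of the original guide.
# Rewrite only the bind-address line of a MySQL config and read the
# resulting value, so the server listens where keystone will connect
# and nowhere else. Assumes GNU sed and one "bind-address = ..." line.

# Print the current bind-address of the config file given as $1.
get_bind_address() {
    sed -n 's/^[[:space:]]*bind-address[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# Replace the value of bind-address in file $1 with the address $2.
# Other occurrences of 127.0.0.1 (comments, other keys) are left alone.
# $2 is an IP address, so it contains no characters special to sed.
set_bind_address() {
    sed -i "s/^\([[:space:]]*bind-address[[:space:]]*=[[:space:]]*\).*/\1$2/" "$1"
}

# Write a small constructed my.cnf fragment to $1 (for testing only).
write_sample_mycnf() {
    cat > "$1" <<'EOF'
[mysqld]
user            = mysql
# comment mentioning 127.0.0.1 that must survive the edit
bind-address    = 127.0.0.1

[client]
host            = 127.0.0.1
EOF
}

# Typical use on the database host (file name of this script is hypothetical):
#   sudo sh -c '. ./mysql_bind.sh; set_bind_address /etc/mysql/my.cnf 192.168.206.130'
#   sudo service mysql restart
#   ss -ltn | grep 3306      # or: netstat -ltn | grep 3306 (confirm the listener)
```

Binding to the address keystone actually connects through, rather than 0.0.0.0, keeps the database off any other interface the host may have; the listener check after the restart confirms the change took effect.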

Create a MySQL database named "keystone" and a MySQL user named "keystone", and grant that user full access to the "keystone" database.

Start the mysql command line client by running:

mysql -u root -p

Enter the mysql root user's password when prompted.

To configure the MySQL database, create the keystone database.

mysql> CREATE DATABASE keystone;

Create a MySQL user for the newly created keystone database that has full control of the database.

mysql> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'yourpassword';

Enter quit at the mysql> prompt to exit MySQL.

mysql> quit
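The statements above grant the keystone user access from any host ('%'). As an added example that is not part of this guide, the shell functions below produce the same CREATE DATABASE and GRANT statements scoped to the host keystone connects from, escape the password correctly for a MySQL string literal, generate a random password, and print the matching sql_connection value for keystone.conf. The host and password are parameters you supply; the MySQL server and client come from the steps above.

```shell
#!/bin/sh
# Added example, not part of the original guide: build the SQL for the
# keystone database and user with the GRANT limited to one client host
# instead of the '%' wildcard, plus the sql_connection line for keystone.conf.

# Escape a value for use inside a single-quoted MySQL string literal:
# backslashes and single quotes are doubled.
sql_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e "s/'/''/g"
}

# Print CREATE DATABASE / GRANT statements for 'keystone'@'$1' with password $2.
# $1 is the address keystone connects FROM; a leaked password is then only
# usable from that node rather than from anywhere.
keystone_db_sql() {
    host=$(sql_escape "$1")
    pw=$(sql_escape "$2")
    printf "CREATE DATABASE IF NOT EXISTS keystone;\n"
    printf "GRANT ALL ON keystone.* TO 'keystone'@'%s' IDENTIFIED BY '%s';\n" "$host" "$pw"
    printf "FLUSH PRIVILEGES;\n"
}

# Print the sql_connection value for keystone.conf ($1 = MySQL server address, $2 = password).
keystone_sql_connection() {
    printf 'mysql://keystone:%s@%s/keystone\n' "$2" "$1"
}

# Generate a random 24-character hex password for the keystone DB user.
new_db_password() {
    head -c 12 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Typical use (single-node install, so client host and server address coincide):
#   PW=$(new_db_password)
#   keystone_db_sql 192.168.206.130 "$PW" | mysql -u root -p
#   mysql -u keystone -p -h 192.168.206.130 -e 'SELECT 1' keystone   # verify login, password prompted
#   keystone_sql_connection 192.168.206.130 "$PW"   # value to paste into keystone.conf
```

The verification login uses -p without the password on the command line, so the secret does not show up in the process list or shell history.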

Edit /etc/keystone/keystone.conf to set sql_connection to the backend data store you just created. Ensure that the file is owned by the keystone user and is not world-readable, since it contains the MySQL password.

sudo nano /etc/keystone/keystone.conf
sudo chown keystone /etc/keystone/keystone.conf
sudo chmod 0640 /etc/keystone/keystone.conf

Here is an example section:

[keystone.backends.sqlalchemy]
# SQLAlchemy connection string for the reference implementation registry
# server. Any valid SQLAlchemy connection string is fine.
# See: http://bit.ly/ideIpI
sql_connection = mysql://keystone:yourpassword@192.168.206.130/keystone
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
                    'User', 'Credentials', 'EndpointTemplates', 'Token',
                    'Service']

Edit /etc/keystone/keystone.conf to use the IP address and ports for your environment; an example keystone.conf follows. Check the keystone ports carefully: the default keystone auth port changed from 5001 to 35357, but the packages install a conf file that still sets auth_port to 5001.

[DEFAULT]
# Show more verbose log output (sets INFO log level output)
verbose = False

# Show debugging output in logs (sets DEBUG log level output)
debug = False

# Which backend store should Keystone use by default.
# Default: 'sqlite'
# Available choices are 'sqlite' [future will include LDAP, PAM, etc]
default_store = sqlite

# Log to this file. Make sure you do not set the same log
# file for both the API and registry servers!
log_dir = /var/log/keystone
log_file = keystone.log

# List of backends to be configured
backends = keystone.backends.sqlalchemy
#For LDAP support, add: ,keystone.backends.ldap

# Dictionary Maps every service to a header.Missing services would get header
# X_(SERVICE_NAME) Key => Service Name, Value => Header Name
service-header-mappings = {
        'nova' : 'X-Server-Management-Url',
        'swift' : 'X-Storage-Url',
        'cdn' : 'X-CDN-Management-Url'}

# Address to bind the API server
# TODO Properties defined within app not available via pipeline.
service_host = 0.0.0.0

# Port the bind the API server to
service_port = 5000

# Address to bind the Admin API server
admin_host = 0.0.0.0

# Port the bind the Admin API server to
admin_port = 35357

#Role that allows to perform admin operations.
keystone-admin-role = Admin

#Role that allows to perform service admin operations.
keystone-service-admin-role = KeystoneServiceAdmin

#Tells whether password user need to be hashed in the backend
hash-password = True

[keystone.backends.sqlalchemy]
# SQLAlchemy connection string for the reference implementation registry
# server. Any valid SQLAlchemy connection string is fine.
# See: http://bit.ly/ideIpI
sql_connection = mysql://keystone:yourpassword@192.168.206.130/keystone
backend_entities = ['UserRoleAssociation', 'Endpoints', 'Role', 'Tenant',
                    'User', 'Credentials', 'EndpointTemplates', 'Token',
                    'Service']
        
# Period in seconds after which SQLAlchemy should reestablish its connection
# to the database.
sql_idle_timeout = 30

[pipeline:admin]
pipeline =
    urlrewritefilter
    d5_compat
    admin_api
                               
[pipeline:keystone-legacy-auth]
pipeline =
    urlrewritefilter
    legacy_auth
    d5_compat
    service_api

[app:service_api]
paste.app_factory = keystone.server:service_app_factory

[app:admin_api]
paste.app_factory = keystone.server:admin_app_factory

[filter:urlrewritefilter]
paste.filter_factory = keystone.middleware.url:filter_factory

[filter:legacy_auth]
paste.filter_factory = keystone.frontends.legacy_token_auth:filter_factory

[filter:d5_compat]
paste.filter_factory = keystone.frontends.d5_compat:filter_factory

[filter:debug]
paste.filter_factory = keystone.common.wsgi:debug_filter_factory

Restart the Identity Service.

sudo service keystone restart

Next, you configure the Identity Service by defining roles and users.