There are three steps to configuring Keystone with Quantum:
1.Running the Keystone Service
The Keystone identity service is a requirement. It must be installed, although not necessarily on the same machine where Quantum is running; both Keystone's admin API and service API should be running.
2.Enabling Authentication and Authorization within Quantum
Authentication and Authorization middleware should be enabled in the Quantum pipeline. To this aim, uncomment the following line in quantum.conf:
pipeline = authtoken extensions quantumapiapp_v1_0
3. Configuring Quantum to Connect to Keystone
The final step concerns configuring access to Keystone. The correct values of the following attributes must be specified in the [filter:authtoken] section of quantum.conf:
paste.filter_factory = keystone.middleware.auth_token:filter_factory auth_host = 127.0.0.1 auth_port = 35357 auth_protocol = http auth_uri = http://127.0.0.1:5000/
4. Setup Keystone Admin Credentials
In order to validate authentication tokens, Quantum uses Keystone's administrative API. It therefore requires credentials for an administrative user, which can be specified in Quantum's configuration file (quantum.conf) Either username and password, or an authentication token for an administrative user can be specified in the configuration file:
admin_token: Keystone token for administrative access
admin_user: Keystone user with administrative rights
admin_password: Password for the user specified with admin_user
admin_tenant_name: Tenant for admin_user
For example, using password:
admin_tenant_name = service admin_user = nova admin_password = sp
Or using a token:
admin_token = 9a82c95a-99e9-4c3a-b5ee-199f6ba7ff04
![[Note]](../common/images/admon/note.png) | Note |
|---|---|
admin_token and admin_user/password are exclusive. If both are specified, admin_token has priority. |
