Jonathan Gershater

Installing OpenStack Keystone (Identity) Service | Part 1

Installing Keystone, with colour-coded output: first of five posts

[DEFAULT]
log_file = /var/log/keystone/keystone.log
admin_token = fa2dd4a33771673bf266
# A "shared secret" between keystone and other openstack services
# admin_token = ADMIN
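
The admin_token is a bootstrap shared secret: any process that can read keystone.conf and reach the admin port (35357) can act as a full administrator with it, so it should be a random value like the one above rather than the sample file's ADMIN, and the file should not be readable by other users. The checks below are an added example, not part of the original post or of Keystone itself; they assume the [DEFAULT] layout shown above and the GNU/BSD stat commands for reading the file mode.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check admin_token in keystone.conf
# before using it to bootstrap the identity service. Assumes the "admin_token = <value>"
# form shown in the post.

# get_admin_token FILE: print the first uncommented admin_token value in FILE.
get_admin_token() {
    conf="$1"
    sed -n 's/^[[:space:]]*admin_token[[:space:]]*=[[:space:]]*//p' "$conf" | head -n 1
}

# check_admin_token FILE: 0 when the token is acceptable; 1 when it is unset, the shipped
# default "ADMIN", or shorter than 16 characters (too little entropy for a shared secret).
check_admin_token() {
    tok="$(get_admin_token "$1")"
    [ -n "$tok" ] || { echo "admin_token is not set" >&2; return 1; }
    [ "$tok" != "ADMIN" ] || { echo "admin_token is the stock default 'ADMIN'" >&2; return 1; }
    [ "${#tok}" -ge 16 ] || { echo "admin_token is too short (${#tok} chars)" >&2; return 1; }
    return 0
}

# check_conf_perms FILE: 0 when 'other' has no permission bits (octal mode ends in 0),
# 1 otherwise. Uses GNU stat -c and falls back to BSD/macOS stat -f.
check_conf_perms() {
    mode="$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")"
    case "$mode" in
        *0) return 0 ;;
        *)  echo "$1 is readable by others (mode $mode)" >&2; return 1 ;;
    esac
}
```

Run it as `check_admin_token /etc/keystone/keystone.conf && check_conf_perms /etc/keystone/keystone.conf` before starting the service; the length check is a floor, not a guarantee, so generate the token from a CSPRNG (for example `openssl rand -hex 10` gives a 20-character value like the one in the post).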

Create tenant

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 tenant-create --name demo --description "Default Tenant"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |          Default Tenant          |
|   enabled   |               True               |
|      id     | 00b659ba07f24850afd480827bc0cc78 |
|     name    |               demo               |
+-------------+----------------------------------+

Create tenant admin user

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 user-create --tenant-id 00b659ba07f24850afd480827bc0cc78 --name admin --pass password

+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
|  email   |                                                                                                                         |
| enabled  |                                                           True                                                          |
|    id    |                                             5eecad2d999f4f9388b2c65da88cead3                                            |
|   name   |                                                          admin                                                          |
| password | $6$rounds=40000$fK/s74X.IJksdimv$9bgbaAELA2.3wSM/fa1RxqNRXrtqwYiRWvuI/VMvp6oH5K4G8zEl8z/skbzWCpw8cpn3xRZ52uWMLsneuECnU. |
| tenantId |                                             00b659ba07f24850afd480827bc0cc78                                            |
+----------+-------------------------------------------------------------------------------------------------------------------------+

Create admin role

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 role-create --name admin

+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 174db9e563d54fb7be5b84f4e5a852ab |
|   name   |              admin               |
+----------+----------------------------------+

Assign admin role to admin user

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 user-role-add --user-id 5eecad2d999f4f9388b2c65da88cead3  --tenant-id 00b659ba07f24850afd480827bc0cc78 --role-id 174db9e563d54fb7be5b84f4e5a852ab
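
The four steps above (tenant, user, role, role assignment) each need an id copied out of the previous command's table, which is where transcription mistakes creep in. The script below is an added example, not the post's own commands: it runs the same sequence but parses each id from the CLI's table output. The KEYSTONE_CMD indirection, and the TOKEN and ENDPOINT defaults taken from the post, are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the original post: tenant -> user -> role -> role assignment with
# every id parsed from the keystone CLI's "| Property | Value |" tables instead of copied by
# hand. KEYSTONE_CMD, TOKEN and ENDPOINT are assumptions; override them for your deployment.
KEYSTONE_CMD="${KEYSTONE_CMD:-keystone}"
TOKEN="${TOKEN:-fa2dd4a33771673bf266}"                       # admin_token from keystone.conf
ENDPOINT="${ENDPOINT:-http://10.202.183.111:35357/v2.0}"     # admin endpoint from the post

# table_field TABLE PROPERTY: print the Value column of the row whose Property equals PROPERTY.
table_field() {
    printf '%s\n' "$1" | awk -F'|' -v key="$2" '
        { k = $2; gsub(/^ +| +$/, "", k)
          if (k == key) { v = $3; gsub(/^ +| +$/, "", v); print v } }'
}

# ks SUBCOMMAND ARGS...: run the keystone CLI with the bootstrap token and admin endpoint.
ks() { "$KEYSTONE_CMD" --token "$TOKEN" --endpoint "$ENDPOINT" "$@"; }

# bootstrap_admin TENANT USER PASSWORD ROLE: create the three objects and bind the role to
# the user in the tenant. Prints "tenant_id user_id role_id"; fails if an id is missing.
bootstrap_admin() {
    tenant_id="$(table_field "$(ks tenant-create --name "$1" --description "Default Tenant")" id)"
    [ -n "$tenant_id" ] || { echo "tenant-create returned no id" >&2; return 1; }
    user_id="$(table_field "$(ks user-create --tenant-id "$tenant_id" --name "$2" --pass "$3")" id)"
    [ -n "$user_id" ] || { echo "user-create returned no id" >&2; return 1; }
    role_id="$(table_field "$(ks role-create --name "$4")" id)"
    [ -n "$role_id" ] || { echo "role-create returned no id" >&2; return 1; }
    ks user-role-add --user-id "$user_id" --tenant-id "$tenant_id" --role-id "$role_id" >/dev/null || return 1
    echo "$tenant_id $user_id $role_id"
}
```

Usage: `bootstrap_admin demo admin password admin` reproduces the post's first four commands; the password is still passed on the command line here exactly as in the post, so on a shared host prefer reading it from a file or prompt rather than leaving it in shell history.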

Create service tenant

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 tenant-create --name service --description "Service Tenant"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |          Service Tenant          |
|   enabled   |               True               |
|      id     | f15ddad6aacd42d8811e24039a3165a2 |
|     name    |             service              |
+-------------+----------------------------------+

Create glance user

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 user-create --tenant-id 00b659ba07f24850afd480827bc0cc78 --name glance --pass password

+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
|  email   |                                                                                                                         |
| enabled  |                                                           True                                                          |
|    id    |                                             3692086ca6664f6faced71d3acb1dc67                                            |
|   name   |                                                          glance                                                         |
| password | $6$rounds=40000$eFyZDTIqY73n4Ayu$YN045q4lCV6w.udpido8gAvM84rALI/8JMi.X3pj9menvdLavo18NRRoGHVQ4Dz7E.rFpOvQwv32/rr6olDV/. |
| tenantId |                                             00b659ba07f24850afd480827bc0cc78                                            |
+----------+-------------------------------------------------------------------------------------------------------------------------+

Assign admin role to glance user

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 user-role-add --user-id 3692086ca6664f6faced71d3acb1dc67 --tenant-id 00b659ba07f24850afd480827bc0cc78 --role-id 174db9e563d54fb7be5b84f4e5a852ab

Create nova service user

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 user-create --tenant-id 00b659ba07f24850afd480827bc0cc78 --name nova --pass password

+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
|  email   |                                                                                                                         |
| enabled  |                                                           True                                                          |
|    id    |                                             51cd7aaa913c40d1aa4c7086766e7754                                            |
|   name   |                                                           nova                                                          |
| password | $6$rounds=40000$gJdm6xeIc/APZCHn$X2W3e/vOQGlCnk60gxwTv1BV8sKfkDGDzlWYF8tKv93QaBvp7I2enF1EhpJlqVCYj/zjpZmur7j6sG5ZIDbuq0 |
| tenantId |                                             00b659ba07f24850afd480827bc0cc78                                            |
+----------+-------------------------------------------------------------------------------------------------------------------------+

Create an EC2 Service User in the Service Tenant.

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 user-create --tenant-id 00b659ba07f24850afd480827bc0cc78 --name ec2 --pass password

+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
|  email   |                                                                                                                         |
| enabled  |                                                           True                                                          |
|    id    |                                             454c1966b6f843da818999076fd995dd                                            |
|   name   |                                                           ec2                                                           |
| password | $6$rounds=40000$bY/Be7PyrkUAZlc5$OMFvaNAugQO5X6u17Yj03PREIM5eyaUrc1ZAH6ntdU4SVZbLrtphpBjalujYVRzsNk3qPQMXV9PbwXR8Ek.4k/ |
| tenantId |                                             00b659ba07f24850afd480827bc0cc78                                            |
+----------+-------------------------------------------------------------------------------------------------------------------------+

Grant the admin role to the ec2 user in the service tenant.

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 user-role-add --user-id 454c1966b6f843da818999076fd995dd --tenant-id 00b659ba07f24850afd480827bc0cc78  --role-id 174db9e563d54fb7be5b84f4e5a852ab

Create an Object Storage Service User in the Service Tenant.

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 user-create --tenant-id 00b659ba07f24850afd480827bc0cc78 --name swift --pass password

+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
|  email   |                                                                                                                         |
| enabled  |                                                           True                                                          |
|    id    |                                             f23d5676753141ceafd215d5fd194c95                                            |
|   name   |                                                          swift                                                          |
| password | $6$rounds=40000$tF3jhxZS3xR8W.53$dKC9Zo/EbBGNeWZiyMnU5esvrrtZ4y/AAptQi9f15BtFEH3RYBY8dsOHyu1AH6Xq2rCRBIVHOR47.diLNn.mg0 |
| tenantId |                                             00b659ba07f24850afd480827bc0cc78                                            |
+----------+-------------------------------------------------------------------------------------------------------------------------+

Grant the admin role to the swift user in the service tenant

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0 user-role-add --user-id f23d5676753141ceafd215d5fd194c95 --tenant-id 00b659ba07f24850afd480827bc0cc78 --role-id 174db9e563d54fb7be5b84f4e5a852ab

Note that every user-create and user-role-add command above passes --tenant-id 00b659ba07f24850afd480827bc0cc78, which is the id of the demo tenant, so the glance, nova, ec2 and swift users (and their admin role) actually land in the demo tenant. To put them in the service tenant, as the headings describe, use that tenant's id, f15ddad6aacd42d8811e24039a3165a2, in both commands for each service user.

Create keystone services and service endpoints

Define identity service

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ service-create --name=keystone --type=identity --description="Keystone Identity Service"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |    Keystone Identity Service     |
|      id     | 6ed04aa7ec2f47648c65aa68b4869049 |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ endpoint-create --region RegionOne --service-id=6ed04aa7ec2f47648c65aa68b4869049 --publicurl=http://10.202.183.111:5000/v2.0 --internalurl=http://10.202.183.111:5000/v2.0 --adminurl=http://10.202.183.111:35357/v2.0

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  | http://10.202.183.111:35357/v2.0 |
|      id     | 401e7115c7744baea8bdbd5560252707 |
| internalurl | http://10.202.183.111:5000/v2.0  |
|  publicurl  | http://10.202.183.111:5000/v2.0  |
|    region   |            RegionOne             |
|  service_id | 6ed04aa7ec2f47648c65aa68b4869049 |
+-------------+----------------------------------+

Define the nova compute service; its endpoint URLs below carry %(tenant_id)s, which Keystone fills in with the tenant of the requesting token.

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ service-create --name=nova --type=compute --description="Nova Compute Service"

+-------------+----------------------------------+

|   Property  |              Value               |

+-------------+----------------------------------+

| description |       Nova Compute Service       |

|      id     | 9baa57ddfefc4dacbb1aa98f85ac2c4c |

|     name    |               nova               |

|     type    |             compute              |

+-------------+----------------------------------+

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ endpoint-create --region RegionOne --service-id=9baa57ddfefc4dacbb1aa98f85ac2c4c --publicurl='http://10.202.183.111:8774/v2/%(tenant_id)s' --internalurl='http://10.202.183.111:8774/v2/%(tenant_id)s' --adminurl='http://10.202.183.111:8774/v2/%(tenant_id)s'

+-------------+----------------------------------------------------------------------------------------------------+
|   Property  |                                               Value                                               |
+-------------+----------------------------------------------------------------------------------------------------+
|   adminurl  |                                                                                                   |
|      id     |                                  85d4f12015d244acaa1156f59c118f35                                 |
| internalurl | http://10.202.183.111:8774/v2/%(tenant_id)s --adminurl=http://10.202.183.111:8774/v2/%(tenant_id)s |
|  publicurl  |                            http://10.202.183.111:8774/v2/%(tenant_id)s                            |
|    region   |                                             RegionOne                                             |
|  service_id |                                  9baa57ddfefc4dacbb1aa98f85ac2c4c                                 |
+-------------+----------------------------------------------------------------------------------------------------+

Notice that in this output adminurl is empty and internalurl has the text "--adminurl=..." appended to it: that is what you get when there is no space between the closing quote of --internalurl and --adminurl, because the shell then passes both as a single argument. Check the result with keystone endpoint-list and, if the URLs are wrong, remove the endpoint with keystone endpoint-delete <id> and create it again with a space between the two options.
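
A small check run on every endpoint-create result catches the glued-argument mistake shown above before the next step depends on it. This is an added example, not part of the post; it reads the same "| Property | Value |" table the keystone CLI prints and treats an empty URL, a URL containing a space or "--", or a non-http(s) value as a failure.

```shell
#!/bin/sh
# Added example, not from the original post: validate the table printed by
# "keystone endpoint-create" so a malformed endpoint is caught immediately.

# table_field TABLE PROPERTY: print the Value column of the row whose Property equals PROPERTY.
table_field() {
    printf '%s\n' "$1" | awk -F'|' -v key="$2" '
        { k = $2; gsub(/^ +| +$/, "", k)
          if (k == key) { v = $3; gsub(/^ +| +$/, "", v); print v } }'
}

# check_endpoint TABLE: 0 if publicurl, internalurl and adminurl are each a single http(s)
# URL; otherwise report every offending property and return 1.
check_endpoint() {
    table="$1"; rc=0
    for prop in publicurl internalurl adminurl; do
        url="$(table_field "$table" "$prop")"
        case "$url" in
            "")                 echo "$prop is empty"; rc=1 ;;
            *" "*|*--*)         echo "$prop looks like two arguments glued together: $url"; rc=1 ;;
            http://*|https://*) ;;
            *)                  echo "$prop is not an http(s) URL: $url"; rc=1 ;;
        esac
    done
    return $rc
}
```

Usage: `check_endpoint "$(keystone --token ... --endpoint ... endpoint-create ...)"`. The function is written for the endpoint-create output (one property per row); endpoint-list prints one endpoint per row with a different layout, so inspect that by eye or adapt the awk field numbers.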

Define volume service

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ service-create --name=volume --type=volume --description="Nova Volume Service"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       Nova Volume Service        |
|      id     | d5352eed37f54e1fb0513758b4d30318 |
|     name    |              volume              |
|     type    |              volume              |
+-------------+----------------------------------+

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ endpoint-create --region RegionOne --service-id=d5352eed37f54e1fb0513758b4d30318 --publicurl='http://10.202.183.111:8776/v1/%(tenant_id)s' --internalurl='http://10.202.183.111:8776/v1/%(tenant_id)s' --adminurl='http://10.202.183.111:8776/v1/%(tenant_id)s'

+-------------+---------------------------------------------+
|   Property  |                    Value                    |
+-------------+---------------------------------------------+
|   adminurl  | http://10.202.183.111:8776/v1/%(tenant_id)s |
|      id     |       37461be338984ee380a389625992d622      |
| internalurl | http://10.202.183.111:8776/v1/%(tenant_id)s |
|  publicurl  | http://10.202.183.111:8776/v1/%(tenant_id)s |
|    region   |                  RegionOne                  |
|  service_id |       d5352eed37f54e1fb0513758b4d30318      |
+-------------+---------------------------------------------+

Define image service

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ service-create --name=glance --type=image --description="Glance Image Service"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       Glance Image Service       |
|      id     | 9a3e242a74284e56928a2cb797a728ec |
|     name    |              glance              |
|     type    |              image               |
+-------------+----------------------------------+

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ endpoint-create --region RegionOne --service-id=9a3e242a74284e56928a2cb797a728ec --publicurl=http://10.202.183.111:9292 --internalurl=http://10.202.183.111:9292 --adminurl=http://10.202.183.111:9292

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |    http://10.202.183.111:9292    |
|      id     | eca4477d4705441294337424bbb7bf06 |
| internalurl |    http://10.202.183.111:9292    |
|  publicurl  |    http://10.202.183.111:9292    |
|    region   |            RegionOne             |
|  service_id | 9a3e242a74284e56928a2cb797a728ec |
+-------------+----------------------------------+

Define ec2 compatibility service

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ service-create --name=ec2 --type=ec2 --description="EC2 Compatibility Layer"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |     EC2 Compatibility Layer      |
|      id     | 01f1ae7d6554405fb5be9680e9c992bb |
|     name    |               ec2                |
|     type    |               ec2                |
+-------------+----------------------------------+

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ endpoint-create --region RegionOne --service-id=01f1ae7d6554405fb5be9680e9c992bb --publicurl=http://10.202.183.111:8773/services/Cloud --internalurl=http://10.202.183.111:8773/services/Cloud --adminurl=http://10.202.183.111:8773/services/Admin

+-------------+-------------------------------------------+
|   Property  |                   Value                   |
+-------------+-------------------------------------------+
|   adminurl  | http://10.202.183.111:8773/services/Admin |
|      id     |      abf973a6a42647779e425a553349e00e     |
| internalurl | http://10.202.183.111:8773/services/Cloud |
|  publicurl  | http://10.202.183.111:8773/services/Cloud |
|    region   |                 RegionOne                 |
|  service_id |      01f1ae7d6554405fb5be9680e9c992bb     |
+-------------+-------------------------------------------+

Define the Object Storage service:

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ service-create --name=swift --type=object-store --description="Object Storage Service"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |      Object Storage Service      |
|      id     | f6f5f15827184aecac096703dc3b472a |
|     name    |              swift               |
|     type    |           object-store           |
+-------------+----------------------------------+

keystone --token fa2dd4a33771673bf266 --endpoint http://10.202.183.111:35357/v2.0/ endpoint-create --region RegionOne --service-id=f6f5f15827184aecac096703dc3b472a --publicurl 'http://10.202.183.111:8888/v1/AUTH_%(tenant_id)s' --adminurl 'http://10.202.183.111:8888/v1' --internalurl 'http://10.202.183.111:8888/v1/AUTH_%(tenant_id)s'

+-------------+--------------------------------------------------+
|   Property  |                      Value                       |
+-------------+--------------------------------------------------+
|   adminurl  |          http://10.202.183.111:8888/v1           |
|      id     |         8e718ce9ad02400ab4e154a45c07a535         |
| internalurl | http://10.202.183.111:8888/v1/AUTH_%(tenant_id)s |
|  publicurl  | http://10.202.183.111:8888/v1/AUTH_%(tenant_id)s |
|    region   |                    RegionOne                     |
|  service_id |         f6f5f15827184aecac096703dc3b472a         |
+-------------+--------------------------------------------------+

Verify Identity service

Authentication

keystone --os-username=admin --os-password=password --os-auth-url=http://10.202.183.111:35357/v2.0 token-get

+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| expires  |       2013-03-16T06:02:11Z       |
|    id    | 2c353773e43b43a59566875f561863df |
| user_id  | 5eecad2d999f4f9388b2c65da88cead3 |
+----------+----------------------------------+

Authorization

keystone --os-username=admin --os-password=password --os-tenant-name=demo --os-auth-url=http://10.202.183.111:35357/v2.0 token-get

+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2013-03-19T21:51:37Z       |
|     id    | 00ae191c5f264eb381e5e7193c689827 |
| tenant_id | 00b659ba07f24850afd480827bc0cc78 |
|  user_id  | 5eecad2d999f4f9388b2c65da88cead3 |
+-----------+----------------------------------+

List the users (this relies on OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME and OS_AUTH_URL being exported in the environment; otherwise pass --token and --endpoint as in the commands above):

keystone user-list

+----------------------------------+--------+---------+-------+
|                id                |  name  | enabled | email |
+----------------------------------+--------+---------+-------+
| 3692086ca6664f6faced71d3acb1dc67 | glance |   True  |       |
| 454c1966b6f843da818999076fd995dd |  ec2   |   True  |       |
| 51cd7aaa913c40d1aa4c7086766e7754 |  nova  |   True  |       |
| 5eecad2d999f4f9388b2c65da88cead3 | admin  |   True  |       |
| f23d5676753141ceafd215d5fd194c95 | swift  |   True  |       |
+----------------------------------+--------+---------+-------+
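
The two token-get calls above differ in one row: the first (Authentication) returns an unscoped token with no tenant_id, the second (Authorization) a token scoped to the demo tenant. The functions below, an added example and not part of the post, turn the verification step into something scriptable: one confirms that a scoped token was issued for the tenant you asked for, the other lists any expected service users that are missing or disabled in the user-list table. The sample tables are constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not from the original post: machine-checkable verification of the
# token-get and user-list output shown in the "Verify Identity service" section.

# verify_scoped_token TABLE TENANT_ID: 0 if the token-get table has a tenant_id row equal
# to TENANT_ID (a scoped token), 1 for an unscoped token or a different tenant.
verify_scoped_token() {
    got="$(printf '%s\n' "$1" | awk -F'|' '
        { k = $2; gsub(/ /, "", k)
          if (k == "tenant_id") { v = $3; gsub(/ /, "", v); print v } }')"
    [ "$got" = "$2" ]
}

# missing_users TABLE NAME...: print each NAME that does not appear as an enabled user in
# the user-list table (columns: id | name | enabled | email).
missing_users() {
    table="$1"; shift
    enabled="$(printf '%s\n' "$table" | awk -F'|' '
        NF >= 5 { n = $3; e = $4; gsub(/ /, "", n); gsub(/ /, "", e)
                  if (e == "True") print n }')"
    for want in "$@"; do
        printf '%s\n' "$enabled" | grep -qx "$want" || echo "$want"
    done
}
```

Usage: `verify_scoped_token "$(keystone --os-username=admin --os-password=password --os-tenant-name=demo --os-auth-url=http://10.202.183.111:35357/v2.0 token-get)" 00b659ba07f24850afd480827bc0cc78` and `missing_users "$(keystone user-list)" admin glance nova ec2 swift`; an empty result from the second means every service user exists and is enabled.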

Jonathan Gershater has lived and worked in Silicon Valley since 1996, primarily doing system and sales engineering specializing in: Web Applications, Identity and Security. At Red Hat, he provides Technical Marketing for Virtualization and Cloud. Prior to joining Red Hat, Jonathan worked at 3Com, Entrust (by acquisition) two startups, Sun Microsystems and Trend Micro.

(The views expressed in this blog are entirely mine and do not represent my employer - Jonathan).