
Monday, 18 August 2014

Manually set up an all-in-one OpenStack Icehouse 2 - keystone

1.       install the keystone package/service

command: apt-get install -y keystone

2.       create the database and a database user/password

In the mysql client:
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone_dbpass';

The host part '%' lets this account log in from any address that can reach MySQL. Outside a lab, grant to 'localhost' and to the controller's address only, and use a real password in place of keystone_dbpass.

3.       update the keystone configuration file

In /etc/keystone/keystone.conf, under the [database] section, comment out the line
connection = sqlite:////var/lib/keystone/keystone.db
and add:
connection = mysql://keystone:keystone_dbpass@192.168.139.111/keystone

4.       sync the database and restart the keystone service

keystone-manage db_sync
service keystone restart

5.       export the bootstrap environment variables

export OS_SERVICE_TOKEN=ADMIN
export OS_SERVICE_ENDPOINT=http://192.168.139.111:35357/v2.0

OS_SERVICE_TOKEN must equal admin_token in keystone.conf (the packaged default is ADMIN). This shared secret bypasses authentication entirely, so replace it with a random value before going further, and disable it (remove admin_token_auth from the pipelines in /etc/keystone/keystone-paste.ini) once the admin user created below works.

6.       data preparation (explained later)

#tenant, user, role and user-role
keystone tenant-create --name=admin --description="Admin Tenant"
keystone tenant-create --name=service --description="Service Tenant"
keystone user-create --name=admin --pass=ADMIN --email=admin@example.com
keystone role-create --name=admin
keystone user-role-add --user=admin --tenant=admin --role=admin
#service
keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
#end point
keystone endpoint-create --service=keystone --publicurl=http://192.168.139.111:5000/v2.0 --internalurl=http://192.168.139.111:5000/v2.0 --adminurl=http://192.168.139.111:35357/v2.0

7.       create a credentials file and source it

Put the following in a file such as admin-openrc.sh, make it readable only by its owner (chmod 600), and source it. Run unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT first, otherwise the keystone client uses the service token and ignores the username/password. Replace the password ADMIN with a strong one when creating the admin user in step 6.

export OS_USERNAME=admin
export OS_PASSWORD=ADMIN
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://192.168.139.111:35357/v2.0

8.       testing

keystone token-get
keystone user-list

token-get only succeeds if the password credentials are accepted at the endpoint in OS_AUTH_URL; user-list is an admin-only call, so it also confirms the admin role was granted in step 6.
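The eight steps above as one script, added here as an example; it is not part of the original post and not Keystone's own tooling. It assumes the Ubuntu Icehouse package paths, the controller address 192.168.139.111 from the post, root on the controller, and a MySQL root password typed at the prompt; the function names gen_admin_token, db_grant_sql and write_openrc are this example's own. It replaces the literal ADMIN token and password with random values, restricts the database grant to the hosts Keystone runs on, writes the credentials file owner-only, and disables the bootstrap token once the admin user works.

```shell
#!/bin/sh
# Added example, not from the original post: the eight setup steps as one
# script with the hardening a practitioner would add. Assumptions: Ubuntu
# Icehouse package paths, controller 192.168.139.111 (from the post), root
# on the controller, MySQL root password entered at the prompt. Commands
# that change the node run only when KEYSTONE_BOOTSTRAP=1; the helper
# functions above that guard have no side effects beyond their arguments.
set -eu

CONTROLLER=${CONTROLLER:-192.168.139.111}
CONF=/etc/keystone/keystone.conf
PASTE=/etc/keystone/keystone-paste.ini
OPENRC=${OPENRC:-/root/admin-openrc.sh}

# Bootstrap admin_token: 64 random hex characters instead of the literal ADMIN.
gen_admin_token() { openssl rand -hex 32; }

# Step 2 with the grant limited to the hosts Keystone actually runs on,
# instead of 'keystone'@'%' (any host that can reach MySQL).
db_grant_sql() {  # $1 database password (hex, so no quoting issues)
  printf "CREATE DATABASE IF NOT EXISTS keystone;\n"
  printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '%s';\n" "$1"
  printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%s' IDENTIFIED BY '%s';\n" "$CONTROLLER" "$1"
}

# Step 7: owner-only credentials file. It unsets the service token first,
# because the keystone client prefers OS_SERVICE_TOKEN over a password
# when both are set.
write_openrc() {  # $1 path, $2 admin password
  rm -f "$1"
  ( umask 077 && cat > "$1" <<EOF
unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
export OS_USERNAME=admin
export OS_PASSWORD=$2
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://$CONTROLLER:35357/v2.0
EOF
  )
}

if [ "${KEYSTONE_BOOTSTRAP:-0}" = 1 ]; then
  DB_PASS=$(openssl rand -hex 16)
  ADMIN_PASS=$(openssl rand -hex 16)
  ADMIN_TOKEN=$(gen_admin_token)

  apt-get install -y keystone                                          # step 1
  db_grant_sql "$DB_PASS" | mysql -u root -p                           # step 2
  # step 3: point [database] connection at MySQL and set the bootstrap token
  sed -i "s|^#*connection *=.*|connection = mysql://keystone:$DB_PASS@$CONTROLLER/keystone|" "$CONF"
  sed -i "s|^#*admin_token *=.*|admin_token = $ADMIN_TOKEN|" "$CONF"
  keystone-manage db_sync                                              # step 4
  service keystone restart

  export OS_SERVICE_TOKEN=$ADMIN_TOKEN                                 # step 5
  export OS_SERVICE_ENDPOINT=http://$CONTROLLER:35357/v2.0
  keystone tenant-create --name=admin --description="Admin Tenant"     # step 6
  keystone tenant-create --name=service --description="Service Tenant"
  keystone user-create --name=admin --pass="$ADMIN_PASS" --email=admin@example.com
  keystone role-create --name=admin
  keystone user-role-add --user=admin --tenant=admin --role=admin
  keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"
  keystone endpoint-create --service=keystone \
    --publicurl="http://$CONTROLLER:5000/v2.0" \
    --internalurl="http://$CONTROLLER:5000/v2.0" \
    --adminurl="http://$CONTROLLER:35357/v2.0"

  write_openrc "$OPENRC" "$ADMIN_PASS"                                 # step 7
  # The bootstrap token has done its job: drop admin_token_auth from the
  # paste pipelines so it can no longer be used, then restart.
  sed -i 's/ admin_token_auth//' "$PASTE"
  service keystone restart

  . "$OPENRC"                                                          # step 8
  keystone token-get >/dev/null && keystone user-list
fi
```

Run it with KEYSTONE_BOOTSTRAP=1 on the controller. Without that variable only the helper functions are defined, which is how the token length, the grant hosts and the file permissions can be checked on a machine that has no Keystone at all. The sed patterns assume the packaged keystone.conf has the connection and admin_token lines at the start of a line, possibly commented with #.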



Saturday, 9 August 2014

Keystone authentication

Keystone is the identity component of OpenStack. Every API request must be authenticated and authorized through Keystone. In general, when a client presents a valid username/password pair, Keystone issues a token, and all subsequent communication is based on that token. Keystone supports two token formats, which differ in how a service validates the token a client presents: UUID and PKI.

Universally Unique IDentifier (UUID)

1. The client sends the username/password to Keystone.
2. Keystone verifies the username/password pair.
3. Keystone generates a token (a random 32-character hex string), stores it in its backend and sends a copy back to the client.
4. Every request from the client carries the token, and the receiving service asks Keystone to validate it (does it exist? has it expired?).
5. If valid, the service returns 200 and processes the request; otherwise it returns 401 and rejects it.

See workflow here:

UUID tokens are simple to implement, but every validation is a round trip to Keystone, so Keystone can become the bottleneck in a large-scale cloud. Two operational points follow from the design: the token is a bearer credential, so anything that can read it (an endpoint without TLS, a shell history, a log line) can act as the user until it expires; and every issued token is a row in the token backend, which has to be pruned regularly (keystone-manage token_flush) or it grows without bound.

PKI token

PKI tokens were introduced in Grizzly.
The workflow is similar, but the token is a signed X.509/CMS document, with Keystone acting as its own CA.

0. When Keystone is installed, the keys and certificates have to be generated (keystone-manage pki_setup): the CA private key and CA certificate, and the signing private key and signing certificate.
1. When the client presents a valid username/password pair, Keystone uses Cryptographic Message Syntax (CMS) to sign a token containing the service catalog, the user's roles and metadata such as the expiry time.
2. The token is cached in Keystone and sent back to the client.
3. Requests arriving at an API carry the CMS token. The API's auth_token middleware holds a copy of Keystone's signing certificate, CA certificate and revocation list, so it can check the signature and the expiry offline, without contacting Keystone.
4. If valid, the service returns 200 and processes the request; otherwise it returns 401 and rejects it.

Two caveats. Offline validation only sees revocations the middleware has already fetched, so a revoked token stays usable until the revocation list is refreshed. And because the token carries the whole service catalog, it is several kilobytes long and travels in an HTTP header, so a large catalog can exceed header size limits in proxies and web servers.

See workflow here:


Further reading:

http://www.mirantis.com/blog/understanding-openstack-authentication-keystone-pki/



keystone commands

There are a few Keystone-related commands every OpenStack operator must know.

Service related:

keystone service-list           : list the keystone services
keystone service-get            : get detailed information about a service
keystone service-create         : create a keystone service
keystone service-delete         : delete a service

Endpoint related:

keystone endpoint-list          : list the keystone endpoints
keystone endpoint-get           : get detailed information about an endpoint
keystone endpoint-create        : create a keystone endpoint
keystone endpoint-delete        : delete an endpoint

Tenant related:

keystone tenant-list            : list the keystone tenants
keystone tenant-get             : get detailed information about a tenant
keystone tenant-create          : create a keystone tenant
keystone tenant-delete          : delete a tenant
keystone tenant-update          : update a tenant's information

User related:

keystone user-list              : list the keystone users
keystone user-get               : get detailed information about a user
keystone user-create            : create a keystone user
keystone user-delete            : delete a user
keystone user-update            : update a user's information
keystone user-password-update   : update a user's password
keystone user-role-add          : grant a role to a user on a tenant
keystone user-role-remove       : remove a role from a user on a tenant
keystone user-role-list         : list a user's role assignments

Role related:

keystone role-list              : list the keystone roles
keystone role-get               : get detailed information about a role
keystone role-create            : create a keystone role
keystone role-delete            : delete a role