Install and configure¶

Prerequisites¶

Before you install and configure the Identity service, you must create a database.

1. Use the database access client to connect to the database server as the root user:

   $ mysql -u root -p
   

2. Create the keystone database:

   MariaDB [(none)]> CREATE DATABASE keystone;
   

3. Grant proper access to the keystone database:

   MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
   IDENTIFIED BY 'KEYSTONE_DBPASS';
   MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
   IDENTIFIED BY 'KEYSTONE_DBPASS';
   

   Replace KEYSTONE_DBPASS with a suitable password.

4. Exit the database access client.

Install and configure components¶

1. Run the following command to install the packages:

   # zypper install openstack-keystone apache2 apache2-mod_wsgi
   

2. Edit the /etc/keystone/keystone.conf file and complete the following actions:

   • In the [database] section, configure database access:

     [database]
     # ...
     connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
     

     Replace KEYSTONE_DBPASS with the password you chose for the database.

     Note

     Comment out or remove any other connection options in the [database] section.

   • In the [token] section, configure the Fernet token provider:

     [token]
     # ...
     provider = fernet
     

3. Populate the Identity service database:

   # su -s /bin/sh -c "keystone-manage db_sync" keystone
   

4. Initialize Fernet key repositories:

   # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
   # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
   

5. Bootstrap the Identity service:

   Note

   Before the Queens release, keystone needed to be run on two separate ports to accommodate the Identity v2 API which ran a separate admin-only service commonly on port 35357. With the removal of the v2 API, keystone can be run on the same port for all interfaces.

   # keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
     --bootstrap-admin-url http://controller:5000/v3/ \
     --bootstrap-internal-url http://controller:5000/v3/ \
     --bootstrap-public-url http://controller:5000/v3/ \
     --bootstrap-region-id RegionOne
   

   Replace ADMIN_PASS with a suitable password for an administrative user.

Configure the Apache HTTP server¶

1. Edit the /etc/sysconfig/apache2 file and configure the APACHE_SERVERNAME option to reference the controller node:

   APACHE_SERVERNAME="controller"
   

2. Create the /etc/apache2/conf.d/wsgi-keystone.conf file with the following content:

   Listen 5000
   
   <VirtualHost *:5000>
       WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
       WSGIProcessGroup keystone-public
       WSGIScriptAlias / /usr/bin/keystone-wsgi-public
       WSGIApplicationGroup %{GLOBAL}
       WSGIPassAuthorization On
       ErrorLogFormat "%{cu}t %M"
       ErrorLog /var/log/apache2/keystone.log
       CustomLog /var/log/apache2/keystone_access.log combined
   
       <Directory /usr/bin>
           Require all granted
       </Directory>
   </VirtualHost>
   

3. Recursively change the ownership of the /etc/keystone directory:

   # chown -R keystone:keystone /etc/keystone
   

Finalize the installation¶

1. Start the Apache HTTP service and configure it to start when the system boots:

   # systemctl enable apache2.service
   # systemctl start apache2.service
   

2. Configure the administrative account

   $ export OS_USERNAME=admin
   $ export OS_PASSWORD=ADMIN_PASS
   $ export OS_PROJECT_NAME=admin
   $ export OS_USER_DOMAIN_NAME=Default
   $ export OS_PROJECT_DOMAIN_NAME=Default
   $ export OS_AUTH_URL=http://controller:5000/v3
   $ export OS_IDENTITY_API_VERSION=3
   

   Replace ADMIN_PASS with the password used in the keystone-manage bootstrap command in keystone-install-configure-obs.