py-keystone
OpenStack Keystone / Identity service
Set up Keystone on FreeBSD
Prerequisites
On the system where Keystone will run:
- an httpd service, e.g. www/apache24, in conjunction with www/mod_wsgi4 or mod_proxy_uwsgi, is required to make Keystone available.
On the system that will be used to manage the Keystone service:
- create a normal user
- net/py-python-openstackclient is required for the setup and administration tasks
Configure the Keystone service
keystone.conf
[database]
# ...
# Please make sure that you use an absolute path, otherwise Keystone won't work properly.
connection = sqlite:////var/lib/keystone/keystone.db

[token]
# ...
provider = fernet
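The two settings above fail silently when wrong: a sqlite URL with only three slashes (sqlite:///keystone.db) is a path relative to whatever directory the WSGI process happens to start in, so the service may end up with an empty database instead of the one db_sync populated. The POSIX sh script below is an added example, not part of the port or of Keystone; it reads keystone.conf with a minimal ini parser (one "option = value" per line) and checks that the [database] connection uses an absolute path and that the [token] provider is fernet. The function names ini_get, check_db_connection, check_token_provider and check_keystone_conf are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the port or of Keystone): sanity-check the
# keystone.conf settings from the text before running keystone-manage db_sync.
#
# Usage: check_keystone_conf /usr/local/etc/keystone/keystone.conf

# Print the value of OPTION inside [SECTION] of an ini-style file.
# Assumes one "option = value" per line; lines starting with # or ; are comments.
ini_get() {
    # $1 = file, $2 = section name (without brackets), $3 = option
    awk -v sect="[$2]" -v opt="$3" '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/   {                               # section header: compare without whitespace
            s = $0; gsub(/[ \t\r]/, "", s)
            insect = (s == sect); next
        }
        insect {
            split($0, kv, "=")
            key = kv[1]; gsub(/[ \t]/, "", key)
            if (key == opt) {
                val = substr($0, index($0, "=") + 1)  # everything after the first "="
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)
                print val; exit
            }
        }' "$1"
}

# Return 0 when [database] connection is a sqlite URL with an absolute path
# (four slashes, sqlite:////var/...) or a non-sqlite backend; 1 otherwise.
check_db_connection() {
    conn=$(ini_get "$1" database connection)
    case "$conn" in
        "")           echo "connection: not set" >&2; return 1 ;;
        sqlite:////*) return 0 ;;                      # absolute path, as the text requires
        sqlite:*)     echo "connection: sqlite path must be absolute (sqlite:////...)" >&2; return 1 ;;
        *)            return 0 ;;                      # mysql+pymysql://, postgresql://, ...
    esac
}

# Return 0 when [token] provider is fernet, as configured in the text.
check_token_provider() {
    prov=$(ini_get "$1" token provider)
    [ "$prov" = "fernet" ] && return 0
    echo "token provider: expected fernet, got '${prov:-<unset>}'" >&2
    return 1
}

check_keystone_conf() {
    check_db_connection "$1" && check_token_provider "$1"
}
```

Run it as the keystone user (or root) after editing keystone.conf; a non-zero exit with the reason on stderr means the file needs fixing before db_sync.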
Populate the Identity service database
# su -m keystone -c "keystone-manage db_sync"
Initialize Fernet key repositories
The key repositories will be placed by default in:
- /usr/local/etc/keystone/credential-keys/
- /usr/local/etc/keystone/fernet-keys/
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
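The two key repositories are the signing material for every token and stored credential Keystone issues; keystone-manage creates them with mode 0700 and key files with mode 0600, owned by the user given with --keystone-user, and a key readable by other local users lets those users produce tokens Keystone accepts. The POSIX sh function below is an added example, not part of the port or of keystone-manage; it re-checks those permissions on a repository directory. The name check_key_repo is hypothetical, the default owner keystone is the user from the commands above, and the script relies only on find, which has -prune, -perm, -user and -type on both FreeBSD and GNU.

```shell
#!/bin/sh
# Added example (not part of the port or of keystone-manage): verify that a
# Fernet or credential key repository still has the permissions the setup
# commands gave it (directory 0700, key files 0600, all owned by keystone).
#
# Usage: check_key_repo /usr/local/etc/keystone/fernet-keys [owner]
#        check_key_repo /usr/local/etc/keystone/credential-keys [owner]

check_key_repo() {
    dir=$1
    owner=${2:-keystone}   # user passed as --keystone-user in the text
    rc=0

    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }

    # The directory itself: exactly 0700 and owned by $owner.
    # "find DIR -prune" evaluates the tests on DIR without descending into it.
    if [ -z "$(find "$dir" -prune -perm 0700 -user "$owner")" ]; then
        echo "$dir: must be mode 0700 and owned by $owner" >&2
        rc=1
    fi

    # Every key file: exactly 0600 and owned by $owner.
    # Key files are named 0, 1, 2, ... so word-splitting $bad is safe.
    bad=$(find "$dir" -type f \( ! -perm 0600 -o ! -user "$owner" \))
    for f in $bad; do
        echo "$f: must be mode 0600 and owned by $owner" >&2
        rc=1
    done

    # An initialised repository holds at least one key: "0" is the staged key
    # and the highest-numbered file is the primary key used for new tokens.
    n=$(find "$dir" -type f | wc -l)
    if [ "$n" -lt 1 ]; then
        echo "$dir: no keys found, run keystone-manage fernet_setup / credential_setup" >&2
        rc=1
    fi

    return $rc
}
```

Both repositories can be checked in one go, e.g. from a periodic script: `check_key_repo /usr/local/etc/keystone/fernet-keys && check_key_repo /usr/local/etc/keystone/credential-keys`; any non-zero exit prints the offending path on stderr.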
Bootstrap the Identity service
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
    --bootstrap-admin-url http://HOSTNAME:35357/v3/ \
    --bootstrap-internal-url http://HOSTNAME:5000/v3/ \
    --bootstrap-public-url http://HOSTNAME:5000/v3/ \
    --bootstrap-region-id RegionOne
Configure the web server
Apache with mod_wsgi
ServerName keystone
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/keystone.log
    CustomLog /var/log/keystone_access.log combined

    <Directory /usr/local/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/local/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/keystone.log
    CustomLog /var/log/keystone_access.log combined

    <Directory /usr/local/bin>
        Require all granted
    </Directory>
</VirtualHost>

Alias /identity /usr/local/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI
    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

Alias /identity_admin /usr/local/bin/keystone-wsgi-admin
<Location /identity_admin>
    SetHandler wsgi-script
    Options +ExecCGI
    WSGIProcessGroup keystone-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
Configure the admin user
Log in as the user that will be used for the administrative tasks and set the environment variables listed below:
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://HOSTNAME:35357/v3
$ export OS_IDENTITY_API_VERSION=3
Create a domain, projects, users and roles
$ openstack domain create --description "An Example Domain" example
$ openstack project create --domain default --description "Service project" service
$ openstack project create --domain default --description "Demo Project" demo
$ openstack user create --domain default --password-prompt demo
Verify operation
$ unset OS_AUTH_URL OS_PASSWORD
$ openstack --os-auth-url http://HOSTNAME:35357/v3 \
    --os-project-domain-name Default --os-user-domain-name Default \
    --os-project-name admin --os-username admin token issue
$ openstack --os-auth-url http://HOSTNAME:5000/v3 \
    --os-project-domain-name Default --os-user-domain-name Default \
    --os-project-name demo --os-username demo token issue
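The token issue commands above go through python-openstackclient. The POSIX sh script below is an added example, not part of the port or of the client; it performs the same Identity v3 exchange with curl (a POST to /v3/auth/tokens with the password method, the token coming back in the X-Subject-Token response header rather than the body) and checks that what comes back has the shape of a Fernet token, so the bootstrap and the [token] provider setting can be verified even without the client installed. The names auth_body, is_fernet_token and issue_token are hypothetical, HOSTNAME is the placeholder used in the text above, and the script assumes curl, awk and grep are available; nothing is sent unless issue_token is called.

```shell
#!/bin/sh
# Added example (not part of the port or of python-openstackclient): the raw
# Identity v3 request behind "openstack token issue", done with curl.
#
# Usage: token=$(issue_token http://HOSTNAME:5000/v3 demo "$DEMO_PASS" demo Default)
#        is_fernet_token "$token" && echo "demo can authenticate"

# Emit the JSON body for POST /v3/auth/tokens: password method, project scope.
# $1 = user name, $2 = password, $3 = project name, $4 = domain name (used for
# both the user domain and the project domain, as in the text above).
auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$1" "$4" "$2" "$3" "$4"
}

# Return 0 if $1 looks like a Fernet token. A Fernet token is URL-safe base64
# of a payload that starts with the version byte 0x80 followed by a 64-bit
# timestamp, which for current dates encodes as the prefix "gAAAAA"; a UUID
# or other provider's token will not match.
is_fernet_token() {
    case "$1" in
        gAAAAA*) ;;
        *) return 1 ;;
    esac
    # Only the URL-safe base64 alphabet (plus padding) may follow.
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_=-]+$'
}

# Request a token and print it. $1 = auth URL (e.g. http://HOSTNAME:5000/v3),
# remaining arguments as for auth_body. The token is in the X-Subject-Token
# header, so the response headers (-i) are captured and that header extracted.
issue_token() {
    url=$1; shift
    curl -s -i -H 'Content-Type: application/json' \
        -d "$(auth_body "$@")" "$url/auth/tokens" \
    | awk 'tolower($1) == "x-subject-token:" { sub(/\r$/, "", $2); print $2 }'
}
```

Repeating the call against port 35357 with the admin user mirrors the first openstack command above; an empty result from issue_token means authentication failed (the HTTP status and JSON error are visible by dropping the awk filter), while a non-empty token that fails is_fernet_token points at the [token] provider setting.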
References
https://docs.openstack.org/keystone/queens/install/index.html