(Tutorial) What is Keystone and how to install Keystone in Openstack?


    Keystone is an OpenStack identity service that manages user databases and OpenStack service catalogs and their API endpoints. It integrates with existing backend directory services like LDAP and supports multiple authentication mechanisms, such as username-and-password, token-based systems and AWS-style logins.

    Keystone’s Components

    ❖ User

    Users are digital representations of a person, system, or service that uses OpenStack cloud services. Keystone ensures that incoming requests come from a valid, logged-in user who can be assigned resource-access tokens. Each user is assigned to a particular tenant with a specific role.

    ❖ Tenant

    A tenant is a group used to isolate resources and/or users. Groups can be mapped to customers, projects or organizations.

    ❖ Role

    A role includes a set of assigned user rights and privileges for performing a specific set of operations. A user token issued by Keystone includes a list of that user’s roles. Services then determine how to interpret those roles.

    ❖ Credentials

    Credentials are data known only to a specific user, which that user presents to prove his or her identity. Examples include a username and password, a username and API key, or an authentication token.

    ❖ Authentication

    Authentication is the act of confirming a user’s identity by validating a set of user-supplied credentials. Those credentials are initially a username and password or a username and API key. In response to valid credentials, the identity service issues an authentication token that the user must provide with subsequent requests.

    ❖ Token

    A token is an arbitrary bit of text used to access resources. Each token has a scope describing accessible resources. A token may be revoked at any time and is valid for a finite duration.

    ❖ Service

    An OpenStack service, such as Compute (Nova), Object Storage (Swift), or Image Service (Glance), provides one or more endpoints through which users can access resources and perform operations.

    ❖ Endpoint

    An endpoint is a network-accessible address, usually described by URL, from which services are accessed.

    Keystone Identity Service flow
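The token flow that ties these components together (credentials in, a tenant-scoped token with roles and a service catalog out, then the token on every service request), as an added shell example that is not part of the original post. The request body shape, the /v2.0/tokens path and the X-Auth-Token header are the Identity v2.0 API of that era; the host "controller", the user "alice", the tenant "demo" and every value in SAMPLE_RESPONSE are constructed for the example, and the sed/grep extraction only works on this single-line sample (a real client uses a JSON parser).

```shell
#!/bin/sh
# Added example, not part of the original post: the Identity v2.0 token flow.
# Host, user, tenant and all response values are constructed.

# 1. Client -> Keystone: the JSON body POSTed to http://controller:5000/v2.0/tokens.
#    Scoping the request to a tenant makes Keystone return a token whose roles and
#    service catalog apply to that tenant only.
v2_auth_body() {
    printf '{"auth": {"tenantName": "%s", "passwordCredentials": {"username": "%s", "password": "%s"}}}' \
        "$3" "$1" "$2"
}

# 2. Keystone -> client: constructed, single-line stand-in for the "access" document.
SAMPLE_RESPONSE='{"access": {"token": {"expires": "2014-03-14T10:00:00Z", "id": "tok-CONSTRUCTED-0001", "tenant": {"id": "t1", "name": "demo"}}, "user": {"username": "alice", "roles": [{"name": "Member"}, {"name": "admin"}]}, "serviceCatalog": [{"type": "image", "name": "glance", "endpoints": [{"publicURL": "http://controller:9292", "adminURL": "http://controller:9292"}]}, {"type": "compute", "name": "nova", "endpoints": [{"publicURL": "http://controller:8774/v2/t1", "adminURL": "http://controller:8774/v2/t1"}]}]}}'

# Token id: the token object is flat (no nested braces) up to "id" in this sample.
token_id() {
    printf '%s' "$1" | sed -n 's/.*"token": *{[^{}]*"id": *"\([^"]*\)".*/\1/p'
}

# Expiry: tokens are valid for a finite duration and may be revoked earlier.
token_expires() {
    printf '%s' "$1" | sed -n 's/.*"token": *{[^{}]*"expires": *"\([^"]*\)".*/\1/p'
}

# Does the token carry a given role? The service receiving the token decides
# what the role name means.
has_role() {
    printf '%s' "$1" | grep -q "\"roles\": *\[[^]]*\"name\": *\"$2\""
}

# Public endpoint for a service type, looked up in the token's service catalog.
public_endpoint() {
    printf '%s' "$1" | sed -n "s/.*\"type\": *\"$2\"[^]]*\"publicURL\": *\"\([^\"]*\)\".*/\1/p"
}

# 3. Client -> service: the token travels in the X-Auth-Token header, e.g.
#    curl -H "X-Auth-Token: $(token_id "$SAMPLE_RESPONSE")" \
#         "$(public_endpoint "$SAMPLE_RESPONSE" image)/v1/images"

# Demo run on the constructed sample.
printf 'request body: %s\n' "$(v2_auth_body alice secret demo)"
printf 'token %s expires %s; admin role: %s\n' \
    "$(token_id "$SAMPLE_RESPONSE")" "$(token_expires "$SAMPLE_RESPONSE")" \
    "$(has_role "$SAMPLE_RESPONSE" admin && echo yes || echo no)"
printf 'image endpoint: %s\n' "$(public_endpoint "$SAMPLE_RESPONSE" image)"
```

The point a service operator should take from the exchange is that a token is a bearer secret: whoever holds the id string can act with all of the listed roles against every endpoint in the catalog until it expires or is revoked, so it deserves the same handling as a password in logs and transport.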

    Keystone Installation

    a. Install Keystone services and client packages.

    # apt-get install keystone python-keystone python-keystoneclient

    b. Create a MySQL database and a database user that Keystone will use to store its data.

    # mysql
    > create database keystone;
    > grant all privileges on keystone.* to keystoneUser@localhost identified by 'StrongPass';
    > grant all privileges on keystone.* to keystoneUser@'%' identified by 'StrongPass';

    c. Edit the database section of the Keystone configuration file: change the database type to mysql and set the database user, password, host and database name. The password must be the one granted in step b; the example connection string below uses the placeholder KEYSTONE_DBPASS.

    Also change the Keystone admin token to a long random value. admin_token is a shared secret that grants unrestricted administrative access to the Keystone API, so it must not be guessable.

    # vi /etc/keystone/keystone.conf
    admin_token = b565fbeb4e

    # The SQLAlchemy connection string used to connect to the database
    connection = mysql://keystoneUser:KEYSTONE_DBPASS@

    d. Now create a Keystone database schema using the following command:

    # keystone-manage db_sync

    e. Finally, restart the Keystone service.

    # service keystone restart

    Keystone is now successfully installed.
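Steps b and c above as shell functions, plus a check for the two weak settings they are meant to replace, as an added example that is not part of the original tutorial. It assumes a Keystone release that reads the connection string from a [database] section (Icehouse and later; Havana used [sql]) and a database host named "controller", which is a placeholder; the stock values it flags (admin_token = ADMIN and an sqlite:// connection) are the shipped defaults of that era. The functions only write to a temporary directory, so the block runs without root.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: helpers for the bootstrap
# in steps b and c and an audit of the resulting keystone.conf.
# Assumptions: [database] section (Icehouse and later), database host
# "controller" (placeholder). Nothing here touches /etc or needs root.

# admin_token grants unrestricted admin access to the Keystone API, so take it
# from the kernel RNG: 32 random bytes rendered as 64 hex characters.
gen_admin_token() {
    head -c 32 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
}

# The SQL from step b, with the password passed as a parameter. The '%' grant
# accepts logins from any host; narrow it to the Keystone host if the database
# server is reachable from elsewhere.
keystone_db_sql() {
    db_user=$1; db_pass=$2
    printf "CREATE DATABASE keystone;\n"
    printf "GRANT ALL PRIVILEGES ON keystone.* TO '%s'@'localhost' IDENTIFIED BY '%s';\n" "$db_user" "$db_pass"
    printf "GRANT ALL PRIVILEGES ON keystone.* TO '%s'@'%%' IDENTIFIED BY '%s';\n" "$db_user" "$db_pass"
}

# The two settings from step c: admin_token lives in [DEFAULT], the SQLAlchemy
# connection string in [database]. The password must match the grant above.
keystone_conf() {
    admin_token=$1; db_user=$2; db_pass=$3; db_host=$4
    printf "[DEFAULT]\nadmin_token = %s\n\n" "$admin_token"
    printf "[database]\n# The SQLAlchemy connection string used to connect to the database\n"
    printf "connection = mysql://%s:%s@%s/keystone\n" "$db_user" "$db_pass" "$db_host"
}

# Audit a keystone.conf: prints one finding per line, returns 1 if any were
# found and 0 if the file is clean.
check_keystone_conf() {
    conf=$1; rc=0
    token=$(sed -n 's/^admin_token *= *//p' "$conf" | head -n 1)
    conn=$(sed -n 's/^connection *= *//p' "$conf" | head -n 1)
    case "$token" in
        "")    echo "admin_token is not set"; rc=1 ;;
        ADMIN) echo "admin_token is the stock value ADMIN"; rc=1 ;;
        *)     [ "${#token}" -ge 32 ] || { echo "admin_token is shorter than 32 characters"; rc=1; } ;;
    esac
    case "$conn" in
        "")       echo "connection is not set"; rc=1 ;;
        sqlite:*) echo "connection still points at the default SQLite file"; rc=1 ;;
    esac
    return $rc
}

# Demo against constructed files in a temporary directory.
demo_dir=$(mktemp -d)
keystone_db_sql keystoneUser StrongPass > "$demo_dir/keystone.sql"
keystone_conf "$(gen_admin_token)" keystoneUser StrongPass controller > "$demo_dir/keystone.conf"
chmod 0640 "$demo_dir/keystone.conf" "$demo_dir/keystone.sql"   # both files contain the DB password
check_keystone_conf "$demo_dir/keystone.conf" && echo "$demo_dir/keystone.conf: no weak settings found"
```

On a real controller the generated keystone.conf belongs to the keystone user with mode 0640, and the SQL file should be deleted once it has been fed to mysql, since both carry the database password in clear text.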

    Watch out for the next post in this tutorial series on how to set up and install Glance, the OpenStack Image Service.

    March 13, 2014 / Openstack


    About the Author

    Flux7 Labs
