Configuring OpenStack Object Storage with OpenStack Identity Service

The OpenStack Identity Service performs the following functions:

  • Tracking users and their permissions.
  • Providing a catalog of available services with their API endpoints.

While installing OpenStack Identity service, you must register each service in your OpenStack installation. Identity service can then track which OpenStack services are installed, and where they are located on the network.

In the previous tutorials, the OpenStack Object Storage service was configured to use the built-in TempAuth mechanism to manage accounts. This is analogous to the deprecated _auth mechanism we configure with the OpenStack Compute service. This section shows you how to move from TempAuth to OpenStack Identity Service to manage accounts.

Getting started…

For this section, we will log in to our swift host for configuration of OpenStack Object Storage Service as well as to a client that has access to the keystone client, to manage OpenStack Identity Service.

How to accomplish it…

Configuring OpenStack Object Storage to use the OpenStack Identity Service is carried out as follows:

  • We first use the keystone client to configure the required endpoints and accounts under OpenStack Identity Service, as follows:
# Set up environment
# (ENDPOINT, SERVICE_TOKEN, SWIFT_PROXY_SERVER and ADMIN_URL are expected to be set already)
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0
# Swift Proxy Address
# Configure the OpenStack Object Storage Endpoint
keystone --token $SERVICE_TOKEN --endpoint $SERVICE_ENDPOINT service-create --name swift --type object-store --description 'OpenStack Storage Service'
# Service Endpoint URLs
ID=$(keystone service-list | awk '/\ swift\ / {print $2}')
# Note we're using SSL
PUBLIC_URL="https://$SWIFT_PROXY_SERVER:443/v1/AUTH_\$(tenant_id)s"
keystone endpoint-create --region RegionOne --service_id $ID --publicurl $PUBLIC_URL --adminurl $ADMIN_URL --internalurl
  • With the endpoints configured to point to our OpenStack Storage server, we can now set up the swift user, so our proxy server can authenticate with the OpenStack Identity server.
# Get the service tenant ID
SERVICE_TENANT_ID=$(keystone tenant-list | awk '/\ service\ / {print $2}')
# Create the swift user
keystone user-create --name swift --pass swift --tenant_id $SERVICE_TENANT_ID --email swift@localhost --enabled true
# Get the swift user id
USER_ID=$(keystone user-list | awk '/\ swift\ / {print $2}')
# Get the admin role id
ROLE_ID=$(keystone role-list | awk '/\ admin\ / {print $2}')
# Assign the swift user admin role in service tenant
keystone user-role-add --user $USER_ID --role $ROLE_ID --tenant_id $SERVICE_TENANT_ID
  • On the OpenStack Storage server (swift), we now install the Keystone Python libraries, so that OpenStack Identity Service can be used. This is done as follows:
sudo apt-get update
sudo apt-get install python-keystone
  • We now need to verify our proxy server configuration. To do this, edit the file /etc/swift/proxy-server.conf and ensure it resembles the following:
[DEFAULT]
bind_port = 443
cert_file = /etc/swift/cert.crt
key_file = /etc/swift/cert.key
user = swift
log_facility = LOG_LOCAL1

[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystone proxy-server

[app:proxy-server]
use = egg:swift#proxy
account_autocreate = true

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = Member,admin

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_port = 5000
service_host =
auth_port = 35357
auth_host =
auth_protocol = http
auth_token = ADMIN
admin_token = ADMIN
admin_tenant_name = service
admin_user = swift
admin_password = swift
cache = swift.cache

[filter:catch_errors]
use = egg:swift#catch_errors

[filter:swift3]
use = egg:swift#swift3
  • We pick up these changes by restarting the proxy server service, as follows:
sudo swift-init proxy-server restart

How it works…

Configuring OpenStack Object Storage to use OpenStack Identity Service involves altering the pipeline so that keystone is used for authentication.

After setting the relevant endpoint within the OpenStack Identity Service to be an SSL endpoint, we can configure our OpenStack Object Storage proxy server.

To do this, we first define the pipeline to include keystone and authtoken, and then configure these further down the file in the [filter:keystone] and [filter:authtoken] sections. In the [filter:keystone] section, we set users who have the admin or Member role assigned to be operators of our OpenStack Object Storage. This gives users who hold one of those roles write permissions in our OpenStack Object Storage environment.

In the [filter:authtoken] section, we tell our proxy server where to find the OpenStack Identity Service. Further, we also set the service username and password for this service that we have configured within OpenStack Identity Service.
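The pipeline and [filter:authtoken] settings described above can be checked before the proxy server is restarted. The following is an added example, not part of the original recipe or of the Swift or Keystone code; audit_proxy_conf and SAMPLE_CONF are hypothetical names and the sample configuration is constructed.

```python
import configparser

# Constructed sample in this recipe's layout; [filter:cache] is left out on purpose.
SAMPLE_CONF = """
[pipeline:main]
pipeline = catch_errors healthcheck cache authtoken keystone proxy-server
[app:proxy-server]
use = egg:swift#proxy
[filter:catch_errors]
use = egg:swift#catch_errors
[filter:healthcheck]
use = egg:swift#healthcheck
[filter:keystone]
operator_roles = Member,admin
[filter:authtoken]
auth_host =
auth_protocol = http
admin_token = ADMIN
admin_user = swift
admin_password = swift
"""

def audit_proxy_conf(text):
    """Return a list of findings for a Swift proxy-server.conf passed as text."""
    cp = configparser.RawConfigParser()
    cp.read_string(text)
    findings = []
    pipeline = cp.get("pipeline:main", "pipeline", fallback="").split()
    # Each pipeline entry must resolve to a [filter:NAME] or [app:NAME] section.
    for name in pipeline:
        if not (cp.has_section("filter:" + name) or cp.has_section("app:" + name)):
            findings.append("no section for pipeline entry: " + name)
    # authtoken validates the token, keystone then maps roles, proxy-server is last.
    pos = [pipeline.index(n) if n in pipeline else -1
           for n in ("authtoken", "keystone", "proxy-server")]
    if -1 in pos or pos != sorted(pos) or pos[2] != len(pipeline) - 1:
        findings.append("pipeline needs authtoken, keystone, proxy-server last, in that order")
    auth = cp["filter:authtoken"] if cp.has_section("filter:authtoken") else {}
    if auth.get("auth_protocol", "").lower() == "http":
        findings.append("authtoken reaches the Identity service over plain http")
    if auth.get("admin_token", "") == "ADMIN":
        findings.append("admin_token is the tutorial value ADMIN")
    if auth.get("admin_password") and auth.get("admin_password") == auth.get("admin_user"):
        findings.append("admin_password is the same as admin_user")
    if "auth_host" in auth and not auth["auth_host"].strip():
        findings.append("auth_host is empty")
    return findings
```

To check a live host, pass the contents of /etc/swift/proxy-server.conf to `audit_proxy_conf` and review the returned list; an empty list means none of these checks fired.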

