OpenStack Identity (keystone) is the Identity service in OpenStack that is used by many services. With OpenStack Identity Service (Keystone) been installed and configured, we now need to tell our OpenStack Compute Service (Nova) that it can be used to authenticate users and services.
When installing OpenStack Identity service, you must register each service in your OpenStack installation. Identity service can then track which OpenStack services are installed, and where they are exactly located on the network.
The identity service performs the following function:
1. User management: Tracks users and their permissions.
2. Service catalog: It Provides a catalog of available services with their API endpoints.
The following steps are repeated on all Controller and Compute hosts in our environment.
To begin with, assure that you’re logged in to our OpenStack Compute and Controller hosts. If you did this through Vagrant, you can log in with the following commands in separate shells:
vagrant ssh controller
vagrant ssh compute
Configuring the authentication mechanism in our OpenStack Compute sandbox environment is simply achieved with the following steps:
1. We first assure that our OpenStack Compute host has the required python-keystone package installed, if this host is a stand alone Compute host, as shown:
sudo apt-get update
sudo apt-get -y install python-keystone
2. Configuration of the OpenStack Compute service to use the OpenStack Identity Service is then done by filling in the [filter:authtoken] section of the /etc/nova/api-paste.ini file with the details that we created for the Nova service user in the recipe Creating the service tenant and service users, Chapter 1, Keystone OpenStack Identity Service, as follows:
[filter:authtoken] paste.filter_factory =
keystone.middleware.auth_token:filter_factory service_protocol = http
service_host = 172.16.0.200 service_port = 5000 auth_host = 172.16.0.200 auth_port = 35357 auth_protocol = http
auth_uri = https://172.16.0.200:5000/ admin_tenant_name = service admin_user = nova
admin_password = nova
3. With the api-paste.ini file configured correctly, we edit /etc/nova/nova.conf to inform it to use the paste file and set keystone as the authentication mechanism by adding in the following lines under the [default] section:
api-paste_config=/etc/nova/api-paste.ini keystone_ec2_url=https://172.16.0.200:5000/v2.0/ec2tokens auth_strategy=keystone
4. With OpenStack Identity Service is running, we can restart our OpenStack Compute services to pick up this authentication change, as follows:
ls /etc/init/nova-* | cut -d ‘/’ -f4 | cut -d ‘.’ -f1 | while read S; do sudo stop $S; sudo start $S; done
Configuration of OpenStack Compute to use OpenStack Identity Service is done on all hosts in our environment running OpenStack Compute (Nova) services (for example, the Controller and Compute hosts). This first involves editing the /etc/nova/api-paste.ini file and filling in the [filter:authtoken] part of the file with details of the nova service user we created in the previous section.
We then configure the /etc/nova/nova.conf file, which is directed at this paste file, as well as specify that the auth_strategy option is set to keystone.
Openstack Interview Questions
Get Updates on Tech posts, Interview & Certification questions and training schedules