Setting up OpenStack (Grizzly) Keystone in ten easy steps on Ubuntu 12.04 LTS


I’m going to go through the steps required to set up OpenStack’s Identity Service, Keystone, on Ubuntu 12.04. I’ll assume you already have Ubuntu up and running.


Update (Nov. 4, 2013): If you want to run the Havana release of Keystone, see my updated blog post.

WARNING: These steps are for a Keystone development server for testing and playing with. These are not the steps for a production ready hardened Keystone system. The security is wide open with passwords set to password. I’m not a Keystone expert so things might not be 100% correct but it works enough for my testing needs right now. Use at your own risk!

These steps have been gathered from around the Internet with modifications and in some cases corrections added.

Step 1: Make sure we fetch Grizzly, not an older version

$ sudo apt-get update
$ sudo apt-get install ubuntu-cloud-keyring
$ sudo nano /etc/apt/sources.list.d/cloud-archive.list

Add the following to the cloud-archive.list file:

deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/grizzly main

Step 2: Install Keystone and MySQL

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install keystone python-keystone python-keystoneclient
$ sudo apt-get install mysql-server python-mysqldb
$ sudo rm /var/lib/keystone/keystone.db
$ mysql -u root -p

Step 3: From the MySQL prompt create the Keystone database and user

mysql> CREATE DATABASE keystone;
mysql> CREATE USER 'keystone-user'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone-user'@'localhost';
mysql> FLUSH PRIVILEGES;
mysql> exit;

Step 4: Edit the keystone.conf file

$ sudo nano /etc/keystone/keystone.conf

Make the following changes to the areas shown below (add the admin token and the connection string to MySQL):

# A "shared secret" between keystone and other openstack services
admin_token = 012345SECRET99TOKEN012345

# The SQLAlchemy connection string used to connect to the database
#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql://keystone-user:password@0.0.0.0/keystone

Step 5: Set the permissions and run db_sync

$ sudo chown -R keystone:keystone /etc/keystone/
$ sudo service keystone restart
$ sudo keystone-manage db_sync

Step 6: Create a bash file to populate Keystone with some data

Create a file called populate-data.sh and fill it with the following:

#!/bin/bash
ADMIN_PASSWORD="password"
DEMO_PASSWORD="password"
export OS_SERVICE_TOKEN="012345SECRET99TOKEN012345"
export OS_SERVICE_ENDPOINT="http://localhost:35357/v2.0"

get_id () {
    # Run the keystone command given as arguments and print the value of its " id " row
    "$@" | awk '/ id / { print $4 }'
}

# Tenants
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)

# Users
ADMIN_USER=$(get_id keystone user-create --name=admin --pass="$ADMIN_PASSWORD" --email=admin@domain.com)
DEMO_USER=$(get_id keystone user-create --name=demo --pass="$DEMO_PASSWORD" --email=demo@domain.com)

# Roles
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
MEMBER_ROLE=$(get_id keystone role-create --name=member)

# Add Roles to Users in Tenants
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant-id $ADMIN_TENANT
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant-id $DEMO_TENANT

Note: I did not add service endpoints; feel free to do that if you wish.

Step 7: Populate Keystone

$ chmod +x populate-data.sh
$ ./populate-data.sh

Optional: If you mess up the database you can run the following to reset it:

mysql -u root -p -e "drop database keystone"
mysql -u root -p -e "create database keystone"
mysql -u root -p -e "grant all privileges on keystone.* TO 'keystone-user'@'localhost' identified by 'password'"

Step 8: Examine the tenant-list

$ keystone --token 012345SECRET99TOKEN012345 --endpoint http://127.0.0.1:35357/v2.0/ tenant-list

Results should be similar to this:

+----------------------------------+-------+---------+
|                id                |  name | enabled |
+----------------------------------+-------+---------+
| 11d98ba1ea52435b9a802f62681b9adb | demo  | True    |
| b12c9cd565174af3bcb5f679add3bbcf | admin | True    |
+----------------------------------+-------+---------+

Step 9: Fetch an auth token

$ curl -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "demo", "password": "password"}}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens

Step 10: Validate

$ curl -H "X-Auth-Token:MIIDDAYJKoZIhvcNAQcCoII-REALLY_LONG-TOKEN-WILL-BE-HERE" http://localhost:5000/v2.0/tenants -H 'Content-type: application/json' | python -m json.tool
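As an added example (not code from the original post), here is the round trip of Steps 9 and 10 in Python with only the standard library: it builds the v2.0 passwordCredentials body, pulls access.token.id out of the reply instead of pasting the long token by hand, checks the expiry Keystone stamped on it, and sends it back in X-Auth-Token. The endpoint URL and the demo credentials are the ones from the post; SAMPLE_RESPONSE is a constructed reply used for offline checking.

```python
import json
from datetime import datetime, timezone
from urllib.request import Request, urlopen

PUBLIC_URL = "http://localhost:5000/v2.0"  # the public endpoint used in Steps 9 and 10

# Constructed sample of a Grizzly POST /v2.0/tokens reply. The tenant id is the demo tenant
# from Step 8; the token id stands in for the real base64 CMS blob (PKI tokens start "MII").
SAMPLE_RESPONSE = {
    "access": {
        "token": {
            "id": "MIIDDAYJKoZIhvcNAQcCoII-EXAMPLE-TOKEN",
            "expires": "2013-05-05T01:02:03Z",
            "tenant": {"id": "11d98ba1ea52435b9a802f62681b9adb", "name": "demo", "enabled": True},
        },
        "serviceCatalog": [],  # empty because the post registered no service endpoints
    }
}

def auth_body(username, password, tenant_name):
    """The JSON body the Step 9 curl command posts."""
    return {"auth": {"tenantName": tenant_name,
                     "passwordCredentials": {"username": username, "password": password}}}

def extract_token(response):
    """Pull (token_id, tenant_name, expires) out of a v2.0 token response."""
    token = response["access"]["token"]
    expires = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return token["id"], token["tenant"]["name"], expires

def is_expired(expires, now=None):
    """A token is a bearer credential: do not reuse it once Keystone's expiry has passed."""
    return expires <= (now or datetime.now(timezone.utc))

def auth_headers(token_id):
    """Headers for Step 10: the token rides in X-Auth-Token."""
    return {"X-Auth-Token": token_id, "Content-Type": "application/json"}

def keystone_request(path, body=None, token_id=None):
    """POST `body` (or GET when body is None) to the public endpoint and decode the JSON."""
    data = json.dumps(body).encode() if body is not None else None
    headers = auth_headers(token_id) if token_id else {"Content-Type": "application/json"}
    with urlopen(Request(PUBLIC_URL + path, data=data, headers=headers)) as resp:
        return json.load(resp)

if __name__ == "__main__":
    reply = keystone_request("/tokens", auth_body("demo", "password", "demo"))  # Step 9
    token_id, tenant, expires = extract_token(reply)
    assert not is_expired(expires), "Keystone returned an already-expired token"
    print(json.dumps(keystone_request("/tenants", token_id=token_id), indent=2))  # Step 10
```

Run it against the dev server from the post and it prints the same tenant listing as the Step 10 curl command, minus the copy-and-paste of the token.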

That’s all there is to it. I was able to get this working on both VMWare Player as well as Vagrant running on Windows 8.
