Setting up OpenStack (Havana) Keystone in ten easy steps on Ubuntu 12.04 LTS


I’m going to go through the steps required to set up Keystone, OpenStack’s Identity Service, on Ubuntu 12.04. I’ll assume you already have Ubuntu 12.04 LTS up and running.

WARNING: These steps are for a non-SSL Keystone development server for testing and experimenting with. These are not the steps for a production-ready, hardened Keystone system. Security is wide open, with passwords set to "password".

These steps have been gathered from around the Internet with modifications and in some cases corrections added.

Step 1: Make sure we fetch the OpenStack Havana release, not an older version

$ sudo apt-get install ubuntu-cloud-keyring
$ sudo nano /etc/apt/sources.list.d/cloud-archive.list

Add the following to the cloud-archive.list file:

deb precise-updates/havana main

Step 2: Install Keystone and MySQL

$ sudo apt-get update
$ sudo apt-get upgrade
$ sudo apt-get install keystone python-keystone python-keystoneclient
$ sudo apt-get install mysql-server python-mysqldb
$ sudo rm /var/lib/keystone/keystone.db
$ mysql -u root -p

Step 3: From the MySQL prompt create the Keystone database and user

mysql> CREATE DATABASE keystone;
mysql> CREATE USER 'keystone-user'@'localhost' IDENTIFIED BY 'password';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone-user'@'localhost';

Step 4: Edit the keystone.conf file

$ sudo nano /etc/keystone/keystone.conf

Make the following changes in the areas shown below (add the admin token and the connection string for MySQL):

# A "shared secret" between keystone and other openstack services
admin_token = 012345SECRET99TOKEN012345

# The SQLAlchemy connection string used to connect to the database
#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql://keystone-user:password@

Step 5: Set the permissions and run db_sync

$ cd /etc/keystone/
$ sudo chown -R keystone:keystone *
$ sudo usermod -a -G keystone YOUR_USERNAME
$ sudo service keystone restart
$ sudo keystone-manage db_sync

Step 6: Create a bash file to populate Keystone with some data

Create a file called and fill it with the following:

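#!/bin/bash
# Admin token and admin endpoint used by the keystone client (token from Step 4)
export OS_SERVICE_TOKEN="012345SECRET99TOKEN012345"
export OS_SERVICE_ENDPOINT="http://localhost:35357/v2.0"

# Development passwords; default to "password" unless already set
ADMIN_PASSWORD=${ADMIN_PASSWORD:-password}
DEMO_PASSWORD=${DEMO_PASSWORD:-password}

# Run a keystone command and print the id from its table output
get_id () {
    echo `"$@" | awk '/ id / { print $4 }'`
}

# Tenants
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)

# Users
ADMIN_USER=$(get_id keystone user-create --name=admin --pass="$ADMIN_PASSWORD")
DEMO_USER=$(get_id keystone user-create --name=demo --pass="$DEMO_PASSWORD")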

# Roles
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
MEMBER_ROLE=$(get_id keystone role-create --name=member)

# Add Roles to Users in Tenants
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant-id $ADMIN_TENANT
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant-id $DEMO_TENANT

Note: I did not add service endpoints; feel free to do that if you wish.

Step 7: Populate Keystone

$ chmod +x
$ ./

Optional: If you mess up the database you can run the following to reset it:

$ mysql -u root -p -e "drop database keystone"
$ mysql -u root -p -e "create database keystone"
$ mysql -u root -p -e "grant all privileges on keystone.* TO 'keystone-user'@'localhost' identified by 'password'"
$ sudo service keystone restart
$ sudo keystone-manage db_sync

Step 8: Examine the tenant-list

$ keystone --token 012345SECRET99TOKEN012345 --endpoint tenant-list

Results should be similar to this:

|                id                |  name | enabled |
| 11d98ba1ea52435b9a802f62681b9adb | demo  | True    |
| b12c9cd565174af3bcb5f679add3bbcf | admin | True    |

Step 9: Fetch an auth token

$ curl -d '{"auth": {"tenantName": "demo", "passwordCredentials": {"username": "demo", "password": "password"}}}' -H "Content-type: application/json" http://localhost:5000/v2.0/tokens

Step 10: Validate

$ curl -H "X-Auth-Token:MIIDDAYJKoZIhvcNAQcCoII-REALLY_LONG-TOKEN-WILL-BE-HERE" http://localhost:5000/v2.0/tenants -H 'Content-type: application/json' | python -m json.tool

That’s all there is to it.
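
Before a setup like this is reused anywhere that matters, the development-only values from the WARNING can be checked for mechanically. The script below is an added example, not part of the original post: it flags the sample admin_token from Step 4, a database password of "password", a plain-http endpoint, and a keystone.conf that other users can access. The function names, the file-mode check, and the db.example host in the sample input are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: flag the development-only values
# from Steps 4 and 6 before this setup is reused anywhere that matters.

# conf_value FILE KEY: print the value of the last uncommented "KEY = value".
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1
}

# audit_keystone FILE [ENDPOINT]: print one finding per line.
# Returns 0 when nothing was flagged, 1 otherwise.
audit_keystone() {
    conf=$1 endpoint=${2:-} bad=0
    token=$(conf_value "$conf" admin_token)
    conn=$(conf_value "$conf" connection)

    # The sample token is published in the tutorial, so it is not a secret.
    if [ "$token" = "012345SECRET99TOKEN012345" ]; then
        echo "admin_token: tutorial sample value in use"; bad=1
    fi
    # SQLAlchemy URL layout: scheme://user:PASSWORD@host/db
    case $conn in *://*:*@*)
        dbpass=${conn#*://*:}; dbpass=${dbpass%%@*}
        if [ "$dbpass" = "password" ]; then
            echo "connection: database password is 'password'"; bad=1
        fi ;;
    esac
    # Tokens travel in the X-Auth-Token header (Step 10); plain http exposes them.
    case $endpoint in http://*)
        echo "endpoint: $endpoint is not TLS-protected"; bad=1 ;;
    esac
    # Assumption of this example: a file holding both secrets should grant
    # nothing to "other" (characters 8-10 of the ls -l mode string).
    other=$(ls -l "$conf" | cut -c8-10)
    if [ "$other" != "---" ]; then
        echo "file: mode grants '$other' to other users"; bad=1
    fi
    return "$bad"
}

# Constructed sample input: the host/database after '@' is made up here.
sample=$(mktemp)
cat > "$sample" <<'EOF'
admin_token = 012345SECRET99TOKEN012345
#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql://keystone-user:password@db.example/keystone
EOF
chmod 644 "$sample"
audit_keystone "$sample" "http://localhost:35357/v2.0" || echo "not ready for reuse"
```

On a real host the first argument would be /etc/keystone/keystone.conf and the second the endpoint the clients are pointed at.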


One Response to Setting up OpenStack (Havana) Keystone in ten easy steps on Ubuntu 12.04 LTS

  1. iek says:

    Wow, that’s what I was looking for, what a data! existing here at this web site,
    thanks admin of this web site.
