Please be aware that the following applies to 2011.3 ONLY (Diablo Final). The configuration to come in Essex is far simpler; if, when reading this post, your packages are 2012.X you have just installed Essex and this post is not relevant. Anyway, here we go...
yum install openstack-keystone
Keystone itself has its own tirade of concepts to get to grips with: tenant, user, role, service, token, etc. I'm not going to go into detail on those concepts; for that, please see the documentation.
Configuring MySQL
The first thing I am going to do is change from the sqlite connection to a MySQL connection. This involves editing line 54 of /etc/keystone/keystone.conf.
Ignore the default_store setting at the top of the file: although it states sqlite, from what I can tell it simply instructs keystone to use the sqlAlchemy driver, which we have just updated to point at MySQL.
Now, like Glance, we need to restart keystone for the database to be populated.
service openstack-keystone restart
Now run keystone-manage with no arguments. If you see:
File "/usr/lib/python2.6/site-packages/keystone/manage/__init__.py", line 283, in main
raise exc
sqlalchemy.exc.OperationalError: (OperationalError) (1044, "Access denied for user 'keystone'@'localhost' to database 'keystone'") None None
review your keystone.conf file and ensure your MySQL credentials are correct; once done, start keystone again.
Initial Credentials
Now we need to create an admin Tenant, and add an admin user to this tenancy.
keystone-manage tenant add adminTenant
SUCCESS: Tenant adminTenant created.
keystone-manage user add adminUser <password>
SUCCESS: User adminUser created.
keystone-manage role add Admin
SUCCESS: Role Admin created successfully.
keystone-manage role grant Admin adminUser
SUCCESS: Granted Admin the adminUser role on None.
keystone-manage role grant Admin adminUser adminTenant
SUCCESS: Granted Admin the adminUser role on adminTenant.
Ok, so we have just:
set up a tenant named adminTenant.
set up a user named adminUser and specified their password.
created an Admin role.
assigned adminUser to the Admin role.
granted adminUser the Admin role on adminTenant.
Note: the output is a little confusing on the role assignments:
"Granted Admin the adminUser role on adminTenant",
It appears the string output has the arguments in the wrong order here; it should read:
"Granted adminUser the Admin role on adminTenant".
I have however verified the mySQL data and can see the roles being correctly assigned.
Also, the output from
keystone-manage role grant help
Missing arguments: role grant 'role' 'user' 'tenant (optional)'
confirms the arguments are being entered in the correct order.
Edit these to reflect your Admin role accordingly and then restart openstack-keystone.
The above shows separate roles for general admin and service admin; in my case I set these to the same role. It is of course entirely up to you and your delegation setup.
If you choose to retain the KeystoneServiceAdmin delegation you will need to set up the role as per the Admin role above and run through the grants accordingly.
Setting up the Service token and service definitions
ERROR: 'NoneType' object has no attribute 'id'
2012-04-23 12:27:29 ERROR [root] 'NoneType' object has no attribute 'id'
Traceback (most recent call last):
File "/usr/bin/keystone-manage", line 16, in <module>
keystone.manage.main()
File "/usr/lib/python2.6/site-packages/keystone/manage/__init__.py", line 283, in main
raise exc
AttributeError: 'NoneType' object has no attribute 'id'
check you have correctly entered adminUser and adminTenant (or the details you have entered), including correct capitalization.
keystone-manage service add nova compute "Openstack Compute Service"
SUCCESS: Service nova created successfully.
keystone-manage service add glance image "Openstack Image Service"
SUCCESS: Service glance created successfully.
keystone-manage service add keystone identity "Openstack Identity Service"
SUCCESS: Service keystone created successfully.
Defining endPoints
Nova
Here I managed to confuse myself, so let me be clear, this needs the nova_api service ip, not each compute node, meaning you only need one endpoint.
keystone-manage endpointTemplates add regionOne nova https://<nova_api_ip>:8774/v1.1/%tenant_id% https://<nova_api_ip>:8774/v1.1/%tenant_id% https://<nova_api_ip>:8774/v1.1/%tenant_id% 1 1
SUCCESS: Created EndpointTemplates for nova pointing to https://<nova_api_ip>:8774/v1.1/%tenant_id%
The three URL arguments are for publicURL, internalURL and adminURL (no idea if that is the order).
Glance
keystone-manage endpointTemplates add regionOne glance https://<glance_ip>:9292/v1 https://<glance_ip>:9292/v1 https://<glance_ip>:9292/v1 1 1
SUCCESS: Created EndpointTemplates for glance pointing to https://<glance_ip>:9292/v1
Keystone
keystone-manage endpointTemplates add regionOne keystone https://<keystone_ip>:5000/v2.0 https://<keystone_ip>:5000/v2.0 https://<keystone_ip>:5000/v2.0 1 1
SUCCESS: Created EndpointTemplates for keystone pointing to https://<keystone_ip>:5000/v2.0.
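Once the three endpoint templates exist, the quickest sanity check is to authenticate as adminUser against adminTenant and inspect the catalog that comes back. The validator below is an added example, not code from the original post; it assumes the Identity v2.0 token response layout (access.user.roles and access.serviceCatalog) and runs over a constructed sample response, so the IPs, tenant id and token id are placeholders.

```python
import json

# Constructed sample of a v2.0 token response (assumed layout), roughly what
# POST /v2.0/tokens returns for adminUser on adminTenant. Not a real capture:
# one glance URL is deliberately plain http and the identity endpoint is absent.
SAMPLE_RESPONSE = json.dumps({
    "access": {
        "token": {"id": "tok-placeholder", "tenant": {"name": "adminTenant"}},
        "user": {"name": "adminUser", "roles": [{"name": "Admin"}]},
        "serviceCatalog": [
            {"name": "nova", "type": "compute", "endpoints": [
                {"region": "regionOne",
                 "publicURL": "https://10.0.0.5:8774/v1.1/42",
                 "internalURL": "https://10.0.0.5:8774/v1.1/42",
                 "adminURL": "https://10.0.0.5:8774/v1.1/42"}]},
            {"name": "glance", "type": "image", "endpoints": [
                {"region": "regionOne",
                 "publicURL": "http://10.0.0.6:9292/v1",
                 "internalURL": "https://10.0.0.6:9292/v1",
                 "adminURL": "https://10.0.0.6:9292/v1"}]},
        ],
    }
})

# The three services registered with "keystone-manage service add" above.
EXPECTED_SERVICES = ("compute", "image", "identity")

def check_token_response(body, region="regionOne", role="Admin"):
    """Return a list of problems found in a v2.0 token response (empty = good)."""
    access = json.loads(body)["access"]
    problems = []
    # The role grant on the tenant must show up on the token's user.
    roles = {r["name"] for r in access["user"].get("roles", [])}
    if role not in roles:
        problems.append("user lacks role %s (has %s)" % (role, sorted(roles)))
    seen = set()
    for svc in access.get("serviceCatalog", []):
        for ep in svc.get("endpoints", []):
            if ep.get("region") != region:
                continue  # a template in another region does not serve this catalog
            seen.add(svc["type"])
            for key in ("publicURL", "internalURL", "adminURL"):
                url = ep.get(key, "")
                if not url.startswith("https://"):
                    problems.append("%s %s is not https: %s" % (svc["type"], key, url))
    for svc_type in EXPECTED_SERVICES:
        if svc_type not in seen:
            problems.append("no %s endpoint in region %s" % (svc_type, region))
    return problems
```

Running it over the sample reports the plain-http Glance publicURL and the missing identity endpoint, which is exactly what a template registered under a different region name (or not at all) looks like to clients.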
Configuring Nova
Now that we have keystone set up, we need to configure nova to use keystone for authentication by editing /etc/nova/api-paste.ini.
There are several edits required, so what follows are snippets of those changes.
EC2 Section modification
Lines 22 and 27 (the [pipeline:ec2cloud] and [pipeline:ec2admin] sections).
Most of the other commands are presently returning 404 / 500 errors for me. With the Essex release impending, the current EPEL advice seems to be to use Essex; I will update as and when I can with further information on these issues.
For instance, on a flavor-create a 500 error is encountered, with the following logged in api.log:
...
(nova.api.openstack): TRACE: AttributeError: 'ControllerV11' object has no attribute 'create'
...
Configuring Glance
Modify /etc/glance/glance-api.conf: comment out line 138 and uncomment line 140.
[pipeline:glance-api]
#pipeline = versionnegotiation context apiv1app
# NOTE: use the following pipeline for keystone
pipeline = versionnegotiation authtoken auth-context apiv1app
Now edit /etc/glance/glance-registry.conf and again comment out the current pipeline= line and uncomment the keystone line.
[pipeline:glance-registry]
#pipeline = context registryapp
# NOTE: use the following pipeline for keystone
pipeline = authtoken auth-context registryapp
for i in api registry; do service openstack-glance-$i restart; done
Stopping openstack-glance-api: [ OK ]
Starting openstack-glance-api: [ OK ]
Stopping openstack-glance-registry: [ OK ]
Starting openstack-glance-registry: [ OK ]
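A paste pipeline that still lacks authtoken serves requests with no Keystone check at all, and the two files above are easy to half-edit. The audit below is an added example, not code from the original post: it parses the [pipeline:*] sections of a glance config with the standard library and reports any pipeline missing the authtoken and auth-context filters. The embedded config is a constructed sample in which glance-api has been switched to the keystone pipeline and glance-registry has not.

```python
import configparser
import io

# Constructed sample mirroring the two pipeline sections edited above:
# glance-api is on the keystone pipeline, glance-registry still on the old one.
SAMPLE_CONF = """
[pipeline:glance-api]
#pipeline = versionnegotiation context apiv1app
# NOTE: use the following pipeline for keystone
pipeline = versionnegotiation authtoken auth-context apiv1app

[pipeline:glance-registry]
pipeline = context registryapp
# NOTE: use the following pipeline for keystone
#pipeline = authtoken auth-context registryapp
"""

# authtoken validates the X-Auth-Token with keystone; auth-context turns the
# result into the request context the app authorises against. Both are needed.
REQUIRED = ("authtoken", "auth-context")

def audit_pipelines(conf_text):
    """Return {section: [missing filters]} for every [pipeline:*] section.

    An empty list means the pipeline authenticates against keystone;
    a non-empty list means requests reach the app unauthenticated.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_file(io.StringIO(conf_text))  # '#' lines are treated as comments
    findings = {}
    for section in parser.sections():
        if not section.startswith("pipeline:"):
            continue
        filters = parser.get(section, "pipeline", fallback="").split()
        findings[section] = [f for f in REQUIRED if f not in filters]
    return findings

if __name__ == "__main__":
    for section, missing in audit_pipelines(SAMPLE_CONF).items():
        state = "OK" if not missing else "UNAUTHENTICATED (missing %s)" % ", ".join(missing)
        print("%-26s %s" % (section, state))
```

Point it at the real /etc/glance/glance-api.conf and glance-registry.conf after the restart; any section reported UNAUTHENTICATED still has the pre-keystone pipeline active.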