WHAT IS KEYSTONE?Keystone is an OpenStack project that provides Identity, Token, Catalog andPolicy services for use specifically by projects in the OpenStack family. Itimplements OpenStack’s Identity API.The Identity services has two primary functions:- User management: keep track of users and what they are permitted to do- Service catalog: Provide a catalog of what services are available and wheretheir API endpoints are located
KEYSTONE ARCHITECTUREKeystone is organized as a group of internal services exposed on one or manyendpoints.1) Identity: The Identity service provides auth credential validation and data about Users, Tenants and Roles, as well as any associated metadata.2) Token: The Token service validates and manages Tokens used for authenticating requests once a user/tenant’s credentials have already been verified.3) Catalog: The Catalog service provides an endpoint registry used for endpoint discovery.4) Policy: The Policy service provides a rule-based authorization engine
KEYSTONE ARCHITECTUREEach of the services can configured to use a backend to allow Keystone to fit avariety of environments and needs. The backend for each service is defined inthe keystone.conf file1) KVS Backend: A simple backend interface meant to be further backended on anything that can support primary key lookups2) SQL Backend: A SQL based backend using SQLAlchemy to store data persistently.3) PAM Backend: Extra simple backend that uses the current system’s PAM service to authenticate, providing a one-to-one relationship between Users and Tenants.4) LDAP Backend: The LDAP backend stored Users and Tenents in separate Subtrees.5) Templated Backend: A simple Template used to configure Keystone
KEYSTONE USER MANAGEMENTThe three main concepts of Identity user management are:1) Users: A user represents a human user, and has associated information such as username, password and email.2) Tenants: A tenant can be thought of as a project, group, or organization. Whenever you make requests to OpenStack services, you must specify a tenant.3) Roles: A role captures what operations a user is permitted to perform in a given tenant.
KEYSTONE SERVICE MANAGEMENTKeystone also acts as a service catalog to let other OpenStack systems knowwhere relevant API endpoints exist for OpenStack Services. The two mainconcepts of Identity service management are:- Services- EndpointsThe Identity service also maintains a user that corresponds to each service (e.g.,a user named nova, for the Compute service) and a special service tenant, whichis called service.
INSTALLING AND SETTING UP KEYSTONEKeystone can be either be installed from the source or platform specific packagesavailable with various distributions. For the purposes of this presentation we will useUbuntu 12.04 with platform specific packages available in the repositories.- sudo apt-get install keystone- sudo apt-get install python-mysqldb mysql-server (install mysqldb to replace the default SQL lite DB)- mysql> CREATE DATABASE keystone; (Create mysql database for the keystone to use)- mysql> GRANT ALL ON keystone.* TO keystone@% IDENTIFIED BY [YOUR_KEYSTONE_PASSWORD]; (Create mysql user to access the keystone DB)- Change connection line in /etc/keystone.conf connection = mysql://keystone:[YOUR_KEYSTONE_PASSWORD]@[YOUR_KEYSTONE_SERVER]/key stone- admin_token = 012345SECRET99TOKEN012345 (Set service token in keystone.conf)- service keystone restart (Restart the keystone service to apply the changes- keystone-manage db_sync (Initialise the new keystone database)
KEYSTONE USER MANAGEMENT1) Create a user called Kavit keystone user-create --name=kavit --pass=test123 --firstname.lastname@example.org) Create a tenant called test keystone tenant-create --name=test3) Create a role to use on our system keystone role-create –name=admin4) Associate the role and the user with the tenant keystone user-role-add --user=USERID –role=ROLEID –tenant_id=TENANTID
KEYSTONE SERVICE MANAGEMENT1) Create service tenant. This tenant contains all the services that we make known to the service catalog. keystone tenant-create –name=service2) Create users for each Openstack service in the service catalog keystone user-create –name=nova –pass=test123 -- email@example.com) Give admin roles to the users nova, glance, etc to the tenant service.4) Now that we have tenants, users and roles for each of the users, we need to create the services we wish authenticate users for. keystone service-create --name nova --type compute --description ’OpenStack Compute Service’
KEYSTONE SERVICE MANAGEMENT5) Once the services are created, we will need to associate the endpoints ornetwork addresses where clients might connect to the services offered.keystone endpoint-create --region myregion --service_id1e93ee6c70f8468c88a5cb1b106753f3--publicurl ’http://192.168.125.111:8774/v2/$(tenant_id)s’--adminurl ’http://192.168.125.111:8774/v2/$(tenant_id)s’--internalurl ’http://192.168.125.111:8774/v2/$(tenant_id)s’