Difference between revisions of "Keystone"
(→User-Based Authentication) |
(→Initial Authentication) |
||
| Line 23: | Line 23: | ||
Once Keystone is running (which we'll cover below,) you'll need to connect to it using the keystone client, called <tt>keystone</tt>. Initially, you won't have any users, tenants, roles, or anything else set up, and this creates a chicken-and-egg authentication problem. How do you authenticate with Keystone before you have your own user account? | Once Keystone is running (which we'll cover below,) you'll need to connect to it using the keystone client, called <tt>keystone</tt>. Initially, you won't have any users, tenants, roles, or anything else set up, and this creates a chicken-and-egg authentication problem. How do you authenticate with Keystone before you have your own user account? | ||
| − | This problem is solved by using the <tt>admin_token = ADMIN</tt> setting in <tt>/etc/keystone/keystone.conf</tt> configuration file. This defines a special administration token that is the literal string '<tt>ADMIN</tt>', which can be used like a master password to get full remote control of Keystone so that you can configure it. As long as you know the <tt>admin_token</tt>, you will be able to administrate Keystone from any system that can connect to the service endpoint that Keystone is using. Let's see how this works in practice: | + | This problem is solved by using the <tt>admin_token = ADMIN</tt> setting in <tt>/etc/keystone/keystone.conf</tt> configuration file. This defines a special administration token that is the literal string '<tt>ADMIN</tt>', which can be used like a master password to get full remote control of Keystone so that you can configure it. As long as you know the <tt>admin_token</tt>, you will be able to administrate Keystone from any system that can connect to the service endpoint that Keystone is using. |
| + | |||
| + | Let's see how this works in practice. First, we will want to define these environment variables in our shell: | ||
<console> | <console> | ||
$ ##i##export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/ | $ ##i##export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/ | ||
$ ##i##export SERVICE_TOKEN=ADMIN | $ ##i##export SERVICE_TOKEN=ADMIN | ||
| + | </console> | ||
| + | |||
| + | Now, we can execute queries against our Keystone service: | ||
| + | |||
| + | <console> | ||
$ ##i##keystone tenant-list | $ ##i##keystone tenant-list | ||
+----+------+---------+ | +----+------+---------+ | ||
Revision as of 05:44, 17 April 2012
Keystone is the OpenStack identity service, and is the most foundational Python-based component of OpenStack (that is, ignoring RabbitMQ and any SQL databases you might need). There is a server and client part of Keystone. Typically, Keystone is installed on a server, and the client can be installed anywhere (including the server) and is used to interact with Keystone using the OpenStack Identity API, which uses Web-based protocols as a means of client-server communication. The various components of OpenStack can be configured to connect to Keystone using service users so that they in turn can authenticate and authorize requests.
Contents |
Keystone Concepts
This section describes the various concepts and definitions that are part of Keystone.
Definitions
- Tenants
- In Keystone, "tenants" represent groups of users. Virtual machines (Nova) and containers (Swift) are assigned to tenants, not to users directly. Keystone users can be part of more than one tenant, and can have different types of roles defined for each tenant that they're a part of. Think of tenants as a logical way to organize computing and storage resources without assigning them to user accounts directly. Keystone allows you to create and delete tenants, and also enable and disable them.
- Roles
- A role is a common security concept, where a user is assigned a certain set of privileges. This set of privileges is called a role, has a name, and can be managed independently of the specific user account(s) that are part of the role. Keystone allows you to create and delete roles, add a user to a role for a specific tenant, remove a user from a role for a specific tenant, and of course list all the roles that have been defined.
- Users
- Keystone is used to define users. Users are accounts for specific individuals, and typically have a password and email associated with them. Keystone allows you to list, create, delete, enable/disable, update email addresses, and change passwords of Users.
- Service Users
- A service User is a user account created specifically for a component of OpenStack. Service users are typically added to the services tenant with the Admin role. For example, for Nova, you would create a service User nova. Then you would configure Nova to use this Service User to connect to Keystone so that it can authenticate and authorize requests that it receives. See OpenStack Documentation on Configuring Services for more information.
- Services
- Keystone allows you to define services, also called service endpoints. These are URLs that define where particular parts of OpenStack can be accessed. Various parts of OpenStack will query Keystone for service endpoints that they require. Service endpoints can be created and deleted, and you can "get" a handle (URL) to a service that has been defined.
Initial Authentication
Once Keystone is running (which we'll cover below,) you'll need to connect to it using the keystone client, called keystone. Initially, you won't have any users, tenants, roles, or anything else set up, and this creates a chicken-and-egg authentication problem. How do you authenticate with Keystone before you have your own user account?
This problem is solved by using the admin_token = ADMIN setting in /etc/keystone/keystone.conf configuration file. This defines a special administration token that is the literal string 'ADMIN', which can be used like a master password to get full remote control of Keystone so that you can configure it. As long as you know the admin_token, you will be able to administrate Keystone from any system that can connect to the service endpoint that Keystone is using.
Let's see how this works in practice. First, we will want to define these environment variables in our shell:
$ export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/ $ export SERVICE_TOKEN=ADMIN
Now, we can execute queries against our Keystone service:
$ keystone tenant-list
+----+------+---------+
| id | name | enabled |
+----+------+---------+
+----+------+---------+
Above, we defined two handy environment variables that the keystone client will use if defined. The first, SERVICE_ENDPOINT, defines the URL to which the keystone client should try to connect. And SERVICE_TOKEN defines our master token, ADMIN, which will grant us full control of Keystone. Then we ran the keystone tenant-list command, at which point our client used both environment variables to connect to the Keystone service, query for all tenants, and successfully returned an empty list, because we haven't created any tenants yet.
Clearly, it is not a good idea to have an admin_token defined on a production Keystone installation. Use it for initial setup, and then disable it, and restart Keystone. Then use a user in the 'admin' role for administration.
User-Based Authentication
Once you have a user named admin created, here is how you will use keystone to connect to the Keystone service. First, we will want to define these environment variables, and again, it's a good idea to put these in ~/.bashrc or ~/.bash_profile:
$ export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/ $ export OS_AUTH_URL=http://127.0.0.1:35357/v2.0
Note that we no longer need to define SERVICE_TOKEN, because we're not using it anymore. Now, here's how we run a Keystone-related query:
$ keystone --os_username='admin' --os_password 'mySekr1t' user-list
+----------------------------------+---------+---------------------+-------+
| id | enabled | email | name |
+----------------------------------+---------+---------------------+-------+
| 0c4a78317f234333a9a1116be1c7b022 | True | drobbins@funtoo.org | admin |
+----------------------------------+---------+---------------------+-------+
If you get tired of specifying the two extra command-line arguments above, you can export the environment variables OS_USERNAME and OS_PASSWORD and Keystone will use them if defined.
Quick Start
Installation
In Funtoo Linux, Keystone can be merged by typing:
# emerge sys-auth/keystone
Emerging Keystone will also pull in sys-auth/keystone-client as a runtime dependency. keystone-client (which provides the keystone executable) is now maintained in a separate GitHub repository, and connects to Keystone using the OpenStack identity API, more info on which can be found here:
- http://docs.openstack.org/api/openstack-identity-service/2.0/content/
- https://github.com/openstack/identity-api
Configuration
- Copy /etc/keystone/keystone.conf.sample to /etc/keystone/keystone.conf.
- Change the config line connection = to read sqlite:////var/tmp/keystone.db (four slashes after the colon)
- /etc/init.d/keystone start
- export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0/
- export SERVICE_TOKEN=ADMIN
Now, initialize the Keystone database:
# keystone-manage db_sync
Now, test connecting to Keystone using the Keystone client:
# keystone tenant-list
+----+------+---------+
| id | name | enabled |
+----+------+---------+
+----+------+---------+
If you see this output, then keystone used SERVICE_ENDPOINT and SERVICE_TOKEN environmental variables to connect and successfully query Keystone for tenants.
