Install and Configure OpenStack Identity Service (Keystone) for Ubuntu 14.04

Based on Ubuntu 14.04 LTS x86_64

1. eth0 for management/public/floating (192.168.1.0/24), eth1 for internal/flat (192.168.20.0/24), it's recommended to use seperated nic for management network

2. vi /etc/hosts
# remove or comment the line beginning with 127.0.1.1
192.168.1.10    controller
192.168.1.11    node1

3. aptitude -y install ntp

vi /etc/ntp.conf
restrict 3.cn.pool.ntp.org
restrict 0.asia.pool.ntp.org
restrict 2.asia.pool.ntp.org
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
server 3.cn.pool.ntp.org
server 0.asia.pool.ntp.org
server 2.asia.pool.ntp.org

service ntp restart

4. install mysql server
aptitude -y install mysql-server

vi /etc/mysql/my.cnf
[mysqld]
default-storage-engine = innodb
collation-server = utf8_general_ci
init-connect = 'SET NAMES utf8'
character-set-server = utf8

bind-address = 192.168.1.10

service mysql restart
mysql_secure_installation

5. aptitude -y install python-mysqldb


7. aptitude -y install rabbitmq-server
rabbitmqctl change_password guest GUEST_PASS

service rabbitmq-server restart

8. Install and Configure OpenStack Identity Service (Keystone)
aptitude -y install keystone

mysql -uroot -p
mysql> create database keystone;
mysql> grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'KEYSTONE-DBPASS';
mysql> grant all privileges on keystone.* to 'keystone'@'%' identified by 'KEYSTONE-DBPASS';
mysql> flush privileges;

vi /etc/keystone/keystone.conf
[database]

#connection = sqlite:////var/lib/keystone/keystone.db

connection = mysql://keystone:keystone@MYSQL-SERVER/keystone

rm -rf /var/lib/keystone/keystone.db

keystone-manage db_sync

vi /etc/keystone/keystone.conf
admin_token = admintoken
token_format = PKI
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
ca_key = /etc/keystone/ssl/private/cakey.pem
key_size = 2048
valid_days = 3650
cert_subject = /C=CN/ST=Shanghai/L=Shanghai/O=HKT/CN=controller

log_dir = /var/log/keystone

9. rm -rf /etc/keystone/ssl/*

keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /etc/keystone /var/log/keystone

chmod -R o-rwx /etc/keystone/ssl
service keystone restart

10. crontab -e
@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1

service cron restart

11. export OS_SERVICE_TOKEN=admintoken
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

12.# add admin tenant

keystone tenant-create --name admin --description "Admin Tenant"

# add service tenant

keystone tenant-create --name service --description "Service Tenant"

# add admin role

keystone role-create --name admin

# add admin user (set in admin tenant)

keystone user-create --tenant admin --name admin --pass ADMIN-USER-PASSWORD

# add admin user in admin role

keystone user-role-add --user admin --tenant admin --role admin

# add demo1 tenant
keystone tenant-create --name=demo1 --description="Demo1 Tenant"

# add demo1 user
keystone user-create --tenant demo1 --name demo1 --pass DEMO1-USER-PASSWORD

# add service for keystone

keystone service-create --name=keystone --type=identity --description="Keystone Identity Service"

# add endpoint for keystone

keystone endpoint-create --region RegionOne --service keystone --publicurl=http://controller:5000/v2.0 --internalurl=http://controller:5000/v2.0 --adminurl=http://controller:35357/v2.0

13. Load environment variables

unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
vi ~/adminrc
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN-USER-PASSWORD
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0

chmod 600 ~/adminrc ; source ~/adminrc
echo "source ~/adminrc " >> ~/.profile

vi ~/demo1rc
export OS_USERNAME=demo1
export OS_PASSWORD=DEMO1-USER-PASSWORD
export OS_TENANT_NAME=demo1
export OS_AUTH_URL=http://controller:35357/v2.0

Get user-role-list script

vi get-user-role-list.py
#!/usr/bin/python
import os, prettytable, sys

from keystoneclient.v2_0 import client
from keystoneclient import utils

keystone = client.Client(username=os.environ['OS_USERNAME'], password=os.environ['OS_PASSWORD'],
                        tenant_name=os.environ['OS_TENANT_NAME'], auth_url=os.environ['OS_AUTH_URL'])

f_user = f_tenant = ""
if "-u" in sys.argv: f_user = sys.argv[sys.argv.index("-u")+1]
if "-t" in sys.argv: f_tenant = sys.argv[sys.argv.index("-t")+1]

tenants = [t for t in keystone.tenants.list() if f_tenant in t.name]
users =   [u for u in keystone.users.list() if f_user in u.name]

pt = prettytable.PrettyTable(["name"]+[t.name for t in tenants])
for user in users:
   row = [user.name]
   for tenant in tenants:
       row.append("\n".join([u.name for u in user.list_roles(tenant.id)]))
   pt.add_row(row)
print pt.get_string(sortby="name")

chmod +x get-user-role-list.py

./get-user-role-list.py