Document how to configure Keystone v3 api

Bug #1385025 reported by Anne Gentle
This bug affects 3 people
Affects            Status        Importance  Assigned to  Milestone
openstack-manuals  Fix Released  Medium      Unassigned

Bug Description

Ask Priti Desai if we can use this blog post in the openstack docs. I couldn't find these configuration instructions in the Configuration Guide.

Running a small experiment on a single-node OpenStack Havana instance on Ubuntu 12.04.4 LTS Precise Pangolin. I have used DevStack for deploying and configuring OpenStack, which by default comes with Keystone V2.0. We had a requirement to test the Domains functionality, which was introduced in Keystone V3.

Making sure that we have a working version of OpenStack instance with Keystone V2.0.

Setup environment:

export OS_USERNAME=<UserName>
export OS_TENANT_NAME=<ProjectName>
export OS_PASSWORD=<Password>
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0
export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
export SERVICE_TOKEN=<KeystoneServiceToken>

Run a few CLIs and verify that they all succeed. The CLI is used here for initial testing; you can use the REST APIs as well.

List Users:

keystone user-list

List Servers:

nova list

List VM Images:

glance image-list

Workflow:

Step 1: Keystone Policy File

Apply the appropriate version of policy.json. Keystone V3 (domain feature) is not supported by the default policy.json located at /etc/keystone/policy.json. The appropriate version of the policy file is packaged with the Keystone source code under /opt/stack/keystone/etc/policy.v3cloudsample.json.

mv /etc/keystone/policy.json /etc/keystone/policy.json.bak
cp /opt/stack/keystone/etc/policy.v3cloudsample.json /etc/keystone/policy.json

Step 2: Update Keystone Endpoints

Update the Keystone endpoints in the MySQL database. Keystone endpoints have three types of interfaces: "internal", "public", and "admin". They all must be set to V2.0. The internal and public interfaces are set to the same URL.

$ mysql
mysql> use keystone;
mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type="identity";
+-----------+-----------------------------+
| interface | url                         |
+-----------+-----------------------------+
| internal  | http://127.0.0.1:5000/v2.0  |
| public    | http://127.0.0.1:5000/v2.0  |
| admin     | http://127.0.0.1:35357/v2.0 |
+-----------+-----------------------------+
3 rows in set (0.00 sec)

Now, update all three URLs, change V2.0 API to V3 with:

mysql> select id from service where type="identity";
+----------------------------------+
| id                               |
+----------------------------------+
| b0bbb0370ee4402eb3770129fdc0c328 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> update endpoint set url="http://127.0.0.1:5000/v3" where url="http://127.0.0.1:5000/v2.0" and service_id="b0bbb0370ee4402eb3770129fdc0c328";
mysql> update endpoint set url="http://127.0.0.1:35357/v3" where url="http://127.0.0.1:35357/v2.0" and service_id="b0bbb0370ee4402eb3770129fdc0c328";

Confirm that you have all three endpoints updated to V3:

mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type="identity";
+-----------+---------------------------+
| interface | url                       |
+-----------+---------------------------+
| internal  | http://127.0.0.1:5000/v3  |
| public    | http://127.0.0.1:5000/v3  |
| admin     | http://127.0.0.1:35357/v3 |
+-----------+---------------------------+
3 rows in set (0.00 sec)

Step 3: Restart OpenStack Services

Restart Keystone, Nova, and Glance by re-joining the DevStack screen session. Locate the screen for Keystone (named "key"). Hit "Ctrl + Z" followed by up arrow key + Enter.

$ cd devstack
$ ./rejoin-stack.sh

Step 4: Verification

Update Environment to update Keystone Endpoint:

export OS_AUTH_URL=http://127.0.0.1:5000/v3
export SERVICE_ENDPOINT=http://127.0.0.1:35357/v3

List Users:

You can use either the Keystone CLI or the REST API.

keystone user-list

curl -s -X GET http://127.0.0.1:35357/v3/users -H "X-Auth-Token: $SERVICE_TOKEN" | jq .

List Servers:

Nova CLI is not supported with Keystone V3 so please use CLI reference to OpenStack APIs:

openstack --os-identity-api-version=3 server list

List Images:

Glance CLI is not supported with Keystone V3 so please use CLI reference to OpenStack APIs:

openstack --os-identity-api-version=3 image list

Tags: keystone
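
A check for the "Confirm that you have all three endpoints updated to V3" step in the description above, added here as an example and not part of the original report or blog post. The function names `check_identity_endpoints` and `sample_partial` are hypothetical, the sample table is constructed, and the `mysql` invocation in the comment assumes the client can reach the keystone database as in Step 2.

```shell
#!/bin/sh
# Added example (not from the bug report). Function names are hypothetical.
# Reads the MySQL table output of the Step 2 query on stdin, for instance:
#   mysql -t keystone -e 'select interface, url from endpoint e, service s
#     where s.id=e.service_id and s.type="identity";' | check_identity_endpoints
# Prints one line per problem and returns 0 only when internal, public and
# admin are all present and every URL ends in /v3.
check_identity_endpoints() {
    awk -F'|' '
        NF == 4 {                       # data or header row: | cell | cell |
            iface = $2; url = $3
            gsub(/^[ \t]+|[ \t]+$/, "", iface)
            gsub(/^[ \t]+|[ \t]+$/, "", url)
            if (iface == "interface") next      # skip the header row
            seen[iface] = 1
            if (url !~ /\/v3\/?$/) { print "NOT-V3 " iface " " url; bad++ }
        }
        END {
            n = split("internal public admin", want, " ")
            for (i = 1; i <= n; i++)
                if (!(want[i] in seen)) { print "MISSING " want[i]; bad++ }
            exit (bad > 0)
        }
    '
}

# Constructed sample: the UPDATE for port 35357 was skipped.
sample_partial() {
    cat <<'EOF'
+-----------+-----------------------------+
| interface | url                         |
+-----------+-----------------------------+
| internal  | http://127.0.0.1:5000/v3    |
| public    | http://127.0.0.1:5000/v3    |
| admin     | http://127.0.0.1:35357/v2.0 |
+-----------+-----------------------------+
EOF
}

sample_partial | check_identity_endpoints || echo "identity endpoints need attention"
```

Running the check before restarting the services in Step 3 catches a row that the exact-match `where url=...` clause did not update, such as an endpoint stored with a different host name.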
Anne Gentle (annegentle)
Changed in openstack-manuals:
status: New → Confirmed
importance: Undecided → Medium
assignee: nobody → Priti Desai (priti-desai)
Priti Desai (priti-desai) wrote :

Hi Anne,

Please feel free to use these instructions and document them in the OpenStack docs. I am more than happy to add them myself. Where should they go? Developer guide?

Cheers
Priti

Anne Gentle (annegentle) wrote :

Sorry it took me so long to see this! In the Configuration Guide please.

Tom Fifield (fifieldt)
Changed in openstack-manuals:
milestone: none → kilo
tags: added: keystone
Tom Fifield (fifieldt)
Changed in openstack-manuals:
milestone: kilo → liberty
Thiago Martins (martinx) wrote :

Guys,

How to create Keystone v3 Service and Endpoints on Kilo?

This way:

---
openstack service create --name keystonev3 --description "OpenStack Identity v3" identityv3

openstack endpoint create --region RegionOne --publicurl http://controller-1:5000/v3 --internalurl http://controller-1:5000/v3 --adminurl http://controller-1:35357/v3 identityv3
---

Is that right?

Or should I not use so many "v3" suffixes? Like for example:

---
openstack service create --name keystone --description "OpenStack Identity" identity

openstack endpoint create --region RegionOne --publicurl http://controller-1:5000/v3 --internalurl http://controller-1:5000/v3 --adminurl http://controller-1:35357/v3 identity
---

???

Thanks!

Darren Chan (dazzachan) wrote :

Hi Priti,

Are you still working on this?

Changed in openstack-manuals:
status: Confirmed → In Progress
Priti Desai (priti-desai) wrote :

Hi Darren,

Nope, haven't got a chance to work on it, please feel free to take it from me.

Cheers
Priti

Radek Skokan (radek-7)
Changed in openstack-manuals:
assignee: Priti Desai (priti-desai) → nobody
Changed in openstack-manuals:
milestone: liberty → mitaka
KATO Tomoyuki (kato-tomoyuki) wrote :

In Liberty, we have instructions about the Keystone v3 API in the installation guide.

Changed in openstack-manuals:
status: In Progress → Fix Released