Search

3.6. Create the Identity Service Endpoint

download PDF
Once the Identity service has been started, its API endpoint must be defined. Some OpenStack services, including the dashboard, will not work unless this record is present.
All steps in this procedure must be performed on the Identity server, while logged in as the root user.

Procedure 3.10. Creating the Identity Service Endpoint

  1. Set up the shell to access Keystone as the admin user:
    # source ~/keystonerc_admin
  2. Set the OS_SERVICE_TOKEN environment variable to the administration token. This is done by reading the token file created when setting the administration token:
    [(keystone_admin)]# export OS_SERVICE_TOKEN=`cat ~/ks_admin_token`
  3. Set the OS_SERVICE_ENDPOINT environment variable to point to the server hosting the Identity service:
    [(keystone_admin]# export OS_SERVICE_ENDPOINT='http://IP:35357/v2.0'
    Replace IP with the IP address or host name of the Identity server.
  4. Create a service entry for the Identity service:
    [(keystone_admin)]# keystone service-create --name=keystone --type=identity \
       --description="Keystone Identity service"
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description |     Keystone Identity service    |
    | enabled     |               True               |
    | id          | a8bff1db381f4751bd8ac126464511ae |
    | name        |             keystone             |
    | type        |             identity             |
    +-------------+----------------------------------+
  5. Create an endpoint entry for the v2.0 API Identity service:
    [(keystone_admin)]# keystone endpoint-create \
       --service keystone \
       --publicurl 'https://IP:443/v2.0' \
       --adminurl 'https://IP:443/v2.0' \
       --internalurl 'https://IP:5000/v2.0' \
       --region 'RegionOne'
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | adminurl    |       https://IP:443/keystone/admin       |
    | id          | 1295011fdc874a838f702518e95a0e13 |
    | internalurl |       https://IP:5000/v2.0        |
    | publicurl   |       https://IP:443/keystone/main        |
    | region      |             RegionOne            |
    | service_id  |                 ID               |
    +-------------+----------------------------------+
    Replace IP with the IP address or host name of the Identity server.

    Note

    By default, the endpoint is created in the default region, RegionOne. If you need to specify a different region when creating an endpoint, use the --region argument.

3.6.1. Service Regions

Each service cataloged in the Identity service is identified by its region, which typically represents a geographical location, and its endpoint. In a Red Hat OpenStack Platform environment with multiple Compute deployments, regions allow for the discrete separation of services, and are a robust way to share some infrastructure between Compute installations, while allowing for a high degree of failure tolerance.
Administrators determine which services are shared between regions and which services are used only with a specific region. By default, when an endpoint is defined and no region is specified, it is created in the region named RegionOne.
To begin using separate regions, specify the --region argument when adding service endpoints:
[(keystone_admin)]# keystone endpoint-create --region 'RegionOne' \
   --service SERVICENAME\   
   --publicurl PUBLICURL
   --adminurl ADMINURL
   --internalurl INTERNALURL
Replace REGION with the name of the region to which the endpoint belongs. When sharing an endpoint between regions, create an endpoint entry containing the same URLs for each applicable region. For information on setting the URLs for each service, see the Identity service configuration information of the service in question.

Example 3.1. Endpoints Within Discrete Regions

In this example, the APAC and EMEA regions share an Identity server (identity.example.com) endpoint, while providing region specific compute API endpoints:
$ keystone endpoint-list
+---------+--------+------------------------------------------------------+
|   id    | region |                      publicurl                       |
+---------+--------+------------------------------------------------------+
| 0d8b... |  APAC  |         http://identity.example.com:5000/v3          |
| 769f... |  EMEA  |         http://identity.example.com:5000/v3          |
| 516c... |  APAC  |  http://nova-apac.example.com:8774/v2/%(tenant_id)s  |
| cf7e... |  EMEA  |  http://nova-emea.example.com:8774/v2/%(tenant_id)s  |
+---------+--------+------------------------------------------------------+
Red Hat logoGithubRedditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

© 2024 Red Hat, Inc.