Red Hat Summit Red Hat SummitSupportoConsoleSviluppatoriInizia una provaContatti

Questo contenuto non è disponibile nella lingua selezionata.

3.3. Configure the Identity Service

3.3.1. Configure the Identity Service Database Connection
Copia collegamento

The database connection string used by the Identity service is defined in the /etc/keystone/keystone.conf file. It must be updated to point to a valid database server before starting the service.
All steps in this procedure must be performed on the server hosting the Identity service, while logged in as the root user.

Procedure 3.2. Configuring the Identity Service SQL Database Connection

  • Set the value of the connection configuration key: 
    # openstack-config --set /etc/keystone/keystone.conf \
   sql connection mysql://USER:PASS@IP/DB
    Copy to Clipboard Toggle word wrap
    Replace the following values:
    • Replace USER with the Identity service database user name, usually keystone.
    • Replace PASS with the password of the database user.
    • Replace IP with the IP address or host name of the database server.
    • Replace DB with the name of the Identity service database, usually keystone.

Important

The IP address or host name specified in the connection configuration key must match the IP address or host name to which the keystone database user was granted access when creating the keystone database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the keystone database, you must enter 'localhost'.

3.3.2. Set the Identity Service Administration Token
Copia collegamento

Before the Identity service is started for the first time, you must define an administration token as an environment variable. This value is used to authenticate with the service before user and service accounts have been defined using the Identity service.
All steps in this procedure must be performed on the server hosting the Identity service, while logged in as the root user.

Procedure 3.3. Setting the Identity Service Administration Token

  1. Generate an initial service token and save it in the OS_SERVICE_TOKEN environment variable: 
    # export OS_SERVICE_TOKEN=$(openssl rand -hex 10)
    Copy to Clipboard Toggle word wrap
  2. Store the value of the administration token in a file for future use: 
    # echo $OS_SERVICE_TOKEN > ~/ks_admin_token
    Copy to Clipboard Toggle word wrap
  3. Set the value of the admin_token configuration key to that of the newly created token: 
    # openstack-config --set /etc/keystone/keystone.conf \
   DEFAULT admin_token $OS_SERVICE_TOKEN
    Copy to Clipboard Toggle word wrap

Note

The Identity server's token database table grows over time as new tokens are generated. To manage the size of the table, you must flush the tokens. Flushing tokens simply deletes expired tokens, eliminating any means of traceability. It is recommended that this command be run approximately once per minute: 
# keystone-manage token_flush
Copy to Clipboard Toggle word wrap

3.3.3. Configure the Public Key Infrastructure
Copia collegamento

3.3.3.1. Public Key Infrastructure Overview
Copia collegamento

The Identity service generates tokens, which are cryptographically signed documents that users and other services use for authentication. The tokens are signed using a private key, while the public key is made available in an X509 certificate.
The certificates and relevant configuration keys are automatically generated by the keystone-manage pki_setup command. It is, however, possible to manually create and sign the required certificates using a third party certificate authority. If using third party certificates the Identity service configuration must be manually updated to point to the certificates and supporting files.
The configuration keys relevant to PKI setup appear in the [signing] section of the /etc/keystone/keystone.conf configuration file. These keys are:
ca_certs
Specifies the location of the certificate for the authority that issued the certificate denoted by the certfile configuration key. The default value is /etc/keystone/ssl/certs/ca.pem.
ca_key
Specifies the key of the certificate authority that issued the certificate denoted by the certfile configuration key. The default value is /etc/keystone/ssl/certs/cakey.pem.
ca_password
Specifies the password, if applicable, required to open the certificate authority file. The default action if no value is specified is not to use a password.
certfile
Specifies the location of the certificate that must be used to verify tokens. The default value of /etc/keystone/ssl/certs/signing_cert.pem is used if no value is specified.
keyfile
Specifies the location of the private key that must be used when signing tokens. The default value of /etc/keystone/ssl/private/signing_key.pem is used if no value is specified.
token_format
Specifies the algorithm to use when generating tokens. Possible values are UUID and PKI. The default value is PKI.

3.3.3.2. Create the Public Key Infrastructure Files
Copia collegamento

Create and configure the PKI files to be used by the Identity service. All steps in this procedure must be performed on the server hosting the Identity service, while logged in as the root user.

Procedure 3.4. Creating the PKI Files to be Used by the Identity Service

  1. Run the keystone-manage pki_setup command: 
    # keystone-manage pki_setup \
   --keystone-user keystone \
   --keystone-group keystone
    Copy to Clipboard Toggle word wrap
  2. Ensure that the keystone user owns the /var/log/keystone/ and /etc/keystone/ssl/ directories: 
    # chown -R keystone:keystone /var/log/keystone \
   /etc/keystone/ssl/
    Copy to Clipboard Toggle word wrap

3.3.3.3. Configure the Identity Service to Use Public Key Infrastructure Files
Copia collegamento

After generating the PKI files for use by the Identity service, you must enable the Identity service to use them.
Set the values of the attributes in the /etc/keystone/keystone.conf file: 
# openstack-config --set /etc/keystone/keystone.conf \
 signing token_format PKI
# openstack-config --set /etc/keystone/keystone.conf \
 signing certfile /etc/keystone/ssl/certs/signing_cert.pem
# openstack-config --set /etc/keystone/keystone.conf \
 signing keyfile /etc/keystone/ssl/private/signing_key.pem
# openstack-config --set /etc/keystone/keystone.conf \
 signing ca_certs /etc/keystone/ssl/certs/ca.pem
# openstack-config --set /etc/keystone/keystone.conf \
 signing key_size 1024
# openstack-config --set /etc/keystone/keystone.conf \
 signing valid_days 3650
# openstack-config --set /etc/keystone/keystone.conf \
 signing ca_password None
Copy to Clipboard Toggle word wrap
You can also update these values directly by editing the /etc/keystone/keystone.conf file.

3.3.4. Configure the Firewall to Allow Identity Service Traffic
Copia collegamento

Each component in the OpenStack environment uses the Identity service for authentication and must be able to access the service.
The firewall on the system hosting the Identity service must be altered to allow network traffic on the required ports. All steps in this procedure must be run on the server hosting the Identity service, while logged in as the root user.

Procedure 3.5. Configuring the Firewall to Allow Identity Service Traffic

  1. Open the /etc/sysconfig/iptables file in a text editor.
  2. Add an INPUT rule allowing TCP traffic on ports 5000 and 35357 to the file. The new rule must appear before any INPUT rules that REJECT traffic: 
    -A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
    Copy to Clipboard Toggle word wrap
  3. Save the changes to the /etc/sysconfig/iptables file.
  4. Restart the iptables service to ensure that the change takes effect: 
    # systemctl restart iptables.service
    Copy to Clipboard Toggle word wrap

3.3.5. Populate the Identity Service Database
Copia collegamento

Populate the Identity service database after you have successfully configured the Identity service database connection string.

Procedure 3.6. Populating the Identity Service Database

  1. Log in to the system hosting the Identity service.
  2. Switch to the keystone user and initialize and populate the database identified in /etc/keystone/keystone.conf: 
    # su keystone -s /bin/sh -c "keystone-manage db_sync"
    Copy to Clipboard Toggle word wrap

3.3.6. Limit the Number of Entities in a Collection
Copia collegamento

Use this procedure to set a limit on the number of results returned by list commands. You can use a lower limit to avoid problems when the number of results is larger than available memory or to avoid a long list's response times.

Procedure 3.7. Limiting the Number of Entities in a Collection

  1. Open the /etc/keystone/keystone.conf in a text editor.
  2. Set a global value using list_limit in the [DEFAULT] section.
  3. Optionally override the global value with a specific limit in individual sections. For example: 
    [assignment]
list_limit = 100
    Copy to Clipboard Toggle word wrap
If a response to a list_{entity} call has been truncated, the response status code will still be 200 (OK), but the truncated attribute in the collection will be set to true.
Torna in cima
Red Hat logoGithubredditYoutubeTwitter

Formazione

Prova, acquista e vendi

Community

Informazioni sulla documentazione di Red Hat

Aiutiamo gli utenti Red Hat a innovarsi e raggiungere i propri obiettivi con i nostri prodotti e servizi grazie a contenuti di cui possono fidarsi. Esplora i nostri ultimi aggiornamenti.

Rendiamo l’open source più inclusivo

Red Hat si impegna a sostituire il linguaggio problematico nel codice, nella documentazione e nelle proprietà web. Per maggiori dettagli, visita il Blog di Red Hat.

Informazioni su Red Hat

Forniamo soluzioni consolidate che rendono più semplice per le aziende lavorare su piattaforme e ambienti diversi, dal datacenter centrale all'edge della rete.

Theme

© 2025 Red Hat