Red Hat SummitEste conteúdo não está disponível no idioma selecionado.
3.3. Configure the Identity Service
3.3.1. Configure the Identity Service Database Connection
Copiar o linkLink copiado para a área de transferência!
The database connection string used by the Identity service is defined in the
/etc/keystone/keystone.conf file. It must be updated to point to a valid database server before starting the service.
All steps in this procedure must be performed on the server hosting the Identity service, while logged in as the
root user.
Procedure 3.2. Configuring the Identity Service SQL Database Connection
- Set the value of the
connectionconfiguration key:openstack-config --set /etc/keystone/keystone.conf \ sql connection mysql://USER:PASS@IP/DB
# openstack-config --set /etc/keystone/keystone.conf \ sql connection mysql://USER:PASS@IP/DBCopy to Clipboard Copied! Toggle word wrap Toggle overflow Replace the following values:- Replace USER with the Identity service database user name, usually
keystone. - Replace PASS with the password of the database user.
- Replace IP with the IP address or host name of the database server.
- Replace DB with the name of the Identity service database, usually
keystone.
Important
The IP address or host name specified in the connection configuration key must match the IP address or host name to which the keystone database user was granted access when creating the keystone database. Moreover, if the database is hosted locally and you granted permissions to 'localhost' when creating the keystone database, you must enter 'localhost'.
3.3.2. Configure the Public Key Infrastructure
Copiar o linkLink copiado para a área de transferência!
3.3.2.1. Public Key Infrastructure Overview
Copiar o linkLink copiado para a área de transferência!
The Identity service generates tokens, which are cryptographically signed documents that users and other services use for authentication. The tokens are signed using a private key, while the public key is made available in an X509 certificate.
The certificates and relevant configuration keys are automatically generated by the
keystone-manage pki_setup command. It is, however, possible to manually create and sign the required certificates using a third party certificate authority. If using third party certificates the Identity service configuration must be manually updated to point to the certificates and supporting files.
The configuration keys relevant to PKI setup appear in the
[signing] section of the /etc/keystone/keystone.conf configuration file. These keys are:
- ca_certs
- Specifies the location of the certificate for the authority that issued the certificate denoted by the
certfileconfiguration key. The default value is/etc/keystone/ssl/certs/ca.pem. - ca_key
- Specifies the key of the certificate authority that issued the certificate denoted by the
certfileconfiguration key. The default value is/etc/keystone/ssl/certs/cakey.pem. - ca_password
- Specifies the password, if applicable, required to open the certificate authority file. The default action if no value is specified is not to use a password.
- certfile
- Specifies the location of the certificate that must be used to verify tokens. The default value of
/etc/keystone/ssl/certs/signing_cert.pemis used if no value is specified. - keyfile
- Specifies the location of the private key that must be used when signing tokens. The default value of
/etc/keystone/ssl/private/signing_key.pemis used if no value is specified. - token_format
- Specifies the algorithm to use when generating tokens. Possible values are
UUIDandPKI. The default value isPKI.
3.3.2.2. Create the Public Key Infrastructure Files
Copiar o linkLink copiado para a área de transferência!
Create and configure the PKI files to be used by the Identity service. All steps in this procedure must be performed on the server hosting the Identity service, while logged in as the
root user.
Procedure 3.3. Creating the PKI Files to be Used by the Identity Service
- Run the
keystone-manage pki_setupcommand:keystone-manage pki_setup \ --keystone-user keystone \ --keystone-group keystone
# keystone-manage pki_setup \ --keystone-user keystone \ --keystone-group keystoneCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Ensure that the
keystoneuser owns the/var/log/keystone/and/etc/keystone/ssl/directories:chown -R keystone:keystone /var/log/keystone \ /etc/keystone/ssl/
# chown -R keystone:keystone /var/log/keystone \ /etc/keystone/ssl/Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.2.3. Configure the Identity Service to Use Public Key Infrastructure Files
Copiar o linkLink copiado para a área de transferência!
After generating the PKI files for use by the Identity service, you must enable the Identity service to use them.
Set the values of the attributes in the
Copy to Clipboard
Copied!
Toggle word wrap
Toggle overflow
/etc/keystone/keystone.conf file:
You can also update these values directly by editing the
/etc/keystone/keystone.conf file.
3.3.3. Configure the Firewall to Allow Identity Service Traffic
Copiar o linkLink copiado para a área de transferência!
Each component in the OpenStack environment uses the Identity service for authentication and must be able to access the service.
The firewall on the system hosting the Identity service must be altered to allow network traffic on the required ports. All steps in this procedure must be run on the server hosting the Identity service, while logged in as the
root user.
Procedure 3.4. Configuring the Firewall to Allow Identity Service Traffic
- Open the
/etc/sysconfig/iptablesfile in a text editor. - Add an INPUT rule allowing TCP traffic on ports
5000and35357to the file. The new rule must appear before any INPUT rules that REJECT traffic:-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 5000,35357 -j ACCEPTCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Save the changes to the
/etc/sysconfig/iptablesfile. - Restart the
iptablesservice to ensure that the change takes effect:systemctl restart iptables.service
# systemctl restart iptables.serviceCopy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.4. Populate the Identity Service Database
Copiar o linkLink copiado para a área de transferência!
Populate the Identity service database after you have successfully configured the Identity service database connection string.
Procedure 3.5. Populating the Identity Service Database
- Log in to the system hosting the Identity service.
- Switch to the
keystoneuser and initialize and populate the database identified in/etc/keystone/keystone.conf:su keystone -s /bin/sh -c "keystone-manage db_sync"
# su keystone -s /bin/sh -c "keystone-manage db_sync"Copy to Clipboard Copied! Toggle word wrap Toggle overflow
3.3.5. Limit the Number of Entities in a Collection
Copiar o linkLink copiado para a área de transferência!
Use this procedure to set a limit on the number of results returned by list commands. You can use a lower limit to avoid problems when the number of results is larger than available memory or to avoid a long list's response times.
Procedure 3.6. Limiting the Number of Entities in a Collection
- Open the
/etc/keystone/keystone.confin a text editor. - Set a global value using
list_limitin the[DEFAULT]section. - Optionally override the global value with a specific limit in individual sections. For example:
[assignment] list_limit = 100
[assignment] list_limit = 100Copy to Clipboard Copied! Toggle word wrap Toggle overflow
If a response to a
list_{entity} call has been truncated, the response status code will still be 200 (OK), but the truncated attribute in the collection will be set to true.
3.3.6. Configuring the Appache HTTP server
Copiar o linkLink copiado para a área de transferência!
In order to make the Identity service work properly, you have to configure the Apache server to use the appropriate configuration for the
keystone service and the wsgi module.
Procedure 3.7. Configuring the Appache HTTP server
- Edit the
/etc/httpd/conf/httpd.conffile in a text editor. Set theServerNameoption to reference the controller node:ServerName controller
ServerName controllerCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Create a link to the
/etc/httpd/conf/httpd.conffile:ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.dCopy to Clipboard Copied! Toggle word wrap Toggle overflow
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}