With OpenStack Identity Service (Keystone) installed and configured, we now need to tell our OpenStack Compute Service (Nova) that it can be used to authenticate users and services.
To begin with, ensure that you’re logged in to our OpenStack Compute and Controller hosts. If you did this through Vagrant, you can log in with the following commands in separate shells:

    vagrant ssh controller
    vagrant ssh compute-01
Configuring the authentication mechanism in our OpenStack Compute sandbox environment is achieved with the following steps:
1. Ensure that the python-keystone package is installed, if this host is a standalone compute host:

    sudo apt-get update
    sudo apt-get install python-keystone

2. Configure the [DEFAULT] and [keystone_authtoken] sections of the /etc/nova/nova.conf file with the details that we created for the Nova service user in the recipe Creating the service tenant and service users in Chapter 1, Keystone – OpenStack Identity Service. The code is as follows:

    [DEFAULT]
    api_paste_config=/etc/nova/api-paste.ini
    auth_strategy=keystone
    keystone_ec2_url=https://192.168.100.200:5000/v2.0/ec2tokens

    [keystone_authtoken]
    admin_tenant_name = service
    admin_user = nova
    admin_password = nova
    identity_uri = https://192.168.100.200:35357/
    insecure = True

3. With the nova.conf file configured correctly, we edit /etc/nova/api-paste.ini and set keystone as the authentication mechanism by adding in the following lines under the [filter:keystonecontext] and [filter:authtoken] sections:

    [filter:keystonecontext]
    paste.filter_factory = nova.api.auth:NovaKeystoneContext.factory

    [filter:authtoken]
    paste.filter_factory = keystonemiddleware.auth_token:filter_factory

4. Restart the nova services:

    ls /etc/init/nova-* | cut -d '/' -f4 | cut -d '.' -f1 | while read S; do sudo stop $S; sudo start $S; done
Configuration of OpenStack Compute to use OpenStack Identity Service is done on all hosts in our environment running OpenStack Compute (Nova) services (for example, the Controller and Compute hosts). This first involves editing the /etc/nova/nova.conf file and adding the credentials and Keystone details.

We then configure the /etc/nova/api-paste.ini file and fill the [filter:keystonecontext] and [filter:authtoken] parts of the file with details of the keystone factory.
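The [keystone_authtoken] values used in this recipe are sandbox settings: insecure = True stops the auth_token middleware from verifying Keystone's TLS certificate, and the service password is the same as the user name. The following Python check is an added example, not part of the original recipe; the function name audit_nova_auth and its finding codes are made up for illustration, and the sample text is constructed from the recipe's values.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample: the sandbox values from the recipe above.
SANDBOX_CONF = """\
[DEFAULT]
auth_strategy=keystone
keystone_ec2_url=https://192.168.100.200:5000/v2.0/ec2tokens
[keystone_authtoken]
admin_tenant_name = service
admin_user = nova
admin_password = nova
identity_uri = https://192.168.100.200:35357/
insecure = True
"""

def audit_nova_auth(conf_text):
    """Return sorted finding codes (hypothetical names) for nova.conf text."""
    # Assumption: configparser stands in for oslo.config, which is enough
    # for plain "key = value" lines like the ones in the recipe.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    findings = set()
    # The recipe sets auth_strategy explicitly; flag anything else.
    if cp.defaults().get("auth_strategy", "").strip().lower() != "keystone":
        findings.add("auth_strategy-not-keystone")
    if not cp.has_section("keystone_authtoken"):
        findings.add("keystone_authtoken-missing")
        return sorted(findings)
    kt = cp["keystone_authtoken"]
    # insecure = True disables TLS certificate verification towards Keystone,
    # so the https:// scheme no longer authenticates the identity endpoint.
    if kt.get("insecure", "false").strip().lower() in ("true", "1", "yes", "on"):
        findings.add("tls-verification-disabled")
    # Both endpoints carry credentials or tokens, so neither should be http.
    for key in ("identity_uri", "keystone_ec2_url"):
        value = kt.get(key, "").strip()  # [DEFAULT] keys are seen via fallback
        if value and urlparse(value).scheme != "https":
            findings.add("non-https-" + key)
    user = kt.get("admin_user", "").strip()
    password = kt.get("admin_password", "").strip()
    if not password or password == user:
        findings.add("weak-admin_password")
    return sorted(findings)

if __name__ == "__main__":
    for code in audit_nova_auth(SANDBOX_CONF):
        print(code)
```

Run against the real /etc/nova/nova.conf by passing the file's contents to audit_nova_auth; an empty list means none of these checks fired.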