{{tag>Brouillon OpenStack}}

= Notes OpenStack Keystone

Voir :
* https://docs.openstack.org/newton/install-guide-ubuntu/keystone-install.html
* https://access.redhat.com/documentation/en-us/red_hat_openstack_platform/10/html/manual_installation_procedures/sect-prerequisite_message_broker
* https://books.google.fr/books?id=TMhsDwAAQBAJ&pg=PA43&lpg=PA43&dq=keystone+bootstrap-admin-url+5000+35357&source=bl&ots=PonObAz5-9&sig=ACfU3U1EZw0lO_-FottWlAHUd3-OWGoS7A&hl=fr&sa=X&ved=2ahUKEwjNxJDO0JXhAhX4AWMBHcoLBqUQ6AEwCHoECAkQAQ#v=onepage&q=keystone%20bootstrap-admin-url%205000%2035357&f=false


== Install

Prérequis :
* NTP


=== RedHat

<code bash>
yum install centos-release-openstack-rocky.noarch
yum install openstack-keystone-doc python-keystoneclient-doc
yum install openstack-keystone httpd mod_wsgi
yum install python-openstackclient

# yum install python-PROJETclient
# yum install python-keystoneclient

# MySQL / MariaDB
yum install MySQL-python

# Postgress
#yum install postgresql
#yum install postgresql-server
yum install @postgresql
yum install python-sqlalchemy python-psycopg2

# RabbitMQ
yum install rabbitmq-server
</code>

<code bash>
sudo postgresql-setup initdb
systemctl start postgresql.service
systemctl enable postgresql.service
</code>

Configurer

''/var/lib/pgsql/data/pg_hba.conf''
<code ->
#host    all             all             127.0.0.1/32            ident
host    all             all             127.0.0.1/32            md5
</code>

<code bash>
su - postgres
psql
</code>

<code sql>
CREATE ROLE keystoneUser WITH LOGIN PASSWORD 'toor';
CREATE DATABASE keystone OWNER keystoneuser ;
</code>

''/etc/keystone/keystone.conf''
<code ini>
[DEFAULT]
#verbose = True
debug = true

[database]
#connection = mysql://keystoneUser:toor@127.0.0.1/keystone
#connection = mysql+pymysql://keystoneUser:toor@127.0.0.1/keystone?charset=utf8
connection = postgresql://keystoneuser:toor@127.0.0.1/keystone

[token]
provider = fernet
</code>

<code bash>
systemctl restart httpd
su keystone -s /bin/sh -c "keystone-manage db_sync"
</code>

Les logs sont ici ''/var/log/keystone/keystone.log'' ou 
<code bash>
journalctl -f -u devstack@keystone.service
</code>


== Configuration

=== Renommer un endpoint 

Kestone a été initié avec les paramètres suivants

<code bash>
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
</code>

<code bash>
keystone-manage bootstrap --bootstrap-password toor \
  --bootstrap-admin-url http://srv-openstack-controller:35357/v3/ \
  --bootstrap-internal-url http://srv-openstack-controller:5000/v3/ \
  --bootstrap-public-url http://srv-openstack-controller:5000/v3/ \
  --bootstrap-region-id RegionOne
</code>

Solution : faire un update en base.
<code sql>
update endpoint set url='http://srv-openstack-controller:5000/v3/' where interface='admin';
</code>

Puis rédemarrer le service Apache ou le service SystemD
<code bash>
systemctl restart httpd
# ou
systemctl restart devstack@keystone.service
</code>

Test 

''openrc''
<code bash>
export OS_USERNAME=admin
export OS_PASSWORD=toor
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://srv-openstack-controller:5000/v3
export OS_IDENTITY_API_VERSION=3
</code>

<code bash>
source openrc
openstack token issue --debug
openstack service list
openstack user list
</code>



=== Configuration d'un domaine AD/LDAP

Exemple de conf
''/etc/keystone/domains/keystone.domain.conf''
<code ini>
[identity]
domain_configurations_from_database = False
driver = ldap

[ldap]
query_scope = sub
group_name_attribute = sAMAccountName
group_objectclass = group
user_mail_attribute = mail
user_enabled_attribute = userAccountControl
group_tree_dn = CN=Openstack,OU=Groupes,DC=acme,DC=local
chase_referrals = false
user_id_attribute = sAMAccountName
group_members_are_ids = true
group_member_attribute = memberUid
page_size = 500
use_tls = false
url = ldaps://ldap.acme.local:636
user_name_attribute = sAMAccountName
user = Admin
user_objectclass = organizationalPerson
group_id_attribute = cn
user_filter = (memberOf=CN=Openstack,OU=Groupes,DC=acme,DC=local)
group_desc_attribute = description
user_tree_dn = DC=acme,DC=local
user_pass_attribute = userPassword
password = UEBzc3cwcmQhISEK
</code>





== Pb 

=== Pb utilisateur manquant

L’utilisateur n'apparait pas 
<code bash>
openstack user list |grep jean
</code>

Mais il apparait bien avec
<code bash>
openstack user show jean
</code>

==== Solution

Augmenter le ''page_size''
''/etc/keystone/domains/keystone.acme.conf''
<code ini>
[ldap]
page_size = 500
</code>

Puis restart d'Apache ou du service keystone.

== Autres


Note : ** iptables est remplacé maintenant par [[nftables_un_remplacant_d_iptables|nftables]] **

<code bash>
iptables -I INPUT -p tcp --dport 5000 -j ACCEPT
</code>