
Configuring Keystone


Keystone is an OpenStack identity service that supports token-based authorization for the HSwift access protocol. Keystone generates authentication tokens with a predetermined expiration timer that are used to identify users attempting to store and manage containers and objects.

An HCP system can be configured to use Keystone to authenticate and authorize users and their incoming storage management requests. To configure HCP to integrate with Keystone, you need a user account with the administrator role.

For information on alternative methods of HSwift authentication, see Alternate authentication methods.

© 2015, 2019 Hitachi Vantara Corporation. All rights reserved.

Finding the Identity Service URL


The Identity Service URL is the Keystone endpoint with which HCP communicates. There are two different types of Identity Service URLs available on Keystone, the Public Identity Service URL and the Admin Identity Service URL. It's recommended to use the Admin Identity Service URL since the Public Service URL does not support user ACLs in this configuration.

Once you have chosen which identity service endpoint you want to use, follow these steps to retrieve the URL:

1. Using the Python Keystone client, enter one of the following, depending on whether you want the public or the admin URL:

o If you want the public URL, enter: keystone endpoint-get --service identity --endpoint-type publicURL

o If you want the admin URL, enter: keystone endpoint-get --service identity --endpoint-type adminURL

2. Record the URL for later use.


Creating the Service User's Name and Password


The Service User's Name and Password are a set of credentials that HCP uses to authenticate itself with Keystone. The Service User's Name and Password should be set on the Keystone services tenant. It is recommended to make a new service user for HCP.

To create a service user on Keystone:

1. In your Keystone Python client, enter keystone tenant-list

2. Copy the ID of the services tenant.

3. Enter keystone user-create --name new-service-username --pass new-service-password --tenant-id services-tenant-id

A Property/Value table appears, confirming the creation of the new service user.

4. Record your new Service User's Name and Password for future use.


Granting the Keystone Service User the admin role


Once you create a Keystone services tenant user, grant that user the Keystone admin role. The service tenant user must have the admin role in order to validate tokens and grant access to tenants and namespaces on HCP.

To grant the admin role to the service user:

1. In your Keystone Python client, enter keystone user-role-add --user service-tenant-username --role admin --tenant services


Configuring Keystone on the System Management Console


To configure HCP to use Keystone, you need to supply it with an Identity Service URL, the Service User's Name and Password, and the Service User's Tenant. To do this you need the system administrator role and access to the HCP System Management Console.

To connect HCP to Keystone:

1. In the top-level menu of the HCP System Management Console, select Security > OpenStack.

2. On the OpenStack Identity Service page, select Enable OpenStack Identity Service.

The Configuration Settings section appears.

3. Enter the following information:

o Identity Service URL — For more information on the Identity Service URL, see Finding the Identity Service URL.

o Service User's Name — For more information on the Service User's Name, see Creating the Service User's Name and Password.

o Service User's API Key/Password — For more information on the Service User's API Key/Password, see Creating the Service User's Name and Password.

o Service User's Tenant — The Service User's Tenant is the tenant in which you created your Keystone service user. The tenant is called services.

o Tenant ID Prefix — The default Keystone Tenant ID Prefix is AUTH_. When HCP sees the Keystone Tenant ID Prefix in the HSwift account portion of a URL, HCP knows that the value following the prefix is a Keystone Tenant ID. For more information, see Resource path.

4. Click on Test.

o If the connection is unsuccessful, you receive a warning message stating that the operation cannot be completed. Re-enter the information and try again.

o If the connection is successful, you receive a successful connection message.

5. Once the connection is established, click on Update Settings.
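Worked example of the Tenant ID Prefix rule in step 3, added here and not HCP's own code: a small Python parser splits an HSwift request URL into its account, container and object parts and treats the account as a Keystone tenant ID only when it starts with the configured prefix. The /swift/v1 path layout follows the endpoint URLs shown later on this page; the 32-hex-character check on the tenant ID, the sample URLs and the function names are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Hypothetical helper (not HCP code). HCP's default Tenant ID Prefix is AUTH_;
# a different prefix can be passed in when it has been changed on the console.
TENANT_ID_PREFIX = "AUTH_"


def parse_hswift_path(url, tenant_id_prefix=TENANT_ID_PREFIX):
    """Describe the account portion of an HSwift URL.

    Expected layout: /swift/v1/<account>[/<container>[/<object>]]
    If <account> begins with the tenant ID prefix, the remainder is taken to be
    a Keystone tenant ID; otherwise the account is a plain HCP tenant name.
    """
    path = urlsplit(url).path
    m = re.match(r"^/swift/v1/([^/]+)(?:/([^/]+))?(?:/(.+))?$", path)
    if not m:
        raise ValueError("not an HSwift resource path: %s" % path)
    account, container, obj = m.groups()
    result = {"account": account, "container": container, "object": obj,
              "keystone_tenant_id": None}
    if account.startswith(tenant_id_prefix):
        tenant_id = account[len(tenant_id_prefix):]
        # Assumption for this example: Keystone v2 tenant IDs are 32 hex chars,
        # as in the IDs shown on this page. Anything else is rejected rather
        # than passed on to a tenant lookup.
        if not re.fullmatch(r"[0-9a-f]{32}", tenant_id):
            raise ValueError("malformed Keystone tenant ID: %r" % tenant_id)
        result["keystone_tenant_id"] = tenant_id
    return result


if __name__ == "__main__":
    # Constructed sample URL using the tenant ID from the response on this page.
    print(parse_hswift_path(
        "https://api.hcp.example.com/swift/v1/"
        "AUTH_50c989a5206a46748d0985163f25b14b/photos/cat.jpg"))
    print(parse_hswift_path("https://api.hcp.example.com/swift/v1/mytenant"))
```

The point of the malformed-ID check is that the account segment is attacker-controlled input on every request; recognising the prefix is not enough on its own, the value behind it should be validated before it reaches a tenant lookup.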


Setting up a Keystone HSwift service


You need to have an object store service registered with Keystone in order to integrate HCP with Keystone. To register HSwift as an endpoint, you need to identify the Keystone service ID of the object-store service. Here is the command that lists the Keystone ID of the Swift service:

keystone service-get swift

To register HSwift as a new object-store endpoint, or to add it alongside your existing Swift endpoint, follow these steps:

1. To register HCP as an endpoint with Keystone, use the keystone endpoint-create command, where service-id is the object-store service ID identified in the previous step. The actual values for the public, internal, and admin URLs can be found in the System Management Console on the OpenStack page. The command is:

keystone endpoint-create \
    --region=region \
    --service-id=id_from_previous \
    --publicurl='https://api.hcp.example.com/swift/v1/AUTH_%(tenant_id)s' \
    --internalurl='https://api.hcp.example.com/swift/v1/AUTH_%(tenant_id)s' \
    --adminurl=https://api.hcp.example.com:8000/

The public and internal URLs are quoted so that the shell does not interpret the parentheses in the %(tenant_id)s template.

If you are setting up HCP as a secondary object-store endpoint, you need to specify a unique region for the endpoint. Setting a different region allows you to have two Swift endpoints configured for your Keystone Swift service.


Creating an HCP tenant


You only need to create an HCP tenant if one doesn't already exist. In order for the HCP tenant to work with HSwift, the Management API needs to be enabled for the HCP tenant. MAPI is enabled through the Tenant Management Console. For more information, see Managing a Tenant and its Namespace.


Note: The tenant you create on HCP needs to have a name that is identical to its Keystone counterpart.


Note: If you rename the HCP tenant you must also rename its Keystone Tenant counterpart. Keystone authentication only works for HCP tenants that have a matching Keystone tenant.


Creating a Keystone HCP tenant and user


Once you have an HCP tenant, create a Keystone tenant with a name identical to the HCP tenant. To create the Keystone HCP tenant:

1. In the Keystone client, enter keystone tenant-create --name hcp-tenant-name

Note: The tenant you create on Keystone needs to have a name that is identical to its HCP counterpart.

2. Add a user to the tenant by entering keystone user-create --name tenant-username --pass tenant-password

3. Once the user is created, grant the user the data access role by entering keystone user-role-add --user tenant-username --tenant hcp-tenant-name --role data-access-role

HCP supports the admin, Member, and _member Keystone roles for data access.


Clearing the OpenStack Identity Service cache


Tokens validated by Keystone are cached so that successive requests sent with the same token do not need to be revalidated. The cache also holds the Keystone tenant ID to name mapping, so that HCP does not have to look up Keystone tenant IDs on each request. Changes made to Keystone user roles or Keystone tenant names are therefore not reflected on HCP until the cache is cleared or the token expires.

To clear the Identity Service cache so that tokens are revalidated:

1. In the top-level menu of the HCP System Management Console, select Security > OpenStack.

2. On the OpenStack Identity Service page, click on Clear Cache.


Keystone certificates


When connecting to Keystone through HTTPS, Keystone provides an SSL certificate which, if not signed by a trusted authority, must be manually accepted. Once you agree to trust the certificate it's cached for each future connection attempt to the Keystone server. Alternatively, you can manually upload the Keystone SSL certificate from your local machine.

When connecting to Keystone through HTTPS and configuring the Keystone identity service URL on HCP, you must enter the domain name (not the IP address) of the Keystone host. This domain name must match the Subject Common Name in the Keystone SSL certificate. Using the IP address for an SSL connection to Keystone fails because the IP address does not match the certificate Common Name. Additionally, the identity service endpoint URLs registered in the Keystone service must use the domain name matching the Common Name in the SSL certificate.

Any Keystone SSL certificates can be deleted from the OpenStack page of the System Management Console.
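A pre-flight check for the two requirements above, written as an added example and not part of HCP or Keystone: given the certificate's Subject Common Name, it confirms that the Identity Service URL configured on HCP and each identity endpoint URL registered in Keystone use HTTPS, name the host by a DNS name rather than an IP literal, and match the Common Name (a single left-most wildcard label is honoured). The function names and the sample URLs are assumptions; the example only inspects URLs and does not connect anywhere.

```python
import ipaddress
from urllib.parse import urlsplit

# Hypothetical helper (not HCP code): validate Keystone identity URLs against
# the Common Name of the Keystone SSL certificate before entering them on the
# HCP System Management Console.


def is_ip_literal(host):
    """True when the URL names the host by IPv4/IPv6 address, which will not
    match a certificate Common Name and makes the SSL connection fail."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def cn_matches(common_name, host):
    """Case-insensitive comparison of a host against a certificate CN,
    accepting one wildcard label on the left (*.example.com)."""
    cn = common_name.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if cn.startswith("*."):
        suffix = cn[1:]                      # ".example.com"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return cn == host


def check_identity_urls(common_name, urls):
    """Return a list of (url, problem) pairs; an empty list means every URL
    can be used for an HTTPS connection to Keystone with this certificate."""
    problems = []
    for url in urls:
        parts = urlsplit(url)
        host = parts.hostname
        if parts.scheme != "https":
            problems.append((url, "not HTTPS"))
        elif not host:
            problems.append((url, "no host in URL"))
        elif is_ip_literal(host):
            problems.append((url, "IP address instead of domain name"))
        elif not cn_matches(common_name, host):
            problems.append((url, "host does not match certificate CN " + common_name))
    return problems


if __name__ == "__main__":
    # Constructed sample: the endpoint URLs from the token response on this
    # page plus an IP-based URL that must be rejected.
    print(check_identity_urls("keystone.example.com", [
        "https://keystone.example.com:35357/v2.0",
        "https://keystone.example.com:5000/v2.0",
        "https://192.0.2.10:5000/v2.0",
    ]))
```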


Getting a Keystone Authentication Token


To get a Keystone Authentication Token, enter the following command in your Keystone client:

curl -X POST http://keystone.example.com:5000/v2.0/tokens \
    -H "Content-Type: application/json" \
    -H "Accept: application/json" \
    -d '{"auth": {"tenantName": "tenant-name", "passwordCredentials": {"username": "tenant-username", "password": "password"}}}'

In this example the credentials are sent, and the response requested, in JSON format. The Keystone response looks like this:

{
    "access": {
        "serviceCatalog": [
            {
                "endpoints": [
                    {
                        "adminURL": "https://admin.hcp1.example.com:8000/",
                        "id": "76ce30ce374a43d2812f6a78796fe6fa",
                        "internalURL": "http://api.hcp1.example.com/swift/v1...0985163f25b14b",
                        "publicURL": "http://api.hcp1.example.com/swift/v1...0985163f25b14b",
                        "region": "New York"
                    },
                    {
                        "adminURL": "HTTP://swift.example.com:8080",
                        "id": "230f1ea7676d48079bea0a9edabcd88f",
                        "internalURL": "HTTP://swift.example.com:8080/v1/AUT...0985163f25b14b",
                        "publicURL": "HTTP://swift.example.com:8080/v1/AUT...0985163f25b14b",
                        "region": "Los Angeles"
                    }
                ],
                "name": "hswift",
                "type": "object-store"
            },
            {
                "endpoints": [
                    {
                        "adminURL": "https://keystone.example.com:35357/v2.0",
                        "id": "48aa3755d8a549f6bda22b00fa9cde94",
                        "internalURL": "https://keystone.example.com:5000/v2.0",
                        "publicURL": "https://keystone.example.com:5000/v2.0",
                        "region": "New York"
                    }
                ],
                "name": "keystone",
                "type": "identity"
            }
        ],
        "token": {
            "expires": "2014-11-19T22:26:57Z",
            "id": "05c20875e3f2430ea10f45623c78cadd",
            "tenant": {
                "id": "50c989a5206a46748d0985163f25b14b",
                "name": "tenant-name"
            }
        },
        "user": {
            "id": "0d47cc2ba7744c4d97220983ae31f3b9",
            "name": "tenant-user",
            "roles": [
                {
                    "name": "admin"
                }
            ],
            "username": "tenant-user"
        }
    }
}

The JSON response contains named elements and named lists. The Keystone token, which is passed to HCP in the X-Auth-Token header, is the id element inside the token element inside the access element (access.token.id). The expires element beside it tells you when the token stops being accepted.

The authentication response from Keystone also contains a serviceCatalog list, which lists the endpoints for all services integrated with Keystone.
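Worked example for this section and for Clearing the OpenStack Identity Service cache above, added here and not part of HCP or Keystone: a Python client-side parser pulls access.token.id, its expiry, tenant, roles and the object-store endpoints out of a v2.0 token response, refuses to put an expired token into X-Auth-Token, and a small cache model shows why a role change in Keystone is invisible until the cache is cleared or the token expires. The response is constructed in the shape of the one above (the truncated object-store URLs are replaced with a full constructed URL built from the same tenant ID); the function and class names are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed v2.0 token response shaped like the one shown above (not
# captured from a live Keystone). Truncated URLs are replaced with a full
# constructed URL carrying the same tenant ID.
SAMPLE_RESPONSE = json.dumps({
    "access": {
        "serviceCatalog": [
            {"endpoints": [{
                "adminURL": "https://admin.hcp1.example.com:8000/",
                "id": "76ce30ce374a43d2812f6a78796fe6fa",
                "internalURL": "https://api.hcp1.example.com/swift/v1/AUTH_50c989a5206a46748d0985163f25b14b",
                "publicURL": "https://api.hcp1.example.com/swift/v1/AUTH_50c989a5206a46748d0985163f25b14b",
                "region": "New York"}],
             "name": "hswift", "type": "object-store"},
            {"endpoints": [{
                "adminURL": "https://keystone.example.com:35357/v2.0",
                "id": "48aa3755d8a549f6bda22b00fa9cde94",
                "internalURL": "https://keystone.example.com:5000/v2.0",
                "publicURL": "https://keystone.example.com:5000/v2.0",
                "region": "New York"}],
             "name": "keystone", "type": "identity"}],
        "token": {"expires": "2014-11-19T22:26:57Z",
                  "id": "05c20875e3f2430ea10f45623c78cadd",
                  "tenant": {"id": "50c989a5206a46748d0985163f25b14b",
                             "name": "tenant-name"}},
        "user": {"id": "0d47cc2ba7744c4d97220983ae31f3b9", "name": "tenant-user",
                 "roles": [{"name": "admin"}], "username": "tenant-user"}}})


def parse_utc(stamp):
    """Parse the Zulu timestamp format Keystone v2 uses for token expiry."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_token_response(body):
    """Extract what an HSwift client needs: the X-Auth-Token value
    (access.token.id), its expiry, the tenant the token was issued for,
    the user's roles and the object-store endpoints keyed by region."""
    access = json.loads(body)["access"]
    token = access["token"]
    return {
        "token_id": token["id"],
        "expires": parse_utc(token["expires"]),
        "tenant_id": token["tenant"]["id"],
        "tenant_name": token["tenant"]["name"],
        "roles": sorted(r["name"] for r in access["user"]["roles"]),
        "object_store_urls": {
            ep["region"]: ep["publicURL"]
            for svc in access["serviceCatalog"] if svc["type"] == "object-store"
            for ep in svc["endpoints"]},
    }


def auth_headers(parsed, now):
    """Headers for a follow-up HSwift request; an expired token is never sent."""
    if now >= parsed["expires"]:
        raise ValueError("token expired at " + parsed["expires"].isoformat())
    return {"X-Auth-Token": parsed["token_id"]}


class ValidatedTokenCache:
    """Hypothetical model (not HCP code) of the cache described above: a token
    validated once is reused until it expires or the cache is cleared, so a
    role or tenant-name change made in Keystone is not seen until then."""

    def __init__(self):
        self._entries = {}

    def lookup(self, token_id, now, validate):
        """Return the cached validation result; call validate (the trip to
        Keystone) only on a miss or once the cached entry has expired."""
        entry = self._entries.get(token_id)
        if entry is not None and now < entry["expires"]:
            return entry
        entry = validate(token_id)
        self._entries[token_id] = entry
        return entry

    def clear(self):
        """Equivalent of Clear Cache: every token is revalidated on next use."""
        self._entries.clear()


if __name__ == "__main__":
    parsed = parse_token_response(SAMPLE_RESPONSE)
    print(parsed["token_id"], parsed["expires"].isoformat(), parsed["roles"])
    print(parsed["object_store_urls"])
```

Operationally this is the reason the Clear Cache button exists: revoking a user's data-access role in Keystone does not cut off requests already carrying a validated token on HCP until the cache is cleared or the token's expires time passes, so a role removal should be paired with a cache clear.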
