Hitachi Vantara Knowledge

Configuring Keystone

Keystone is an OpenStack identity service that supports token-based authorization for the HSwift access protocol. Keystone generates authentication tokens with a predetermined expiration timer that are used to identify users attempting to store and manage containers and objects.

An HCP system can be configured to use Keystone to authenticate and authorize users and their incoming storage management requests. To configure HCP to integrate with Keystone, you need a user account with the administrator role.

Finding the Identity Service URL

The Identity Service URL is the Keystone endpoint with which HCP communicates. Keystone offers two types of Identity Service URL: the Public Identity Service URL and the Admin Identity Service URL. It's recommended to use the Admin Identity Service URL, because the Public Identity Service URL does not support user ACLs in this configuration.

After you have chosen which identity service endpoint you want to use, follow these steps to retrieve the URL:

  1. Using the Python Keystone client, enter one of the following depending on whether you are looking for the public or admin URL:
    • If you want the public URL, enter keystone endpoint-get --service identity --endpoint-type publicURL
    • If you want the admin URL, enter keystone endpoint-get --service identity --endpoint-type adminURL
  2. Record the URL for later use.

Creating the Service User's Name and Password

The Service User's Name and Password are a set of credentials that HCP uses to authenticate itself with Keystone. The Service User's Name and Password should be set on the Keystone services tenant. It is recommended to make a new service user for HCP.

Before you begin

To configure HCP to integrate with Keystone, you need a user account with the administrator role.

Procedure

  1. On your Keystone Python client, enter keystone tenant-list.

  2. Copy the Services Tenant Id.

  3. Enter keystone user-create --name <New-Service-User's-username> --pass <New-Service-User's-password> --tenant-id services-tenant-id

    A Property/Value table appears confirming the creation of a new service user.
  4. Record your new Service User's Name and Password for future use.

Granting the Keystone Service User the admin role

After you create a Keystone services tenant user, grant that user the Keystone admin role. The service tenant user must have the admin role in order to validate tokens and grant access to tenants and namespaces on HCP.

To grant the admin role to the service user, in your Keystone Python client, enter keystone user-role-add --user <service-tenant-username> --role admin --tenant services

Configuring Keystone on the System Management Console

To configure HCP to use Keystone, you need to supply it with an Identity Service URL, the Service User's Name and Password, and the Service User's Tenant. To do this you need the system administrator role and access to the HCP System Management Console.

Before you begin

To configure HCP to integrate with Keystone, you need a user account with the administrator role.

Procedure

  1. In the top-level menu of the HCP System Management Console, select Security > OpenStack.

  2. On the OpenStack Identity Service page, select Enable OpenStack Identity Service.

    The Configuration Settings section appears.
  3. Enter the following information:

    • Identity Service URL
    • Service User's Name
    • Service User's API Key/Password
    • Service User's Tenant - The tenant in which you created the Keystone service user. This tenant is called services.
    • Tenant ID Prefix - The default Keystone Tenant ID Prefix is AUTH_. When HCP sees the Keystone Tenant ID Prefix in the HSwift account portion of a URL, HCP knows that the value that follows the prefix is a Keystone Tenant ID.
  4. Click Test.

    If the connection is unsuccessful, you receive a warning message stating that the operation cannot be completed. Reenter the information and continue. If the connection is successful, you receive a successful connection message.
  5. After the connection is established, click Update Settings.

Setting up a Keystone HSwift service

You need to have an object store service registered with Keystone in order to integrate HCP with Keystone. To register HSwift as an endpoint, you need to identify the Keystone service ID of the object-store service. Here is the command that lists the Keystone ID of the Swift service:

keystone service-get swift

You can add a new HSwift service, or create an HSwift endpoint under your existing Swift service and keep that service as it is.

To register HCP as an endpoint with Keystone, use the keystone endpoint-create command, where the service-id is the object-store service ID identified in the previous step. The actual values for the public, internal, and admin URLs can be found in the System Management Console on the OpenStack page. The command is:

keystone endpoint-create \
--region=region \
--service-id=id_from_previous \
--publicurl='https://api.hcp.example.com/swift/v1/AUTH_%(tenant_id)s' \
--internalurl='https://api.hcp.example.com/swift/v1/AUTH_%(tenant_id)s' \
--adminurl=https://api.hcp.example.com:8000/

If you are setting up HCP as a secondary object-store endpoint, you need to specify a unique region for the endpoint. Setting a different region allows you to have two swift endpoints configured for your Keystone Swift service.

Creating an HCP tenant

You only need to create an HCP tenant if one doesn't already exist. In order for the HCP tenant to work with HSwift, the Management API needs to be enabled for the HCP tenant. MAPI is enabled through the Tenant Management Console.

Note: The tenant you create on HCP needs to have a name that is identical to its Keystone counterpart. If you rename the HCP tenant, you must also rename its Keystone Tenant counterpart. Keystone authentication only works for HCP tenants that have a matching Keystone tenant.

Creating a Keystone HCP tenant and user

After you have an HCP tenant, a Keystone HCP tenant with a name identical to the HCP tenant needs to be created.

Before you begin

To configure HCP to integrate with Keystone, you need a user account with the administrator role.

Procedure

  1. In the Keystone client, enter keystone tenant-create --name <hcp-tenant-name>

    Note: The tenant you create on Keystone needs to have a name that is identical to its HCP counterpart.
  2. Add a user to the tenant by entering keystone user-create --name <tenant_username> --pass <tenant-password>

  3. After the user is created, grant the user the data access role by entering keystone user-role-add --user <tenant_user> --tenant <hcp-tenant-name> --role <data-access-role>

    HCP supports the admin, Member, and _member_ Keystone roles for data access.

Clearing the OpenStack Identity Service cache

Validated Keystone tokens are cached so that subsequent requests sent with the same token do not need to be revalidated. The cache also stores the mapping between Keystone Tenant Ids and names, so HCP doesn't have to look up Keystone Tenant Ids on each request. Changes made to Keystone user roles or Keystone tenant names are not reflected on HCP until the cache is cleared or the token expires.

Before you begin

To configure HCP to integrate with Keystone, you need a user account with the administrator role.

Procedure

  1. In the top-level menu of the HCP System Management Console, select Security > OpenStack.

  2. On the OpenStack Identity Service page, click Clear Cache.

Keystone certificates

When connecting to Keystone through HTTPS, Keystone provides an SSL certificate which, if not signed by a trusted authority, must be manually accepted. After you agree to trust the certificate, it's cached for each future connection attempt to the Keystone server. Alternatively, you can manually upload the Keystone SSL certificate from your local machine.

When connecting to Keystone through HTTPS and configuring the Keystone identity service URL on HCP, you must enter the domain name (not the IP address) of the Keystone host. This domain name must match the Subject Common Name in the Keystone SSL certificate. Using the IP address for an SSL connection to Keystone fails because the IP address doesn't match the certificate Common Name. Additionally, the identity service endpoint URLs registered in the Keystone service must be registered with the domain name that matches the Common Name in the SSL certificate.

Any Keystone SSL certificates can be deleted from the OpenStack page of the System Management Console.

Getting a Keystone Authentication Token

To get a Keystone Authentication Token, enter the following command in your Keystone client:

curl -X POST http://keystone.example.com:5000/v2.0/tokens \
-H "Content-Type: application/json" \
-H "Accept: application/json" \
-d '{"auth": {"tenantName": "tenant-name", "passwordCredentials": {"username": "tenant-username", "password": "password"}}}'

In this example the credentials are sent in JSON format and a JSON response is requested. The Keystone response looks like this:

{
  "access": {
    "serviceCatalog": [
      {
        "endpoints": [
          {
            "adminURL": "https://admin.hcp1.example.com:8000/",
            "id": "76ce30ce374a43d2812f6a78796fe6fa",
            "internalURL": "http://api.hcp1.example.com/swift/v1/AUTH_50c989a5206a46748d0985163f25b14b",
            "publicURL": "http://api.hcp1.example.com/swift/v1/AUTH_50c989a5206a46748d0985163f25b14b",
            "region": "New York"
          },
          {
            "adminURL": "HTTP://swift.example.com:8080",
            "id": "230f1ea7676d48079bea0a9edabcd88f",
            "internalURL": "HTTP://swift.example.com:8080/v1/AUTH_50c989a5206a46748d0985163f25b14b",
            "publicURL": "HTTP://swift.example.com:8080/v1/AUTH_50c989a5206a46748d0985163f25b14b",
            "region": "Los Angeles"
          }
        ],
        "name": "hswift",
        "type": "object-store"
      },
      {
        "endpoints": [
          {
            "adminURL": "https://keystone.example.com:35357/v2.0",
            "id": "48aa3755d8a549f6bda22b00fa9cde94",
            "internalURL": "https://keystone.example.com:5000/v2.0",
            "publicURL": "https://keystone.example.com:5000/v2.0",
            "region": "New York"
          }
        ],
        "name": "keystone",
        "type": "identity"
      }
    ],
    "token": {
      "expires": "2014-11-19T22:26:57Z",
      "id": "05c20875e3f2430ea10f45623c78cadd",
      "tenant": {
        "id": "50c989a5206a46748d0985163f25b14b",
        "name": "tenant-name"
      }
    },
    "user": {
      "id": "0d47cc2ba7744c4d97220983ae31f3b9",
      "name": "tenant-user",
      "roles": [
        {
          "name": "admin"
        }
      ],
      "username": "tenant-user"
    }
  }
}

The JSON response consists of named elements and named lists. The Keystone token, which is passed to HCP in the X-Auth-Token header, is the id element inside the token element inside the access element.

The authentication response from Keystone also contains a serviceCatalog list, which lists the endpoints for all services integrated with Keystone.
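As an added example (not code from the Hitachi documentation), the following Python helper takes a Keystone v2.0 response of the shape shown above, pulls out the X-Auth-Token value and tenant id while refusing an already-expired token, checks that the user holds one of the data-access roles HCP recognises, and selects the object-store endpoint for a region only if the AUTH_ segment of its path names the same tenant the token was issued for. The sample response and every id and hostname in it are constructed.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlparse

# Constructed sample shaped like the response above (ids and hosts are made up).
SAMPLE = json.dumps({"access": {
    "serviceCatalog": [
        {"type": "object-store", "name": "hswift", "endpoints": [
            {"region": "New York", "publicURL":
             "https://api.hcp1.example.com/swift/v1/AUTH_50c989a5206a46748d0985163f25b14b"},
            {"region": "Los Angeles", "publicURL":
             "http://swift.example.com:8080/v1/AUTH_50c989a5206a46748d0985163f25b14b"}]}],
    "token": {"expires": "2014-11-19T22:26:57Z", "id": "05c20875e3f2430ea10f45623c78cadd",
              "tenant": {"id": "50c989a5206a46748d0985163f25b14b", "name": "tenant-name"}},
    "user": {"name": "tenant-user", "roles": [{"name": "admin"}]}}})

TENANT_ID_PREFIX = "AUTH_"                            # HCP's default Tenant ID Prefix
DATA_ACCESS_ROLES = {"admin", "Member", "_member_"}   # Keystone roles HCP accepts for data access

def parse_utc(stamp):
    """Keystone v2.0 'expires' values are UTC timestamps with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def extract_token(response, now=None):
    """Return (X-Auth-Token value, tenant id), refusing a token that has already expired."""
    tok = json.loads(response)["access"]["token"]
    if parse_utc(tok["expires"]) <= (now or datetime.now(timezone.utc)):
        raise ValueError("token expired at " + tok["expires"])
    return tok["id"], tok["tenant"]["id"]

def has_data_access_role(response):
    """True if the user holds at least one role HCP grants data access for."""
    roles = {r["name"] for r in json.loads(response)["access"]["user"]["roles"]}
    return bool(roles & DATA_ACCESS_ROLES)

def object_store_url(response, region, tenant_id):
    """Object-store publicURL for `region`; its AUTH_<id> path segment must be the token's tenant."""
    for svc in json.loads(response)["access"]["serviceCatalog"]:
        if svc["type"] != "object-store":
            continue
        for ep in svc["endpoints"]:
            if ep["region"] == region:
                last = urlparse(ep["publicURL"]).path.rstrip("/").rsplit("/", 1)[-1]
                if last != TENANT_ID_PREFIX + tenant_id:
                    raise ValueError("endpoint tenant mismatch: " + last)
                return ep["publicURL"]
    raise LookupError("no object-store endpoint in region " + region)
```

Because the tenant id is embedded in the endpoint URL, checking it against the token's tenant catches a catalog entry that was registered with the wrong tenant before any request is sent to HCP.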
