Posted by: John Bresnahan | December 27, 2012

OpenStack from scratch on Fedora 17 (part 2 keystone)

In the previous post I showed how to set up a base VM for an OpenStack development environment from scratch. Here I will talk about how to install, configure, and use keystone.

Keystone is the first OpenStack component to install (as of this writing). Start by getting the source code from GitHub and installing it (make sure the virtualenv discussed in the previous post is activated).

git clone git://
cd keystone
pip install -r tools/pip-requires
pip install -r tools/test-requires
python setup.py install

Now you need to make a configuration file. I am not going to discuss the details of it, and I am sure I will leave off more options than I discuss. The first thing to do is create the per-user configuration directory, which is on keystone's config search path:

mkdir ~/.keystone

Next create the base configuration file in that directory called keystone.conf. Here are the contents of the file that worked for me (my home directory is /home/jbresnah). The post's rendering dropped the bracketed [section] headers; they are restored here from the filter, app and pipeline names the file itself refers to, and the top-level section names follow the keystone sample config of this era.

[DEFAULT]
admin_token = ADMIN
debug = True
log_file = /home/jbresnah/.keystone/keystone.log
log_dir = /home/jbresnah/.keystone

[sql]
connection = sqlite:////home/jbresnah/.keystone/keystone.db

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2

[signing]
token_format = PKI
certfile = /home/jbresnah/.keystone/ssl/certs/signing_cert.pem
keyfile = /home/jbresnah/.keystone/ssl/private/signing_key.pem
ca_certs = /home/jbresnah/.keystone/ssl/certs/ca.pem
key_size = 1024
valid_days = 3650
ca_password = None

[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory

[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:service_v3]
paste.app_factory = keystone.service:v3_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory

[pipeline:public_version_api]
pipeline = stats_monitoring url_normalize xml_body public_version_service

[pipeline:admin_version_api]
pipeline = stats_monitoring url_normalize xml_body admin_version_service

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api

[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api
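A hand-written paste-deploy file like the one above is easy to get subtly wrong: a pipeline can name a filter that has no section, a urlmap entry can point at a pipeline that does not exist, or a versioned API can end up mounted without the token_auth middleware in front of it. The following audit is an added example, not code from the post or from keystone; it assumes only the paste-deploy naming convention the file uses ([filter:x], [app:x], [pipeline:x], [composite:x]) and runs over a constructed, trimmed copy of the config with two defects planted.

```python
import configparser
# Constructed sample shaped like the keystone.conf above (trimmed); two defects planted.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = ADMIN
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory
[pipeline:public_api]
pipeline = token_auth xml_body public_service
[pipeline:public_version_api]
pipeline = xml_body public_version_service
[pipeline:broken_api]
pipeline = xml_body json_body public_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = broken_api
/ = public_version_api
"""

def audit(text):
    """Return problem strings for a keystone paste-deploy config (empty list = clean)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    problems = []
    if cp["DEFAULT"].get("admin_token") == "ADMIN":
        problems.append("admin_token is the sample value ADMIN; change it")
    for sec in cp.sections():
        if sec.startswith("pipeline:"):
            names = cp[sec]["pipeline"].split()
            # every element but the last must be a filter, the last one an app
            problems += [f"{sec}: unknown filter '{n}'" for n in names[:-1]
                         if not cp.has_section("filter:" + n)]
            if not cp.has_section("app:" + names[-1]):
                problems.append(f"{sec}: '{names[-1]}' is not an app")
        elif sec.startswith("composite:"):
            for path, target in cp[sec].items():
                if not path.startswith("/"):  # skip 'use' and inherited DEFAULT keys
                    continue
                if not cp.has_section("pipeline:" + target):
                    problems.append(f"{sec}: {path} -> '{target}' is not a pipeline")
                elif path != "/" and "token_auth" not in cp[f"pipeline:{target}"]["pipeline"].split():
                    # versioned APIs need token_auth; "/" only serves the version document
                    problems.append(f"{sec}: {path} -> '{target}' has no token_auth filter")
    return problems
```

Running audit(SAMPLE_CONF) reports the ADMIN token, the undefined json_body filter and the unauthenticated /v3 mount; pointing it at ~/.keystone/keystone.conf instead is a one-line change.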

Now that the file is in place we need to use the keystone-manage program to set up the SQLite database and the PKI signing certificates. Before running the next two commands, verify that the SQLite database file referenced in the above configuration file does not already exist.

keystone-manage db_sync
keystone-manage pki_setup

At this point keystone should be all set. Check out the keystone configuration directory:

ls ~/.keystone

and then start the keystone service.


Check the log file at ~/.keystone/keystone.log for any possible errors. If everything looks good we can issue some client commands. The keystone client will already be installed at this point, but it is important to note that it came from the tools/pip-requires file in the keystone repository. The source code for it is at git://

Run some initial client commands to set up the admin client and an initial user. Because no user exists yet, these bootstrap commands authenticate with the admin_token value from keystone.conf, which the client reads from the SERVICE_TOKEN environment variable (more on that below).

$ keystone user-list
$ echo $?
$ keystone user-create --name admin --pass secret
Failed to load keyring modules.
| Property |              Value               |
|  email   |                                  |
| enabled  |               True               |
|    id    | 278de854faad4d5fa7b8ddb2dd502d5f |
|   name   |              admin               |
| tenantId |                                  |
$ keystone role-create --name admin
Failed to load keyring modules.
| Property |              Value               |
|    id    | 34342fd4d8dd44c495b210d1e4fe13ac |
|   name   |              admin               |
$ keystone tenant-create --name admin
Failed to load keyring modules.
|   Property  |              Value               |
| description |                                  |
|   enabled   |               True               |
|      id     | a0322831d204428aa90f3df509abdf88 |
|     name    |              admin               |
$ keystone user-role-add --user-id 278de854faad4d5fa7b8ddb2dd502d5f --role-id 34342fd4d8dd44c495b210d1e4fe13ac --tenant-id a0322831d204428aa90f3df509abdf88

Now the admin user is created. At this point we no longer need to use the SERVICE_TOKEN environment variable. This is a sort of backdoor (for lack of a better term) that allows you to control the service when you do not have an admin user created. Treat the admin_token value like a root password: anyone who can read keystone.conf, or the SERVICE_TOKEN from your shell environment, can administer the service without any user account, so use something other than ADMIN and keep the file's permissions tight. To set up the admin user environment for use with the keystone client, run the following commands:

export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=secret
export OS_AUTH_URL=
export PS1="[\u@\h \W(keystone_admin)]\$ "

You should now be able to run keystone client commands like keystone user-list. Now that some users exist and keystone is set up, it may be interesting to check out the data that has been stored in the SQLite database. Here is an example session; note that the password column of the user row holds a salted SHA-512 crypt hash ($6$ with 40000 rounds), not the plaintext password:

$ sqlite3 ~/.keystone/keystone.db
SQLite version 3.7.11 2012-03-20 11:35:50
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
credential              migrate_version         token
domain                  policy                  user
ec2_credential          role                    user_domain_metadata
endpoint                service                 user_tenant_membership
metadata                tenant
sqlite> select * from user;
278de854faad4d5fa7b8ddb2dd502d5f|admin|{"email": null, "tenantId": null}|$6$rounds=40000$YhIBBZLJxmZF/yBa$bSY/OTmHlhQYrJG6O7rX4tVmrXfCaORh4Q62JEVMNChcoaLuPdbVIsnISPVW65T4qrRl5MQE6YLen4K0MTGkp1|1