Keystone service

https://docs.openstack.org/keystone/2025.1/install/index-ubuntu.html

Keystone is the identity service for OpenStack. It handles authentication and authorization for the OpenStack services.

Prepare database

sudo mysql
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';

Install packages

sudo apt install keystone

Configure keystone

/etc/keystone/keystone.conf

[DEFAULT]
log_dir = /var/log/keystone

[database]
# The password must match the one set in the GRANT statements above
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[extra_headers]
Distribution = Ubuntu

[token]
provider = fernet

Run db_sync for keystone

sudo keystone-manage db_sync

Initialize Fernet key repositories

sudo keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
sudo keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Run bootstrap

sudo keystone-manage bootstrap --bootstrap-password <PASSWORD> \
  --bootstrap-admin-url http://<FQDN>:5000/v3/ \
  --bootstrap-internal-url http://<FQDN>:5000/v3/ \
  --bootstrap-public-url http://<FQDN>:5000/v3/ \
  --bootstrap-region-id <REGION>

Configure apache service

Add or update ServerName in the Apache config

/etc/apache2/apache2.conf

ServerName <NAME>

Restart apache service

sudo service apache2 restart

Create admin connection file

https://docs.openstack.org/keystone/2025.1/install/keystone-openrc-ubuntu.html

Create an admin-openrc file which can be sourced when using the OpenStack client

export OS_USERNAME=admin
export OS_PASSWORD=<PASSWORD>
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://<FQDN>:5000/v3
export OS_IDENTITY_API_VERSION=3

Source the file

. admin-openrc

At this point we should be able to list the default domain

openstack domain list


Create domain, projects, users and roles

https://docs.openstack.org/keystone/2025.1/install/keystone-users-ubuntu.html

Create projects

Create service project

openstack project create --domain default --description "Service Project" service

Create demo project

openstack project create --domain default --description "Demo Project" myproject

Create user and role

Create user

openstack user create --domain default --password-prompt myuser

Create role

openstack role create myrole

Add the myrole role to the myproject project and myuser user

openstack role add --project myproject --user myuser myrole

Verify operation

unset OS_AUTH_URL OS_PASSWORD
openstack --os-auth-url http://<FQDN>:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue

Verify token issue for admin user
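
A permission audit for the secret-bearing files this procedure leaves behind (keystone.conf with the database password, the Fernet and credential key repositories, and admin-openrc with the admin password), as an added example that is not part of the original notes. The function names, the fernet-keys and credential-keys directory names under /etc/keystone (keystone's default key repositories) and the permission masks are assumptions of this example; it needs GNU find and stat.

```shell
#!/bin/sh
# Added example (not from the original notes). Assumes GNU find/stat (Ubuntu).

# audit_perms MASK PATH...: print "FAIL <mode> <path>" for every file or
# directory at or below PATH whose mode has any bit of octal MASK set.
audit_perms() {
    mask=$1; shift
    for target in "$@"; do
        [ -e "$target" ] || continue            # absent paths are skipped
        find "$target" ! -type l -exec stat -c '%a %n' {} + |
        while read -r mode path; do
            if [ $(( 0$mode & 0$mask )) -ne 0 ]; then
                echo "FAIL $mode $path"
            fi
        done
    done
}

# audit_keystone [ETC_DIR] [OPENRC]: returns 1 and prints findings if any
# secret-bearing file is more exposed than this example's policy allows.
# Default paths are assumptions (keystone's default key_repository locations).
audit_keystone() {
    etc=${1:-/etc/keystone}
    openrc=${2:-./admin-openrc}
    findings=$(
        # keystone.conf carries the [database] password: no access for "other"
        audit_perms 007 "$etc/keystone.conf"
        # key repositories and the openrc password file: owner only
        audit_perms 077 "$etc/fernet-keys" "$etc/credential-keys" "$openrc"
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Demo on a constructed tree (not a real deployment).
demo=$(mktemp -d)
mkdir -m 700 "$demo/fernet-keys" "$demo/credential-keys"
touch "$demo/keystone.conf" "$demo/fernet-keys/0" "$demo/admin-openrc"
chmod 640 "$demo/keystone.conf"; chmod 600 "$demo/fernet-keys/0"
chmod 644 "$demo/admin-openrc"                  # typical result of umask 022
audit_keystone "$demo" "$demo/admin-openrc" || echo "findings above need fixing"
rm -rf "$demo"
```

On a controller, replace the demo lines with a bare audit_keystone call and run it as root so the key repositories can be traversed.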