Testing out PKI Signed tokens in Openstack Keystone

I’ve put a fair amount of time into the Signed Tokens implementation. Now that they have been merged into the master branch of Keystone, I’d like to get some more people playing around with the feature and see how it impacts things. Let's start with devstack on Fedora 17, running on some sort of Dell machine. I have a localrc file that looks like this:


FORCE=yes
HOST_IP_IFACE=em1
MYSQL_PASSWORD=freeipa4all
RABBIT_PASSWORD=freeipa4all
SERVICE_TOKEN=freeipa4all
SERVICE_PASSWORD=freeipa4all
ADMIN_PASSWORD=freeipa4all
MESSAGING_SYSTEM=qpid
#RECLONE=yes

ENABLED_SERVICES=key,g-api,g-reg,n-api,n-crt,n-obj,n-cpu,n-net,n-vol,n-sch,n-novnc,n-xvnc,n-cauth,horizon,mysql,qpid

That RECLONE option is there so I can sync up the Git repos. Uncomment it periodically to fetch master on all projects.

Disable SELinux, as that will prevent the HTTPD process from reading a SQLite Database stored in /opt/horizon…

 sudo setenforce permissive

Make sure that Yum update is run, specifically to get a late enough version of SQLite, SQLAlchemy, httplib2 etc. This means that you want the Yum repo for Fedora-updates enabled.

Get node.js:

 sudo yum localinstall --nogpgcheck http://nodejs.tchol.org/repocfg/fedora/nodejs-stable-release.noarch.rpm
 sudo yum install nodejs-compat-symlinks npm

I had to grab a specific glance patch, but that should be a short-term issue:
https://review.openstack.org/#/c/9582/

Which has since been merged.

And python-glanceclient

https://review.openstack.org/#/c/10341/1

cd /opt/stack/devstack
./stack.sh
. openrc

Turns out there was also python-glanceclient code in /usr/lib/python27/site-packages that I had to delete. Must have installed that at some point in the past. With those changes, devstack runs in the normal setting.

To join the screen session for devstack:

screen -x

Hit CTRL A 3 to go to the third window, where Keystone is running. Ctrl C to kill it and then edit the file /etc/keystone/keystone.conf. I’ve been uncommenting the whole [signing] block so my file now has this in it:

[signing]
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
key_size = 2048
valid_days = 3650
ca_password = None
disable_pki = False

Note the last line. Right now, disabling pki is the norm. The goal is to flip the switch on this so that PKI is the default in the near future.

Restart keystone: look through your buffer history for the command:

 cd /opt/stack/keystone && /opt/stack/keystone/bin/keystone-all --config-file /etc/keystone/keystone.conf --log-config /etc/keystone/logging.conf -d --debug

Switch to a different bash prompt (Ctrl A 0 gives you one in devstack that is not used) and now test the token code:

. openrc
keystone token-get

The size of the token should be huge.
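What the [signing] block actually wires up, as an added shell example (not Keystone's own code): a throwaway CA and signing cert stand in for the files named in the config, a constructed token payload is CMS-signed with the signing key, and a service-side check verifies it against the CA and the published signing cert, while a blob signed by a key the CA never issued is rejected. It assumes openssl is on PATH; the paths, helper names and the token JSON are all made up for the example.

```shell
#!/bin/sh
# Added example (not Keystone's code): show what the [signing] settings do.
# Assumes openssl is on PATH; files live in a temp dir, not /etc/keystone/ssl.
set -e
WORK=$(mktemp -d)
CA_CERT="$WORK/ca.pem"; CA_KEY="$WORK/ca_key.pem"
SIGN_CERT="$WORK/signing_cert.pem"; SIGN_KEY="$WORK/signing_key.pem"

# Stand-in for the CA and signing cert/key (2048-bit, 3650 days, matching
# key_size and valid_days above). Hypothetical helper, not keystone-manage.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 -subj "/CN=Test CA" \
        -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Keystone Signing" \
        -keyout "$SIGN_KEY" -out "$WORK/signing.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/signing.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
        -CAcreateserial -days 3650 -out "$SIGN_CERT" 2>/dev/null
}

# Sign a token payload with a cert/key pair. -nocerts keeps the signer cert
# out of the blob (services fetch certfile separately), -nodetach embeds the
# payload. The result is a PEM CMS SignedData blob, which is why a PKI token
# is so much larger than a UUID token.
sign_token() {   # $1 = payload file, $2 = signing cert, $3 = key, $4 = out
    openssl cms -sign -in "$1" -signer "$2" -inkey "$3" -out "$4" \
        -outform PEM -nosmimecap -nodetach -nocerts -noattr 2>/dev/null
}

# Service-side check: trust only ca_certs plus the published signing cert.
# Prints the verified payload; exit status is non-zero if the signature is
# bad or the signer was not issued by the CA.
verify_token() {  # $1 = signed token file
    openssl cms -verify -in "$1" -inform PEM -certfile "$SIGN_CERT" \
        -CAfile "$CA_CERT" 2>/dev/null
}

make_pki
# Constructed sample payload; a real token also carries the service catalog.
printf '%s' '{"access":{"token":{"id":"placeholder","expires":"2012-08-01T00:00:00Z"}}}' \
    > "$WORK/token.json"
sign_token "$WORK/token.json" "$SIGN_CERT" "$SIGN_KEY" "$WORK/token.pem"
echo "token grew from $(wc -c < "$WORK/token.json") to $(wc -c < "$WORK/token.pem") bytes"

# Negative check: a blob signed by a self-signed cert the CA never issued.
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Untrusted" \
    -keyout "$WORK/untrusted_key.pem" -out "$WORK/untrusted_cert.pem" 2>/dev/null
sign_token "$WORK/token.json" "$WORK/untrusted_cert.pem" "$WORK/untrusted_key.pem" "$WORK/untrusted.pem"
if verify_token "$WORK/untrusted.pem" >/dev/null; then echo "BUG: untrusted signer accepted"; else echo "untrusted token rejected"; fi
```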

Jumping ahead: I found a bug: https://bugs.launchpad.net/keystone/+bug/1030912 and made a fix:
https://review.openstack.org/#/c/10536/ and now I can do glance image-list.

With that patch applied, run:

. openrc
glance image-list

and see the output:

+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| ID                                   | Name                            | Disk Format | Container Format | Size     | Status |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+
| 24183da1-a891-45c7-b95b-ab586ae3bada | cirros-0.3.0-x86_64-uec-kernel  | aki         | aki              | 4731440  | active |
| 2d23e0e5-15a8-4086-9f32-5a227a298674 | cirros-0.3.0-x86_64-uec         | ami         | ami              | 25165824 | active |
| f1269acf-95e3-4512-a8f3-d13e63ab36ca | cirros-0.3.0-x86_64-uec-ramdisk | ari         | ari              | 2254249  | active |
+--------------------------------------+---------------------------------+-------------+------------------+----------+--------+

Testing the Web UI I see that everything works there now, too, once I use the IP address to access the host:
