Keystone Development Bootstrap with Service Catalog

My Last post showed how to get a working Keystone server. Or did it.

$ openstack service list
The service catalog is empty.

Turns out, to do most things with Keystone, you need a service catalog, and I didn’t have one defined. To fix it, rerun bootstrap with a few more options.

Rerun the bootstrap command with the additional parameters to create the identity service and the endpoints that implement it.

Note: I used 127.0.0.1 Explicitly elsewhere, so I did that here, too, for consistency. You can use localhost if you prefer, or an explicit hostname, so long as it works for you.

keystone-manage bootstrap --bootstrap-password keystone  --bootstrap-service-name keystone --bootstrap-admin-url http://127.0.0.1:35357  --bootstrap-public-url http://127.0.0.1:5000  --bootstrap-internal-url http://127.0.0.1:5000  --bootstrap-region-id RegionOne

Restart Keystone and now:

$ openstack service list
You are not authorized to perform the requested action: identity:list_services (HTTP 403) (Request-ID: req-3dfd0b6e-c4c9-443b-b374-243acdeda75e)

Hmmm. Seems I need a role on a project: add in the following params:

 --bootstrap-project-name admin      --bootstrap-role-name admin

So now my whole command line looks like this:

keystone-manage bootstrap \
--bootstrap-password keystone \
--bootstrap-service-name keystone \
--bootstrap-admin-url http://127.0.0.1:35357 \
--bootstrap-public-url http://127.0.0.1:5000 \
--bootstrap-internal-url http://127.0.0.1:5000 \
--bootstrap-project-name admin      \
--bootstrap-role-name admin
--bootstrap-region-id RegionOne

Let’s try again:

$ openstack service list
You are not authorized to perform the requested action: identity:list_services (HTTP 403) (Request-ID: req-b225c12a-8769-4322-955f-fb921d0f6834)

What?

OK, let’s see what is in the token. Running:

openstack token issue --debug

Will get me a token like this (formatted for legibility):


{
  "token": {
    "is_domain": false,
    "methods": [
      "password"
    ],
    "roles": [
      {
        "id": "0073eb4ee8b044409448168f8ca7fe80",
        "name": "admin"
      }
    ],
    "expires_at": "2016-12-07T00:02:13.000000Z",
    "project": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "f84f16ef1f2f45cd80580329ab2c00b0",
      "name": "admin"
    },
    "catalog": [
      {
        "endpoints": [
          {
            "url": "http://127.0.0.1:5000",
            "interface": "internal",
            "region": "RegionOne",
            "region_id": "RegionOne",
            "id": "78b654d00f3845f8a73d23793a2485ed"
          },
          {
            "url": "http://127.0.0.1:35357",
            "interface": "admin",
            "region": "RegionOne",
            "region_id": "RegionOne",
            "id": "81956b9544da41a5873ecddd287fb13b"
          },
          {
            "url": "http://127.0.0.1:5000",
            "interface": "public",
            "region": "RegionOne",
            "region_id": "RegionOne",
            "id": "c3ed6ca53a8b4dcfadf9fb6835905b1e"
          }
        ],
        "type": "identity",
        "id": "b5d4af37070041db969b64bf3a57dcb3",
        "name": "keystone"
      }
    ],
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "password_expires_at": null,
      "name": "admin",
      "id": "bc72530345094d0e9ba53a275d2df9e8"
    },
    "audit_ids": [
      "UQc953wpQvGHa3YokNeNgQ"
    ],
    "issued_at": "2016-12-06T23:02:13.000000Z"
  }
}

So the roles are set correctly. But…maybe the policy is not. There is currently no policy.json in /etc/keystone. And maybe my wsgi App is not finding it.

sudo cp /opt/stack/keystone/etc/policy.json /etc/keystone/

Restart the wsgi applications and …

$ openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| b5d4af37070041db969b64bf3a57dcb3 | keystone | identity |
+----------------------------------+----------+----------+

Leave a Reply

Your email address will not be published. Required fields are marked *