My last post showed how to get a working Keystone server. Or did it?

$ openstack service list
The service catalog is empty.
Turns out, to do most things with Keystone, you need a service catalog, and I didn’t have one defined. To fix it, rerun bootstrap with a few more options.
Rerun the bootstrap command with the additional parameters to create the identity service and the endpoints that implement it.
Note: I used 127.0.0.1 explicitly elsewhere, so I did that here, too, for consistency. You can use localhost if you prefer, or an explicit hostname, so long as it works for you.

keystone-manage bootstrap \
  --bootstrap-password keystone \
  --bootstrap-service-name keystone \
  --bootstrap-admin-url http://127.0.0.1:35357 \
  --bootstrap-public-url http://127.0.0.1:5000 \
  --bootstrap-internal-url http://127.0.0.1:5000 \
  --bootstrap-region-id RegionOne
Restart Keystone and now:
$ openstack service list
You are not authorized to perform the requested action: identity:list_services (HTTP 403) (Request-ID: req-3dfd0b6e-c4c9-443b-b374-243acdeda75e)
Hmmm. Seems I need a role on a project: add in the following params:
--bootstrap-project-name admin --bootstrap-role-name admin
So now my whole command line looks like this:
keystone-manage bootstrap \
  --bootstrap-password keystone \
  --bootstrap-service-name keystone \
  --bootstrap-admin-url http://127.0.0.1:35357 \
  --bootstrap-public-url http://127.0.0.1:5000 \
  --bootstrap-internal-url http://127.0.0.1:5000 \
  --bootstrap-project-name admin \
  --bootstrap-role-name admin \
  --bootstrap-region-id RegionOne
Let’s try again:
$ openstack service list
You are not authorized to perform the requested action: identity:list_services (HTTP 403) (Request-ID: req-b225c12a-8769-4322-955f-fb921d0f6834)
What?
OK, let's see what is in the token. Running:

openstack token issue --debug

will get me a token like this (formatted for legibility):
{
  "token": {
    "is_domain": false,
    "methods": [
      "password"
    ],
    "roles": [
      {
        "id": "0073eb4ee8b044409448168f8ca7fe80",
        "name": "admin"
      }
    ],
    "expires_at": "2016-12-07T00:02:13.000000Z",
    "project": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "id": "f84f16ef1f2f45cd80580329ab2c00b0",
      "name": "admin"
    },
    "catalog": [
      {
        "endpoints": [
          {
            "url": "http://127.0.0.1:5000",
            "interface": "internal",
            "region": "RegionOne",
            "region_id": "RegionOne",
            "id": "78b654d00f3845f8a73d23793a2485ed"
          },
          {
            "url": "http://127.0.0.1:35357",
            "interface": "admin",
            "region": "RegionOne",
            "region_id": "RegionOne",
            "id": "81956b9544da41a5873ecddd287fb13b"
          },
          {
            "url": "http://127.0.0.1:5000",
            "interface": "public",
            "region": "RegionOne",
            "region_id": "RegionOne",
            "id": "c3ed6ca53a8b4dcfadf9fb6835905b1e"
          }
        ],
        "type": "identity",
        "id": "b5d4af37070041db969b64bf3a57dcb3",
        "name": "keystone"
      }
    ],
    "user": {
      "domain": {
        "id": "default",
        "name": "Default"
      },
      "password_expires_at": null,
      "name": "admin",
      "id": "bc72530345094d0e9ba53a275d2df9e8"
    },
    "audit_ids": [
      "UQc953wpQvGHa3YokNeNgQ"
    ],
    "issued_at": "2016-12-06T23:02:13.000000Z"
  }
}
So the roles are set correctly. But maybe the policy is not: there is currently no policy.json in /etc/keystone, so my WSGI app may not be finding one.
sudo cp /opt/stack/keystone/etc/policy.json /etc/keystone/
Restart the WSGI applications and...

$ openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| b5d4af37070041db969b64bf3a57dcb3 | keystone | identity |
+----------------------------------+----------+----------+
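As an added illustration (my own code, not Keystone's or oslo.policy's), here is a minimal evaluator for the rule syntax policy.json uses, run against the admin role carried in the token above: with rules loaded the admin role satisfies identity:list_services, and with no rules at all the same token is denied, which is the 403 this post hit before a policy.json was in place. The rule bodies, the is_admin atom and the deny-when-no-rule-exists choice are assumptions made for the example.

```python
import json

# Constructed sample input, not output from the post: the roles/project part of the
# token shown above, plus two rules written in the oslo.policy syntax that a Keystone
# policy.json uses. The rule bodies are illustrative, not copied from a real file.
TOKEN = {
    "roles": [{"id": "0073eb4ee8b044409448168f8ca7fe80", "name": "admin"}],
    "project": {"id": "f84f16ef1f2f45cd80580329ab2c00b0", "name": "admin"},
}
POLICY = json.loads("""{
  "admin_required": "role:admin or is_admin:1",
  "identity:list_services": "rule:admin_required"
}""")


def creds_from_token(token):
    """Flatten the token body into the credential fields that policy atoms refer to."""
    return {"roles": [r["name"] for r in token["roles"]],
            "project_id": token["project"]["id"]}


def _atom(atom, rules, creds):
    """Evaluate one 'kind:value' atom: role:X, rule:Y, or a plain credential match."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(value, rules, creds)
    if kind == "role":
        return value in creds["roles"]
    return str(creds.get(kind, "")) == value


def evaluate(rule_name, rules, creds):
    """Evaluate the 'a or b', 'a and b', '@' (allow) and '!' (deny) subset of oslo.policy.
    'and' binds tighter than 'or'; parentheses are not handled. A rule that does not
    exist is treated as deny (assumption matching the 403 seen with no policy.json)."""
    expr = rules.get(rule_name)
    if expr is None:
        return False
    expr = expr.strip()
    if expr == "@":
        return True
    if expr == "!":
        return False
    return any(all(_atom(a.strip(), rules, creds) for a in clause.split(" and "))
               for clause in expr.split(" or "))


def authorize(action, token, rules):
    """Would this token be allowed to perform `action` under `rules`?"""
    return evaluate(action, rules, creds_from_token(token))
```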