Keystone in OpenStack

MohammadReza saberi
5 min readNov 22, 2020


we have some OpenStack Deployment tools that are awesome for your project.

  • Chef
  • Ansible OpenStack
  • Puppet and OpenStack
  • SALTSTACK OpenStack
  • etc

But in this story, lets step by step to setup keystone

keystone : Keystone is an OpenStack service that provides API client authentication, service discovery, and distributed multi-tenant authorization.lets see “Keystone, the OpenStack Identity Service

  • keystone is the heart of the openstack
  • keystone is the first and most basic module in openstack
  • keystone doesn’t run anything(just authentication)


  • fresh and update centos as Controller server with static ip
  • train repo for openstack

1: ntp

First of all, setup ntp on your server. you can use Chrony as a default NTP client.

2 : selinux and firewalld

I suggest you stop,disable and mask selinux and firewalld in stage.NOT IN PRODUCTION.

4 : prerequisites of keystone

  • mariadb
  • memcache
  • rabbitmq

It’s better to setup database , caching and queuing system on controller.

A : mariadb

Before you install and configure the Identity service, you must have a database.Use openstack repository for install mariadb.

Add the repository of openstack train.

# yum -y install centos-release-openstack-train

# yum repolist

# yum — enablerepo=centos-openstack-train -y install mariadb-server

# systemctl start mariadb

# systemctl enable mariadb

Secure mariadb

# mysql_secure_installation

# vim /etc/my.cnf.d/mariadb-server.conf


database open a connection, when the modules are connected to it, for authentication.

default of max_connections is 200. you can increase it to 500.This number may vary depending on conditions.

default of character-set-server is utf8mb4.

B : memcache

OpenStack Identity supports a caching layer that is above the configurable subsystems (for example, token).

# yum — enablerepo=centos-openstack-train -y install memcached

# vim /etc/sysconfig/memcached

change some value:



# systemctl restart memcached

# systemctl enable memcached

if you want clear memcached :

# telnet localhost 11211


C : Rabbitmq

AMQP is the messaging technology chosen by the OpenStack cloud. The AMQP broker, default to Rabbitmq, sits between any two Nova components and allows them to communicate in a loosely coupled fashion.

# yum — enablerepo=centos-openstack-train -y install rabbitmq-server

# systemctl restart rabbitmq-server
# systemctl enable rabbitmq-server

create admin user for login to openstack panel and set full permission to it.

# rabbitmqlctl add_user openstack PASSWORD
# rabbitmqlctl set_permissions openstack “.*” “.*” “.*”

you can list users and all permission.

# rabbitmqlctl list_users
# rabbitmqlctl list_permissions

use man rabbitmqctl to show all options !!

Now set administrator tags to user.

# rabbitmqctl set_user_tags openstack administrator

Now we can say “our controller is ready to install and configure keystone service”

5 : Install and configure keystone service

login to mysql then , create database and user.

# mysql -u root -p
# create database keystone;
# grant all privileges on keystone.* to keystone@’localhost’ identified by ‘PASSWORD’;

grant privileges on user to compute server

# grant all privileges on keystone.* to keystone@’%’ identified by ‘PASSWORD’;
# flush privileges;
# exit;

install openstack-keystone , openstack-utils , python-openstackclient , httpd and mod_wsgi

# yum — enable-repo=centos-openstack-stein -y install openstack-keystone
openstack-utils python-openstackclient httpd mod_wsgi

open keystone.conf and edit some parameters. its better to use “” instead of “localhost” , if you want to use localhost .

memcache_servers = IP :11211

In the [database] section, configure database access.Replace KEYSTONE_DBPASS with the password you chose for the database.

connection = mysql+pymysql://keystone:PASSWORD@IP/keystone

In the [token] section, configure the Fernet token provider:

provider = fernet

Sync keystone with service database by keystone user.

# su -s /bin/bash keystone -c “keystone-manage db_sync"

You have to create keystone user , if its not exist!

check man keystone-manage.

Initialize Fernet keys:

# keystone-manage fernet_setup — keystone-user keystone — keystone-group

you can see fernet-keys in /etc/keystone/fernet-keys

0 is stage key

1 is primary key

Initialize credential keys is optional.but credential is cleartext if you don’t set it.

# keystone-manage credential_setup — keystone-user keystone — keystone-group keystone

Configure the Apache HTTP server

Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:

serverName controller

keystone bootstarp

keystone can be bootstrapped with:

# keystone-manage bootstrap \
- bootstrap-password PASSWORD\
- bootstrap-project-name YOUR_PROJECT_NAME\
- bootstrap-admin-url http://IP:5000/v3/ \
- bootstrap-internal-url http://IP:5000/v3/ \
- bootstrap-public-url http://IP:5000/v3/ \
- bootstrap-region-id REGIONAME

This will create an admin user with the admin role on the admin project. The user will have the password specified in the command. Note that both the user and the project will be created in the default domain. By not creating an endpoint in the catalog users will need to provide endpoint overrides to perform additional identity operations.

By creating an admin user and an identity endpoint you may authenticate to keystone and perform identity operations like creating additional services and endpoints using the admin user. This will preclude the need to ever use or configure the admin_token.

keystone doesn’t have service. it runs with httpd service.

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

# systemctl start httpd

# systemctl enable httpd

# ps -aux | grep keystone

# netstat -tulpen | grep 5000

# vim keystone_admin

export OS_USER_DOMAIN_NAME=default
export OS_USERNAME=admin
export OS_PASSWORD=123
export OS_AUTH_URL=http://IP:5000
export PS1=’[\u@\h \w(keystone)]\$ ‘

to commit your change:

# source keystone_admin

to check openstack user:

# openstack user list

# openstack project list

# openstack domain list

# openstack region list

# openstack domain list

# openstack service list

# openstack endpoint list

you can modify endpoint by:

# openstack endpoint set

combine service and endpoint = catalog

# openstack catalog list

congratulation ! keystone is ready.

next :

  • we will learn about glance

If you have any questions/comments please comment below so everyone can benefit from the discussion.

If you enjoyed this article, please click the 👏 button and share to help others find it! Feel free to leave a comment below.



MohammadReza saberi

Skilled DevOps Engineer and learning cloud