Keystone Integration

This guide provides an overview of the steps needed to prepare your Keystone setup for integration with your SwiftStack environment.

Set up a Keystone environment

Setting up a Keystone environment from scratch is beyond the scope of this guide, but we have a script available to help get a sample setup running quickly.

https://github.com/swiftstack/keystone_install

Add SwiftStack specific data to a Keystone installation

The most complex part of Keystone is generating the proper data set for services. Please make sure you understand each table and its role within the Keystone database.

Create a Keystone swift service

On the Keystone server, create a service named swift. Swift users will authenticate against this service.

keystone service-create --name=swift --type="object-store" --description="Swift Service"

Create the admin account for the Keystone swift service

  1. Know the admin ROLE

    • The admin role should exist in Keystone server already. It will be the admin role based on Keystone's default policy.json file.
    • If there is no admin role, one will need to be created.
  2. Create the service TENANT

    keystone tenant-create --name=service --description "Service Tenant"
  3. Create the admin USER account

    keystone user-create --name=swift --pass=swiftpass --tenant-id $SERVICE_TENANT
  4. Assign admin ROLE to admin USER

    keystone user-role-add --user-id $SWIFT_USER --role-id $ADMIN_ROLE --tenant-id $SERVICE_TENANT

Adding the service endpoint for the swift service

Keystone's service endpoint defines several URLs (public, admin, internal, etc.) for access to a service. The SwiftStack auth process uses the public URL (publicurl), which should point to Swift's storage URL. Please review Keystone Auth for more information.

  • $REGION - Use the region defined in your Keystone server

  • $SWIFT_SERVICE - Use the name you called the swift service

  • $SWIFT_IP - Use the Cluster API IP address of your SwiftStack cluster

  • $(tenant_id) - use the user_id in the response body.

    keystone endpoint-create --region $REGION --service-id $SWIFT_SERVICE --publicurl "http://$SWIFT_IP/v1/KEY_\$(tenant_id)s" --adminurl "http://$SWIFT_IP/v1" --internalurl "http://$SWIFT_IP/v1/KEY_\$(tenant_id)s"

In the above command we used KEY_ as the prefix for the Swift Keystone accounts. This should match the reseller_prefix set in the Keystone Auth middleware configuration.

Add users to the swift service

Each user will have their own tenant.

keystone tenant-create --name=$USER_NAME

keystone user-create --name=$USER_NAME --pass=$USER_PASS --tenant-id=$USER_NAME --email email@example.com --enabled true

Example:

keystone tenant-create --name=jdoe

keystone user-create --name=jdoe --pass=jdpassword --tenant-id=jdoe --email jdoe@example.com --enabled true

Test the Authentication from Keystone

$ curl -d '{"auth":{"passwordCredentials":{"username": \
"$swiftstack", "password": "$password"},"tenantName":"$SS_TENANT"}}' \
-H "Content-type: application/json" http://localhost:5000/v2.0/tokens | python -mjson.tool
{
  "access":{
    "metadata":{
      "is_admin":0,
      "roles":[
        "9fe2ff9ee4384b1894a90878d3e92bab"
      ]
    },
    "serviceCatalog":[
      {
        "endpoints":[
          {
            "adminURL":"http://localhost/v1",
            "id":"498507b170e34d4c8a5a7cc933da00db",
            "internalURL":"http://localhost/v1/SWIFTSTACK_5c5791c3dca54885a862bbd214587759",
            "publicURL":"http://$SWIFT_API_ENTRY/v1/SWIFTSTACK_5c5791c3dca54885a862bbd214587759",
            "region":"RegionOne"
          }
        ],
        "endpoints_links":[],
        "name":"swift",
        "type":"object-store"
      }
    ],
    "token":{
      "expires":"2013-09-23T09:44:19Z",
      "id":"6a16f3e46d3348dd998ed9a0bebf0a63",
      "issued_at":"2013-09-22T09:44:19.335178",
      "tenant":{
        "description":"SwiftStack-DEV Tenant",
        "enabled":true,
        "id":"5c5791c3dca54885a862bbd214587759",
        "name":"SS"
      }
    },
    "user":{
      "id":"3857a98d704e4ff8bece78f85dadb8a0",
      "name":"swiftstack",
      "roles":[
        {
          "name":"_member_"
        }
      ],
      "roles_links":[],
      "username":"swiftstack"
    }
  }
}

If the response contains the SwiftStack cluster publicURL and the user's role, Keystone is properly configured. Otherwise, recheck your Keystone configuration.

Configure the Keystone middleware in SwiftStack

To enable Keystone auth for a SwiftStack cluster, two middleware sections need to be set up: Keystone Auth and Keystone Auth Token.

Verify the Keystone user access to the SwiftStack cluster

Because the user is authenticated by Keystone, the auth_url does not point to the Swift proxy. Instead, the user retrieves the token and storage URL directly from Keystone.

  1. Issue an authentication request to the Keystone service entry point via API call.

    curl -d '{"auth":{"passwordCredentials":{"username": "USER", "password": "PASSWORD"},"tenantName":"TENANT"}}' -H "Content-type: application/json" http://$KEYSTONE_IP:5000/v2.0/tokens | python -mjson.tool

    The curl command will return JSON data in the following format:

    {
        "publicURL": "http://$SWIFT_API_ENTRY/v1/KEY_5c5791c3dca5462bbd214587759",
        "token": {
            "expires": "2013-09-23T09:44:19Z"
        },
        "id": "6a16f3e46d3348dd998ed9a0c9f0a63"
    }
    
  2. With the publicURL and token, you are now ready to access your Swift account.

    curl -v -H "x-auth-token: 6a16f3e46d3348dd998ed9a0bebf0a63" http://$SWIFT_API_ENTRY/v1/KEY_5c5791c3dca54885a862bbd214587759

The response to this command should be the container list of the account.
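The two token checks above (the Keystone test response and the verify step) can be automated. As an added example that is not part of this guide or of SwiftStack's own code, the following Python parses a v2.0 token response of the shape shown, picks the object-store endpoint for the region, checks that the account in the publicURL carries the reseller_prefix used in endpoint-create, checks the token expiry, and returns the storage URL and token for the x-auth-token request. The embedded response sample and the swift.example.com host are constructed.

```python
import json
from datetime import datetime, timezone

# Constructed sample in the shape of the v2.0 token response shown in this
# guide; the ids, host name and timestamps are made up, not real values.
SAMPLE_RESPONSE = json.dumps({"access": {
    "serviceCatalog": [{
        "endpoints": [{
            "adminURL": "http://localhost/v1",
            "internalURL": "http://localhost/v1/KEY_5c5791c3dca54885a862bbd214587759",
            "publicURL": "http://swift.example.com/v1/KEY_5c5791c3dca54885a862bbd214587759",
            "region": "RegionOne"}],
        "name": "swift", "type": "object-store"}],
    "token": {"expires": "2013-09-23T09:44:19Z",
              "id": "6a16f3e46d3348dd998ed9a0bebf0a63",
              "tenant": {"id": "5c5791c3dca54885a862bbd214587759", "name": "SS"}},
    "user": {"name": "swiftstack", "roles": [{"name": "_member_"}]}}})


def _parse_utc(stamp):
    """Parse a Keystone 'YYYY-MM-DDTHH:MM:SSZ' timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def swift_storage_info(body, region="RegionOne", reseller_prefix="KEY_", now=None):
    """Return (storage_url, token) from a Keystone v2.0 token response, or raise
    ValueError naming the part of the Keystone setup that is still wrong.
    'now' is an optional UTC timestamp string (same format) so tests can pin time."""
    access = json.loads(body)["access"]
    stores = [s for s in access["serviceCatalog"] if s["type"] == "object-store"]
    if not stores:
        raise ValueError("no object-store service in catalog: check service-create")
    eps = [e for s in stores for e in s["endpoints"] if e["region"] == region]
    if not eps:
        raise ValueError("no object-store endpoint in region %r: check endpoint-create" % region)
    url = eps[0]["publicURL"]
    # The last path segment must be <reseller_prefix><tenant_id>; if endpoint-create used a
    # prefix other than the middleware's reseller_prefix, the proxy rejects a valid token.
    account = url.rstrip("/").rsplit("/", 1)[-1]
    expected = reseller_prefix + access["token"]["tenant"]["id"]
    if account != expected:
        raise ValueError("publicURL account %r does not match %r" % (account, expected))
    now_dt = _parse_utc(now) if now else datetime.now(timezone.utc)
    if _parse_utc(access["token"]["expires"]) <= now_dt:
        raise ValueError("token expired at %s: re-authenticate" % access["token"]["expires"])
    return url, access["token"]["id"]


def auth_headers(token):
    """Header for the follow-up request to the storage URL (curl's -H 'x-auth-token: ...')."""
    return {"X-Auth-Token": token}
```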