How to change keystone API V2 to V3

The Keystone Identity Service allows clients to obtain tokens that can be used to access OpenStack cloud services. This document is intended for software developers interested in developing applications that utilize the Keystone Identity Service API for authentication. The OpenStack Identity API is implemented using a RESTful web service interface. All requests to authenticate and operate against the OpenStack Identity API should be performed using SSL over HTTP (HTTPS) on TCP port 443.

keystone V3 Advantages

1) Authentication is totally pluggable. You can write our own custom auth method. Beause of this extensible auth method, now keystone supports oauth1, federation ( federation is not fully done)

2) Authorization : V2 is either “admin” or none. In v3 you can control who can call each method. ( Provided you define your own policy file )

3) Separate drivers for assignments and identity

4) Rich set of APIs. There are lot more API available than v2.0. Also there are no vendor specic extension. If you check v2.0, most of the role apis are Rackspace extensions
Before proceed to migrate keystone v2 to v3, you must check previous services are working fine. Use the following commands to verify the list of services works.

How to change keystone API V2 to V3?

[root@localhost ~(keystone_admin)]# keystone user-list
WARNING: Bypassing authentication using a token & endpoint (authentication credentials are being ignored).
+———————————-+————+———+———————-+
| id | name | enabled | email |
+———————————-+————+———+———————-+
| ed03407c56054729bee58be7f7710786 | admin | True | root@localhost |
| 3b52f88a70f149a791e295b1859ae8f4 | ceilometer | True | ceilometer@localhost |

 

[root@localhost ~(keystone_admin)]# nova service-list
+——————+———–+———-+———+——-+—————————-+—————–+
| Binary | Host | Zone | Status | State | Updated_at | Disabled Reason |
+——————+———–+———-+———+——-+—————————-+—————–+
| nova-consoleauth | packstack | internal | enabled | up | 2014-12-13T10:45:52.000000 | – |
| nova-scheduler | packstack | internal | enabled | up | 2014-12-13T10:45:50.000000 | – |
| nova-conductor | packstack | internal | enabled | up | 2014-12-13T10:45:54.000000 | – |
| nova-compute | packstack | nova | enabled | up | 2014-12-13T10:45:51.000000 | – |
| nova-cert | packstack | internal | enabled | up | 2014-12-13T10:45:52.000000 | – |
| nova-console | packstack | internal | enabled | up | 2014-12-13T10:45:51.000000 | – |
+——————+———–+———-+———+——-+—————————-+—————–+
[root@localhost ~(keystone_admin)]# glance image-list
+————————————–+——–+————-+——————+———-+——–+
| ID | Name | Disk Format | Container Format | Size | Status |
+————————————–+——–+————-+——————+———-+——–+
| f4c137ca-8dd8-47f3-be70-106eac2f241f | cirros | qcow2 | bare | 13147648 | active |
+————————————–+——–+————-+——————+———-+——–+

If all the services are working fine then proceed to migrate endpoint urls to V3 in your keystone databases.  Login your mysql server and change endpoint URLs.
mysql> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type=”identity”;
+———–+———————————-+
| interface | url |
+———–+———————————-+
| admin | http://192.168.1.133:35357/v2.0 |
| internal | http://192.168.1.133:5000/v2.0 |
| public | http://192.168.1.133:5000/v2.0 |
+———–+———————————-+
3 rows in set (0.01 sec)

Get the identity service ID

mysql> select id from service where type=”identity”;
+———————————-+
| id |
+———————————-+
| e32101fdfe4145d1a6a22351b41d88e5 |
+———————————-+
1 row in set (0.00 sec)
Use this query to replace URLs as per service id where 5000 ports
mysql> update endpoint set url=”http://192.168.1.196:5000/v3″ where url=”http://192.168.1.196:5000/v2.0″ and service_id=”76e23f322c2a48d18293db89dbca9e70″;
Query OK, 2 rows affected (0.00 sec)
Rows matched: 2 Changed: 2 Warnings: 0

Use this query to replace 35357 ports

mysql> update endpoint set url=”http://192.168.1.196:35357/v3″ where url=”http://192.168.1.196:35357/v2.0″ and service_id=”76e23f322c2a48d18293db89dbca9e70″;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0

Thats all, you can verify the changed URLs.

mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type=”identity”;
+———–+——————————–+
| interface | url |
+———–+——————————–+
| admin | http://192.168.1.133:35357/v3 |
| internal | http://192.168.1.133:5000/v3 |
| public | http://192.168.1.133:5000/v3 |
+———–+——————————–+
3 rows in set (0.00 sec)

mysql>

 

upgrade Keystone Policy File

Policy is just a set of rules combined by or/and logic. It should become more readable in future releases, The Openstack Identity v3 API, provided by Keystone, offers features that were lacking in the previous version. Among these features, it introduces the concept of domains, allowing isolation of projects and users. For instance, an administrator allowed to create projects and users in a given domain, may not have any right in another one. While these features look very exciting, some configuration needs to be done to have a working identity v3 service with domains properly set.

 

Download policy.v3cloudsample.json file

wget https://github.com/openstack/keystone/blob/master/etc/policy.v3cloudsample.json
mv /etc/keystone/policy.json /etc/keystone/policy.json.V2

mv policy.v3cloudsample.json /etc/keystone/policy.json

chown keystone.keystone policy.json

Update Keystone Endpoint Environment.

export OS_USERNAME=admin
export OS_TENANT_NAME=admin
export OS_PASSWORD=<password>
export OS_AUTH_URL=http://192.168.1.133:5000/v3
export SERVICE_ENDPOINT=http://192.168.1.133:35357/v3

export SERVICE_TOKEN=c50f58a02dde43f286517af102786be0

Restart OpenStack Services

/etc/init.d/openstack-keystone restart

Troubleshooting

If you received “horizon unauthorized (http 401)” errors, you can revert back policy.json v2 file and try to restart services.

 

How to Enable Multi Domains on openstack horizon

Horizon supports multi domains as well. You need to add only a few changes to local_setting. Apply the correct policy.json file for keystone.
vi /etc/openstack-dashboard/local_settings

uncommand the following settings.

OPENSTACK_API_VERSIONS = {
“identity”: 3
}
OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
OPENSTACK_KEYSTONE_URL = “http://192.168.1.133:5000/v3”
Save local_settings and restart openstack-dashboard.

/etc/init.d/httpd restart