This blog describes the end-to-end process for switching from Keystone V2.0 to V3.
I ran a small experiment on a single-node OpenStack Havana instance on Ubuntu 12.04.4 LTS (Precise Pangolin). I used DevStack to deploy and configure OpenStack, which by default comes with Keystone V2.0. We had a requirement to test the Domains functionality, which was introduced in Keystone V3.
First, make sure that you have a working OpenStack instance with Keystone V2.0.
Set up the environment:
export OS_USERNAME=<UserName>
export OS_TENANT_NAME=<ProjectName>
export OS_PASSWORD=<Password>
export OS_AUTH_URL=http://127.0.0.1:5000/v2.0
export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0
export SERVICE_TOKEN=<KeystoneServiceToken>
Run a few CLI commands and verify that they all succeed. I use the CLI for initial testing; you can use the REST APIs as well.
List Users:
keystone user-list
List Servers:
nova list
List VM Images:
glance image-list
Workflow:
Step 1: Keystone Policy File
Apply the appropriate version of policy.json. Keystone V3 (the domain feature) is not supported by the default policy.json located at /etc/keystone/policy.json. The appropriate policy file is packaged with the Keystone source code at /opt/stack/keystone/etc/policy.v3cloudsample.json.
mv /etc/keystone/policy.json /etc/keystone/policy.json.bak
cp /opt/stack/keystone/etc/policy.v3cloudsample.json /etc/keystone/policy.json
Step 2: Update Keystone Endpoints
Update the Keystone endpoints in the MySQL database. Keystone endpoints have three types of interface: "internal", "public", and "admin". They must all be set to V2.0 at this point. The internal and public interfaces are set to the same URL.
$ mysql
mysql> use keystone;
mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type="identity";
+-----------+-----------------------------+
| interface | url                         |
+-----------+-----------------------------+
| internal  | http://127.0.0.1:5000/v2.0  |
| public    | http://127.0.0.1:5000/v2.0  |
| admin     | http://127.0.0.1:35357/v2.0 |
+-----------+-----------------------------+
3 rows in set (0.00 sec)
Now update all three URLs from the V2.0 API to V3. Look up the identity service ID first, then use it in the updates:
mysql> select id from service where type="identity";
+----------------------------------+
| id                               |
+----------------------------------+
| b0bbb0370ee4402eb3770129fdc0c328 |
+----------------------------------+
1 row in set (0.00 sec)
mysql> update endpoint set url="http://127.0.0.1:5000/v3" where url="http://127.0.0.1:5000/v2.0" and service_id="b0bbb0370ee4402eb3770129fdc0c328";
mysql> update endpoint set url="http://127.0.0.1:35357/v3" where url="http://127.0.0.1:35357/v2.0" and service_id="b0bbb0370ee4402eb3770129fdc0c328";
Confirm that you have all three endpoints updated to V3:
mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type="identity";
+-----------+---------------------------+
| interface | url                       |
+-----------+---------------------------+
| internal  | http://127.0.0.1:5000/v3  |
| public    | http://127.0.0.1:5000/v3  |
| admin     | http://127.0.0.1:35357/v3 |
+-----------+---------------------------+
3 rows in set (0.00 sec)
Step 3: Restart OpenStack Services
Restart Keystone, Nova, and Glance by rejoining the DevStack screen session. Locate the screen for Keystone (named "key"), hit "Ctrl + Z", then press the up arrow key followed by Enter.
$ cd devstack
$ ./rejoin-stack.sh
Step 4: Verification
Update the environment to point to the new Keystone endpoints:
export OS_AUTH_URL=http://127.0.0.1:5000/v3
export SERVICE_ENDPOINT=http://127.0.0.1:35357/v3
List Users:
You can use either the Keystone CLI or the REST API.
keystone user-list
curl -s -X GET http://127.0.0.1:35357/v3/users -H "X-Auth-Token: $SERVICE_TOKEN" | jq .
List Servers:
The Nova CLI is not supported with Keystone V3, so use the unified OpenStack CLI (the openstack command) instead:
openstack --os-identity-api-version=3 server list
List Images:
The Glance CLI is not supported with Keystone V3, so use the unified OpenStack CLI (the openstack command) instead:
openstack --os-identity-api-version=3 image list
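As a further check for Step 4, the following added example (not part of the original post) authenticates with user credentials against the V3 API instead of the admin SERVICE_TOKEN, then reports any identity endpoint in the returned catalog that Step 2 left on V2.0. It assumes the user and project live in the domain named "Default"; the function names and the embedded sample catalog are constructed for illustration.

```python
import json
import os
import urllib.request

def build_v3_auth(user, password, project, domain="Default"):
    """Body for POST /v3/auth/tokens: password auth, project-scoped.
    The domain name "Default" is an assumption about this deployment."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "domain": {"name": domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}

def stale_identity_endpoints(token_body):
    """Return (interface, url) pairs of identity endpoints not ending in /v3."""
    stale = []
    for service in token_body["token"].get("catalog", []):
        if service.get("type") != "identity":
            continue
        for ep in service.get("endpoints", []):
            if not ep["url"].rstrip("/").endswith("/v3"):
                stale.append((ep["interface"], ep["url"]))
    return stale

def request_token(auth_url, body):
    """POST the body; returns (token id from X-Subject-Token, parsed body)."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)

# Constructed sample: a catalog where the admin endpoint was missed in Step 2.
SAMPLE = {"token": {"catalog": [{"type": "identity", "endpoints": [
    {"interface": "public", "url": "http://127.0.0.1:5000/v3"},
    {"interface": "internal", "url": "http://127.0.0.1:5000/v3"},
    {"interface": "admin", "url": "http://127.0.0.1:35357/v2.0"}]}]}}

if __name__ == "__main__":
    print("sample:", stale_identity_endpoints(SAMPLE))
    # Live check only when the Step 4 environment variables are exported.
    if os.environ.get("OS_AUTH_URL", "").rstrip("/").endswith("/v3"):
        body = build_v3_auth(os.environ["OS_USERNAME"], os.environ["OS_PASSWORD"],
                             os.environ["OS_TENANT_NAME"])
        _token_id, token = request_token(os.environ["OS_AUTH_URL"], body)  # id not printed
        print("live:", stale_identity_endpoints(token) or "all identity endpoints on v3")
```

An empty result from stale_identity_endpoints means every identity endpoint in the token's catalog points at V3.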