IBM Cloud Orchestrator, Version 2.5

Configuring the OpenStack services to use the Keystone V3 API

After the endpoints are configured for Keystone V3, you must configure the other OpenStack services to use the Keystone V3 API and the new Keystone V3 endpoints. You must configure the services on all the OpenStack servers in your installation.

Before you begin

Ensure that the Keystone endpoints are configured for Keystone V3, as described in Configuring V3 API endpoints for Keystone.

About this task

The OpenStack services must be configured to use the new V3 Keystone endpoints. See your OpenStack documentation for information about all the installed OpenStack services and where their configuration files are stored.
When you run the script in the following procedure, the following changes are made. Depending on your OpenStack distribution, you might need to adapt the script or make the changes manually:
  • The configuration files of the OpenStack services contain a section like the following example:
    [keystone_authtoken]
    auth_uri = http://192.0.2.67:5000/v2.0
    identity_uri = http://192.0.2.67:35357/
    auth_version = v2.0
    admin_tenant_name = service
    admin_user = nova
    admin_password = W0lCTTp2MV1iY3JhZmducHgtcGJ6Y2hncg==
    signing_dir = /var/cache/nova/api
    hash_algorithms = md5
    insecure = false
    The following parameters must be changed to use the new V3 endpoints:
    auth_uri = http://192.0.2.67:5000/v3
    auth_version = v3
  • In the keystone.conf file, the following parameter must be set:
    [auth]
    external = keystone.auth.plugins.external.Domain
  • In the Cinder api-paste.ini file, the following section must be added:
    [keystone_authtoken]
    auth_uri = http://192.0.2.67:5000/v3
    identity_uri = http://192.0.2.67:35357/
    auth_version = v3
    admin_tenant_name = service
    admin_user = cinder
    admin_password = W0lCTTp2MV1iY3JhZmducHgtcGJ6Y2hncg==
    signing_dir = /var/cache/nova/api
    hash_algorithms = md5
  • The following changes must be made to the Horizon local settings:
    "identity": 3
    OPENSTACK_KEYSTONE_MULTIDOMAIN_SUPPORT = True
    OPENSTACK_KEYSTONE_URL = "http://192.0.2.67:5000/v3"
    OPENSTACK_KEYSTONE_ADMIN_URL = "http://192.0.2.67:35357/v3"
    OPENSTACK_KEYSTONE_DEFAULT_ROLE = "member"
    If the following line is not in the configuration file, it must be added:
    OPENSTACK_KEYSTONE_DEFAULT_DOMAIN = "Default"

Additional changes might be needed.

After the changes, the Keystone policy.json file must be replaced with the version delivered by IBM Cloud Orchestrator. To do this manually, copy the keystone_policy.json file into the Keystone configuration directory, for example /etc/keystone, as policy.json. See your OpenStack distribution documentation for the correct path and file name to replace. Then, restore the original owner of the file.

Procedure

  1. Log on to the OpenStack server as a root user.
  2. Change directory to the directory where you store the IBM Cloud Orchestrator scripts:
    cd /opt/ico_scripts
  3. Set the environment to the correct OpenStack values. Use the new RC file that you created by following the procedure in Creating a new RC file for Keystone V3. Run the following command:
    source <name_of_your_RC_file>
    Alternatively, you can provide the OS_AUTH_URL value as a command parameter in the following step.
  4. Run the script:
    ./BYOOS_configure_files.sh [OS_AUTH_URL]
  5. Copy the Keystone policy.json file to the Keystone configuration directory:
    cp keystone_policy.json <path_to_keystone_config>/policy.json

Results

All the OpenStack services are configured to use the new Keystone V3 endpoints.
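
To confirm this result on each server, the following added example (not part of the IBM Cloud Orchestrator scripts) checks the [keystone_authtoken] section of a service configuration file for the two parameters that the procedure changes. The function name, the script name, the constructed sample text and the command-line usage are assumptions; pass the configuration file paths used by your distribution as arguments.

```python
import configparser
import sys
from urllib.parse import urlparse

SECTION = "keystone_authtoken"

# Constructed samples modelled on the sections shown above (password replaced).
BEFORE_SAMPLE = """\
[keystone_authtoken]
auth_uri = http://192.0.2.67:5000/v2.0
identity_uri = http://192.0.2.67:35357/
auth_version = v2.0
admin_user = nova
admin_password = PLACEHOLDER
"""
AFTER_SAMPLE = BEFORE_SAMPLE.replace("/v2.0", "/v3").replace("= v2.0", "= v3")


def audit_authtoken(conf_text, name="<config>"):
    """Return findings for one file; an empty list means V3 is configured."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       allow_no_value=True)
    parser.read_string(conf_text, source=name)
    if not parser.has_section(SECTION):
        return [f"{name}: no [{SECTION}] section"]
    section = parser[SECTION]
    findings = []
    auth_uri = (section.get("auth_uri") or "").strip()
    # Accept any path that ends in /v3, with or without a trailing slash.
    if not urlparse(auth_uri).path.rstrip("/").endswith("/v3"):
        findings.append(f"{name}: auth_uri is {auth_uri!r}, expected .../v3")
    auth_version = (section.get("auth_version") or "").strip()
    if auth_version != "v3":
        findings.append(f"{name}: auth_version is {auth_version!r}, expected 'v3'")
    return findings


if __name__ == "__main__":
    # Usage (assumed): python3 check_v3.py /etc/nova/nova.conf ...
    results = []
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8") as handle:
            results += audit_authtoken(handle.read(), path)
    if not sys.argv[1:]:
        results = audit_authtoken(BEFORE_SAMPLE, "constructed-before-sample")
    print("\n".join(results) or "all checked files use Keystone V3")
    sys.exit(1 if results else 0)
```

A nonzero exit status means that at least one file still points to a non-V3 endpoint or has no [keystone_authtoken] section, so that file needs the manual changes described in About this task.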