Cloud Platform Engineering

How to switch from Keystone V2.0 to V3?

Created: 07 Jul 2014 • Updated: 07 Jul 2014
Author: Priti_Desai

This blog describes the end-to-end process for switching from Keystone V2.0 to V3.

I am running a small experiment on a single-node OpenStack Havana instance on Ubuntu 12.04.4 LTS (Precise Pangolin). I used DevStack to deploy and configure OpenStack, which by default comes with Keystone V2.0. We had a requirement to test the Domains functionality, which was introduced in Keystone V3.

First, make sure that you have a working OpenStack instance with Keystone V2.0.

Setup environment:

export OS_USERNAME=<UserName> 

export OS_TENANT_NAME=<ProjectName>

export OS_PASSWORD=<Password>

export OS_AUTH_URL=http://127.0.0.1:5000/v2.0

export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0

export SERVICE_TOKEN=<KeystoneServiceToken>

Run a few CLI commands and verify that they all succeed. I am using the CLI for initial testing; you can use the REST APIs as well.

List Users:

keystone user-list

List Servers:

nova list

List VM Images:

glance image-list

Workflow:

Step 1: Keystone Policy File

Apply the appropriate version of policy.json. Keystone V3 (the domain feature) is not supported by the default policy.json located at /etc/keystone/policy.json. The appropriate policy file is packaged with the Keystone source code at /opt/stack/keystone/etc/policy.v3cloudsample.json.

mv /etc/keystone/policy.json /etc/keystone/policy.json.bak

cp /opt/stack/keystone/etc/policy.v3cloudsample.json /etc/keystone/policy.json

Step 2: Update Keystone Endpoints

Update the Keystone endpoints in the MySQL database. Keystone endpoints have three types of interfaces: "internal", "public", and "admin". Before the change, all three should be set to V2.0. The internal and public interfaces are set to the same URL.

$ mysql
mysql> use keystone;
mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type="identity";
+-----------+-----------------------------+
| interface | url                         |
+-----------+-----------------------------+
| internal  | http://127.0.0.1:5000/v2.0  |
| public    | http://127.0.0.1:5000/v2.0  |
| admin     | http://127.0.0.1:35357/v2.0 |
+-----------+-----------------------------+
3 rows in set (0.00 sec)

Now update all three URLs, changing the V2.0 API to V3. First look up the ID of the identity service, then update the endpoints that belong to it:

mysql> select id from service where type="identity";
+----------------------------------+
| id                               |
+----------------------------------+
| b0bbb0370ee4402eb3770129fdc0c328 |
+----------------------------------+
1 row in set (0.00 sec)

mysql> update endpoint set url="http://127.0.0.1:5000/v3" where url="http://127.0.0.1:5000/v2.0" and service_id="b0bbb0370ee4402eb3770129fdc0c328";

mysql> update endpoint set url="http://127.0.0.1:35357/v3" where url="http://127.0.0.1:35357/v2.0" and service_id="b0bbb0370ee4402eb3770129fdc0c328";

Confirm that you have all three endpoints updated to V3:

mysql> select interface, url from endpoint e, service s where s.id=e.service_id and s.type="identity";
+-----------+---------------------------+
| interface | url                       |
+-----------+---------------------------+
| internal  | http://127.0.0.1:5000/v3  |
| public    | http://127.0.0.1:5000/v3  |
| admin     | http://127.0.0.1:35357/v3 |
+-----------+---------------------------+
3 rows in set (0.00 sec)

Step 3: Restart OpenStack Services

Restart Keystone, Nova, and Glance by re-joining the DevStack screen session. Locate the screen for Keystone (named "key"), then hit "Ctrl + Z" followed by the up arrow key + Enter.

$ cd devstack

$ ./rejoin-stack.sh

Step 4: Verification

Update the environment so that it points to the V3 Keystone endpoints:

export OS_AUTH_URL=http://127.0.0.1:5000/v3

export SERVICE_ENDPOINT=http://127.0.0.1:35357/v3

List Users:

You can use either the Keystone CLI or the REST API.

keystone user-list

curl -s -X GET http://127.0.0.1:35357/v3/users -H "X-Auth-Token: $SERVICE_TOKEN" | jq .

List Servers:

The Nova CLI is not supported with Keystone V3, so please use the OpenStack command-line client instead:

openstack --os-identity-api-version=3 server list

List Images:

The Glance CLI is not supported with Keystone V3, so please use the OpenStack command-line client instead:

openstack --os-identity-api-version=3 image list
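
The curl check above authenticates with SERVICE_TOKEN, the admin token, which Keystone accepts without applying the rules in policy.json. The following sketch (an added example, not part of the original post) builds a Keystone V3 password-authentication request scoped to a project in a domain, and checks the catalog in the returned token body for identity endpoints that still point at V2.0. The function names, the "demo" user and project, and the sample response are constructed for illustration.

```python
import json

def v3_password_auth(user, password, project, domain_id="default"):
    """Body for POST $OS_AUTH_URL/auth/tokens: password method, project scope.
    V3 requires a domain for both the user and the project."""
    domain = {"id": domain_id}
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": user, "domain": domain,
                                           "password": password}}},
        "scope": {"project": {"name": project, "domain": domain}}}}

def stale_identity_endpoints(token_body):
    """Return sorted (interface, url) pairs for identity endpoints in a V3
    token catalog whose URL does not end in /v3."""
    stale = []
    for service in token_body["token"].get("catalog", []):
        if service.get("type") != "identity":
            continue
        for ep in service.get("endpoints", []):
            if not ep["url"].rstrip("/").endswith("/v3"):
                stale.append((ep["interface"], ep["url"]))
    return sorted(stale)

# Constructed sample response body: the admin endpoint was missed in Step 2.
SAMPLE_TOKEN = {"token": {"catalog": [
    {"type": "identity", "endpoints": [
        {"interface": "internal", "url": "http://127.0.0.1:5000/v3"},
        {"interface": "public", "url": "http://127.0.0.1:5000/v3"},
        {"interface": "admin", "url": "http://127.0.0.1:35357/v2.0"}]},
    {"type": "image", "endpoints": [
        {"interface": "public", "url": "http://127.0.0.1:9292"}]}]}}

if __name__ == "__main__":
    # Placeholder credentials; send the body with Content-Type: application/json.
    print(json.dumps(v3_password_auth("demo", "<Password>", "demo"), indent=2))
    for interface, url in stale_identity_endpoints(SAMPLE_TOKEN):
        print("still V2.0:", interface, url)
```

Keystone returns the token ID in the X-Subject-Token response header and the catalog in the JSON response body.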