OpenStack Mitaka deployment: the Keystone identity service

1. Install the packages required by the Keystone service

[root@controller ~]# yum install openstack-keystone httpd mod_wsgi openstack-utils -y

2. Create the Keystone database (every service needs this step)

2.1 Log in to the database
[root@controller ~]# mysql -u root -p000000
2.2 Create the keystone database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
2.3 Grant the keystone user access to the keystone database (000000 is the password)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    ->   IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.00 sec)


MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'    IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.00 sec)
2.4 Exit the database
MariaDB [(none)]> exit
Bye

3. Configure the Keystone identity service

3.1 Generate a random value to use as the administration token during initial configuration
[root@controller ~]# ADMIN_TOKEN=`openssl rand -hex 10`
3.2 Configure /etc/keystone/keystone.conf
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:000000@controller/keystone         
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet
3.3 Populate the database
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
3.4 Initialize the Fernet key repository
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone


3.5 Edit /etc/httpd/conf/httpd.conf (95 is the line number)
[root@controller ~]# vim  /etc/httpd/conf/httpd.conf

 95 ServerName controller


3.6 Create /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357


<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined


    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>


<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined


    <Directory /usr/bin>
        Require all granted
    </Directory>

</VirtualHost>


3.7 Start httpd and enable it at boot

[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl start httpd.service 
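The following script is an added example and not code from the original post. It checks the keystone.conf settings and the Fernet key repository produced by steps 3.2 to 3.4, and exports the temporary admin-token environment (OS_TOKEN, OS_URL, OS_IDENTITY_API_VERSION) that the `openstack` commands in section 4 rely on and that step 5.1 later unsets. The key repository path /etc/keystone/fernet-keys is Keystone's default; GNU coreutils (`stat -c`), as on the CentOS 7 controller in the post, is assumed.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the keystone.conf
# settings and the Fernet key repository produced by steps 3.2 to 3.4, plus
# the temporary admin-token environment that the "openstack" commands of
# section 4 rely on (step 5.1 unsets it again). Assumes GNU coreutils
# (stat -c), as on the CentOS 7 controller used in the post.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] of an
# ini-style file such as /etc/keystone/keystone.conf (first match wins,
# comment lines starting with # or ; are skipped).
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*\[/ {                       # section header
            hdr = $0; gsub(/[ \t]/, "", hdr)
            in_section = (hdr == "[" section "]")
            next
        }
        in_section && !/^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_keystone_conf FILE: verify the three settings written in step 3.2.
# Returns 0 when all pass; each problem is reported on stdout.
check_keystone_conf() {
    conf=$1; rc=0
    [ -n "$(ini_get "$conf" DEFAULT admin_token)" ] \
        || { echo "$conf: [DEFAULT] admin_token is not set"; rc=1; }
    case "$(ini_get "$conf" database connection)" in
        mysql+pymysql://*) ;;
        *) echo "$conf: [database] connection is not a mysql+pymysql URL"; rc=1 ;;
    esac
    [ "$(ini_get "$conf" token provider)" = fernet ] \
        || { echo "$conf: [token] provider is not fernet"; rc=1; }
    return $rc
}

# check_fernet_repo DIR OWNER: keystone-manage fernet_setup (step 3.4) leaves
# DIR mode 0700, owned by OWNER, holding key files 0 (staged) and 1 (primary)
# with mode 0600. Anything looser exposes the token encryption keys.
check_fernet_repo() {
    dir=$1; owner=$2; rc=0
    [ -d "$dir" ] || { echo "$dir: key repository missing"; return 1; }
    set -- $(stat -c '%a %U' "$dir")
    [ "$1" = 700 ] || { echo "$dir: mode $1, expected 700"; rc=1; }
    [ "$2" = "$owner" ] || { echo "$dir: owned by $2, expected $owner"; rc=1; }
    for k in 0 1; do
        [ -f "$dir/$k" ] || { echo "$dir/$k: key file missing"; rc=1; continue; }
        m=$(stat -c '%a' "$dir/$k")
        [ "$m" = 600 ] || { echo "$dir/$k: mode $m, expected 600"; rc=1; }
    done
    return $rc
}

# bootstrap_env CONF: export the temporary token-based environment for the
# section 4 commands, reading the admin_token written in step 3.2 instead of
# pasting it by hand. Returns 1 when the token is not configured.
bootstrap_env() {
    token=$(ini_get "$1" DEFAULT admin_token)
    [ -n "$token" ] || return 1
    export OS_TOKEN="$token"
    export OS_URL=http://controller:35357/v3
    export OS_IDENTITY_API_VERSION=3
}

# Run the checks against the real paths when executed on the controller.
if [ -r /etc/keystone/keystone.conf ]; then
    check_keystone_conf /etc/keystone/keystone.conf
    check_fernet_repo /etc/keystone/fernet-keys keystone
fi
```

Source the script (`. ./keystone-check.sh`) rather than executing it when you want `bootstrap_env` to populate the current shell; run `check_fernet_repo /etc/keystone/fernet-keys keystone` again after every key rotation, since the same permission rules apply to each new key file.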

4. Create the service entity and API endpoints

4.2 Create the service entity:
[root@controller ~]# openstack service create   --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 248daef05e624334b115fd8f6fdaca20 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
4.3 Create the Identity service API endpoints:
[root@controller ~]# openstack endpoint create --region RegionOne \
identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 36878f0a8a984f5b91a4c565027c7d4c |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 248daef05e624334b115fd8f6fdaca20 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 54ef532d9d7d4380b5bca3e8ce586b1b |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 248daef05e624334b115fd8f6fdaca20 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 663a7078970c474b8889144f9502c251 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 248daef05e624334b115fd8f6fdaca20 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v3       |
+--------------+----------------------------------+

4.4 Create the domain (default is the domain name)
[root@controller ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 11c1d63da1784b51bc6d13335f635778 |
| name        | default                          |
+-------------+----------------------------------+

4.5 Create the administrative project, user and role in the domain.
4.5.1 Create the admin project:

[root@controller ~]# openstack project create --domain default \
--description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 11c1d63da1784b51bc6d13335f635778 |
| enabled     | True                             |
| id          | 84f00df4afd847248adfebd326a81a42 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 11c1d63da1784b51bc6d13335f635778 |
+-------------+----------------------------------+
4.5.2 Create the admin user:
[root@controller ~]# openstack user create --domain default \
--password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled   | True                             |
| id        | ac3377633149401296f6c0d92d79dc16 |
| name      | admin                            |
+-----------+----------------------------------+
4.5.3 Create the admin role:
[root@controller ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 0c669b85c77d457abef3577a3d0bdfd7 |
| name      | admin                            |
+-----------+----------------------------------+
4.5.4 Add the admin role to the admin project and user:
[root@controller ~]# openstack role add --project admin --user admin admin
4.5.5 Create the service project
[root@controller ~]# openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 11c1d63da1784b51bc6d13335f635778 |
| enabled     | True                             |
| id          | 8a866739cb0a429a8119d140414003ab |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 11c1d63da1784b51bc6d13335f635778 |
+-------------+----------------------------------+
4.5.6 Create the demo project
[root@controller ~]# openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 11c1d63da1784b51bc6d13335f635778 |
| enabled     | True                             |
| id          | 18d606f4d475401da1afd6369cb6c154 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 11c1d63da1784b51bc6d13335f635778 |
+-------------+----------------------------------+
4.5.7 Create the demo user
[root@controller ~]# openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 11c1d63da1784b51bc6d13335f635778 |
| enabled   | True                             |
| id        | b39301a69ae84a31b7bbeea4b9186687 |
| name      | demo                             |
+-----------+----------------------------------+
4.5.8 Create the user role
[root@controller ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 21138e7016784c5da2b950213f7d60e7 |
| name      | user                             |
+-----------+----------------------------------+
4.5.9 Add the demo user to the demo project with the user role
[root@controller ~]# openstack role add --project demo --user demo user

5. Verify operation

5.1 Unset the temporary OS_TOKEN and OS_URL environment variables

[root@controller ~]#  unset OS_TOKEN OS_URL


5.2.1 As the admin user, request an authentication token (enter the admin user's password)
[root@controller ~]#  openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
Password: 
+------------+---------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                           |
+------------+---------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-06-29T04:09:59.388878Z                                                                                                     |
| id         | gAAAAABbNaMHpYCGIwUvsjiBK69PrpM2kpTp5VvhrWwDU2I0g3FYuxSBZo4Lf2vYtkyIsOLoR9Eu_Nw84AyOn2pBNgdghcRYDolZsvQjZe9O7lHB0iH5YA88C8t985X |
|            | xrW0sY8Rgf6y0Ux6WPj_BGMy8Eechm9trdyajJA1hQqRsOT-BNoZGzWc                                                                        |
| project_id | 84f00df4afd847248adfebd326a81a42                                                                                                |
| user_id    | 4d615ed7e32f48c78ed6037c93f0b2d2                                                                                                |
+------------+---------------------------------------------------------------------------------------------------------------------------------+
5.2.2 As the demo user, request an authentication token (enter the demo user's password)
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue
Password: 
+------------+---------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                           |
+------------+---------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-06-29T04:11:03.829120Z                                                                                                     |
| id         | gAAAAABbNaNHOat7pZ5JupOmmpR3Lng_8cx16iTDvR1_8udNG0KPCTvMKEXm4FWhnUXS-sR4Zz-1L8XD72waLlm8WL2b0fzq5VpwnDo4DxEiQIEEc4wb5AC7rH-     |
|            | q2o9zyi_CXmSAEuUBBx-biYzNqTI3u9SJ0FACzL-Fqouzj5VUoddFgvlI6JM                                                                    |
| project_id | 18d606f4d475401da1afd6369cb6c154                                                                                                |
| user_id    | b39301a69ae84a31b7bbeea4b9186687                                                                                                |
+------------+---------------------------------------------------------------------------------------------------------------------------------+
5.3 Edit /etc/keystone/admin-openrc and add the following:
[root@controller ~]# vim /etc/keystone/admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2


5.4 Edit /etc/keystone/demo-openrc and add the following:
[root@controller ~]# vim /etc/keystone/demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2


5.5 Request a token using /etc/keystone/admin-openrc
[root@controller ~]# source /etc/keystone/admin-openrc 
[root@controller ~]# openstack token issue
+------------+---------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                           |
+------------+---------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-06-29T04:13:10.302658Z                                                                                                     |
| id         | gAAAAABbNaPGeJiJPQcSYdZN1nTbZjDeZIT3gCr6Cd-e2LOWZ7cFJ-R6HUMWA8Vnho-                                                             |
|            | dfQYElFCrhtwDVsFlByj4E1MjtRucWq8tcon8saHKxCseD3q2skjqvf1ryYdr41CuydDZPKm4yU6_8qknoqNhbwlj0mHqAfN1_9wDn52R6UjqH-pDn94            |
| project_id | 84f00df4afd847248adfebd326a81a42                                                                                                |
| user_id    | 4d615ed7e32f48c78ed6037c93f0b2d2                                                                                                |
+------------+---------------------------------------------------------------------------------------------------------------------------------+
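The admin-openrc and demo-openrc files from steps 5.3 and 5.4 hold OS_PASSWORD in clear text and are executed verbatim by `source`. The script below is an added example, not code from the original post: it reads each file line by line instead of sourcing it, so the check itself never executes anything in the file, and it verifies the file mode, the variables the post's files define, and that OS_AUTH_URL is a v3 Identity URL. The expected mode 600 and the GNU `stat -c` call are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the openrc
# files created in steps 5.3 and 5.4. The files carry OS_PASSWORD in clear
# text, so they must not be readable by other users, and they are parsed
# rather than sourced so a stray command line in the file cannot run during
# the check. Assumes GNU coreutils (stat -c).

# openrc_get FILE VAR: print the value of the first "export VAR=value" line.
openrc_get() {
    sed -n "s/^[[:space:]]*export[[:space:]]\{1,\}$2=//p" "$1" | head -n 1
}

# check_openrc FILE: returns 0 when FILE is mode 600, every variable the
# post's openrc files define is present, OS_AUTH_URL points at a v3 Identity
# endpoint, and the file contains only export lines, comments and blanks.
# Each problem is reported on stdout.
check_openrc() {
    f=$1; rc=0
    [ -r "$f" ] || { echo "$f: not readable"; return 1; }
    mode=$(stat -c '%a' "$f")
    [ "$mode" = 600 ] \
        || { echo "$f: mode $mode, expected 600 (file contains OS_PASSWORD)"; rc=1; }
    for var in OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME \
               OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION; do
        [ -n "$(openrc_get "$f" "$var")" ] || { echo "$f: $var missing"; rc=1; }
    done
    case "$(openrc_get "$f" OS_AUTH_URL)" in
        http://*/v3|https://*/v3) ;;
        *) echo "$f: OS_AUTH_URL is not a v3 Identity URL"; rc=1 ;;
    esac
    [ "$(openrc_get "$f" OS_IDENTITY_API_VERSION)" = 3 ] \
        || { echo "$f: OS_IDENTITY_API_VERSION must be 3"; rc=1; }
    # Any line that is neither blank, a comment nor "export NAME=value" would
    # be executed when the file is sourced, so report it.
    if grep -E -v -e '^[[:space:]]*(#.*)?$' \
                  -e '^[[:space:]]*export[[:space:]]+[A-Z_][A-Z0-9_]*=' "$f"; then
        echo "$f: unexpected non-export lines (listed above)"; rc=1
    fi
    return $rc
}

# Check the files the post creates when run on the controller.
for f in /etc/keystone/admin-openrc /etc/keystone/demo-openrc; do
    if [ -e "$f" ]; then check_openrc "$f"; fi
done
```

Run `check_openrc /etc/keystone/admin-openrc` before each `source`; the admin file should pass with OS_AUTH_URL on port 35357 and the demo file with port 5000, matching the admin and public endpoints registered in step 4.3.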

Reposted from blog.csdn.net/liang_operations/article/details/80866522