keystone - Identity Service

keystone is one of the OpenStack components. It provides a unified authentication service to the other members of the OpenStack family, covering identity verification, token issuance and validation, the service catalog, the definition of user permissions, and so on. All authentication and authorization between services in the cloud environment goes through keystone, so keystone is the first service that needs to be installed on the cloud platform.

As the foundational support service of OpenStack, Keystone does the following:
- Manages users and their permissions
- Maintains the Endpoints of the OpenStack Services
- Authentication and Authorization

Configuration

pikachu1:
(Controller node: the OpenStack components and the shared services are all deployed on this node)
#yum install python-openstackclient
#yum install openstack-selinux

Deploy the database

#yum install mariadb mariadb-server python2-PyMySQL
#vim /etc/my.cnf.d/openstack.cnf

[mysqld]
bind-address = 192.168.146.51

default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

# systemctl enable mariadb.service
# systemctl start mariadb.service
# mysql_secure_installation

Configure rabbitmq (message queue)

Create a user
#rabbitmqctl add_user openstack admin
openstack - the user name
admin - the password

Set the user's permissions
#rabbitmqctl set_permissions openstack ".*" ".*" ".*"

Make the user an administrator
(so that the openstack user can log in to the management web UI)
#rabbitmqctl set_user_tags openstack administrator

Memcached

#yum install memcached python-memcached
Edit the configuration file
#vim /etc/sysconfig/memcached
Add the local node (name resolution for it must be configured first)


# systemctl enable memcached.service
# systemctl start memcached.service

Identity service (authentication service)

Set up the database
#mysql -uroot -p123
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';


# yum install openstack-keystone httpd mod_wsgi
Edit the configuration file
#cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak (make a backup)
#vim /etc/keystone/keystone.conf (copy the content below into the configuration file, paying attention to the section each setting belongs under)

[DEFAULT]

[assignment]

[auth]

[cache]

[catalog]

[cors]

[cors.subdomain]

[credential]

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@pikachu1/keystone

[domain_config]

[endpoint_filter]

[endpoint_policy]

[eventlet_server]

[federation]

[fernet_tokens]

[healthcheck]

[identity]

[identity_mapping]

[kvs]

[ldap]

[matchmaker_redis]

[memcache]

[oauth1]

[oslo_messaging_amqp]

[oslo_messaging_kafka]

[oslo_messaging_notifications]

[oslo_messaging_rabbit]

[oslo_messaging_zmq]

[oslo_middleware]

[oslo_policy]

[paste_deploy]

[policy]

[profiler]

[resource]

[revoke]

[role]

[saml]

[security_compliance]

[shadow_users]

[signing]

[token]
provider = fernet

[tokenless_auth]

[trust]

Sync the database
#su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the Fernet and credential key repositories (owned by the keystone user and group)
#keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
#keystone-manage credential_setup --keystone-user keystone --keystone-group keystone


Set up the keystone admin service endpoints
#keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://pikachu1:35357/v3/ \
--bootstrap-internal-url http://pikachu1:5000/v3/ \
--bootstrap-public-url http://pikachu1:5000/v3/ \
--bootstrap-region-id RegionOne
admin-url - service endpoint on the management network
internal-url - service endpoint on the internal network
public-url - service endpoint on the public network

Set up the http service

#vim /etc/httpd/conf/httpd.conf


Create the link
#ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
#systemctl restart httpd
#systemctl enable httpd
Create the environment variables
#vim openrc

export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://pikachu1:35357/v3
export OS_IDENTITY_API_VERSION=3

#source openrc

#openstack user list
#openstack endpoint list
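To show what the `openstack` commands above actually send to keystone once `openrc` is sourced, here is an added Python example (not part of the original post): it parses an openrc file into a dict, builds the Keystone v3 project-scoped password authentication request that is POSTed to `/v3/auth/tokens`, and lists the settings a reviewer would flag in this openrc. The sample openrc is constructed to mirror the values in the post; the function names are this example's own.

```python
# Constructed sample openrc, mirroring the values used in the post.
SAMPLE_OPENRC = """export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://pikachu1:35357/v3
export OS_IDENTITY_API_VERSION=3
"""

def parse_openrc(text):
    """Turn `export KEY=VALUE` lines into a dict; other lines are ignored."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("export "):
            continue
        key, _, value = line[len("export "):].partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env

def token_url(env):
    """Keystone v3 token endpoint derived from OS_AUTH_URL."""
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"

def build_token_request(env):
    """Body of the POST /v3/auth/tokens the CLI sends: password method,
    user and project both qualified by domain name, project-scoped."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
            "password": env["OS_PASSWORD"]}}},
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}

def review_openrc(env):
    """Findings a reviewer would raise before this openrc is used."""
    findings = []
    if env.get("OS_PASSWORD") == env.get("OS_USERNAME"):
        findings.append("OS_PASSWORD is the same as OS_USERNAME")
    if env.get("OS_AUTH_URL", "").startswith("http://"):
        findings.append("OS_AUTH_URL uses plain HTTP, so the password is sent unencrypted")
    return findings

if __name__ == "__main__":
    env = parse_openrc(SAMPLE_OPENRC)
    print("POST", token_url(env), build_token_request(env))
    print(review_openrc(env))
```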


Create projects
#openstack project create --domain default \
--description "Service Project" service
#openstack project create --domain default \
--description "Demo Project" demo
Create a user
#openstack user create --domain default \
--password=demo demo
Delete a user
#openstack user delete demo
Create a role
#openstack role create user
Assign the user role to demo
#openstack role add --project demo --user demo user

Reprinted from blog.csdn.net/PpikachuP/article/details/89153459