Keystone role:
- User and authentication: user permissions and user behavior tracking;
- Service catalog: provides a catalog of all services and the endpoints of their APIs;
- SOA (service-oriented architecture) related knowledge.
Keystone's two main functions are user authentication and the service catalog (equivalent to a registration center).
- Introduction to user authentication terms
User: User
A digital representation of a person, system, or service that uses OpenStack cloud services. The authentication service validates incoming requests made by a user who asserts an identity. A tenant can have multiple users, and a user can belong to one or more tenants. A user's permissions within a tenant, and the operations it may perform, are determined by the user's role within that tenant.
Project: Project (also referred to above as a tenant)
A collection of resources or resource groups that can be accessed in each service. It is a container for organizing and isolating resources, or for identifying objects.
Token: Token
Role: Role
A role represents a set of resource permissions that a user can access, such as a virtual machine in Nova or an image in Glance.
- Introduction to the two service catalog terms
Service: Service
A service such as Nova, Glance, or Swift. Based on the first three concepts (User, Project and Role), a service can confirm whether the current user has permission to access its resources. But when a user tries to access a service in his tenant, he must first know whether the service exists and how to reach it.
Endpoint: Endpoint
Endpoint is translated as "endpoint". It can be understood as an access point exposed by a service: to access a service you must know its endpoint. Each endpoint URL corresponds to the access address of a service instance, and an endpoint has three access types: public, private, and admin. The public URL is accessible globally, the private URL is only accessible from the LAN, and the admin URL is separated from regular access.
1) Install the memcached cache
1.1 Install the package
yum install memcached python-memcached -y
1.2 Modify the memcached configuration (the -l flag sets the listen address)
vim /etc/sysconfig/memcached
OPTIONS="-l 10.0.0.101"
1.3 Start the service
# systemctl enable memcached.service
# systemctl start memcached.service
1.4 Run netstat -ntlp to check that the service port (11211) is listening
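A check worth adding after step 1.4: memcached has no authentication of its own, so it should listen only on the management address set in OPTIONS, never on a wildcard. The function below is an added example (not part of the original notes) that reads "netstat -ntlp" or "ss -tlnp" output on stdin and confirms that port 11211 is bound only to the expected address; the sample listener table at the bottom is constructed, with the 10.0.0.101 address taken from the notes.

```shell
# check_memcached_bind EXPECTED_ADDR   (listener table on stdin)
#   returns 0: port 11211 is bound only to EXPECTED_ADDR
#           1: bound to a wildcard (0.0.0.0 / ::) or some other address
#           2: no listener on port 11211 at all
check_memcached_bind() {
    expected="$1"
    found=0
    bad=0
    while IFS= read -r line; do
        # Both netstat -ntlp and ss -tlnp put "Local Address:Port" in column 4.
        case "$line" in
            *":11211 "*) ;;
            *) continue ;;
        esac
        found=1
        local_addr=$(printf '%s\n' "$line" | awk '{ print $4 }')
        host=${local_addr%:*}          # strip the trailing :11211
        if [ "$host" != "$expected" ]; then
            bad=1
            printf 'memcached listening on unexpected address %s\n' "$local_addr" >&2
        fi
    done
    [ "$found" -eq 1 ] || return 2
    [ "$bad" -eq 0 ]
}

# Constructed sample of "netstat -ntlp" output for a stand-alone run.
SAMPLE_NETSTAT='tcp        0      0 10.0.0.101:11211        0.0.0.0:*               LISTEN      1234/memcached
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd'

printf '%s\n' "$SAMPLE_NETSTAT" | check_memcached_bind 10.0.0.101 \
    && echo "memcached is bound to 10.0.0.101 only"
```

On a real node replace the sample with `netstat -ntlp | check_memcached_bind 10.0.0.101`; a return code of 1 means the OPTIONS line did not take effect (or a second memcached is running), and 2 means the service is not up.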
2) Install keystone
2.1 Install keystone package
yum install openstack-keystone httpd mod_wsgi -y
2.2 Modify the configuration file
vim /etc/keystone/keystone.conf
In the [database] section, configure database access:
[database]
connection = mysql+pymysql://keystone:redhat@controller/keystone
In the [token] section, configure the token provider. There are four ways to provide a token [fernet|pkiz|pki|uuid]; the default is uuid, and Fernet is used here:
[token]
provider = fernet
driver = memcache
In the [memcache] section, configure the memcache connection address and port:
[memcache]
servers = 10.0.100.101:11211
2.3 Initialize the database
su -s /bin/sh -c "keystone-manage db_sync" keystone
This automatically finds the MySQL connection in the Keystone configuration file and creates the tables in the database for us.
Why do we run the database synchronization as the keystone user?
Because synchronizing the database writes logs to the /var/log/keystone directory. If you synchronize with root privileges, the log file will belong to root, and when the service is later started as the keystone user it will not be able to read the log file (a permission problem) and a startup error will occur.
Check whether the tables were created successfully
mysql -uroot -predhat -e "use keystone; show tables;"
Tip: If no tables appear, check the error message in the log /var/log/keystone/keystone.log.
2.4 Initialize Fernet keys
Create the key repositories
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
After these commands run, the fernet-keys directory is generated under /etc/keystone, owned by the keystone user and group; it stores the keys Keystone uses.
2.5 Bootstrap the identity service
keystone-manage bootstrap --bootstrap-password redhat \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:35357/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
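Before moving on to Apache it is worth checking that the keystone.conf edits from step 2.2 landed in the right sections and that the Fernet key directory from step 2.4 is not readable by other users (anyone who can read those keys can mint valid tokens). The script below is an added example, not part of the original notes: ini_get is a small INI reader, check_keystone_conf compares the values the notes set, and check_fernet_dir inspects the key directory. The config file and key directory used by demo_keystone_checks are constructed in a temporary directory so the script runs offline, with the values copied from the notes.

```shell
# ini_get FILE SECTION KEY -> prints the value of KEY inside [SECTION] (empty if absent).
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*\[/ { in_section = ($0 ~ ("^[ \t]*\\[" section "\\][ \t]*$")); next }
        in_section && $0 !~ /^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# check_keystone_conf FILE -> 0 when the file matches what the notes set.
check_keystone_conf() {
    conf="$1"; rc=0
    provider=$(ini_get "$conf" token provider)
    [ "$provider" = "fernet" ] || { echo "[token] provider is '$provider', expected fernet" >&2; rc=1; }
    conn=$(ini_get "$conf" database connection)
    case "$conn" in
        mysql+pymysql://*@*/keystone) ;;
        *) echo "[database] connection is not a mysql+pymysql URL for the keystone DB: '$conn'" >&2; rc=1 ;;
    esac
    servers=$(ini_get "$conf" memcache servers)
    case "$servers" in
        *:11211*) ;;
        *) echo "[memcache] servers has no host:11211 entry: '$servers'" >&2; rc=1 ;;
    esac
    # debug = true is useful while troubleshooting but very verbose; warn, do not fail.
    [ "$(ini_get "$conf" DEFAULT debug)" = "true" ] \
        && echo "warning: [DEFAULT] debug = true, switch it off once troubleshooting is done" >&2
    return $rc
}

# check_fernet_dir DIR -> 0 when DIR exists, holds key file 0, and is closed to group/other.
check_fernet_dir() {
    dir="${1:-/etc/keystone/fernet-keys}"
    [ -d "$dir" ] || { echo "$dir missing: run keystone-manage fernet_setup" >&2; return 1; }
    [ -f "$dir/0" ] || { echo "$dir has no key file 0" >&2; return 1; }
    perms=$(ls -ld "$dir" | cut -c5-10)   # group and other rwx bits of the mode string
    [ "$perms" = "------" ] || { echo "$dir is accessible to group/other (bits: $perms)" >&2; return 1; }
}

# Demo on a constructed config and key directory (values copied from the notes).
demo_keystone_checks() {
    tmp=$(mktemp -d)
    cat > "$tmp/keystone.conf" <<'EOF'
[DEFAULT]
debug = false
[database]
connection = mysql+pymysql://keystone:redhat@controller/keystone
[token]
provider = fernet
driver = memcache
[memcache]
servers = 10.0.100.101:11211
EOF
    mkdir "$tmp/fernet-keys" && chmod 700 "$tmp/fernet-keys" && : > "$tmp/fernet-keys/0"
    check_keystone_conf "$tmp/keystone.conf" && check_fernet_dir "$tmp/fernet-keys"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo_keystone_checks && echo "keystone.conf and fernet-keys look correct"
```

On the controller, call `check_keystone_conf /etc/keystone/keystone.conf` and `check_fernet_dir` (which defaults to /etc/keystone/fernet-keys) directly; both print what is wrong on stderr and exit non-zero, so they drop into a post-install script without further plumbing.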
3) Apache configuration
3.1 Configure the /etc/httpd/conf/httpd.conf file and set the ServerName option to the controller node
vim /etc/httpd/conf/httpd.conf
ServerName controller
3.2 Configure the link file
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
3.3 Start Apache and enable it at boot
# systemctl enable httpd.service
# systemctl start httpd.service
3.4 Keystone troubleshooting ideas
Check the log /var/log/keystone/keystone.log for error messages.
Enable debug mode
vim /etc/keystone/keystone.conf
[DEFAULT]
debug = true
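With debug enabled the log grows quickly, and a single failure such as a wrong database password produces a long traceback. The helper below is an added example, not part of the original notes: it counts the ERROR and CRITICAL lines in /var/log/keystone/keystone.log and prints one summary line per logger, so a repeated failure is listed once with its first timestamp. It assumes the usual "DATE TIME PID LEVEL LOGGER MESSAGE" line layout; the log lines written by write_sample_log are constructed for an offline run.

```shell
# log_error_count FILE -> prints the number of ERROR/CRITICAL lines.
log_error_count() {
    awk '$4 == "ERROR" || $4 == "CRITICAL" { n++ } END { print n + 0 }' "$1"
}

# log_error_summary FILE -> one line per logger, most frequent first:
#   COUNT LOGGER FIRST_DATE FIRST_TIME FIRST_MESSAGE
# Traceback lines carry the logger of the error that raised them, so one
# failure with a 20-line traceback collapses into a single summary line.
log_error_summary() {
    awk '
        $4 == "ERROR" || $4 == "CRITICAL" {
            logger = $5
            if (!(logger in count)) {
                first[logger] = $1 " " $2
                msg = $0
                for (i = 1; i <= 5; i++) sub(/^[^ ]+ +/, "", msg)   # drop the five header fields
                text[logger] = msg
            }
            count[logger]++
        }
        END { for (l in count) print count[l], l, first[l], text[l] }' "$1" | sort -rn
}

# Constructed sample log for a stand-alone run (a failed db_sync and a missing key directory).
write_sample_log() {
    cat > "$1" <<'EOF'
2017-06-01 10:00:01.100 2201 INFO keystone.cmd.cli [-] Running db_sync
2017-06-01 10:00:02.300 2201 ERROR keystone [-] OperationalError: (pymysql.err.OperationalError) (1045, "Access denied for user 'keystone'@'controller' (using password: YES)")
2017-06-01 10:00:02.301 2201 ERROR keystone [-] Traceback (most recent call last):
2017-06-01 10:05:10.010 2310 WARNING keystone.token.providers.fernet.utils [-] key_repository is not owned by keystone
2017-06-01 10:05:11.500 2310 ERROR keystone.common.wsgi [req-1] /etc/keystone/fernet-keys/ does not exist
EOF
}

sample=$(mktemp)
write_sample_log "$sample"
echo "error lines: $(log_error_count "$sample")"
log_error_summary "$sample"
rm -f "$sample"
```

On the controller run `log_error_summary /var/log/keystone/keystone.log`; if the count is zero but the service still fails, the error is usually in the Apache log instead, since httpd fronts Keystone through mod_wsgi.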