Deployed on the controller node
Configure the database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'127.0.0.1' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 se
MariaDB [(none)]> flush privileges ;
Query OK, 0 rows affected (0.00 sec)
Install keystone
The Keystone service listens on ports 5000 and 35357. Configure the Apache HTTP Server to listen on both ports and, to avoid port conflicts, prevent the keystone service from starting on its own at boot:
root@controller:~# echo "manual" > /etc/init/keystone.override
Install keystone and related packages:
root@controller:~# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
Generate an admin token:
root@controller:~# openssl rand -hex 10
38b35fc6a494b91f56cc
Configure keystone
Configuration file: /etc/keystone/keystone.conf
root@controller:~# vi /etc/keystone/keystone.conf
# [DEFAULT] section: configure the initial admin_token
[DEFAULT]
verbose = True
admin_token = 38b35fc6a494b91f56cc
# [database] section: configure the database connection
[database]
connection = mysql://keystone:keystone@controller/keystone
# [memcache] section: configure the memcache service
[memcache]
servers = 127.0.0.1:11211
# [revoke] section: configure the SQL revocation driver
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
# [token] section: configure the UUID token provider and the token persistence driver (SQL backend)
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token
Initialize the keystone database:
root@controller:~# su -s /bin/sh -c "keystone-manage db_sync" keystone
Configure apache2 for the keystone interface
Add to apache2.conf:
root@controller:~# vi /etc/apache2/apache2.conf
ServerName controller
Create the file /etc/apache2/sites-available/wsgi-keystone.conf and add the following:
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /var/www/cgi-bin/keystone/main
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
LogLevel info
ErrorLog /var/log/apache2/keystone-error.log
CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
Enable the Identity service virtual hosts:
root@controller:~# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
Create the directory structure for the WSGI components:
root@controller:~# mkdir -p /var/www/cgi-bin/keystone
Create the WSGI components:
root@controller:~# vi /var/www/cgi-bin/keystone/admin
import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)
root@controller:~# vi /var/www/cgi-bin/keystone/main
import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)
Set directory permissions, and restart apache2:
root@controller:~# chown -R keystone:keystone /var/www/cgi-bin/keystone
root@controller:~# chmod 755 /var/www/cgi-bin/keystone/*
root@controller:~# service apache2 restart
* Restarting web server apache2 [ OK ]
Delete the default SQLite database created by the Ubuntu package:
root@controller:~# rm -f /var/lib/keystone/keystone.db
Configure the service entity and API endpoint
Set temporary environment variables (replace ADMIN_TOKEN with the admin_token generated above) and the admin endpoint URL:
root@controller:~# export OS_TOKEN=ADMIN_TOKEN
root@controller:~# export OS_URL=http://controller:35357/v2.0
Create the service entity for the Identity service:
root@controller:~# openstack service create --name keystone --description "OpenStack Identity" identity
Configure the Identity service API endpoint:
root@controller:~# openstack endpoint create --publicurl http://controller:5000/v2.0 --internalurl http://controller:5000/v2.0 --adminurl http://controller:35357/v2.0 --region RegionOne identity
Create projects (tenants), users and roles
Create the admin project (tenant):
root@controller:~# openstack project create --description "Admin Project" admin
Create the admin user:
root@controller:~# openstack user create --password-prompt admin
User Password:admin
Repeat User Password:admin
Create the admin role:
root@controller:~# openstack role create admin
Add the admin role to the admin project and user:
root@controller:~# openstack role add --project admin --user admin admin
Create the service project
Create a service project for the other OpenStack services:
root@controller:~# openstack project create --description "Service Project" service
Create a regular project and user
Create the demo project:
root@controller:~# openstack project create --description "Demo Project" demo
Create the demo user:
root@controller:~# openstack user create --password-prompt demo
User Password:demo
Repeat User Password:demo
Create the user role:
root@controller:~# openstack role create user
Add the user role to the demo project and user:
root@controller:~# openstack role add --project demo --user demo user
other
For security reasons, disable the temporary admin token authentication mechanism:
- Edit /etc/keystone/keystone-paste.ini:
Remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections
- Unset the temporary environment variables:
root@controller:~# unset OS_TOKEN OS_URL
- Admin client environment script, /root/admin-openrc.sh:
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://$(hostname):35357/v3
export OS_IMAGE_API_VERSION=2
export OS_VOLUME_API_VERSION=2
export OS_REGION_NAME=RegionOne
export OS_COMPUTE_API_VERSION=3
# the v3 OS_AUTH_URL above requires the v3 Identity API in the client
export OS_IDENTITY_API_VERSION=3
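The keystone-paste.ini step above is easy to get half-done by hand (one pipeline edited, another missed). The following is an added example, not part of the original guide or of Keystone itself: it audits a paste.ini text for the bootstrap-only admin_token_auth filter in the three API pipelines and rewrites only those `pipeline =` lines. The INI content is a constructed, shortened stand-in for the real file.

```python
import re

# The three API pipelines named in the guide that must no longer carry
# the bootstrap-only admin_token_auth filter.
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")

# Constructed, shortened stand-in for /etc/keystone/keystone-paste.ini.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body service_v3
"""

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def strip_admin_token_auth(ini_text):
    """Return (new_text, changed_sections). Only the `pipeline =` lines of the
    three API pipeline sections are rewritten; comments, ordering and every
    other section (including [filter:admin_token_auth]) are kept as-is."""
    out, changed, section = [], [], None
    for line in ini_text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
        elif section in PIPELINES and line.lstrip().startswith("pipeline"):
            key, sep, value = line.partition("=")
            filters = value.split()
            if "admin_token_auth" in filters:
                filters = [f for f in filters if f != "admin_token_auth"]
                line = f"{key}{sep} {' '.join(filters)}\n"
                changed.append(section)
        out.append(line)
    return "".join(out), changed


def find_admin_token_auth(ini_text):
    """Audit helper: API pipelines that still enable admin_token_auth."""
    return strip_admin_token_auth(ini_text)[1]
```

Run find_admin_token_auth over the real file after the edit; an empty result means all three pipelines are clean, and a second run of strip_admin_token_auth on already-clean text changes nothing.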