OpenStack Kilo keystone deployment

Deployed on the controller node

Configure the database

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'127.0.0.1' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges ;
Query OK, 0 rows affected (0.00 sec)

Install keystone

Keystone listens on ports 5000 and 35357. Because the Apache HTTP server will be configured to serve both ports, disable the standalone keystone service from starting at boot to avoid a port conflict:

root@controller:~# echo "manual" > /etc/init/keystone.override

Install keystone and related packages:

root@controller:~# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache

Generate an admin token:

root@controller:~# openssl rand -hex 10
38b35fc6a494b91f56cc

Configure keystone

Configuration file: /etc/keystone/keystone.conf

root@controller:~# vi /etc/keystone/keystone.conf
# [DEFAULT] section: configure the initial admin_token
[DEFAULT]
verbose = True
admin_token = 38b35fc6a494b91f56cc

# [database] section: configure the database connection
[database]
connection = mysql://keystone:keystone@controller/keystone

# [memcache] section: configure the memcache service
[memcache]
servers = 127.0.0.1:11211

# [revoke] section: configure the SQL revocation driver
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke

# [token] section: configure the UUID token provider and the token persistence driver
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token

Initialize the keystone database:

root@controller:~# su -s /bin/sh -c "keystone-manage db_sync" keystone

Configure Apache2 for keystone

Add to apache2.conf:

root@controller:~# vi /etc/apache2/apache2.conf
ServerName controller

Create the file /etc/apache2/sites-available/wsgi-keystone.conf with the following content:

Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>

Enable the Identity service virtual hosts:

root@controller:~# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled

Create the directory structure for the WSGI components:

root@controller:~# mkdir -p /var/www/cgi-bin/keystone

Create the WSGI components:

root@controller:~# vi /var/www/cgi-bin/keystone/admin
import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)

root@controller:~# vi /var/www/cgi-bin/keystone/main
import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)

Set the directory permissions and restart apache2:

root@controller:~# chown -R keystone:keystone /var/www/cgi-bin/keystone
root@controller:~# chmod 755 /var/www/cgi-bin/keystone/*
root@controller:~# service apache2 restart
 * Restarting web server apache2    [ OK ]

Delete the SQLite database that the Ubuntu package creates by default:

root@controller:~# rm -f /var/lib/keystone/keystone.db

Configure the service entity and API endpoint

Set temporary environment variables for the admin token and the admin endpoint URL (replace ADMIN_TOKEN with the token generated above):

root@controller:~# export OS_TOKEN=ADMIN_TOKEN
root@controller:~# export OS_URL=http://controller:35357/v2.0

Create the service entity for the Identity service:

root@controller:~# openstack service create --name keystone --description "OpenStack Identity" identity

Create the Identity service API endpoint:

root@controller:~# openstack endpoint create --publicurl http://controller:5000/v2.0 --internalurl http://controller:5000/v2.0 --adminurl http://controller:35357/v2.0 --region RegionOne identity

Create projects (tenants), users and roles

Create the admin project:

root@controller:~# openstack project create --description "Admin Project" admin

Create the admin user:

root@controller:~# openstack user create --password-prompt admin
User Password:admin
Repeat User Password:admin

Create the admin role:

root@controller:~# openstack role create admin

Add the admin role to the admin project and user:

root@controller:~# openstack role add --project admin --user admin admin

Create the service project

Create a service project for the other OpenStack services:

root@controller:~# openstack project create --description "Service Project" service

Create a regular project and user

Create the demo project:

root@controller:~# openstack project create --description "Demo Project" demo

Create the demo user:

root@controller:~# openstack user create --password-prompt demo
User Password:demo
Repeat User Password:demo

Create the user role:

root@controller:~# openstack role create user

Add the user role to the demo project and user:

root@controller:~# openstack role add --project demo --user demo user

Other

For security reasons, disable the temporary admin token authentication mechanism:

  1. Edit /etc/keystone/keystone-paste.ini with vi and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.

  2. Unset the temporary environment variables:
root@controller:~# unset OS_TOKEN OS_URL

  3. Create the admin client script /root/admin-openrc.sh:
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://$(hostname):35357/v3
export OS_IMAGE_API_VERSION=2
export OS_VOLUME_API_VERSION=2
export OS_REGION_NAME=RegionOne
export OS_COMPUTE_API_VERSION=3
export OS_IDENTITY_API_VERSION=2
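As an added check (not part of the original post), the script below verifies that step 1 of the hardening was really applied: it parses the three pipeline sections of keystone-paste.ini and reports any that still carry admin_token_auth. The sample file contents are constructed here for demonstration; on a real controller point the function at /etc/keystone/keystone-paste.ini.

```shell
#!/bin/sh
# Added example: confirm admin_token_auth is gone from the keystone pipelines.
# Assumes the Kilo keystone-paste.ini layout: a "[pipeline:NAME]" header
# followed by a "pipeline = filter filter ... app" line.

# Print the "pipeline =" value of the named INI section. Usage: pipeline_of FILE SECTION
pipeline_of() {
    awk -v want="[$2]" '
        /^\[/ { insec = ($0 == want); next }
        insec && $1 == "pipeline" { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Return 0 if none of the three pipelines still list admin_token_auth,
# 1 otherwise (naming the offending sections on stdout).
check_admin_token_removed() {
    file="$1"; rc=0
    for sec in pipeline:public_api pipeline:admin_api pipeline:api_v3; do
        case " $(pipeline_of "$file" "$sec") " in
            *" admin_token_auth "*) echo "$sec still contains admin_token_auth"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files: the shipped pipelines, and the same file after the edit.
BEFORE=$(mktemp); AFTER=$(mktemp)
trap 'rm -f "$BEFORE" "$AFTER"' EXIT
cat > "$BEFORE" <<'EOF'
[pipeline:public_api]
# comment lines inside a section are ignored by pipeline_of
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension service_v3
EOF
sed 's/ admin_token_auth//' "$BEFORE" > "$AFTER"

check_admin_token_removed "$BEFORE" || echo "before: hardening not applied"
check_admin_token_removed "$AFTER" && echo "after: admin_token_auth removed from all pipelines"
```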

Source: www.cnblogs.com/wshenjin/p/11365916.html