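Contents
- 1 Prerequisites
- 2 Keystone service installation and configuration
- 2.1 1.) Install the keystone service
- 2.2 2.) Initialize the keys
- 2.3 3.) Configure the keystone service
- 2.4 4.) Sync the database
- 2.5 5.) Configure the Apache service
- 2.6 6.) Set the temporary admin token
- 2.7 7.) Create the service entity and API endpoints
- 2.8 8.) Create the domain, projects, users and roles
- 2.9 9.) Verify operation
- 2.10 10.) Create the admin environment variables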
——Prerequisites
1.) Create the database

```
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
```
——Keystone service installation and configuration
1.) Install the keystone service

```
[root@openstack ~]# yum -y install openstack-keystone python-keystoneclient httpd mod_wsgi
```
2.) Initialize the keys

```
[root@openstack ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
```
3.) Configure the keystone service

```
[root@openstack ~]# openssl rand -hex 10
3f554e582cefe3462106
[root@openstack ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
[root@openstack ~]# vim /etc/keystone/keystone.conf
```

Settings changed in /etc/keystone/keystone.conf (the provider option belongs to the [token] section):

```
[DEFAULT]
admin_token = 3f554e582cefe3462106

[database]
connection = mysql://keystone:keystone@localhost:3306/keystone

[token]
provider = fernet
```
4.) Sync the database

```
[root@openstack ~]# keystone-manage db_sync
[root@openstack ~]# mysql -ukeystone -pkeystone -e 'use keystone;show tables;'
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| mapping                |
| migrate_version        |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
```
5.) Configure the Apache service

```
[root@openstack ~]# vim /etc/httpd/conf/httpd.conf
```

Set the server name in /etc/httpd/conf/httpd.conf:

```
ServerName openstack
```

```
[root@openstack ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
```

Contents of /etc/httpd/conf.d/wsgi-keystone.conf:

```
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
```

```
[root@openstack ~]# chown -R keystone:keystone /var/log/keystone
[root@openstack ~]# systemctl enable httpd.service
[root@openstack ~]# systemctl start httpd.service
[root@openstack ~]# systemctl status httpd.service
[root@openstack keystone]# netstat -antup|grep httpd|grep LISTEN
tcp6       0      0 :::5000                 :::*                    LISTEN      4612/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      4612/httpd
tcp6       0      0 :::35357                :::*                    LISTEN      4612/httpd
```
6.) Set the temporary admin token

```
[root@openstack ~]# export OS_TOKEN=3f554e582cefe3462106
[root@openstack ~]# export OS_URL=http://192.168.100.120:35357/v3
[root@openstack ~]# export OS_IDENTITY_API_VERSION=3
```
7.) Create the service entity and API endpoints
7.1) Create the service entity for the Identity service

```
[root@openstack ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | de06d252af684090b3568cac0f65cbb8 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
```
7.2) Create the Identity service API endpoints

```
[root@openstack ~]# openstack endpoint create --region RegionOne identity public http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 9455f80c88cb4a188febacde56aaaff0 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.100.120:5000/v3   |
+--------------+----------------------------------+

[root@openstack ~]# openstack endpoint create --region RegionOne identity internal http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 24c58182056a493a801d3717ed287d07 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.100.120:5000/v3   |
+--------------+----------------------------------+

[root@openstack ~]# openstack endpoint create --region RegionOne identity admin http://192.168.100.120:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 7e71ee55d7614341837c07d4552b29f7 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.100.120:35357/v3  |
+--------------+----------------------------------+
```
8.) Create the domain, projects, users and roles
8.1) Create the default domain

```
[root@openstack ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | d68aa40d66034dc89a3b2d896e86477d |
| name        | default                          |
+-------------+----------------------------------+
```
8.2) Create an administrative project, user and role to manage the current environment
8.2.1) Create the admin project

```
[root@openstack ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 505647f0f06e408e9d176da82a6684f1 |
| enabled     | True                             |
| id          | e4f62edc6ed547109768b515be56044a |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
```
8.2.2) Create the admin user

```
[root@openstack ~]# openstack user create --domain default --password admin_passwd admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled   | True                             |
| id        | 6f4087ac3ed341b0855e7dec830cf65d |
| name      | admin                            |
+-----------+----------------------------------+
```
8.2.3) Create the admin role

```
[root@openstack ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | b3b1f608b109465bb9b96a4b0320dfdb |
| name      | admin                            |
+-----------+----------------------------------+
```
8.2.4) Add the admin role to the admin project and user

```
[root@openstack ~]# openstack role add --project admin --user admin admin
```
8.3) Create the service project

```
[root@openstack ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 505647f0f06e408e9d176da82a6684f1 |
| enabled     | True                             |
| id          | 51600729375b45b480ad7d0d7b0e8a3c |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
```
8.4) Create the demo project

```
[root@openstack ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 505647f0f06e408e9d176da82a6684f1 |
| enabled     | True                             |
| id          | a66c04b887774bca86161003fdb4a33a |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
```
8.4.1) Create the demo user

```
[root@openstack ~]# openstack user create --domain default --password demo_passwd demo
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled   | True                             |
| id        | d5b1553154e942d6b513f8c706bf374f |
| name      | demo                             |
+-----------+----------------------------------+
```
8.4.2) Create the demo role

```
[root@openstack ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 242935dcb84840fb9f127f27ffd5e765 |
| name      | user                             |
+-----------+----------------------------------+
```
8.4.3) Add the user role to the demo project and user

```
[root@openstack ~]# openstack role add --project demo --user demo user
```
9.) Verify operation

```
[root@openstack ~]# unset OS_TOKEN OS_URL
[root@openstack ~]# openstack \
  --os-auth-url http://192.168.100.120:35357/v3 \
  --os-project-domain-name default \
  --os-user-domain-name default \
  --os-project-name admin \
  --os-username admin \
  --os-password admin_passwd \
  token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                      |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-05-26T04:51:35.701908Z                                                                                                |
| id         | gAAAAABXRnLH0FzjXcBrcDEj_GGVMyFCjxH1t4SdAEJyI06vFJAV699czB03nQ-B                                                           |
|            | -wn3tzXHjYuJ1Mp5BoYNbj9B0EUsFYlZ1IyYM0EQ6coa7pHsKEVeXVhVTROVOPMmaYZspcnKMhnWwaiWq7OIOAv5YMmUDlYSqSi1ZjqDThqHAq-Z1dhUb6w    |
| project_id | e4f62edc6ed547109768b515be56044a                                                                                           |
| user_id    | 6f4087ac3ed341b0855e7dec830cf65d                                                                                           |
+------------+----------------------------------------------------------------------------------------------------------------------------+
[root@openstack ~]# openstack \
  --os-auth-url http://192.168.100.120:5000/v3 \
  --os-project-domain-name default \
  --os-user-domain-name default \
  --os-project-name admin \
  --os-username admin \
  --os-password admin_passwd \
  token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                      |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-05-26T04:53:35.489593Z                                                                                                |
| id         | gAAAAABXRnM_CMNnU2fc8gFUnM9Fj3Ooxr4RwnYG4gUXvsZQPOUVDweCGldl8f1WkB4xq0u3-uEKEBSIkC-                                        |
|            | WuBGQhRN4S8Nef7Y0FlKohIM3P3HXQnjieMVr1_ze5UovQYsCVWh8-ObQFiK0zNrKSZ0rwwl-TdOygpeUxh8QOyAyyZJeQgmuGMc                       |
| project_id | e4f62edc6ed547109768b515be56044a                                                                                           |
| user_id    | 6f4087ac3ed341b0855e7dec830cf65d                                                                                           |
+------------+----------------------------------------------------------------------------------------------------------------------------+
```
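Step 6 calls the admin token temporary and step 9 unsets OS_TOKEN on the client, but the admin_token line written to keystone.conf in step 3 is never removed on this page. The check below is an added example, not part of the original page: it flags a leftover admin_token, a database password equal to the user name (as in keystone:keystone above), a non-fernet token provider, and paste pipelines that still load the admin_token_auth filter. The sample files are constructed, and the paste pipeline layout and the filter names other than admin_token_auth are assumptions.

```shell
#!/usr/bin/env bash
# Added example: flag bootstrap leftovers from the steps on this page.
# Sample files are constructed; the paste-pipeline layout is an assumption.

# Print one finding per line for a keystone.conf-style ini file.
audit_keystone_conf() {
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*[#;]/ || !/[^ \t]/ { next }            # comments and blank lines
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    {
      i = index($0, "="); if (i == 0) next
      key = trim(substr($0, 1, i - 1)); val = trim(substr($0, i + 1))
      if (sec == "DEFAULT" && key == "admin_token" && val != "")
        print "admin_token still set in [DEFAULT]"
      if (sec == "database" && key == "connection") {
        cred = val; sub(/^[^:]*:\/\//, "", cred); sub(/@.*$/, "", cred)
        n = index(cred, ":")
        if (n > 0 && substr(cred, 1, n - 1) == substr(cred, n + 1))
          print "database password equals the user name"
      }
      if (sec == "token" && key == "provider") provider = val
    }
    END { if (provider != "fernet") print "token provider is not fernet" }
  ' "$1"
}

# Print each pipeline section of a paste ini file that loads admin_token_auth.
pipelines_with_admin_token_auth() {
  awk '
    /^\[/ { sec = $0; next }
    /^pipeline[ \t]*=/ { for (i = 1; i <= NF; i++) if ($i == "admin_token_auth") print sec }
  ' "$1"
}

demo() {
  d=$(mktemp -d)
  printf '%s\n' '[DEFAULT]' 'admin_token = 3f554e582cefe3462106' '[database]' \
    'connection = mysql://keystone:keystone@localhost:3306/keystone' \
    '[token]' 'provider = fernet' > "$d/keystone.conf"
  printf '%s\n' '[pipeline:public_api]' \
    'pipeline = sizelimit admin_token_auth token_auth public_service' \
    '[pipeline:api_v3]' 'pipeline = sizelimit token_auth service_v3' > "$d/paste.ini"
  audit_keystone_conf "$d/keystone.conf"
  pipelines_with_admin_token_auth "$d/paste.ini"
  rm -rf "$d"
}
demo
```

Both functions take a file path, so they can be pointed at the real keystone.conf and the deployment's paste ini file once the password-based `token issue` in step 9 succeeds.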
10.) Create the admin environment variables

```
[root@openstack ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_passwd
export OS_AUTH_URL=http://192.168.100.120:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```
10.1) Verify

```
[root@openstack ~]# . admin-openrc
[root@openstack ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 6f4087ac3ed341b0855e7dec830cf65d | admin |
| d5b1553154e942d6b513f8c706bf374f | demo  |
+----------------------------------+-------+
```