——Prerequisites
1.)Create the database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
——keystone service setup and configuration
1.)Install the keystone service
[root@openstack ~]# yum -y install openstack-keystone python-keystoneclient httpd mod_wsgi
2.)Initialize the Fernet keys
[root@openstack ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
3.)Configure the keystone service
[root@openstack ~]# openssl rand -hex 10
3f554e582cefe3462106
[root@openstack ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
[root@openstack ~]# vim /etc/keystone/keystone.conf
1: [DEFAULT]
13: admin_token = 3f554e582cefe3462106
526: [database]
549: connection = mysql://keystone:keystone@localhost:3306/keystone
2005: provider = fernet
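The three edits above are made by hand in vim. As an added example (not part of the original post), the script below applies the same settings with an idempotent awk-based INI editor, so the step can be re-run or automated without producing duplicate keys. The stock keystone.conf ships every option commented out ("#admin_token = <None>"), which the editor handles by appending an active line to the section. The post shows only line 2005 for provider = fernet; that option lives in the [token] section. The function names, the optional arguments, and the sample file in the usage note are this example's own.

```shell
#!/bin/sh
# Added example: idempotent edits to keystone.conf (step 3 of the post), in place
# of editing the file by hand in vim.

# set_ini_option FILE SECTION KEY VALUE
# Replaces the first active "KEY = ..." line inside [SECTION]. If the key is only
# present commented out (or absent), appends "KEY = VALUE" at the end of the
# section; creates the section if it does not exist. Re-running is a no-op.
# Note: awk -v interprets backslash escapes in VALUE (none occur in these values).
set_ini_option() {
    tmp=$(mktemp) || return 1
    awk -v sec="$2" -v key="$3" -v value="$4" '
        /^\[/ {
            # leaving the target section without having written the key: add it now
            if (in_sec && !done) { print key " = " value; done = 1 }
            in_sec = ($0 == ("[" sec "]"))
            if (in_sec) seen_sec = 1
            print; next
        }
        in_sec && !done && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            print key " = " value; done = 1; next
        }
        { print }
        END {
            if (!done) {
                if (!seen_sec) print "[" sec "]"
                print key " = " value
            }
        }' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    # write back through the existing inode so owner (root:keystone) and mode are kept
    cat "$tmp" > "$1"
    rm -f "$tmp"
}

# get_ini_option FILE SECTION KEY  -> prints the active value (nothing if unset)
get_ini_option() {
    awk -v sec="$2" -v key="$3" '
        /^\[/ { in_sec = ($0 == ("[" sec "]")); next }
        in_sec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub("^[ \t]*" key "[ \t]*=[ \t]*", ""); print; exit
        }' "$1"
}

# configure_keystone CONF [ADMIN_TOKEN] [DB_URL]
# Applies the three settings from step 3. The token defaults to a fresh random
# value exactly as in the post; the DB URL defaults to the post's local MariaDB.
configure_keystone() {
    conf=$1
    token=${2:-$(openssl rand -hex 10)}
    db_url=${3:-mysql://keystone:keystone@localhost:3306/keystone}
    cp -p "$conf" "$conf.bak"
    set_ini_option "$conf" DEFAULT  admin_token "$token" &&
    set_ini_option "$conf" database connection  "$db_url" &&
    set_ini_option "$conf" token    provider    fernet
}

# usage: sh keystone_conf.sh /etc/keystone/keystone.conf
if [ -n "${1:-}" ]; then
    configure_keystone "$1" && echo "configured $1 (backup in $1.bak)"
fi
```

admin_token is a bootstrap credential: it authenticates as full admin without a user, project or expiry, so once the password-based checks in steps 9 and 10 succeed it should be commented out again in keystone.conf (on Mitaka the admin_token_auth filter is also removed from the pipelines in /etc/keystone/keystone-paste.ini) and httpd restarted.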
4.)Sync the database
[root@openstack ~]# keystone-manage db_sync
[root@openstack ~]# mysql -ukeystone -pkeystone -e 'use keystone;show tables;'
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| mapping                |
| migrate_version        |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
5.)Configure the Apache service
[root@openstack ~]# vim /etc/httpd/conf/httpd.conf
95: ServerName openstack
[root@openstack ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
[root@openstack ~]# chown -R keystone:keystone /var/log/keystone
[root@openstack ~]# systemctl enable httpd.service
[root@openstack ~]# systemctl start httpd.service
[root@openstack ~]# systemctl status httpd.service
[root@openstack keystone]# netstat -antup|grep httpd|grep LISTEN
tcp6       0      0 :::5000                 :::*                    LISTEN      4612/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      4612/httpd
tcp6       0      0 :::35357                :::*                    LISTEN      4612/httpd
6.)Set the temporary admin token
[root@openstack ~]# export OS_TOKEN=3f554e582cefe3462106
[root@openstack ~]# export OS_URL=http://192.168.100.120:35357/v3
[root@openstack ~]# export OS_IDENTITY_API_VERSION=3
7.)Create the service entity and API endpoints
7.1)Create the service entity for the Identity service
[root@openstack ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | de06d252af684090b3568cac0f65cbb8 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
7.2)Create the Identity service API endpoints
[root@openstack ~]# openstack endpoint create --region RegionOne identity public http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 9455f80c88cb4a188febacde56aaaff0 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.100.120:5000/v3   |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne identity internal http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 24c58182056a493a801d3717ed287d07 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.100.120:5000/v3   |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne identity admin http://192.168.100.120:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 7e71ee55d7614341837c07d4552b29f7 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.100.120:35357/v3  |
+--------------+----------------------------------+
8.)Create the domain, projects, users and roles
8.1)Create the default domain
[root@openstack ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | d68aa40d66034dc89a3b2d896e86477d |
| name        | default                          |
+-------------+----------------------------------+
8.2)Create an admin project, user and role for administrative operations on this environment
8.2.1)Create the admin project
[root@openstack ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 505647f0f06e408e9d176da82a6684f1 |
| enabled     | True                             |
| id          | e4f62edc6ed547109768b515be56044a |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.2.2)Create the admin user
[root@openstack ~]# openstack user create --domain default --password admin_passwd admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled   | True                             |
| id        | 6f4087ac3ed341b0855e7dec830cf65d |
| name      | admin                            |
+-----------+----------------------------------+
8.2.3)Create the admin role
[root@openstack ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | b3b1f608b109465bb9b96a4b0320dfdb |
| name      | admin                            |
+-----------+----------------------------------+
8.2.4)Add the admin role to the admin project and user
[root@openstack ~]# openstack role add --project admin --user admin admin
8.3)Create the service project
[root@openstack ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 505647f0f06e408e9d176da82a6684f1 |
| enabled     | True                             |
| id          | 51600729375b45b480ad7d0d7b0e8a3c |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.4) Create the demo project
[root@openstack ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 505647f0f06e408e9d176da82a6684f1 |
| enabled     | True                             |
| id          | a66c04b887774bca86161003fdb4a33a |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.4.1) Create the demo user
[root@openstack ~]# openstack user create --domain default --password demo_passwd demo
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled   | True                             |
| id        | d5b1553154e942d6b513f8c706bf374f |
| name      | demo                             |
+-----------+----------------------------------+
8.4.2)Create the demo role
[root@openstack ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 242935dcb84840fb9f127f27ffd5e765 |
| name      | user                             |
+-----------+----------------------------------+
8.4.3)Add the user role to the demo project and user
[root@openstack ~]# openstack role add --project demo --user demo user
9.)Verify the operations
[root@openstack ~]# unset OS_TOKEN OS_URL
[root@openstack ~]# openstack \
  --os-auth-url http://192.168.100.120:35357/v3 \
  --os-project-domain-name default \
  --os-user-domain-name default \
  --os-project-name admin \
  --os-username admin \
  --os-password admin_passwd \
  token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                      |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-05-26T04:51:35.701908Z                                                                                                |
| id         | gAAAAABXRnLH0FzjXcBrcDEj_GGVMyFCjxH1t4SdAEJyI06vFJAV699czB03nQ-B                                                           |
|            | -wn3tzXHjYuJ1Mp5BoYNbj9B0EUsFYlZ1IyYM0EQ6coa7pHsKEVeXVhVTROVOPMmaYZspcnKMhnWwaiWq7OIOAv5YMmUDlYSqSi1ZjqDThqHAq-Z1dhUb6w   |
| project_id | e4f62edc6ed547109768b515be56044a                                                                                           |
| user_id    | 6f4087ac3ed341b0855e7dec830cf65d                                                                                           |
+------------+----------------------------------------------------------------------------------------------------------------------------+
[root@openstack ~]# openstack \
  --os-auth-url http://192.168.100.120:5000/v3 \
  --os-project-domain-name default \
  --os-user-domain-name default \
  --os-project-name admin \
  --os-username admin \
  --os-password admin_passwd \
  token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                      |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-05-26T04:53:35.489593Z                                                                                                |
| id         | gAAAAABXRnM_CMNnU2fc8gFUnM9Fj3Ooxr4RwnYG4gUXvsZQPOUVDweCGldl8f1WkB4xq0u3-uEKEBSIkC-                                        |
|            | WuBGQhRN4S8Nef7Y0FlKohIM3P3HXQnjieMVr1_ze5UovQYsCVWh8-ObQFiK0zNrKSZ0rwwl-TdOygpeUxh8QOyAyyZJeQgmuGMc                       |
| project_id | e4f62edc6ed547109768b515be56044a                                                                                           |
| user_id    | 6f4087ac3ed341b0855e7dec830cf65d                                                                                           |
+------------+----------------------------------------------------------------------------------------------------------------------------+
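The token ids above are Fernet tokens, the format selected with provider = fernet in step 3 and keyed by the repository that keystone-manage fernet_setup created in step 2 (by default /etc/keystone/fernet-keys/). Everything in the token except a 9-byte header is encrypted and HMAC-protected with those keys, so the key directory is worth exactly as much as every token it has ever issued. The header, however, is readable by anyone holding the token: a version byte 0x80 followed by the issue time as a 64-bit big-endian Unix timestamp. The script below, an added example that is not part of the original post, decodes that header with nothing but base64 and od; the function names are this example's own. Run on the two ids above it gives 2016-05-26T03:51:35Z and 03:53:35Z, each exactly 3600 seconds before the "expires" value printed with it, which is the default [token] expiration.

```shell
#!/bin/sh
# Added example: read the unencrypted header of a Keystone Fernet token id as
# printed by "openstack token issue". Fernet layout: 1 byte version (0x80),
# 8 byte big-endian seconds since epoch, 16 byte IV, ciphertext, 32 byte HMAC.
# Only the first 12 base64url characters (= 9 bytes) are needed here.

# fernet_issued_at TOKEN  -> prints the issue time as a Unix epoch, or fails
fernet_issued_at() {
    # base64url -> base64; 12 characters decode to exactly 9 bytes, no padding needed
    head=$(printf '%s' "$1" | cut -c1-12 | tr '_-' '/+')
    hex=$(printf '%s' "$head" | base64 -d 2>/dev/null | od -An -tx1 -v | tr -d ' \n')
    [ "${#hex}" -eq 18 ] || { echo "token too short or not base64url" >&2; return 1; }
    case $hex in
        80*) ;;
        *) echo "version byte 0x${hex%????????????????} is not 0x80: not a Fernet token" >&2
           return 1 ;;
    esac
    # drop the version byte, convert the remaining 16 hex digits
    echo $((0x${hex#80}))
}

# fernet_age TOKEN NOW_EPOCH  -> seconds elapsed since the token was minted
fernet_age() {
    issued=$(fernet_issued_at "$1") || return 1
    echo $(( $2 - issued ))
}

# usage: sh fernet_header.sh <token id>      (GNU date: date -u -d @"$epoch")
if [ -n "${1:-}" ]; then
    ts=$(fernet_issued_at "$1") && echo "issued at epoch $ts ($(fernet_age "$1" "$(date +%s)") seconds ago)"
fi
```

This is useful when triaging access logs: a token seen in a request long after issue + expiration was either replayed from a capture or minted with a different clock, and neither should happen on a healthy deployment.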
10.)Create the admin environment variables
[root@openstack ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_passwd
export OS_AUTH_URL=http://192.168.100.120:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
10.1)Verify
[root@openstack ~]# . admin-openrc
[root@openstack ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 6f4087ac3ed341b0855e7dec830cf65d | admin |
| d5b1553154e942d6b513f8c706bf374f | demo  |
+----------------------------------+-------+
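The admin-openrc written in step 10 keeps the cloud admin password in clear text in root's home directory, created with whatever mode the umask gives (commonly 0644). As an added example that is not part of the original post, the script below writes an equivalent openrc that prompts for the password when sourced instead of storing it, and an audit function that flags openrc files which either store OS_PASSWORD or are readable by group or others. The file names, the function names and the sample file in the check are this example's own; the variables and values are the post's.

```shell
#!/bin/sh
# Added example: a password-less admin-openrc (step 10 of the post) and an audit
# for existing openrc files.

# write_openrc FILE AUTH_URL
# Same variables as the post's admin-openrc, but OS_PASSWORD is read from the
# terminal the first time the file is sourced in a shell, and the file is 0600.
write_openrc() {
    ( umask 077; cat > "$1" <<EOF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_AUTH_URL=$2
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# prompt once per shell instead of storing the password in this file
if [ -z "\${OS_PASSWORD:-}" ] && [ -t 0 ]; then
    printf 'OpenStack password for %s: ' "\$OS_USERNAME"
    stty -echo; read -r OS_PASSWORD; stty echo; echo
    export OS_PASSWORD
fi
EOF
    )
}

# audit_openrc FILE  -> 0 if the file neither stores a password nor is readable
# by group/others; otherwise prints each finding on stderr and returns 1
audit_openrc() {
    rc=0
    if grep -Eq '^[[:space:]]*(export[[:space:]]+)?OS_PASSWORD=.+' "$1"; then
        echo "$1: OS_PASSWORD is stored in clear text" >&2; rc=1
    fi
    # -perm -040 / -004: group-read or other-read bit set (POSIX find)
    if [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print)" ]; then
        echo "$1: readable by group or others" >&2; rc=1
    fi
    return $rc
}

# usage: sh openrc_audit.sh ~/admin-openrc ~/demo-openrc
for f in "$@"; do
    audit_openrc "$f" && echo "$f: ok"
done
```

The same audit applies to the demo user's openrc and to any openrc copied onto operators' workstations; a stored OS_PASSWORD in a world-readable file is an admin credential for every service that trusts this Keystone.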