第四节 先电云openstack手动搭建keystone认证服务

--------controller节点-------------------
1.安装Keystone服务软件包

#yum install -y openstack-keystone httpd mod_wsgi

2.创建Keystone数据库

# mysql -u root -p000000

------------创建数据库---------------

CREATE DATABASE keystone;
-------------设置授权用户和密码---------------------
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '000000';
-----------’%'表示从任何地址连接 --------------------
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';
exit;
3.配置数据库连接
#vi /etc/keystone/keystone.conf
在 [database]节点下添加:

connection = mysql+pymysql://keystone:000000@controller/keystone

在[token]下修改

provider = uuid

为:

provider =fernet

初始化身份认证服务的数据库:

#su -s /bin/sh -c "keystone-manage db_sync" keystone

4.创建令牌
--------------生成admin_token的随机值(保存下这个值,后面会用到)----------------

#openssl rand -hex 10

复制产生的随机数保存在记事本上后面用!!!(我的是4f4ab0f57fa3f4c7f9f9)

#vi /etc/keystone/keystone.conf

修改[DEFAULT]节点下的:admin_token={随机数}
5.创建签名密钥和证书
(1)初始化keys

#keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

(2)配置apache:

#vi  /etc/httpd/conf/httpd.conf

将ServerName www.example.com:80
改为:ServerName controller
(3)生成wsgi配置文件:
#vi /etc/httpd/conf.d/wsgi-keystone.conf加入:
Listen 5000
Listen 35357


    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
 
    
        Require all granted
    

 

    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
 
    
        Require all granted
    


保存后,启动httpd
#systemctl enable httpd.service
#systemctl start httpd.service

6.创建服务实体和API端点
(1)设置环境变量

#export OS_TOKEN=4f4ab0f57fa3f4c7f9f9
#export OS_URL=http://controller:35357/v3
#export OS_IDENTITY_API_VERSION=3

(2)创建keystone的service:

#openstack service create --name keystone --description "OpenStack Identity" identity

(3)创建keystone的endpoint:

#openstack endpoint create --region RegionOne identity public http://controller:5000/v3

#openstack endpoint create --region RegionOne identity internal http://controller:5000/v3

#openstack endpoint create --region RegionOne identity admin http://controller:35357/v3

6-2
1.创建域、项目、用户和角色
(1)创建默认域default:

#openstack domain create --description "Default Domain" default

(2)创建admin的租户:

#openstack project create --domain default --description "Admin Project" admin

(3)创建admin用户:

#openstack user create --domain default --password 000000 admin

(4)创建admin角色:

#openstack role create admin

(5)将用户租户角色连接起来

#openstack role add --project admin --user admin admin

(6)创建服务目录

#openstack project create --domain default --description "Service Project" service

(7)创建demo信息类似admin

#openstack project create --domain default --description "Demo Project" demo
#openstack user create --domain default --password 000000 demo
#openstack role create user
#openstack role add --project demo --user demo user

2.清除环境变量

#unset OS_TOKEN OS_URL

3.验证
(1)作为 admin 用户,请求认证令牌:

#openstack --os-auth-url http://controller:35357/v3   --os-project-domain-name default --os-user-domain-name default  --os-project-name admin --os-username admin token issue

输入密码之后,有正确的输出即为配置正确。
(2)作为demo 用户,请求认证令牌:

#openstack --os-auth-url http://controller:5000/v3   --os-project-domain-name default --os-user-domain-name default  --os-project-name demo --os-username demo token issue

4.创建admin环境变量admin-openrc.sh

#vi admin-openrc.sh

在里面添加以下内容:

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

5.生效环境变量

#source admin-openrc.sh

6.验证输入命令:

#openstack token issue

环境变量命令:

#source admin-openrc.sh

再输入验证命令
有任何疑问或建议欢迎留言讨论,下一节进行Glance镜像服务的安装欢迎访问,点击传送。

你可能感兴趣的:(openstack)