第四节 先电云openstack手动搭建keystone认证服务
--------controller节点-------------------
1.安装Keystone服务软件包
#yum install -y openstack-keystone httpd mod_wsgi
2.创建Keystone数据库
# mysql -u root -p000000
------------创建数据库---------------
CREATE DATABASE keystone;
-------------设置授权用户和密码---------------------
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '000000';
-----------’%'表示从任何地址连接 --------------------
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';
exit;
3.配置数据库连接
#vi /etc/keystone/keystone.conf
在 [database]节点下添加:
connection = mysql+pymysql://keystone:000000@controller/keystone
在[token]下修改
provider = uuid
为:
provider =fernet
初始化身份认证服务的数据库:
#su -s /bin/sh -c "keystone-manage db_sync" keystone
4.创建令牌
--------------生成admin_token的随机值(保存下这个值,后面会用到)----------------
#openssl rand -hex 10
复制产生的随机数保存在记事本上后面用!!!(我的是4f4ab0f57fa3f4c7f9f9)
#vi /etc/keystone/keystone.conf
修改[DEFAULT]节点下的:admin_token={随机数}
5.创建签名密钥和证书
(1)初始化keys
#keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
(2)配置apache:
#vi /etc/httpd/conf/httpd.conf
将ServerName www.example.com:80
改为:ServerName controller
(3)生成wsgi配置文件:
#vi /etc/httpd/conf.d/wsgi-keystone.conf加入:
Listen 5000
Listen 35357
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
Require all granted
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
Require all granted
保存后,启动httpd
#systemctl enable httpd.service
#systemctl start httpd.service
6.创建服务实体和API端点
(1)设置环境变量
#export OS_TOKEN=4f4ab0f57fa3f4c7f9f9
#export OS_URL=http://controller:35357/v3
#export OS_IDENTITY_API_VERSION=3
(2)创建keystone的service:
#openstack service create --name keystone --description "OpenStack Identity" identity
(3)创建keystone的endpoint:
#openstack endpoint create --region RegionOne identity public http://controller:5000/v3
#openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
#openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
6-2
1.创建域、项目、用户和角色
(1)创建默认域default:
#openstack domain create --description "Default Domain" default
(2)创建admin的租户:
#openstack project create --domain default --description "Admin Project" admin
(3)创建admin用户:
#openstack user create --domain default --password 000000 admin
(4)创建admin角色:
#openstack role create admin
(5)将用户租户角色连接起来
#openstack role add --project admin --user admin admin
(6)创建服务目录
#openstack project create --domain default --description "Service Project" service
(7)创建demo信息类似admin
#openstack project create --domain default --description "Demo Project" demo
#openstack user create --domain default --password 000000 demo
#openstack role create user
#openstack role add --project demo --user demo user
2.清除环境变量
#unset OS_TOKEN OS_URL
3.验证
(1)作为 admin 用户,请求认证令牌:
#openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
输入密码之后,有正确的输出即为配置正确。
(2)作为demo 用户,请求认证令牌:
#openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
4.创建admin环境变量admin-openrc.sh
#vi admin-openrc.sh
在里面添加以下内容:
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
5.生效环境变量
#source admin-openrc.sh
6.验证输入命令:
#openstack token issue
环境变量命令:
#source admin-openrc.sh
再输入验证命令
有任何疑问或建议欢迎留言讨论,下一节进行Glance镜像服务的安装欢迎访问,点击传送。