3.安装OpenStack-keystone

安装keystone（控制器上安装）

使用root用户访问数据库

mysql -uroot -ptoyo123
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
  IDENTIFIED BY 'toyo123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
  IDENTIFIED BY 'toyo123';
exit

生成令牌 后面会用到的需要记住

openssl rand -hex 

4f0f715c2cdcce1bb59e

安装keystone程序包

yum install –y openstack-keystone python-keystoneclient

启动memcached服务并将其配置为开机自启动

systemctl enable memcached.service
systemctl start memcached.service

编辑/etc/keystone/keystone.conf文件

mv /etc/keystone/keystone.conf /etc/keystone/keystone.conf_bak
vim /etc/keystone/keystone.conf

[DEFAULT]

admin_token     = 4f0f715c2cdcce1bb59e

log_dir = /var/log/keystone

verbose = True

[database]

connection = mysql://keystone:toyo123@controller/keystone

[memcache]

servers = localhost:

[token]

provider = keystone.token.providers.uuid.Provider

driver =     keystone.token.persistence.backends.sql.Token

[revoke]

driver = keystone.contrib.revoke.backends.sql.Revoke

创建通用的证书和密钥，并限制访问相关的文件与填充身份服务数据库

keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /var/log/keystone
chown -R keystone:keystone /etc/keystone/ssl
chmod -R o-rwx /etc/keystone/ssl
su -s /bin/sh -c "keystone-manage db_sync" keystone

启动身份服务并将其配置为开机自启动

systemctl enable openstack-keystone.service
systemctl start openstack-keystone.service

我建议您使用 cron的配置周期性任务是清除过期令牌小时：

(crontab -l -u keystone >& | grep -q token_flush) || \
  echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' \
  >> /var/spool/cron/keystone

配置系统环境

export OS_SERVICE_TOKEN=4f0f715c2cdcce1bb59e
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

创建租户，用户和角色

keystone tenant-create --name admin --description "Admin Tenant"
keystone user-create --name admin --pass Abcd1234 --email test@test.com
keystone role-create --name admin
keystone user-role-add --user admin --tenant admin --role admin

创建演示租户和用户环境与服务租户

keystone tenant-create --name demo --description "Demo Tenant"
keystone user-create --name demo --tenant demo --pass Abcd1234 --email test@test.com
keystone user-role-add --user demo -—tenant demo --role demo
keystone tenant-create --name service --description "Service Tenant"

创建服务实体和API端点

keystone service-create --name keystone --type identity \
  --description "OpenStack Identity"
keystone endpoint-create \
  --service-id $(keystone service-list | awk '/ identity / {print $2}') \
  --publicurl http://controller:5000/v2.0 \
  --internalurl http://controller:5000/v2.0 \
  --adminurl http://controller:35357/v2.0 \
  --region regionOne

取消设置临时的临时OS_SERVICE_TOKEN和 OS_SERVICE_ENDPOINT环境变量：

不要取消环境变量可能会造成一些问题,这里只是告诉大家怎么取消

unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT

验证keystone：

keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 \
  --os-auth-url http://controller:35357/v2.0 token-get
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 \
  --os-auth-url http://controller:35357/v2.0 tenant-list
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 \
  --os-auth-url http://controller:35357/v2.0 user-list
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 \
  --os-auth-url http://controller:35357/v2.0 role-list
keystone --os-tenant-name demo --os-username demo --os-password Abcd1234 \
  --os-auth-url http://controller:35357/v2.0 token-get
keystone --os-tenant-name demo --os-username demo --os-password Abcd1234 \
  --os-auth-url http://controller:35357/v2.0 user-list