OpenStack Train版-2.安装keystone身份认证服务

安装 keystone 认证

mysql -uroot
create database keystone;
grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'KEYSTONE_DBPASS';
grant all privileges on keystone.* to 'keystone'@'%' identified by 'KEYSTONE_DBPASS';
flush privileges;

yum install openstack-keystone httpd mod_wsgi -y
cp /etc/keystone/keystone.conf{,.bak}
egrep -v '^$|^#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf

openstack-utils能够让openstack安装更加简单，直接在命令行修改配置文件

yum install -y openstack-utils -y
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet

#填充keystone数据库
su -s /bin/sh -c "keystone-manage db_sync" keystone
mysql keystone -e 'show tables'

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne

mysql keystone -e 'select * from role'

配置Apache HTTP服务器

#一定记得关闭selinux setenforce 0

echo "ServerName controller" >> /etc/httpd/conf/httpd.conf
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
systemctl restart httpd.service
systemctl enable httpd.service

为admin用户添加环境变量，目的是可以提高客户端操作的效率,省去不必要的输入

#官方文档将admin用户和demo租户的变量写入到了家目录下,本文中创建的租户为mysuer

cat >> ~/admin-openrc << EOF
#admin-openrc
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
source ~/admin-openrc

创建域，项目，用户和角色

#创建新域的方法
openstack domain create --description "An Example Domain" example

#创建service 项目
openstack project create --domain default --description "Service Project" service

#创建myproject项目
openstack project create --domain default --description "Demo Project" myproject

#创建myuser用户,需要输入新用户的密码(--password-prompt为交互式,--password+密码为非交互式)
openstack user create --domain default --password MYUSER_PASSWORD myuser

#创建user角色
openstack role create user

#查看角色
openstack role list

#将user角色添加到myproject项目和myuser用户
openstack role add --project myproject --user myuser user

#验证keystone
unset OS_AUTH_URL OS_PASSWORD

以admin用户身份请求身份验证令牌,使用admin用户密码ADMIN_PASS

openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue

为创建的myuser用户，请请求认证令牌, 使用myuser用户密码MYUSER_PASSWORD

openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name myproject --os-username myuser token issue

为myuser用户也添加一个环境变量文件,密码为myuser用户的密码,

cat >> ~/myuser-openrc << EOF
#myuser-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=MYUSER_PASSWORD
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF

#需要用到此用户的时候source生效一下

官方文档中创建了demo用户，也添加一个环境变量文件

cat >> ~/demo-openrc << EOF
#demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF

请求身份验证令牌

openstack token issue