Installing the keystone identity service on OpenStack Train

1. Create the keystone database and grant privileges

    mysql -uroot 
    CREATE DATABASE keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_ZHL';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_ZHL';

2. Install the keystone packages

[root@controller ~]# yum install openstack-keystone httpd mod_wsgi

3. Edit the configuration file

    cp -a /etc/keystone/keystone.conf{,.bak}
    grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
 
[root@controller ~]# yum install -y openstack-utils
 
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection  mysql+pymysql://keystone:KEYSTONE_ZHL@controller/keystone
 
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider  fernet

4. Populate the database

[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
 
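Initialize the Fernet key repositories
This is a new feature in recent OpenStack releases. In Train, keystone no longer uses a simple string as a temporary token; the --keystone-user and --keystone-group options below name the operating-system user and group that run keystone. Keystone also no longer puts the service endpoints for admin users and regular users on different ports, 5000 and 35357: only port 5000 is used and port 35357 is no longer used.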
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
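
An added check, not part of the original post or of keystone itself: it audits a key repository such as the ones the two commands above create, flagging wrong ownership, group/other permission bits and stray files. `audit_key_repo` and `build_sample_repo` are names made up for this example, and the sample repository is constructed in a temporary directory.

```python
import os
import stat
import tempfile

LOOSE = stat.S_IRWXG | stat.S_IRWXO  # any group/other permission bit


def audit_key_repo(path, owner_uid):
    """Return findings for a keystone key repository (Fernet or credential)."""
    findings = []
    st = os.stat(path)
    if st.st_uid != owner_uid:
        findings.append(f"{path}: owner uid {st.st_uid}, expected {owner_uid}")
    if st.st_mode & LOOSE:
        findings.append(f"{path}: mode {stat.S_IMODE(st.st_mode):o} is open to group/other")
    names = os.listdir(path)
    for name in sorted(names):
        full = os.path.join(path, name)
        fst = os.lstat(full)
        # Key files are regular files named by integer index (0 is the staged key).
        if not (name.isdigit() and stat.S_ISREG(fst.st_mode)):
            findings.append(f"{full}: not an integer-named regular key file")
            continue
        if fst.st_uid != owner_uid:
            findings.append(f"{full}: owner uid {fst.st_uid}, expected {owner_uid}")
        if fst.st_mode & LOOSE:
            findings.append(f"{full}: mode {stat.S_IMODE(fst.st_mode):o} is open to group/other")
    if "0" not in names:
        findings.append(f"{path}: staged key 0 is missing")
    return findings


def build_sample_repo(root):
    """Constructed sample: key 0 is fine, key 1 is world-readable, 1.bak is a stray copy."""
    repo = os.path.join(root, "fernet-keys")
    os.mkdir(repo)
    os.chmod(repo, 0o700)
    for name, mode in (("0", 0o600), ("1", 0o644), ("1.bak", 0o600)):
        full = os.path.join(repo, name)
        with open(full, "w") as fh:
            fh.write("constructed-placeholder-not-a-real-key\n")
        os.chmod(full, mode)
    return repo


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_key_repo(build_sample_repo(tmp), os.getuid()):
            print(finding)
```

On the controller, call it as `audit_key_repo("/etc/keystone/fernet-keys", pwd.getpwnam("keystone").pw_uid)` and again for `/etc/keystone/credential-keys`; these are keystone's default key repository paths, which this page does not change.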
 
[root@controller ~]# keystone-manage bootstrap --bootstrap-password ADMIN_ZHL \
    --bootstrap-admin-url http://controller:5000/v3/ \
    --bootstrap-internal-url http://controller:5000/v3/ \
    --bootstrap-public-url http://controller:5000/v3/ \
    --bootstrap-region-id RegionOne

5. Edit the Apache configuration

[root@controller ~]# echo "ServerName controller" >> /etc/httpd/conf/httpd.conf
 
Create a symlink to the WSGI configuration file
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
 
Start Apache and enable it at boot
[root@controller ~]# systemctl enable httpd.service
[root@controller ~]# systemctl start httpd.service

6. Set up the environment variables

[root@controller ~]# cat >> ~/.bashrc << EOF
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_ZHL
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
EOF
 
[root@controller ~]# source ~/.bashrc 
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-03-23T02:38:25+0000                                                                                                                                                                |
| id         | gAAAAABeeBMR_SDxODtJdG7FtmbU2JVg_gOrBjQztTiwlvefuI5ctPtA-I90p3yjvGqhiKBtnDcRPuNx__M3Rnpqna_YSGp4CvjzK6HycI5cdKf5UQ_Z8XoctSc7ZSJFR1AcTtFEbU_zFXdasBddiF2MHt1p7UpVzx2scwjO0tHtSbscDJH-iWg |
| project_id | 4f6a8c97a0a8474b862315415ebfb16d                                                                                                                                                        |
| user_id    | 79b5b58714d147d8a76945c7cfc8d3a2                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
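
An added example, not from the original post: the `id` above is a Fernet token, and its envelope can be read without any key, which shows what the `fernet` provider set in step 3 leaves in cleartext and what it protects. The token and expiry are copied from the output above; the field layout follows the public Fernet specification, and `parse_fernet_envelope` and `token_lifetime` are names made up here.

```python
import base64
import struct
from datetime import datetime, timezone

# Token id and expiry copied from the `openstack token issue` output on this page.
PAGE_TOKEN = (
    "gAAAAABeeBMR_SDxODtJdG7FtmbU2JVg_gOrBjQztTiwlvefuI5ctPtA-I90"
    "p3yjvGqhiKBtnDcRPuNx__M3Rnpqna_YSGp4CvjzK6HycI5cdKf5UQ_Z8Xoc"
    "tSc7ZSJFR1AcTtFEbU_zFXdasBddiF2MHt1p7UpVzx2scwjO0tHtSbscDJH-iWg"
)
PAGE_EXPIRES = "2020-03-23T02:38:25+0000"


def parse_fernet_envelope(token):
    """Split a Fernet token into its fields; no key is needed for this step."""
    # keystone strips the trailing '=' padding, so restore it before decoding
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    # 1 version byte + 8 timestamp + 16 IV + n*16 ciphertext + 32 HMAC
    if len(raw) < 73 or raw[0] != 0x80 or (len(raw) - 57) % 16:
        raise ValueError("not a Fernet token")
    (issued,) = struct.unpack(">Q", raw[1:9])
    return {
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),  # cleartext
        "iv": raw[9:25],
        "ciphertext": raw[25:-32],  # AES-128-CBC; readable only with the repository keys
        "hmac": raw[-32:],          # HMAC-SHA256 over everything before it
    }


def token_lifetime(token, expires):
    """Expiry reported by the CLI minus the issue time embedded in the token."""
    exp = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
    return exp - parse_fernet_envelope(token)["issued_at"]


if __name__ == "__main__":
    env = parse_fernet_envelope(PAGE_TOKEN)
    print("issued at :", env["issued_at"].isoformat())
    print("payload   :", len(env["ciphertext"]), "encrypted bytes")
    print("lifetime  :", token_lifetime(PAGE_TOKEN, PAGE_EXPIRES))
```

The one-hour lifetime matches keystone's default `[token] expiration` of 3600 seconds; the user and project ids sit inside the encrypted payload, so they are only recoverable with the keys in the Fernet key repository.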

7. Create the project used by services

[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 0aee41f749504587abd5161be69dbb0c |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

8. Create the user role

[root@controller ~]# openstack role create user
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | f99d906bde1145ce9c51dd27d336ade3 |
| name        | user                             |
| options     | {}                               |
+-------------+----------------------------------+
