Keystone is deployed on the controller node to provide the identity service for OpenStack; from here on, every core OpenStack service component relies on Keystone to authenticate tenants and determine their permissions.
Controller node
Enter MariaDB and create the keystone user and database
Create the database
create database keystone;
Create the user keystone and grant it all privileges on the keystone database
grant all privileges on keystone.* to 'keystone'@'%' identified by 'keystone';
Leave the database and begin deploying the keystone service proper
Install the keystone packages
yum -y install openstack-keystone httpd mod_wsgi
Edit the configuration file
vim /etc/keystone/keystone.conf
OpenStack configuration files all share one trait: they are absurdly long.
This one runs to 2940 lines in total; interested readers can go through it. In the "Configuration file" section I list the entries we need and what they mean.
Sync the keystone database
su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialise the fernet key repository (and the credential key repository)
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the identity service for the admin account
keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://controller1:35357/v3/ \
--bootstrap-internal-url http://controller1:5000/v3/ \
--bootstrap-public-url http://controller1:5000/v3/ \
--bootstrap-region-id RegionOne
View the usage help for keystone-manage
keystone-manage --help
The keystone component is served through Apache, so keystone itself does not need to be started; only httpd does
Edit the httpd configuration file
vim /etc/httpd/conf/httpd.conf
The entry to change is:
ServerName controller1
Link the keystone WSGI configuration into httpd so that httpd starts keystone
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Start httpd
systemctl enable httpd
systemctl restart httpd
Configure the admin superuser account credentials
cat > /root/openrc <<EOF
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller1:35357/v3
export OS_IDENTITY_API_VERSION=3
EOF
source /root/openrc
Create a service project to hold every service we add to OpenStack
openstack project create --domain default \
--description "Service Project" service
Check whether the deployment succeeded as intended
Check whether the admin user was created
openstack user list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 180bddd489644a97850e1460564a3ca1 | admin |
+----------------------------------+-----------+
Check whether the service project was created successfully
openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 50d5ad7be7344c3486323dbe9fb6a991 | admin |
| d90c0e74b2df442db8ac502e650bff51 | service |
+----------------------------------+---------+
If both appear, the keystone deployment is complete
Configuration file
Configuration file /etc/keystone/keystone.conf
[DEFAULT]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
# Database connection string used by keystone
connection = mysql+pymysql://keystone:keystone@controller1/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
# fernet is a secure message format; set the token provider to fernet here
provider = fernet
[tokenless_auth]
[trust]
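The two settings listed above and the fernet key repository created by "keystone-manage fernet_setup" are the parts of this deployment worth verifying afterwards. The script below is an added example, not part of the original post: it reads the [database] connection and [token] provider values from a keystone.conf and checks that the key repository (by default /etc/keystone/fernet-keys, an assumption here) is private to its owner; demo_checks builds constructed sample files for illustration.

```shell
#!/bin/sh
# Added example: post-deployment checks for keystone.conf and the fernet key
# repository. The files built in demo_checks are constructed samples.

# conf_value FILE SECTION KEY -> value of KEY inside [SECTION] (empty if unset)
conf_value() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { in_sec = ($0 == sec); next }
        in_sec && $1 == key && $2 == "=" { print $3; exit }
    ' "$1"
}

# check_conf FILE -> prints "ok" when the token provider is fernet and the
# database connection points at the keystone DB over pymysql, else the problem
check_conf() {
    provider=$(conf_value "$1" token provider)
    conn=$(conf_value "$1" database connection)
    if [ "$provider" != fernet ]; then
        echo "token provider is '${provider:-unset}', expected fernet"; return 1
    fi
    case "$conn" in
        mysql+pymysql://*@*/keystone) echo ok ;;
        *) echo "unexpected database connection '${conn:-unset}'"; return 1 ;;
    esac
}

# check_key_repo DIR -> "ok" when the directory and every key file inside it
# are private to their owner (drwx------ / -rw-------), as fernet_setup creates
# them; a group- or world-readable entry exposes the token signing keys
check_key_repo() {
    [ -d "$1" ] || { echo "missing key repository $1"; return 1; }
    for entry in "$1" "$1"/*; do
        [ -e "$entry" ] || continue
        if [ "$(ls -ld "$entry" | cut -c5-10)" != "------" ]; then
            echo "$entry is readable by group or others"; return 1
        fi
    done
    echo ok
}

# demo_checks -> runs both checks against a constructed config and key directory
demo_checks() {
    tmp=$(mktemp -d)
    printf '[database]\nconnection = mysql+pymysql://keystone:keystone@controller1/keystone\n[token]\nprovider = fernet\n' > "$tmp/keystone.conf"
    mkdir -m 700 "$tmp/fernet-keys"; touch "$tmp/fernet-keys/0"; chmod 600 "$tmp/fernet-keys/0"
    check_conf "$tmp/keystone.conf" && check_key_repo "$tmp/fernet-keys"
    rm -rf "$tmp"
}
demo_checks
```

On a real controller, run check_conf /etc/keystone/keystone.conf and check_key_repo /etc/keystone/fernet-keys as root; the owner should additionally be the keystone user and group passed to fernet_setup, which this script does not check.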