7.1. 创建数据库
mysql -u root -p
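create database keystone;
-- Replace keystone_dbpass with a strong, unique password; the same value must
-- be put into the [database] connection string of keystone.conf (7.4).
grant all privileges on keystone.* to 'keystone'@'kilo' identified by 'keystone_dbpass';
grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'keystone_dbpass';
-- '%' lets the keystone DB user log in from ANY host. In the single-node layout
-- this guide appears to use, the 'kilo' and 'localhost' grants above are what the
-- connection string in 7.4 actually needs, so drop this line (or narrow it to the
-- controller's address) unless remote DB access is really required.
grant all privileges on keystone.* to 'keystone'@'%' identified by 'keystone_dbpass';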
exit
7.2. 生成引导用 admin token（该值等同于管理员凭据，需保密，并在 7.11.1 中禁用）
# 10 random bytes rendered as 20 hex characters. This value becomes admin_token
# in keystone.conf (7.4) and OS_TOKEN (7.7.1): treat it as an admin credential.
openssl rand -hex 10
ae3b19ba29ee81a66b3a
7.3. 安装keystone
keystone 服务默认监听 5000 和 35357 端口；本向导改为由 Apache HTTP Server 监听这两个端口，为避免端口冲突，安装后禁止 keystone 服务随系统启动。
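# Keystone is served by Apache/mod_wsgi in this guide, so keep the packaged
# upstart job from starting (and grabbing ports 5000/35357) at boot.
sudo bash -c "echo manual > /etc/init/keystone.override"
sudo apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
sudo apt-get install libmysqld-dev python2.7-dev
sudo apt-get install python-dateutil python-docutils python-feedparser python-gdata python-jinja2 python-ldap python-libxslt1 python-lxml python-mako python-mock python-openid python-psycopg2 python-psutil python-pybabel python-pychart python-pydot python-pyparsing python-reportlab python-simplejson python-tz python-unittest2 python-vatnumber python-vobject python-webdav python-werkzeug python-xlwt python-yaml python-zsi
sudo apt-get install python-pip
# NOTE(review): easy_install pulls an unpinned, unsigned package from PyPI and
# installs it as root, outside apt's signature verification. Prefer the distro
# package (python-mysqldb) or pin and verify a specific release.
sudo easy_install MySQL-python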
7.4. 编辑keystone.conf
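# The file is /etc/keystone/keystone.conf (as 7.7.1 also states), not
# /etc/keystone.conf. It holds the admin token and DB password: it should be
# readable only by root and the keystone user.
vim /etc/keystone/keystone.conf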
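[DEFAULT]
# Bootstrap credential: whoever presents this value to the admin API has full
# admin rights until admin_token_auth is removed from the paste pipeline (7.11.1).
# Use the value generated in 7.2 and keep this file readable only by root and
# the keystone user.
admin_token = ae3b19ba29ee81a66b3a
verbose = true
log_dir = /var/log/keystone

[database]
# Plaintext DB credentials; must match the GRANT in 7.1. mysql:// is an
# unencrypted connection to host "kilo".
connection = mysql://keystone:keystone_dbpass@kilo/keystone

[memcache]
servers = localhost:11211

[token]
# UUID tokens are persisted in SQL; expired rows are not removed on their own,
# so purge them regularly (keystone-manage token_flush, e.g. from cron) or the
# token table grows without bound.
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token

[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke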
7.5. 生成keystone数据库
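# Populate the keystone database as the keystone user, not root, so anything it
# creates (e.g. under /var/log/keystone) stays owned by keystone. The original
# `sudo bash -c "keystone-manage db_sync" keystone` ran as root: the trailing
# "keystone" only sets $0 for bash, it does not switch user.
sudo -u keystone keystone-manage db_sync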
7.6. 配置Apache HTTP Server
7.6.1. apache2.conf
vim /etc/apache2/apache2.conf
ServerName kilo
7.6.2. wsgi-keystone.conf
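# New site file for the two keystone virtual hosts (content follows).
vim /etc/apache2/sites-available/wsgi-keystone.conf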
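Listen 5000
Listen 35357

# Public API (5000). Plain HTTP: passwords and tokens cross the wire unencrypted,
# so terminate TLS here (SSLEngine) or behind a proxy before exposing this
# beyond a lab network.
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    # Pass the Authorization header through to keystone.
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>

# Admin API (35357). Until admin_token_auth is removed from keystone-paste.ini
# (7.11.1), anyone who learns admin_token and can reach this port has full admin
# rights; bind it to the management address or firewall it instead of listening
# on every interface (*).
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
        ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>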
7.6.3. 禁用默认的虚拟主机
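# Disable the stock default site; a2dissite removes the same symlink as
# `rm /etc/apache2/sites-enabled/000-default.conf` but is the supported way.
sudo a2dissite 000-default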
7.6.4. 启用Identify服务virtual host
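# Enable the keystone site (creates the sites-enabled symlink for wsgi-keystone.conf).
sudo a2ensite wsgi-keystone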
7.6.5. 创建WSGI组件的目录结构
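# /var/www is root-owned, so this needs sudo (7.6.6 repeats it with sudo).
sudo mkdir -p /var/www/cgi-bin/keystone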
7.6.6. 下载WSGI 组件
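sudo apt-get install curl
# Fetch the stable/kilo WSGI entry-point script over HTTPS from the same host,
# failing on HTTP errors (-f) so an error page is never saved as the application.
# The original used plain http://, which would let an on-path attacker substitute
# code that Apache then runs as the keystone user. The URL is quoted because
# "?" is a shell glob character.
curl -fsSL 'https://git.openstack.org/cgit/openstack/keystone/plain/httpd/keystone.py?h=stable/kilo' -o main
# Both entry points are the same script (it keys on its own basename), so copy
# instead of downloading twice. Compare the file with the listing below before
# installing it.
cp main admin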
其中admin和main的内容:
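# Copyright 2013 OpenStack Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
import os

from keystone.server import wsgi as wsgi_server

# The installed copies are named "main" and "admin" (7.6.6); the basename is
# what distinguishes them, presumably selecting the matching paste-deploy
# application, so both files carry identical contents.
name = os.path.basename(__file__)

# NOTE(ldbragst): 'application' is required in this context by WSGI spec.
# The following is a reference to Python Paste Deploy documentation
# http://pythonpaste.org/deploy/
application = wsgi_server.initialize_application(name)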
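sudo mkdir -p /var/www/cgi-bin/keystone
# Install both entry points (WSGIScriptAlias in 7.6.2 points at main and admin).
sudo cp main admin /var/www/cgi-bin/keystone/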
7.6.7. 修改权限
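# Owned by the keystone user (the WSGIDaemonProcess user in 7.6.2); 755 keeps the
# scripts world-readable but writable only by that user.
sudo chown -R keystone:keystone /var/www/cgi-bin/keystone
sudo chmod 755 /var/www/cgi-bin/keystone/*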
7.6.8. 重启apache
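# Hand the ports over to Apache: stop the standalone service, remove the
# package's default SQLite store (the configured backend is MySQL, 7.4), and
# restart Apache to load the new site.
sudo service keystone stop
sudo rm -f /var/lib/keystone/keystone.db
sudo service apache2 restart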
7.7. 创建服务实例和API endpoint
7.7.1. 配置token
此 token 即 7.2 生成并写入 /etc/keystone/keystone.conf 中 admin_token 的值；它等同于管理员凭据，请勿泄露，完成 7.8 后按 7.11.1 禁用。
# Bootstrap admin token (the admin_token value from 7.2 / 7.4). It is a full
# admin credential: keep it out of shell history where possible and unset it
# (7.11.2) as soon as the admin user exists.
OS_TOKEN=ae3b19ba29ee81a66b3a
export OS_TOKEN
7.7.2. 配置endpoint URL
# Talk directly to the admin endpoint (35357) via the v2.0 API; no service or
# endpoint has been registered yet (7.7.3), so the URL is given explicitly.
OS_URL=http://kilo:35357/v2.0
export OS_URL
7.7.3. 服务实例和API endpoint
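# Register the identity service itself in the catalog.
openstack service create --name keystone --description "Openstack Identity" identity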
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description |Openstack Identity |
| enabled | True |
| id | 4bd57cab43ca468e88a7400f9fb1f408 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
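# All three endpoint URLs are plain http: every token issued to clients travels
# in the clear. Acceptable for a lab; put TLS in front and register https URLs
# before real use.
openstack endpoint create --publicurl http://kilo:5000/v2.0 --internalurl http://kilo:5000/v2.0 --adminurl http://kilo:35357/v2.0 --region RegionOne identity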
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| adminurl | http://kilo:35357/v2.0 |
| id | 06ec8b819388494a98cb88a7c78203f8 |
|internalurl | http://kilo:5000/v2.0 |
| publicurl | http://kilo:5000/v2.0 |
| region | RegionOne |
| service_id | 4bd57cab43ca468e88a7400f9fb1f408 |
| service_name |keystone |
| service_type |identity |
+--------------+----------------------------------+
7.8. 创建管理员租户、用户和角色
7.8.1. 创建admin租户
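openstack project create --description "Admin Project" admin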
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description |Admin Project |
| enabled | True |
| id | 9e4ff200c6994bd6bd6e589c21afa2f8 |
| name | admin |
+-------------+----------------------------------+
7.8.2. 创建admin用户
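# --password-prompt reads the password interactively, keeping it out of argv
# and shell history. Choose a strong one; it is the cloud's root credential.
openstack user create --password-prompt admin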
User Password:
Repeat UserPassword:
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 4d95b044ee0b45b689feb081c59c4dd2 |
| name | admin |
| username |admin |
+----------+----------------------------------+
7.8.3. 创建admin角色
openstack role create admin
+-------+----------------------------------+
| Field |Value |
+-------+----------------------------------+
| id | 14b826a870464c67900a963d675cc8cb |
| name | admin |
+-------+----------------------------------+
7.8.4. 添加admin角色到admin租户和用户
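# Grant the admin role to user admin on project admin.
openstack role add --project admin --user admin admin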
+-------+----------------------------------+
| Field |Value |
+-------+----------------------------------+
| id | 14b826a870464c67900a963d675cc8cb |
| name | admin |
+-------+----------------------------------+
7.9. 创建一个service租户
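openstack project create --description "Service Project" service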
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description |Service Project |
| enabled | True |
| id | 59ed3315efaa43f1aba5b935b7509157 |
| name | service |
+-------------+----------------------------------+
7.10. 创建非管理员demo租户
7.10.1. 创建demo租户
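openstack project create --description "Demo Project" demo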
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description |Demo Project |
| enabled | True |
| id | 76f2a7cabeae4075af5b4f8b0aff4619 |
| name | demo |
+-------------+----------------------------------+
7.10.2. 创建demo用户
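# Password is read interactively (not on the command line).
openstack user create --password-prompt demo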
User Password:
Repeat UserPassword:
+----------+----------------------------------+
| Field | Value |
+----------+----------------------------------+
| email | None |
| enabled | True |
| id | 3b9b50cce7c243059862dc8f4d1e5438 |
| name | demo |
| username |demo |
+----------+----------------------------------+
7.10.3. 创建_member_角色
openstack role create _member_
+-------+----------------------------------+
| Field |Value |
+-------+----------------------------------+
| id | 9fe2ff9ee4384b1894a90878d3e92bab |
| name | _member_ |
+-------+----------------------------------+
7.10.4. 添加_member_角色到demo租户和用户
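# Grant the non-admin _member_ role to user demo on project demo.
openstack role add --project demo --user demo _member_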
+-------+----------------------------------+
| Field |Value |
+-------+----------------------------------+
| id | 9fe2ff9ee4384b1894a90878d3e92bab |
| name | _member_ |
+-------+----------------------------------+
7.11. 验证keystone安装部署
7.11.1. 为了安全,禁用临时token
编辑 /etc/keystone/keystone-paste.ini，从 [pipeline:public_api]、[pipeline:admin_api] 和 [pipeline:api_v3] 三个 pipeline 中移除 admin_token_auth。keystone 运行在 Apache mod_wsgi 下，修改后需执行 sudo service apache2 restart 才能生效；此后 7.2 生成的 admin token 不再能用于认证。
7.11.2. 去掉环境变量OS_TOKEN和OS_URL
unset OS_TOKEN OS_URL
7.11.3. 作为管理员,请求身份验证令牌API版本2
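# Password auth as admin against the admin endpoint (v2 API).
openstack --os-auth-url http://kilo:35357 --os-project-name admin --os-username admin --os-auth-type password token issue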
Password: (admin的密码)
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-05-25T06:36:29Z |
| id | dfc8bf7eb61449b2a88e80985c5e51a8 |
| project_id |9e4ff200c6994bd6bd6e589c21afa2f8 |
| user_id | 4d95b044ee0b45b689feb081c59c4dd2 |
+------------+----------------------------------+
7.11.4. Identity版本 3 API 添加支持域
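# Same request through the v3 API, which requires the user and project domains.
openstack --os-auth-url http://kilo:35357 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue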
Password: (admin的密码)
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-05-25T06:39:16.198261Z |
| id | e3cbd99b3e1f42cb96ee5b98464a0cf1 |
| project_id |9e4ff200c6994bd6bd6e589c21afa2f8 |
| user_id | 4d95b044ee0b45b689feb081c59c4dd2 |
+------------+----------------------------------+
7.11.5. 以 admin 身份列出项目，核实 admin 可以执行 admin-only CLI 命令
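# Lists projects (admin-only) to confirm the admin role works.
openstack --os-auth-url http://kilo:35357 --os-project-name admin --os-username admin --os-auth-type password project list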
Password: (admin的密码)
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 59ed3315efaa43f1aba5b935b7509157| service |
|76f2a7cabeae4075af5b4f8b0aff4619 | demo |
|9e4ff200c6994bd6bd6e589c21afa2f8 | admin |
+----------------------------------+---------+
7.11.6. admin,列出用户核实认证服务
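openstack --os-auth-url http://kilo:35357 --os-project-name admin --os-username admin --os-auth-type password user list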
Password: (admin的密码)
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4d95b044ee0b45b689feb081c59c4dd2| admin |
|3b9b50cce7c243059862dc8f4d1e5438 | demo |
+----------------------------------+-------+
7.11.7. admin列出角色验证keystone服务
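openstack --os-auth-url http://kilo:35357 --os-project-name admin --os-username admin --os-auth-type password role list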
Password: (admin的密码)
+----------------------------------+----------+
| ID | Name |
+----------------------------------+----------+
|14b826a870464c67900a963d675cc8cb | admin |
| 9fe2ff9ee4384b1894a90878d3e92bab| _member_ |
+----------------------------------+----------+
7.11.8. Demo,请求token认证从3版本的API
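# Non-admin check: demo should be able to obtain a token but not run admin-only commands.
openstack --os-auth-url http://kilo:35357 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo --os-auth-type password token issue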
Password: (demo的密码)
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-05-25T06:48:22.322489Z |
| id | c3cc2c309e454a65a8d6a7b45a6c56c3 |
| project_id |76f2a7cabeae4075af5b4f8b0aff4619 |
| user_id | 3b9b50cce7c243059862dc8f4d1e5438 |
+------------+----------------------------------+
7.12. keystone环境变量
7.12.1. 创建脚本
vim admin-openrc.sh
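# admin-openrc.sh — sourced into the shell to set admin credentials.
# It holds a plaintext password: chmod 600 this file and never commit it.
# OS_PASSWORD must be the password entered at "openstack user create
# --password-prompt admin" (7.8.2); the value "admin" is only a placeholder.
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
# Admin endpoint (35357), v3 API. Plain HTTP: the password is sent unencrypted.
export OS_AUTH_URL=http://kilo:35357/v3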
vim demo-openrc.sh
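# demo-openrc.sh — sourced into the shell to set the non-admin demo credentials.
# Plaintext password: chmod 600 this file. OS_PASSWORD must be the password
# entered at "openstack user create --password-prompt demo" (7.10.2); "demo" is
# only a placeholder.
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
# Public endpoint (5000), v3 API; non-admin users do not need the admin port.
export OS_AUTH_URL=http://kilo:5000/v3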
7.12.2. 执行脚本,认证令牌
source admin-openrc.sh
openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2015-05-25T07:00:18.609990Z |
| id | d9d853c69d76433fb0a95b41bb5bd8d6 |
| project_id |9e4ff200c6994bd6bd6e589c21afa2f8 |
| user_id | 4d95b044ee0b45b689feb081c59c4dd2 |
+------------+----------------------------------+