Keystone
安装和配置
本节介绍如何在控制器节点上安装和配置代号为keystone的OpenStack Identity服务。出于可伸缩性的目的,此配置部署了Fernet令牌和Apache HTTP服务器来处理请求。
先决条件
在安装和配置Identity服务之前,必须创建数据库。
使用数据库访问客户端以root用户身份连接到数据库服务器:
$ mysql -u root -p
Create the keystone database:
MariaDB [(none)]> CREATE DATABASE keystone;
Grant proper access to the keystone database:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace KEYSTONE_DBPASS with a suitable password.
Exit the database access client.
安装和配置组件
注意
默认配置文件因分发而异。您可能需要添加这些部分和选项,而不是修改现有的部分和选项。此外,...配置片段中的省略号()表示您应保留的潜在默认配置选项。
1运行以下命令以安装软件包:
# yum install openstack-keystone httpd mod_wsgi
2Edit the /etc/keystone/keystone.conf 文件并完成以下操作:
在该[database]部分中,配置数据库访问:
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace KEYSTONE_DBPASS with the password you chose for the database.
Note
Comment out or remove any other connection options in the [database] section.
在该[token]部分中,配置Fernet令牌提供程序:
[token]
# ...
provider = fernet
3Populate the Identity service database:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
4初始化Fernet密钥存储库:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
5引导身份服务:
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
Replace ADMIN_PASS with a suitable password for an administrative user.
Configure the Apache HTTP server
Edit the /etc/httpd/conf/httpd.conf file and configure the ServerName option to reference the controller node:
ServerName controller
Create a link to the /usr/share/keystone/wsgi-keystone.conf file:
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Finalize the installation
1启动Apache HTTP服务并将其配置为在系统引导时启动:
# systemctl enable httpd.service
# systemctl start httpd.service
2配置管理帐户
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
Replace ADMIN_PASS with the password used in the keystone-manage bootstrap command in keystone-install-configure-rdo.
Create a domain, projects, users, and roles
1虽然本指南中的keystone-manage bootstrap步骤中已存在“默认”域,但创建新域的正式方法是:
$ openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 2f4f80574fd84fe6ba9067228ae0a50c |
| name | example |
+-------------+----------------------------------+
2本指南使用的服务项目包含您添加到环境中的每项服务的唯一用户。创建service 项目:
$ openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+
3常规(非管理员)任务应使用非特权项目和用户。例如,本指南创建demo项目和用户。
创建demo项目:
$ openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
Note
Do not repeat this step when creating additional users for this project.
Create the demo user:
$ openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | aeda23aa78f44e859900e22c24817832 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
Create the user role:
$ openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user |
+-----------+----------------------------------+
Add the user role to the demo project and user:
$ openstack role add --project demo --user demo user
注意
此命令不提供输出。
注意
您可以重复此过程以创建其他项目和用户。
验证操作
在安装其他服务之前验证Identity服务的操作。
注意
在控制器节点上执行这些命令。
取消设置临时 变量OS_AUTH_URL和OS_PASSWORD环境变量:
$ unset OS_AUTH_URL OS_PASSWORD
2作为admin用户,请求身份验证令牌:
$ openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
Note
This command uses the password for the admin user.
3作为demo用户,请求身份验证令牌:
$ openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
Note
This command uses the password for the demo user and API port 5000 which only allows regular (non-admin) access to the Identity service API.
创建OpenStack客户端环境脚本
前面的部分使用环境变量和命令选项的组合来通过openstack客户端与Identity服务进行交互 。为了提高客户端操作的效率,OpenStack支持简单的客户端环境脚本,也称为OpenRC文件。这些脚本通常包含所有客户端的常用选项,但也支持唯一选项。有关更多信息,请参阅“ OpenStack最终用户指南”。
创建脚本
创建客户端环境的脚本admin和demo 项目和用户。本指南的未来部分引用这些脚本来加载客户端操作的适当凭据。
注意
客户端环境脚本的路径不受限制。为方便起见,您可以将脚本放在任何位置,但请确保它们可以访问并位于适合部署的安全位置,因为它们包含敏感凭据。
创建和编辑admin-openrc文件并添加以下内容:
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
替换ADMIN_PASS为您admin在Identity服务中为用户选择的密码。
创建和编辑demo-openrc文件并添加以下内容:
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
替换DEMO_PASS为您demo在Identity服务中为用户选择的密码。
使用脚本
1要将客户端作为特定项目和用户运行,只需在运行它们之前加载关联的客户端环境脚本即可。例如:
加载admin-openrc文件以使用Identity服务的位置以及admin项目和用户凭据填充环境变量:
$ . admin-openrc
2Request an authentication token:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:44:35.659723Z |
| id | gAAAAABWvjYj-Zjfg8WXFaQnUd1DMYTBVrKw4h3fIagi5NoEmh21U72SrRv2trl |
| | JWFYhLi2_uPR31Igf6A8mH2Rw9kv_bxNo1jbLNPLGzW_u5FC7InFqx0yYtTwa1e |
| | eq2b0f6-18KZyQhs7F3teAta143kJEWuNEYET-y7u29y0be1_64KYkM7E |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
Openstack Queens版本双节点架构笔记1,虚拟机环境安装: https://blog.csdn.net/qq_38387984/article/details/83245908
Openstack Queens版本双节点架构笔记2,Openstack环境安装: https://blog.csdn.net/qq_38387984/article/details/83245941
Openstack Queens版本双节点架构笔记3,Keystone安装:https://blog.csdn.net/qq_38387984/article/details/83274421
Openstack Queens版本双节点架构笔记4,Glance安装:https://blog.csdn.net/qq_38387984/article/details/83274547
Openstack Queens版本双节点架构笔记5,Nova安装:https://blog.csdn.net/qq_38387984/article/details/83274567
Openstack Queens版本双节点架构笔记6,Neutron安装:https://blog.csdn.net/qq_38387984/article/details/83274578
Openstack Queens版本双节点架构笔记7,Dashboard安装:https://blog.csdn.net/qq_38387984/article/details/83274601
Openstack Queens版本双节点架构笔记8,验证Databoard实例 https://blog.csdn.net/qq_38387984/article/details/83502979
Openstack Queens版本双节点架构笔记9,Ceph安装1: https://blog.csdn.net/qq_38387984/article/details/83502996
Openstack Queens版本双节点架构笔记10,Ceph安装2:https://blog.csdn.net/qq_38387984/article/details/83503016
Openstack Queens版本双节点架构笔记11,Ceph安装3:https://blog.csdn.net/qq_38387984/article/details/83503033