For the detailed steps, see the official documentation: OpenStack Docs: OpenStack Installation Guide for Ubuntu
I. Prerequisites
Before you configure the OpenStack Identity service, you must create a database and an administration token.
1. Connect to the database client
$ mysql -u root -p1234
2. Create the keystone database
CREATE DATABASE keystone;
3. Grant the proper access to the keystone database
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
KEYSTONE_DBPASS is a password of your own choosing; replace it with a suitable one
4. Exit the database client
5. Generate a random value to use as the temporary administration token
$ openssl rand -hex 10
II. Configure the components
1. Install the Keystone package
Disable the Keystone service from starting automatically once installation completes
$ echo "manual" > /etc/init/keystone.override
Install the packages
$ apt-get install keystone apache2 libapache2-mod-wsgi
2. Configure the Keystone service
$ vim /etc/keystone/keystone.conf
① In the [DEFAULT] section, set the value of the initial administration token:
[DEFAULT]
admin_token = ADMIN_TOKEN
Replace ADMIN_TOKEN with the random value generated in the earlier step
② In the [database] section, configure database access:
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace KEYSTONE_DBPASS with the password you chose for the keystone database
This is around line 550; comment out the existing connection line
③ In the [token] section, configure the Fernet token provider
[token]
provider = fernet
This is around line 2007
3. Populate the Identity service database
$ su -s /bin/sh -c "keystone-manage db_sync" keystone
4. Initialize the Fernet keys
$ keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
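An added check script, not taken from the guide or from Keystone, that reads keystone.conf and confirms the three settings above were made correctly: an admin_token that is no longer the ADMIN_TOKEN placeholder and looks like the output of openssl rand -hex 10, exactly one active connection line in [database] that points at MySQL and no longer contains KEYSTONE_DBPASS, and provider = fernet. The function names conf_values, check_keystone_conf and make_sample_conf, and the sample config with its made-up password, are this example's own assumptions.

```shell
#!/bin/sh
# Added check, not part of the guide or of Keystone: verify the keystone.conf
# edits the guide asks for and catch the mistakes that leave Keystone broken
# (unreplaced placeholders, a still-active old connection line, wrong provider).
# Usage: check_keystone_conf /etc/keystone/keystone.conf

# conf_values FILE SECTION KEY: print every uncommented "KEY = value" inside
# [SECTION], one per line, in file order (commented lines are skipped).
conf_values() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); in_sec = (s == sec); next }
        in_sec && !/^[ \t]*[#;]/ && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
            }
        }' "$1"
}

# check_keystone_conf FILE: prints one FAIL line per problem, returns non-zero
check_keystone_conf() {
    conf=$1; rc=0

    token=$(conf_values "$conf" DEFAULT admin_token | tail -n 1)
    case "$token" in
        ""|ADMIN_TOKEN)
            echo "FAIL: [DEFAULT] admin_token is missing or still the ADMIN_TOKEN placeholder"; rc=1 ;;
        *[!0-9a-fA-F]*)
            echo "FAIL: admin_token should be the hex string from 'openssl rand -hex 10'"; rc=1 ;;
        *)
            [ ${#token} -ge 20 ] || { echo "FAIL: admin_token is shorter than 20 hex characters"; rc=1; } ;;
    esac

    conns=$(conf_values "$conf" database connection)
    n=$(printf '%s\n' "$conns" | grep -c . || :)
    conn=$(printf '%s\n' "$conns" | tail -n 1)
    [ "$n" -le 1 ] || { echo "FAIL: $n active connection lines in [database]; comment out the old one"; rc=1; }
    case "$conn" in
        *KEYSTONE_DBPASS*)
            echo "FAIL: connection still contains the KEYSTONE_DBPASS placeholder"; rc=1 ;;
        mysql+pymysql://keystone:*@*/keystone) ;;
        *)
            echo "FAIL: [database] connection is '$conn', expected mysql+pymysql://keystone:<password>@<host>/keystone"; rc=1 ;;
    esac

    prov=$(conf_values "$conf" token provider | tail -n 1)
    [ "$prov" = "fernet" ] || { echo "FAIL: [token] provider is '${prov:-unset}', expected fernet"; rc=1; }

    [ $rc -eq 0 ] && echo "OK: $conf"
    return $rc
}

# make_sample_conf FILE: write a constructed keystone.conf fragment (not a real
# file from the guide) with a made-up token and password that should pass.
make_sample_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
admin_token = 2c5a1d7a8f0e4b3c9d12
[database]
#connection = sqlite:////var/lib/keystone/keystone.db
connection = mysql+pymysql://keystone:s3cr3t-constructed@controller/keystone
[token]
provider = fernet
EOF
}

# With a path argument check that file; otherwise check the constructed sample.
if [ $# -gt 0 ]; then
    check_keystone_conf "$1"
else
    tmp=$(mktemp); make_sample_conf "$tmp"; check_keystone_conf "$tmp"; rm -f "$tmp"
fi
```

Only uncommented lines count, so a connection line left active by mistake at line 550 is reported as a second connection rather than silently overriding the one you added.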
III. Configure the Apache HTTP server
1. Edit the /etc/apache2/apache2.conf file and configure the ServerName option to reference the controller node
$ vim /etc/apache2/apache2.conf
Add this line near the top of the file
ServerName controller
2. Configure the virtual hosts
$ vim /etc/apache2/sites-available/wsgi-keystone.conf
The file contents are as follows
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/apache2/keystone.log
CustomLog /var/log/apache2/keystone_access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
3. Enable the Identity service virtual hosts
$ ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
4. Restart the Apache service
$ service apache2 restart
5. Remove the default SQLite database
$ rm -f /var/lib/keystone/keystone.db
IV. Configure the service entity and API endpoints
1. Configure the authentication token
$ export OS_TOKEN=ADMIN_TOKEN
Replace ADMIN_TOKEN with the authentication token generated in the earlier step
2. Configure the endpoint URL
$ export OS_URL=http://controller:35357/v3
3. Configure the Identity API version
$ export OS_IDENTITY_API_VERSION=3
V. Create the service entity and API endpoints
1. Create the service entity for the Identity service:
$ openstack service create --name keystone --description "OpenStack Identity" identity
root@controller:~# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 4ef1a211f40a4620b6ff8c827eff578a |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
2. Create the Identity service API endpoints:
$ openstack endpoint create --region RegionOne identity public http://controller:5000/v3
$ openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
$ openstack endpoint cre
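An added example, not from the guide or from the openstack client: shell functions that parse the ASCII tables the openstack CLI prints, so a field such as the service id in the output above can be captured in a script, and that verify the identity endpoints after they are created. It assumes the endpoint layout of the official Ubuntu guide (public and internal on http://controller:5000/v3, admin on http://controller:35357/v3); the names table_get, endpoint_url and check_identity_endpoints are its own, the service table is the one shown above, and the endpoint list sample with its made-up ids is constructed.

```shell
#!/bin/sh
# Added example, not part of the guide or of the openstack client: parse the
# tables the openstack CLI prints and verify the identity endpoints.
# Assumes the layout of the official Ubuntu guide: public and internal on
# http://controller:5000/v3, admin on http://controller:35357/v3.

# table_get TABLE FIELD: print the Value cell for FIELD in a Field/Value table
table_get() {
    printf '%s\n' "$1" | awk -F'|' -v f="$2" '
        NF >= 4 {
            k = $2; v = $3
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == f) { print v; exit }
        }'
}

# endpoint_url LIST TYPE INTERFACE: URL column of "openstack endpoint list"
# (columns: ID | Region | Service Name | Service Type | Enabled | Interface | URL)
endpoint_url() {
    printf '%s\n' "$1" | awk -F'|' -v t="$2" -v i="$3" '
        NF >= 9 {
            type = $5; iface = $7; url = $8
            gsub(/^[ \t]+|[ \t]+$/, "", type); gsub(/^[ \t]+|[ \t]+$/, "", iface)
            gsub(/^[ \t]+|[ \t]+$/, "", url)
            if (type == t && iface == i) { print url; exit }
        }'
}

# check_identity_endpoints LIST: all three identity endpoints exist with the
# expected URLs; prints one FAIL line per problem and returns non-zero
check_identity_endpoints() {
    rc=0
    for want in "public http://controller:5000/v3" \
                "internal http://controller:5000/v3" \
                "admin http://controller:35357/v3"; do
        iface=${want%% *}; url=${want#* }
        got=$(endpoint_url "$1" identity "$iface")
        [ "$got" = "$url" ] || { echo "FAIL: identity $iface endpoint is '${got:-missing}', expected $url"; rc=1; }
    done
    [ $rc -eq 0 ] && echo "OK: identity endpoints"
    return $rc
}

# The "openstack service create" output shown in this section
SAMPLE_SERVICE='+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 4ef1a211f40a4620b6ff8c827eff578a |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+'

# Constructed "openstack endpoint list" output with made-up ids (not real output)
SAMPLE_ENDPOINT_LIST='+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| 11111111111111111111111111111111 | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3  |
| 22222222222222222222222222222222 | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3  |
| 33333333333333333333333333333333 | RegionOne | keystone     | identity     | True    | admin     | http://controller:35357/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+'

# Demo: capture the service id, then check the constructed list.
# On a configured controller (OS_TOKEN, OS_URL and OS_IDENTITY_API_VERSION set
# as in section IV): check_identity_endpoints "$(openstack endpoint list)"
echo "service id: $(table_get "$SAMPLE_SERVICE" id)"
check_identity_endpoints "$SAMPLE_ENDPOINT_LIST"
```

Because the check compares the URL per interface, an endpoint created with the wrong port, or a missing admin endpoint, is reported by name rather than discovered later when another service fails to authenticate.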