[TOC]
## Overview
Keystone has three main functions: authentication, authorization and the service catalog.
Authentication: think of it as account management; every OpenStack user is registered in Keystone.
Authorization: glance, nova, neutron, cinder and the other services all use Keystone's accounts, much like many websites today let you log in with a QQ account.
Service catalog: every new service must be registered in Keystone; through Keystone a user can find out which services exist and what their URLs are, and then access those services directly.
## Deployment
[Official reference](https://docs.openstack.org/mitaka/zh_CN/install-guide-rdo/keystone-install.html)
### Install and configure Keystone
**a: Create the database and grant privileges**
```sql
-- run these after logging in to the database server
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
```
**b: Install the Keystone packages**
```sh
yum install openstack-keystone httpd mod_wsgi -y
yum install openstack-utils -y
```
**c: Edit the configuration file**
```sh
# back up the original, then keep only the non-empty, non-comment lines
\cp /etc/keystone/keystone.conf{,.bak}
grep -Ev '^$|#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf
# non-interactive configuration
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
# checksum to verify the result
[root@controller opt]# md5sum /etc/keystone/keystone.conf
d5acb3db852fe3f247f4f872b051b7a9 /etc/keystone/keystone.conf
```
**d: Populate the database**
```sh
su -s /bin/sh -c "keystone-manage db_sync" keystone
# confirm that the tables were created:
mysql -e "show tables from keystone;"
```
**e: Initialize the fernet keys**
```sh
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
```
### Configure and start httpd
**Edit the httpd configuration**
```sh
echo "ServerName controller" >>/etc/httpd/conf/httpd.conf
```
**Create the WSGI configuration**
```sh
# each listener needs its own <VirtualHost> block, and <Directory /usr/bin>
# must grant access to the WSGI scripts
cat >/etc/httpd/conf.d/wsgi-keystone.conf <<'EOF'
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
EOF
```
**Verify and start**
```sh
[root@controller ~]# md5sum /etc/httpd/conf.d/wsgi-keystone.conf
8f051eb53577f67356ed03e4550315c2 /etc/httpd/conf.d/wsgi-keystone.conf
systemctl enable httpd.service
systemctl start httpd.service
```
### Create the service and register the API
**Set environment variables**
```sh
export OS_TOKEN=ADMIN_TOKEN
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
```
**Create the service and register its API endpoints**
```sh
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
```
### Permission setup
**Create the domain, project, user and role**
```sh
openstack domain create --description "Default Domain" default
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password ADMIN_PASS admin
openstack role create admin
```
**Associate project, user and role: grant the admin role to the admin user on the admin project**
```sh
openstack role add --project admin --user admin admin
```
**Create the service project**
```sh
openstack project create --domain default --description "Service Project" service
```
**Test Keystone authorization**
```sh
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin --os-password ADMIN_PASS token issue
openstack --os-auth-url http://controller:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin --os-password ADMIN_PASS user list
```
After the environment variables are unset, the openstack command needs all of those parameters, as shown above, before it will run. Once the test succeeds, put the variables in a script and load it manually after each login.
### Create the environment variable script
**Create the script**
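What the `token issue` test above does on the wire, and how a client then uses the service catalog registered earlier: an added Python example, not code from the page, using a constructed catalog and the tutorial's placeholder hostname and credentials.

```python
import json
import urllib.request

# Added example (not from the tutorial): the v3 password-auth request that
# "openstack token issue" sends, and the catalog lookup a client does next.


def build_password_auth(user, password, user_domain, project, project_domain):
    # Body for POST /v3/auth/tokens, scoped to a project by name (the same
    # five values admin-openrc exports).
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": user, "domain": {"name": user_domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
    }}


def issue_token(auth_url, body):
    # Token comes back in the X-Subject-Token header, the catalog inside the
    # JSON body. Needs a reachable Keystone, so it is not exercised offline.
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)["token"]


def find_endpoint(catalog, service_type, interface, region="RegionOne"):
    # Resolve a service URL from the catalog; None when nothing matches, so
    # the caller never silently falls back to a guessed address.
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") == interface and ep.get("region") == region:
                return ep["url"]
    return None


# Constructed catalog shaped like Keystone's, holding the three identity
# endpoints registered in the tutorial.
SAMPLE_CATALOG = [{"type": "identity", "name": "keystone", "endpoints": [
    {"interface": "public", "region": "RegionOne", "url": "http://controller:5000/v3"},
    {"interface": "internal", "region": "RegionOne", "url": "http://controller:5000/v3"},
    {"interface": "admin", "region": "RegionOne", "url": "http://controller:35357/v3"},
]}]

if __name__ == "__main__":
    body = build_password_auth("admin", "ADMIN_PASS", "default", "admin", "default")
    print(json.dumps(body), find_endpoint(SAMPLE_CATALOG, "identity", "public"))
```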
```sh
cat >admin-openrc <<'EOF'
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
```
**Load the script**
```sh
source admin-openrc
# then try a couple of commands
openstack service list
openstack user list
```