keystone配置概况
采用包安装方式安装的keystone,重要的文件结构有如下:
/etc/keystone/ - 包含keystone所有的配置信息
/var/log/keystone/ - 默认的日志输出目录
/usr/share/keystone/ - 包含初始化数据库需要的脚本sample_data.sh
这里建议将系统的日志输出、keystone的数据库、初始化数据库的脚本都配置到一个目录下,比如:/home/keystone,这样便于管理。
采用包安装方式安装的keystone配置文件在/etc/keystone目录下,主要的配置文件包括:
-----------------------------------------------------------------------------------------------------
default_catalog.templates //目录配置文件,标注openstack其他服务的网络位置
ec2rc
keystone.conf.dpkg-dist //主配置文件模板
keystone.conf //keystone主配置文件
keystone-paste.ini.dpkg-dist //PasteDeploy配置文件模板
keystone-paste.ini //PasteDeploy配置文件
logging.conf.sample //日志配置文件模板
policy.json //权限管理文件
ssl/ //用来建立PKI的目录
------------------------------------------------------------------------------------------------------
keystone主要的配置文件介绍
keystone的配置文件是基于Paste的ini格式的通用Python WSGI配置应用,其中主要有,
1. keystone-paste.ini
是PasteDeploy的配置入口点,在本文件中配置WSGI pipeline和filter等信
2. keystone.conf
这是keystone最主要的配置文件,内容包括通用的配置参数和具体针对不同驱动的配置参数
该文件的结构如下:
- [DEFAULT] - General configuration
- [assignment] - Assignment system driver configuration
- [auth] - Authentication plugin configuration
- [cache] - Caching layer configuration
- [catalog] - Service catalog driver configuration
- [credential] - Credential system driver configuration
- [endpoint_filter] - Endpoint filtering extension configuration
- [endpoint_policy] - Endpoint policy extension configuration
- [federation] - Federation driver configuration
- [identity] - Identity system driver configuration
- [identity_mapping] - Identity mapping system driver configuration
- [kvs] - KVS storage backend configuration
- [ldap] - LDAP configuration options
- [memcache] - Memcache configuration options
- [oauth1] - OAuth 1.0a system driver configuration
- [os_inherit] - Inherited role assignment extension
- [paste_deploy] - Pointer to the PasteDeploy configuration file
- [policy] - Policy system driver configuration for RBAC
- [revoke] - Revocation system driver configuration
- [saml] - SAML configuration options
- [signing] - Cryptographic signatures for PKI based tokens
- [ssl] - SSL configuration
- [token] - Token driver & token provider configuration
- [trust] - Trust extension configuration
--------------------------------------------------------------------------------------------------------
正常运行keystone需要的部分配置与操作
#锁定keystone端口,keystone使用在IANA注册的35357端口,为了避免冲突,可以将该端口从临时端口范围中排除(可选)
$ sudo sysctl -w 'net.ipv4.ip_local_reserved_ports=35357'
#或者在/etc/sysctl.conf文件中添加相同的信息(可选)
$ sudo vim /etc/sysctl.conf
#在打开的文末添加
net.ipv4.ip_local_reserved_ports = 35357
#将配置目录划归给当前用户,使其启动keystone时拥有读取配置文件的权限
$ sudo chown -R darren:darren /etc/keystone
#配置keystone
$ vim /etc/keystone/keystone.conf
#取消这些字段前面的注释,激活默认配置
[DEFAULT] admin_token=YOUR_ADMIN_TOKEN public_bind_host=0.0.0.0 admin_bind_host=0.0.0.0 compute_port=8774 admin_port=35357 public_port=5000 public_endpoint=http://localhost:5000/ admin_endpoint=http://localhost:35357/ log_config_append=/etc/keystone/logging.conf policy_file=policy.json [auth] methods=external,password,token password=keystone.auth.plugins.password.Password token=keystone.auth.plugins.token.Token external=keystone.auth.plugins.external.DefaultDomain [catalog] template_file=default_catalog.templates driver=keystone.catalog.backends.sql.Catalog [credential] driver=keystone.credential.backends.sql.Credential [database] #connection = sqlite:////var/lib/keystone/keystone.db #格式 connection = mysql://USER:PASSWORD@HOST:PORT/DATABASE connection = mysql://keystone:KEYSTONE_PASS@127.0.0.1:3306/keystone [identity] driver=keystone.identity.backends.sql.Identity [paste_deploy] config_file=keystone-paste.ini [signing] certfile=/etc/keystone/ssl/certs/signing_cert.pem keyfile=/etc/keystone/ssl/private/signing_key.pem ca_certs=/etc/keystone/ssl/certs/ca.pem ca_key=/etc/keystone/ssl/private/cakey.pem [token] driver=keystone.token.backends.sql.Token
#后台重启keystone服务
$ keystone-all &
#初始化keystone数据库,创建keystone数据库中的各个数据表
$ keystone-manage db_sync
#将管理认证信息设置成系统变量,添加到.bashrc文件的末尾
cd cat >> .bashrc export OS_SERVICE_TOKEN=darren export OS_SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0 ctrl-D
#初始化keystone数据,将相应的数据写入已经创建好的数据库
$ /usr/share/keystone/sample_data.sh
至此为止已经完成keystone的初始化,以后可以利用keystone-all命令来启动keystone服务器和Identity API,用keystone-manage来实现一些线上不能完成的操作,用keystone CLI来与keystone服务器完成各种交互了。
查看主配置文件keystone.conf的全面详细解读,参考《Juno版keystone配置完全详解》
查看刚刚建立的数据库中新建了哪些数据表,参考《Juno版Keystone数据库结构》。