Switch to the root user
Enter the database
```bash
$ mysql -u root -p
# Create the database
>>> CREATE DATABASE keystone;
# Grant privileges on the database.
# Replace KEYSTONE_DBPASS with a password of your own: choose a strong one, and use the same value later in keystone.conf
>>> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
>>> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
# Exit the database
>>> exit
```
Install the Keystone packages
```bash
# Prevent the keystone service from starting automatically after installation
$ echo "manual" > /etc/init/keystone.override
# Install the packages
$ apt-get install keystone apache2 libapache2-mod-wsgi
```
Generate a random value to use as the temporary admin token
```bash
$ openssl rand -hex 10
ce3a92ef9d6296a93eb4
```
The command prints a value like the one above; save it, it is the ADMIN_TOKEN used below.
Configure the Keystone service
```bash
$ vim /etc/keystone/keystone.conf
```
File contents:
```ini
[DEFAULT]
# ADMIN_TOKEN is the random value generated above
admin_token = ADMIN_TOKEN

[database]
# KEYSTONE_DBPASS must match the password granted above
# Comment out the existing connection line: the section may contain only one connection
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
# Around line 1987; ":1987" in vim jumps there
provider = fernet
```
Sync the database:
```bash
$ su -s /bin/sh -c "keystone-manage db_sync" keystone
```
The database sync is the step that most often fails here; if it errors, see https://www.jianshu.com/p/3a2ce134b786
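The usual causes of a failed `db_sync` are the ones the edits above warn about: a placeholder left in `admin_token` or in the connection string, the stock SQLite `connection` line left uncommented so that `[database]` has two, or a token provider other than fernet. The following checker is an added example, not part of the original guide or of Keystone itself; the config file path is an assumption, and the sample configs used to exercise it are constructed.

```bash
#!/bin/sh
# Added example, not part of the original guide: sanity-check keystone.conf
# before "keystone-manage db_sync". It verifies the three edits described
# above: admin_token set to a real value, exactly one active connection line
# in [database] with the placeholder replaced, and provider = fernet in [token].
#
# Usage: check_keystone_conf /etc/keystone/keystone.conf   (path assumed)

# Print the active (uncommented) "key = value" lines of one INI section.
# $1 = file, $2 = section name without brackets
section_lines() {
    awk -v want="[$2]" '
        /^[[:space:]]*\[/ { in_sec = ($0 == want); next }
        in_sec && !/^[[:space:]]*[#;]/ && /=/ { print }
    ' "$1"
}

# Print the value of key $3 in section $2 of file $1 (empty if absent).
ini_value() {
    section_lines "$1" "$2" | sed -n "s/^[[:space:]]*$3[[:space:]]*=[[:space:]]*//p" | head -n 1
}

# Exit status 0 when the file is ready for db_sync, 1 otherwise.
check_keystone_conf() {
    conf="$1"
    rc=0

    token=$(ini_value "$conf" DEFAULT admin_token)
    case "$token" in
        ""|ADMIN_TOKEN) echo "FAIL: [DEFAULT] admin_token missing or still the placeholder"; rc=1 ;;
        *) echo "ok: admin_token is set" ;;
    esac

    # A second uncommented connection line (the stock sqlite one) breaks db_sync.
    n_conn=$(section_lines "$conf" database | grep -c '^[[:space:]]*connection[[:space:]]*=' || true)
    if [ "$n_conn" -ne 1 ]; then
        echo "FAIL: [database] needs exactly one active connection line, found $n_conn"; rc=1
    else
        conn=$(ini_value "$conf" database connection)
        case "$conn" in
            mysql+pymysql://keystone:KEYSTONE_DBPASS@*) echo "FAIL: KEYSTONE_DBPASS placeholder not replaced"; rc=1 ;;
            mysql+pymysql://keystone:*@*/keystone)      echo "ok: connection = $conn" ;;
            *) echo "FAIL: unexpected connection string: $conn"; rc=1 ;;
        esac
    fi

    provider=$(ini_value "$conf" token provider)
    if [ "$provider" = fernet ]; then
        echo "ok: token provider is fernet"
    else
        echo "FAIL: [token] provider is '$provider', expected fernet"; rc=1
    fi
    return "$rc"
}
```

Run `check_keystone_conf /etc/keystone/keystone.conf` as root before the `su -s /bin/sh -c "keystone-manage db_sync" keystone` step; a non-zero exit with a FAIL line tells you which of the three edits is still wrong. The check only parses the file, so it cannot detect a wrong password or an unreachable `controller` host; those still surface as a db_sync connection error.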
Initialize the Fernet keys and configure Apache
```bash
# Initialize the Fernet key repository
$ keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# Configure the Apache service
$ vim /etc/apache2/apache2.conf
```
File contents (add this line near the top of the file):
```apache
ServerName controller
```
Configure the virtual hosts:
```bash
$ vim /etc/apache2/sites-available/wsgi-keystone.conf
```
File contents:
```apache
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
```
Enable the virtual host and restart Apache:
```bash
$ ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
$ service apache2 restart
```
```bash
# Remove the default SQLite database
$ rm -f /var/lib/keystone/keystone.db
# Create the service entity and API endpoints
# Configure the authentication token; ADMIN_TOKEN is the random value generated earlier
$ export OS_TOKEN=ADMIN_TOKEN
# Configure the endpoint URL
$ export OS_URL=http://controller:35357/v3
# Configure the Identity API version
$ export OS_IDENTITY_API_VERSION=3
# Create the identity service entity
$ openstack service create --name keystone --description "OpenStack Identity" identity
```
Create the endpoints for the `identity` service
```bash
$ openstack endpoint create --region RegionOne identity public http://controller:5000/v3
$ openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
$ openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
```
Create the domain, projects, users and roles
```bash
# Create the `default` domain
$ openstack domain create --description "Default Domain" default
# Create the `admin` project
$ openstack project create --domain default --description "Admin Project" admin
# Create the `admin` user
$ openstack user create --domain default --password-prompt admin
# Create the `admin` role
$ openstack role create admin
# Add the `admin` role to the `admin` project and `admin` user
$ openstack role add --project admin --user admin admin
# Create the `service` project
$ openstack project create --domain default --description "Service Project" service
# Create the `demo` project
$ openstack project create --domain default --description "Demo Project" demo
# Create the `demo` user
$ openstack user create --domain default --password-prompt demo
# Create the `user` role
$ openstack role create user
# Add the `user` role to the `demo` project and `demo` user
$ openstack role add --project demo --user demo user
```
Verify the operation
+ Configure the Keystone service: disable the temporary token mechanism
```bash
$ vim /etc/keystone/keystone-paste.ini
```
File contents. Remove `admin_token_auth` from the `[pipeline:public_api]`, `[pipeline:admin_api]` and `[pipeline:api_v3]` sections:
```ini
[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
```
+ Unset the temporary token and endpoint URL
```bash
$ unset OS_TOKEN OS_URL
```
+ Request a token as the `admin` user
```bash
$ openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
```
+ Request a token as the `demo` user
```bash
$ openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
```
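Removing `admin_token_auth` is the security-relevant part of this step: as long as that filter stays in the pipelines, anyone who reads ADMIN_TOKEN out of keystone.conf has full admin access to the API with no password and no token expiry. The script below is an added example, not part of the original guide or of Keystone; it strips the filter from every `pipeline =` line, leaves the `[filter:admin_token_auth]` definition itself untouched, and reports how many pipeline lines still reference it. The file path is an assumption, and the sample keystone-paste.ini used to exercise it is constructed.

```bash
#!/bin/sh
# Added example, not part of the original guide: remove the admin_token_auth
# filter from every "pipeline = ..." line of keystone-paste.ini and verify
# that none is left. Only pipeline lines are touched; the
# [filter:admin_token_auth] definition stays, just unused.
#
# Usage: strip_admin_token_auth /etc/keystone/keystone-paste.ini   (path assumed)

# Print how many active pipeline lines still list admin_token_auth.
count_admin_token_auth() {
    awk '
        /^[[:space:]]*pipeline[[:space:]]*=/ {
            for (i = 1; i <= NF; i++)
                if ($i == "admin_token_auth") { n++; break }
        }
        END { print n + 0 }
    ' "$1"
}

# Rewrite the file in place (keeping a .bak copy) with the filter removed
# from each pipeline line; all other lines are copied unchanged.
# Exit status 0 when no pipeline line references admin_token_auth afterwards.
strip_admin_token_auth() {
    ini="$1"
    tmp="$ini.tmp.$$"
    cp "$ini" "$ini.bak"
    awk '
        /^[[:space:]]*pipeline[[:space:]]*=/ {
            out = ""
            for (i = 1; i <= NF; i++)
                if ($i != "admin_token_auth")
                    out = out (out == "" ? "" : " ") $i
            $0 = out
        }
        { print }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
    [ "$(count_admin_token_auth "$ini")" -eq 0 ]
}
```

Run `strip_admin_token_auth /etc/keystone/keystone-paste.ini` as root, then `service apache2 restart` so the WSGI processes pick up the new pipelines; afterwards `openstack --os-token ADMIN_TOKEN --os-url http://controller:35357/v3 ... ` requests should be rejected, while the password-based `token issue` commands above keep working.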
Create the client environment scripts
+ Create the script for the `admin` user
```bash
$ mkdir /openstack
$ vim /openstack/admin-openrc
```
File contents; ADMIN_PASS is the password of the `admin` user:
```bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```
+ Create the script for the `demo` user
```bash
$ vim /openstack/demo-openrc
```
File contents; DEMO_PASS is the password of the `demo` user:
```bash
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
```
These files hold plaintext passwords, so keep them readable only by the account that uses them.
Use the scripts
```bash
# Load the admin-openrc script
$ source /openstack/admin-openrc
# Load the demo-openrc script
$ source /openstack/demo-openrc
```
+ Request a token
```bash
$ openstack token issue
```