——Prerequisites
1.) Create the database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
——Keystone service setup and configuration
1.) Install the Keystone service
[root@openstack ~]# yum -y install openstack-keystone python-keystoneclient httpd mod_wsgi
2.) Initialize the Fernet keys
[root@openstack ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
3.) Configure the Keystone service
[root@openstack ~]# openssl rand -hex 10
3f554e582cefe3462106
[root@openstack ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
[root@openstack ~]# vim /etc/keystone/keystone.conf
1: [DEFAULT]
13: admin_token = 3f554e582cefe3462106
526: [database]
549: connection = mysql://keystone:keystone@localhost:3306/keystone
2005: provider = fernet
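The three settings edited above are the ones worth checking before httpd is started on ports 5000 and 35357: admin_token is a bootstrap credential that authenticates as a full administrator without any user, project or role (the reason the walkthrough unsets OS_TOKEN once real users exist), the connection string carries the database password in clear text, and provider = fernet (which lives in the [token] section of keystone.conf) must match the fernet_setup run in step 2. The following checker is an added example, not code from the post or from Keystone; the sample configuration and the admin_token value in it are constructed.

```python
"""Sanity-check the settings this walkthrough edits in keystone.conf.

Added example, not part of the original post or of Keystone itself.
It parses [DEFAULT] admin_token, [database] connection and [token]
provider and returns the findings a reviewer would want before the
service is exposed.
"""
import configparser
import re

# Constructed sample mirroring the settings the post changes; the
# admin_token here is a placeholder, not the value from the post.
SAMPLE_CONF = """
[DEFAULT]
admin_token = 0123456789abcdef0123

[database]
connection = mysql://keystone:keystone@localhost:3306/keystone

[token]
provider = fernet
"""

# Matches 'dialect://user[:password]@host[:port]/database'
_DB_URI = re.compile(
    r"^(?P<dialect>[^:]+)://(?P<user>[^:@/]*)(?::(?P<password>[^@/]*))?"
    r"@(?P<host>[^:/]+)(?::(?P<port>\d+))?/(?P<db>.+)$"
)


def parse_conf(text):
    """Parse keystone.conf text; interpolation is off because values may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def db_uri_parts(uri):
    """Split an SQLAlchemy-style URL into its fields, or None if it does not parse."""
    m = _DB_URI.match(uri)
    return m.groupdict() if m else None


def check_keystone_conf(text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    cp = parse_conf(text)
    findings = []

    token = cp.get("DEFAULT", "admin_token", fallback=None)
    if token:
        findings.append(("warn",
                         "admin_token is set: it grants full admin rights without a user; "
                         "remove it once the admin user and role exist"))
        if len(token) < 20:
            findings.append(("warn", "admin_token is shorter than 20 hex chars "
                                     "(openssl rand -hex 10 gives 20)"))

    conn = cp.get("database", "connection", fallback=None)
    if not conn:
        findings.append(("error", "[database] connection is missing; db_sync will fail"))
    else:
        parts = db_uri_parts(conn)
        if parts is None:
            findings.append(("error", "[database] connection is not a valid database URL"))
        else:
            if parts["password"] and parts["password"] == parts["user"]:
                findings.append(("warn", "database password equals the username"))
            if parts["host"] not in ("localhost", "127.0.0.1"):
                findings.append(("info", "database host is remote; restrict the MariaDB "
                                         "grant to that host instead of '%'"))

    provider = cp.get("token", "provider", fallback=None)
    if provider != "fernet":
        findings.append(("error", f"[token] provider is {provider!r}; expected fernet "
                                  "after keystone-manage fernet_setup"))
    return findings


if __name__ == "__main__":
    for severity, message in check_keystone_conf(SAMPLE_CONF):
        print(f"[{severity}] {message}")
```

Run against the sample it reports the bootstrap token and the password-equals-username choice from the walkthrough; the same function applied to the real file (`check_keystone_conf(open("/etc/keystone/keystone.conf").read())`) is a quick post-install review.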
4.) Sync the database
[root@openstack ~]# keystone-manage db_sync
[root@openstack ~]# mysql -ukeystone -pkeystone -e 'use keystone;show tables;'
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| mapping |
| migrate_version |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+
5.) Configure the Apache service
[root@openstack ~]# vim /etc/httpd/conf/httpd.conf
95: ServerName openstack
[root@openstack ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
[root@openstack ~]# chown -R keystone:keystone /var/log/keystone
[root@openstack ~]# systemctl enable httpd.service
[root@openstack ~]# systemctl start httpd.service
[root@openstack ~]# systemctl status httpd.service
[root@openstack keystone]# netstat -antup|grep httpd|grep LISTEN
tcp6 0 0 :::5000 :::* LISTEN 4612/httpd
tcp6 0 0 :::80 :::* LISTEN 4612/httpd
tcp6 0 0 :::35357 :::* LISTEN 4612/httpd
6.) Set the temporary admin token
[root@openstack ~]# export OS_TOKEN=3f554e582cefe3462106
[root@openstack ~]# export OS_URL=http://192.168.100.120:35357/v3
[root@openstack ~]# export OS_IDENTITY_API_VERSION=3
7.)Create the service entity and API endpoints
7.1)Create the service entity for the Identity service
[root@openstack ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | de06d252af684090b3568cac0f65cbb8 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
7.2) Create the Identity service API endpoints
[root@openstack ~]# openstack endpoint create --region RegionOne identity public http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 9455f80c88cb4a188febacde56aaaff0 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.100.120:5000/v3 |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne identity internal http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 24c58182056a493a801d3717ed287d07 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.100.120:5000/v3 |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne identity admin http://192.168.100.120:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 7e71ee55d7614341837c07d4552b29f7 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.100.120:35357/v3 |
+--------------+----------------------------------+
8.) Create domains, projects, users and roles
8.1)Create the default domain
[root@openstack ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | d68aa40d66034dc89a3b2d896e86477d |
| name | default |
+-------------+----------------------------------+
8.2) Create an admin project, user and role for administering this environment
8.2.1)Create the admin project
[root@openstack ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | e4f62edc6ed547109768b515be56044a |
| is_domain | False |
| name | admin |
| parent_id | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.2.2) Create the admin user
[root@openstack ~]# openstack user create --domain default --password admin_passwd admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | 6f4087ac3ed341b0855e7dec830cf65d |
| name | admin |
+-----------+----------------------------------+
8.2.3) Create the admin role
[root@openstack ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | b3b1f608b109465bb9b96a4b0320dfdb |
| name | admin |
+-----------+----------------------------------+
8.2.4)Add the admin role to the admin project and user
[root@openstack ~]# openstack role add --project admin --user admin admin
8.3)Create the service project
[root@openstack ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | 51600729375b45b480ad7d0d7b0e8a3c |
| is_domain | False |
| name | service |
| parent_id | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.4) Create the demo project
[root@openstack ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | a66c04b887774bca86161003fdb4a33a |
| is_domain | False |
| name | demo |
| parent_id | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.4.1) Create the demo user
[root@openstack ~]# openstack user create --domain default --password demo_passwd demo
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled | True |
| id | d5b1553154e942d6b513f8c706bf374f |
| name | demo |
+-----------+----------------------------------+
8.4.2) Create the user role (assigned to the demo user below)
[root@openstack ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 242935dcb84840fb9f127f27ffd5e765 |
| name | user |
+-----------+----------------------------------+
8.4.3)Add the user role to the demo project and user
[root@openstack ~]# openstack role add --project demo --user demo user
9.) Verify the setup
[root@openstack ~]# unset OS_TOKEN OS_URL
[root@openstack ~]# openstack \
--os-auth-url http://192.168.100.120:35357/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name admin \
--os-username admin \
--os-password admin_passwd \
token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-05-26T04:51:35.701908Z |
| id | gAAAAABXRnLH0FzjXcBrcDEj_GGVMyFCjxH1t4SdAEJyI06vFJAV699czB03nQ-B |
| | -wn3tzXHjYuJ1Mp5BoYNbj9B0EUsFYlZ1IyYM0EQ6coa7pHsKEVeXVhVTROVOPMmaYZspcnKMhnWwaiWq7OIOAv5YMmUDlYSqSi1ZjqDThqHAq-Z1dhUb6w |
| project_id | e4f62edc6ed547109768b515be56044a |
| user_id | 6f4087ac3ed341b0855e7dec830cf65d |
+------------+----------------------------------------------------------------------------------------------------------------------------+
[root@openstack ~]# openstack \
--os-auth-url http://192.168.100.120:5000/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name admin \
--os-username admin \
--os-password admin_passwd \
token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires | 2016-05-26T04:53:35.489593Z |
| id | gAAAAABXRnM_CMNnU2fc8gFUnM9Fj3Ooxr4RwnYG4gUXvsZQPOUVDweCGldl8f1WkB4xq0u3-uEKEBSIkC- |
| | WuBGQhRN4S8Nef7Y0FlKohIM3P3HXQnjieMVr1_ze5UovQYsCVWh8-ObQFiK0zNrKSZ0rwwl-TdOygpeUxh8QOyAyyZJeQgmuGMc |
| project_id | e4f62edc6ed547109768b515be56044a |
| user_id | 6f4087ac3ed341b0855e7dec830cf65d |
+------------+----------------------------------------------------------------------------------------------------------------------------+
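What the two `token issue` commands above do on the wire is a single POST to /v3/auth/tokens with a password-method, project-scoped body; Keystone answers 201, puts the token in the X-Subject-Token response header and describes the scope, expiry and roles in the JSON body, which is where the expires, id, project_id and user_id columns come from. Every later call, and every bootstrap call made with OS_TOKEN in steps 6 to 8, sends its credential in an X-Auth-Token header. The following is an added example, not code from the post, from Keystone or from python-openstackclient: it builds that request body, extracts the table fields from a constructed sample response (the user, project and role ids are the ones printed above; the token string is a placeholder) and checks expiry and role membership offline, without contacting any endpoint.

```python
"""Identity v3 password auth: request body and response handling.

Added example, not part of the original post, Keystone or the
openstack CLI. AUTH_URL is the admin endpoint used in the post; the
HTTP round trip itself is not performed, a constructed response is
parsed instead so the block runs offline.
"""
import json
from datetime import datetime, timezone

AUTH_URL = "http://192.168.100.120:35357/v3"  # admin endpoint from the walkthrough
TOKENS_PATH = AUTH_URL + "/auth/tokens"        # POST target for token issue


def password_auth_body(username, password, project,
                       user_domain="default", project_domain="default"):
    """JSON body for POST /v3/auth/tokens: password method, scoped to a project.

    This is what --os-username/--os-password/--os-project-name and the two
    --os-*-domain-name flags turn into.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project, "domain": {"name": project_domain}}
            },
        }
    }


def auth_header(token):
    """Header carrying a token (bootstrap admin_token or an issued token) on later calls."""
    return {"X-Auth-Token": token}


# Constructed sample response shaped like a 201 from /v3/auth/tokens.
# The token id travels in the header, not in the body; the ids below are
# the admin user/project/role ids shown earlier in the walkthrough.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-placeholder-token"}
SAMPLE_BODY = json.dumps({
    "token": {
        "methods": ["password"],
        "issued_at": "2016-05-26T03:51:35.701908Z",
        "expires_at": "2016-05-26T04:51:35.701908Z",
        "user": {"id": "6f4087ac3ed341b0855e7dec830cf65d", "name": "admin",
                 "domain": {"id": "505647f0f06e408e9d176da82a6684f1", "name": "default"}},
        "project": {"id": "e4f62edc6ed547109768b515be56044a", "name": "admin",
                    "domain": {"id": "505647f0f06e408e9d176da82a6684f1", "name": "default"}},
        "roles": [{"id": "b3b1f608b109465bb9b96a4b0320dfdb", "name": "admin"}],
    }
})


def _parse_utc(ts):
    """Parse 'YYYY-MM-DDTHH:MM:SS[.ffffff]Z' into an aware UTC datetime."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in ts else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(ts, fmt).replace(tzinfo=timezone.utc)


def summarize_token(headers, body_text):
    """Return the four fields `openstack token issue` prints."""
    tok = json.loads(body_text)["token"]
    return {
        "expires": tok["expires_at"],
        "id": headers["X-Subject-Token"],
        "project_id": tok.get("project", {}).get("id"),  # None for an unscoped token
        "user_id": tok["user"]["id"],
    }


def token_is_valid(summary, now_iso):
    """True if the token has not yet expired at the given UTC timestamp."""
    return _parse_utc(now_iso) < _parse_utc(summary["expires"])


def has_role(body_text, role_name):
    """True if the token body lists the given role on its scope."""
    roles = json.loads(body_text)["token"].get("roles", [])
    return any(r["name"] == role_name for r in roles)


if __name__ == "__main__":
    print("POST", TOKENS_PATH)
    print(json.dumps(password_auth_body("admin", "admin_passwd", "admin"), indent=2))
    print(summarize_token(SAMPLE_HEADERS, SAMPLE_BODY))
```

The `roles` list is the part the CLI table hides: a token scoped to the admin project only carries the admin role because of the `role add` in step 8.2.4, so an unexpected role on a token is the first thing to look at when a user can do more than intended.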
10.) Create the admin environment variable file
[root@openstack ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_passwd
export OS_AUTH_URL=http://192.168.100.120:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
10.1) Verify
[root@openstack ~]# . admin-openrc
[root@openstack ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 6f4087ac3ed341b0855e7dec830cf65d | admin |
| d5b1553154e942d6b513f8c706bf374f | demo |
+----------------------------------+-------+