openstack安装（liberty）--安装认证服务（Identity service）

34323 · 发表于 2016-8-5 09:18:05

二、安装认证服务（Identity service）
1.1建立数据库

1 2	[iyunv@controller1 ~]# mysql -uroot -p MariaDB [(none)]> CREATE DATABASE keystone;

1.2授权数据库访问

1 2	MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone'; MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';

2.1生成临时随机数（token）

1 2	[iyunv@controller1 ~]# openssl rand -hex 10 4904808b108b787d950f

3.1安装包

1	[iyunv@controller1 ~]# yum install openstack-keystone httpd mod_wsgi memcached python-memcached

3.2启动memcached服务

1
2
3

[iyunv@controller1 ~]# systemctl enable memcached.service
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[iyunv@controller1 ~]# systemctl start memcached.service

3.3编辑配置文件

1
2
3
4
5
6
7
8
9
10
11
12
13
14

[iyunv@controller1 ~]# vi /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 4904808b108b787d950f
[database]
connection = mysql://keystone:keystone@controller1/keystone
[memcache]
servers = localhost:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
[DEFAULT] #可选，用于排错
verbose = True

3.4初始化数据库

1	[iyunv@controller1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone #没有消息输出

4.1配置HTTP服务

1 2	[iyunv@controller1 ~]# vi /etc/httpd/conf/httpd.conf ServerName controller1

4.2创建配置文件

1
2
3

[iyunv@controller1 ~]# vi /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
   ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
      <IfVersion >= 2.4>
         Require all granted
      </IfVersion>
      <IfVersion < 2.4>
         Order allow,deny
         Allow from all
      </IfVersion>
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
   ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
      <IfVersion >= 2.4>
         Require all granted
      </IfVersion>
      <IfVersion < 2.4>
         Order allow,deny
         Allow from all
      </IfVersion>
</Directory>
</VirtualHost>

4.3启动服务并开机自动启动

1
2
3

[iyunv@controller1 ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[iyunv@controller1 ~]# systemctl start httpd.service

5.1配置TOKEN

1
2
3

[iyunv@controller1 ~]# export OS_TOKEN=4904808b108b787d950f
[iyunv@controller1 ~]# export OS_URL=http://controller1:35357/v3
[iyunv@controller1 ~]# export OS_IDENTITY_API_VERSION=3

5.2创建业务实体 ##错误查看LOG（ vi /etc/keystone/keystone.conf）

1
2
3
4
5
6
7
8
9
10

5.3创建API端点

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

6.1创建域（默认domains）

6.2创建项目（project/tenants）

1
2
3
4
5
6
7
8
9
10
11
12

6.3创建管理员用户

1
2
3
4
5
6
7
8
9
10
11

6.4创建管理员角色

1
2
3
4
5
6
7

6.5添加角色到项目和管理员用户

1	[iyunv@controller1 ~]# openstack role add --project admin --user admin admin

7.1创建服务项目

1
2
3
4
5
6
7
8
9
10
11
12

8.1创建非管理员项目（demo）

1
2
3
4
5
6
7
8
9
10
11
12

8.2创建非管理员用户

1
2
3
4
5
6
7
8
9
10
11

8.3创建非管理员角色

1
2
3
4
5
6
7

8.4添加角色到项目和管理员用户

1	[iyunv@controller1 ~]# openstack role add --project demo --user demo user

9.1验证，取消环境变量

1	[iyunv@controller1 ~]# unset OS_TOKEN OS_URL

9.2安全配置，移除admin_token_auth

1
2
3
4
5
6
7
8
9
10
11
12
13

[iyunv@controller1 ~]# vi /usr/share/keystone/keystone-dist-paste.ini
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3

9.3使用管理员要求一个令牌

1
2
3
4
5
6
7
8
9
10

[iyunv@comtroller1 ~]# openstack --os-auth-url http://controller1:35357/v3  --os-project-domain-id default --os-user-domain-id default  --os-project-name admin --os-username admin --os-auth-type password  token issue
Password: admin
+------------+----------------------------------+
| Field    | Value                         |
+------------+----------------------------------+
| expires | 2016-07-11T06:46:59.482835Z    |
| id       | 0139a994069a44b28030f0e1ad877eab |
| project_id | c4d6ba1cb9424cbcaa32e6b9daeb4a19 |
| user_id | f04f9a6391ce4bb3840bc1dfa1181583 |
+------------+----------------------------------+

9.4使用一般用户要求一个令牌

1
2
3
4
5
6
7
8
9
10
11
12
13

[iyunv@controller1 ~]# openstack --os-auth-url http://controller1:5000/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue
Password: demo
+------------+----------------------------------+
| Field    | Value                         |
+------------+----------------------------------+
| expires | 2016-07-11T06:49:35.051544Z    |
| id       | b265f81e99674727ab5d3ef270f105bc |
| project_id | 77bbdcc40d8e4cd5abc08fb15585cb4e |
| user_id | de2f5efaee794b51b50c602cc9914742 |
+------------+----------------------------------+

10.1配置客户端环境脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18

[iyunv@controller1 ~]# vi ~/admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller1:35357/v3
export OS_IDENTITY_API_VERSION=3
[iyunv@controller1 ~]# vi ~/demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller1:5000/v3
export OS_IDENTITY_API_VERSION=3

10.2使用脚本并验证

1
2
3
4
5
6
7
8
9
10

账号		自动登录	找回密码
密码			立即注册

VMware vcenter+vSphere 6.5 U2共享

【跟谁学】韩宇极简英语课-技术人员不得不

用Zabbix通过JMX方式监控weblogic

winhex数据恢复教程（非常巨大，内容丰富）

Symantec Backup Exec 2015 2016/2012 BE20

NetScaler VPX部署之：NetScaler Gateway调

zabbix3.4.1安装部署+微信推送信息+大屏显

[经验分享] openstack安装（liberty）--安装认证服务（Identity service）

相关帖子

浏览过的版块

扫码加入运维网微信交流群