[iyunv@controller1 ~]# mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE keystone;
1.2 授权数据库访问(示例口令 'keystone' 与用户名相同,仅用于演示;实际部署应替换为强口令,并将 '%' 收窄为控制节点所在的管理网段)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
[iyunv@controller1 ~]# openstack user create --domain default --password-prompt admin
User Password:admin   (示例口令;--password-prompt 实际不回显输入,生产环境请使用强口令)
Repeat User Password:admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | f04f9a6391ce4bb3840bc1dfa1181583 |
| name | admin |
+-----------+----------------------------------+
6.4创建管理员角色
[iyunv@controller1 ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | c778dd4b4c864c3685db4d4feb0acd52 |
| name | admin |
+-------+----------------------------------+
6.5添加角色到项目和管理员用户
[iyunv@controller1 ~]# openstack role add --project admin --user admin admin
7.1创建服务项目
[iyunv@controller1 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 78b459d13b3041a6b06fd0b961bc26f1 |
| is_domain | False |
| name | service |
| parent_id | None |
+-------------+----------------------------------+
[iyunv@controller1 ~]# openstack user create --domain default --password-prompt demo
User Password:demo
Repeat User Password:demo
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | de2f5efaee794b51b50c602cc9914742 |
| name | demo |
+-----------+----------------------------------+
8.3创建非管理员角色
[iyunv@controller1 ~]# openstack role create user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | e9e4bbf1608c4cd3b4fcde2575a5ded3 |
| name | user |
+-------+----------------------------------+
8.4 添加 user 角色到 demo 项目和 demo 用户
[iyunv@controller1 ~]# openstack role add --project demo --user demo user
9.1验证,取消环境变量
[iyunv@controller1 ~]# unset OS_TOKEN OS_URL
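9.2 安全配置:移除 admin_token_auth(下面列出的三条 pipeline 仍包含 admin_token_auth,需从 public_api、admin_api、api_v3 三处逐一删除,以停用临时的管理令牌认证;修改并重新加载 keystone 服务后,应确认使用原 OS_TOKEN 的请求已被拒绝)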
[iyunv@controller1 ~]# vi /usr/share/keystone/keystone-dist-paste.ini
[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3