KeyStone - QLGQ/learning-python GitHub Wiki
认证服务
安装和配置
创建数据库
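# Prompt for the MariaDB root password instead of passing it inline
# (-p123456): an inline password is recorded in ~/.bash_history and is
# visible to every local user in `ps` output while mysql runs.
[root@controller ~]# mysql -uroot -p
# Create the keystone database.
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
# Grant the keystone service account rights on its own database only
# (keystone.*, never *.*).
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.00 sec)
# '%' accepts this account from any host. Keystone connects to the host
# named "controller" (see the [database] connection below), so if MariaDB is
# reachable from other machines, narrow '%' to the controller's address.
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Query OK, 0 rows affected (0.00 sec)
# Replace KEYSTONE_DBPASS with a strong password; the same value goes into
# the [database] connection line of /etc/keystone/keystone.conf below.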
安装软件包
# Keystone plus Apache and mod_wsgi, which serve the Keystone WSGI application
# (the vhost file is linked into httpd's conf.d further down).
[root@controller ~]# yum -y install openstack-keystone httpd mod_wsgi
编辑/etc/keystone/keystone.conf文件
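[root@controller ~]# cd /etc/keystone/
# Keep the packaged file (with its documentation comments) as a backup.
# Note: the backup is a new file created with the current umask and may be
# world-readable; that is acceptable only because it holds no secrets yet.
[root@controller keystone]# cp keystone.conf keystone.conf.bak
# Strip comment and blank lines so only live settings remain. The redirect
# truncates the existing keystone.conf in place, so its packaged ownership
# and mode are preserved.
[root@controller keystone]# egrep -v "^#|^$" keystone.conf.bak > keystone.conf
# The DB password is written into this file next: confirm it is not
# world-readable first (expected root:keystone, mode 0640 -- verify against
# what your package shipped).
[root@controller keystone]# ls -l keystone.conf
[root@controller keystone]# vim keystone.conf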
添加如下内容:
[database]
...
# Holds the DB password in clear text; keystone.conf must stay unreadable to
# other users. "controller" must resolve to the MariaDB host, and the
# user/password must match the GRANT statements above.
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
...
# Fernet tokens need the key repository created by
# `keystone-manage fernet_setup` below.
provider = fernet
导入数据库
# Populate the schema as the keystone service user rather than root, so the
# migration runs with the service account's privileges only.
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
初始化Fernet key数据库
# Create the Fernet token key repository and the credential-encryption key
# repository, owned by the keystone user/group so only the service can read
# them. Anyone holding these keys can mint valid tokens: back them up securely
# and never copy them anywhere world-readable.
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
引导身份认证
# Bootstrap the admin user and the identity endpoints in the catalog.
# "admin" is a placeholder password: replace it with a strong one here AND in
# every later step that reuses it (the OS_PASSWORD export and admin-openrc).
# All endpoints are plain http://, so passwords and tokens cross the network
# in clear text -- terminate TLS on httpd before using this outside a lab.
[root@controller ~]# keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:35357/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
配置httpd服务器
# Set ServerName (the packaged httpd.conf has it commented out) so httpd
# starts without the FQDN warning. sed -i edits in place with no backup.
[root@controller ~]# sed -i 's/#ServerName www.example.com:80/ServerName controller/g' /etc/httpd/conf/httpd.conf
# Enable the packaged Keystone vhost; it should listen on the ports used by
# the bootstrap URLs above (5000/35357) -- check the file for the exact ports.
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
启动http服务
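[root@controller ~]# systemctl enable httpd.service
[root@controller ~]# systemctl start httpd.service
# Confirm httpd is listening. ss (iproute) is always present, whereas netstat
# (net-tools) may not be installed. Expect the ports from the bootstrap URLs
# above (5000 and 35357) to be bound by httpd.
[root@controller ~]# ss -lntp | grep httpd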
配置管理用户
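[root@controller ~]# export OS_USERNAME=admin
# Read the password from the terminal instead of `export OS_PASSWORD=admin`:
# an inline value is recorded in ~/.bash_history. Enter the bootstrap password.
[root@controller ~]# read -rsp 'admin password: ' OS_PASSWORD && export OS_PASSWORD
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
# Admin work goes through the admin endpoint bootstrapped above.
[root@controller ~]# export OS_AUTH_URL=http://controller:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3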
创建用户、域、角色
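# Each command below is one invocation: the trailing backslash is required,
# otherwise the second line runs as a separate (failing) command.
# The "service" project is where other components' service accounts are
# typically placed.
[root@controller ~]# openstack project create --domain default \
  --description "Service Project" service
[root@controller ~]# openstack project create --domain default \
  --description "Demo Project" demo
# --password-prompt reads the password interactively so it stays out of
# shell history. This page uses 123456 for demo; choose a strong password
# and keep demo-openrc in sync with it.
[root@controller ~]# openstack user create --domain default \
  --password-prompt demo
[root@controller ~]# openstack role create user
# Least privilege: demo gets the unprivileged "user" role on the demo
# project only, never admin.
[root@controller ~]# openstack role add --project demo --user demo user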
验证
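# Drop the cached password and URL so the calls below prove authentication
# end to end (the CLI prompts for the password because OS_PASSWORD is unset).
[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
# Admin authenticates against the admin endpoint (35357). Every line but the
# last needs a trailing backslash so this runs as one command.
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name Default \
  --os-user-domain-name Default \
  --os-project-name admin \
  --os-username admin token issue
# Password: the bootstrap password ("admin" in this walkthrough).
# The demo user must succeed against the public endpoint (5000); a regular
# user should never need the admin endpoint.
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default \
  --os-user-domain-name Default \
  --os-project-name demo \
  --os-username demo token issue
# Password: the one entered at `openstack user create` ("123456" here).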
创建OpenStack客户端环境脚本
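# Create the file unreadable to other users before filling it: it will hold
# the admin password in clear text.
[root@controller ~]# touch admin-openrc && chmod 600 admin-openrc
[root@controller ~]# vim admin-openrc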
添加如下内容
# admin-openrc: source with ". admin-openrc" to act as the cloud admin.
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
# Clear-text bootstrap password: keep this file mode 600, owned by root, and
# out of any repository or shared location.
export OS_PASSWORD=admin
# Admin uses the admin endpoint (35357) bootstrapped above.
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
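# Same as admin-openrc: the file will contain a clear-text password, so make
# it unreadable to other users before writing it.
[root@controller ~]# touch demo-openrc && chmod 600 demo-openrc
[root@controller ~]# vim demo-openrc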
添加如下内容
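# demo-openrc: source with ". demo-openrc" to act as the unprivileged demo user.
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
# Clear-text password ("123456" on this page -- use a strong one and keep it
# in sync with `openstack user create`): keep this file mode 600.
export OS_PASSWORD=123456
# A regular user authenticates against the public endpoint (5000), which is
# what the demo verification step above used; the admin endpoint (35357)
# is reserved for administrative access and should not be handed to
# ordinary users.
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2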
验证
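# Source ONE file per shell: both scripts set the same OS_* variables, so
# sourcing admin-openrc and then demo-openrc back to back leaves demo's
# credentials in effect and never exercises the admin file.
[root@controller ~]# . admin-openrc
[root@controller ~]# openstack token issue
[root@controller ~]# . demo-openrc
[root@controller ~]# openstack token issue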