I. Install and configure the controller node
1. Create the database and grant privileges
mysql -uroot -p123123
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123123';
exit
2. Generate a random value to use as the administration token during initial configuration
openssl rand -hex 10
3. Install keystone
yum install openstack-keystone httpd mod_wsgi
4. Edit the file /etc/keystone/keystone.conf
vim /etc/keystone/keystone.conf
[DEFAULT]
# ADMIN_TOKEN is the administration token value generated in step 2 above
admin_token = ADMIN_TOKEN
[database]
connection = mysql+pymysql://keystone:[email protected]/keystone
[token]
provider = fernet
5. Initialize the Identity service database
su -s /bin/sh -c "keystone-manage db_sync" keystone ## ignore any output
6. Initialize the Fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
7. Configure the Apache HTTP server
1) Edit the /etc/httpd/conf/httpd.conf file
vi /etc/httpd/conf/httpd.conf
## Set ServerName to controller
ServerName controller
2) Create the file /etc/httpd/conf.d/wsgi-keystone.conf
vi /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
:wq
3) Start the Apache HTTP service and configure it to start at system boot
systemctl enable httpd.service
systemctl start httpd.service
II. Create the service entity and API endpoints
1. Set the environment variables
export OS_TOKEN=ADMIN_TOKEN ## the authentication token generated earlier
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
2. Create the service entity and API endpoints
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
III. Create a domain, projects, users and roles
1. Create the default domain
openstack domain create --description "Default Domain" default
2. Create the admin project
openstack project create --domain default --description "Admin Project" admin
3. Create the admin user
openstack user create --domain default --password-prompt admin # prompts for the admin password
4. Create the admin role
openstack role create admin
5. Add the admin role to the admin project and user
openstack role add --project admin --user admin admin
6. Create the service project
openstack project create --domain default --description "Service Project" service
7. Create the demo project
openstack project create --domain default --description "Demo Project" demo
8. Create the demo user
openstack user create --domain default --password-prompt demo # prompts for the demo user's password
9. Create the user role
openstack role create user
10. Add the user role to the demo project and user
openstack role add --project demo --user demo user
IV. Verify operation
1. Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections
2. Unset the OS_TOKEN and OS_URL environment variables
unset OS_TOKEN OS_URL
3. As the admin user, request an authentication token
openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue ## enter the admin user's password
4. As the demo user, request an authentication token
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue ## enter the demo user's password
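A check for steps 1 and 2 of this section, added here as an example and not part of the original post: it reports any of the three pipelines that still loads admin_token_auth and whether the bootstrap token variables are still exported. The function names audit_paste_ini and token_env_clean and the abbreviated sample pipelines are assumptions constructed for illustration.

```shell
#!/bin/sh
# audit_paste_ini FILE
# Prints each of the three API pipeline sections that still lists the
# admin_token_auth filter; returns 1 if any does, 0 if all are clean.
audit_paste_ini() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]*[#;]/ { next }                  # ignore comment lines
        /^\[/         { section = $0; next }    # track the current section
        section ~ /^\[pipeline:(public_api|admin_api|api_v3)\]/ {
            line = $0
            sub(/^[^=]*=/, "", line)            # keep only the filter list
            n = split(line, f, /[ \t]+/)
            for (i = 1; i <= n; i++)
                if (f[i] == "admin_token_auth" && !(section in seen)) {
                    print section; seen[section] = 1; bad = 1
                }
        }
        END { exit bad }
    ' "$1"
}

# token_env_clean: succeeds only if the bootstrap variables are no longer set.
token_env_clean() {
    [ -z "${OS_TOKEN:-}" ] && [ -z "${OS_URL:-}" ]
}

# Constructed sample (abbreviated pipelines): admin_api was not cleaned.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth
[pipeline:public_api]
pipeline = cors sizelimit token_auth json_body public_service
[pipeline:admin_api]
pipeline = cors sizelimit admin_token_auth token_auth json_body admin_service
[pipeline:api_v3]
pipeline = cors sizelimit token_auth json_body service_v3
EOF
audit_paste_ini "$sample" || echo "admin_token_auth is still enabled in the sections above"
token_env_clean || echo "OS_TOKEN/OS_URL are still exported"
rm -f "$sample"
```

On a real controller, run audit_paste_ini against /etc/keystone/keystone-paste.ini after editing it and before requesting tokens in steps 3 and 4.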
V. Create OpenStack client environment scripts
1. Edit the admin-openrc file and add the following content:
vim /root/admin-openrc.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123123 # change to the admin user's password
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
2. Edit the demo-openrc file and add the following content:
vim /root/demo-openrc.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123123 # change to the demo user's password
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
3. Test using the admin environment variables
source /root/admin-openrc.sh
openstack token issue # obtain an authentication token for the admin user
Reposted from: https://blog.51cto.com/19941212/1900500