――先决条件
1.)创建数据库
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> GRANT ALL ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
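Query OK, 0 rows affected (0.00 sec)
注:示例中数据库口令与用户名相同,并且对任意主机('%')授权;实际部署时应换成强口令,并把 '%' 收窄为确实需要连接数据库的主机(keystone.conf 中的 connection 需使用同一口令)。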
――keystone服务搭建配置
1.)安装keystone服务
[root@openstack ~]# yum -y install openstack-keystone python-keystoneclient httpd mod_wsgi
2.)初始化keys
[root@openstack ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
3.)配置keystone服务
[root@openstack ~]# openssl rand -hex 10
3f554e582cefe3462106
[root@openstack ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
[root@openstack ~]# vim /etc/keystone/keystone.conf
   1: [DEFAULT]
  13: admin_token = 3f554e582cefe3462106
 526: [database]
 549: connection = mysql://keystone:keystone@localhost:3306/keystone
2005: provider = fernet
4.)同步数据库
[root@openstack ~]# keystone-manage db_sync
[root@openstack ~]# mysql -ukeystone -pkeystone -e 'use keystone;show tables;'
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| mapping                |
| migrate_version        |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
5.)配置 Apache service
[root@openstack ~]# vim /etc/httpd/conf/httpd.conf
95: ServerName openstack
[root@openstack ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
 1:Listen 5000
 2:Listen 35357
 3:
 4:<VirtualHost *:5000>
 5:    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
 6:    WSGIProcessGroup keystone-public
 7:    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
 8:    WSGIApplicationGroup %{GLOBAL}
 9:    WSGIPassAuthorization On
10:    ErrorLogFormat "%{cu}t %M"
11:    ErrorLog /var/log/httpd/keystone-error.log
12:    CustomLog /var/log/httpd/keystone-access.log combined
13:
14:    <Directory /usr/bin>
15:        Require all granted
16:    </Directory>
17:</VirtualHost>
18:
19:<VirtualHost *:35357>
20:    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
21:    WSGIProcessGroup keystone-admin
22:    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
23:    WSGIApplicationGroup %{GLOBAL}
24:    WSGIPassAuthorization On
25:    ErrorLogFormat "%{cu}t %M"
26:    ErrorLog /var/log/httpd/keystone-error.log
27:    CustomLog /var/log/httpd/keystone-access.log combined
28:
29:    <Directory /usr/bin>
30:        Require all granted
31:    </Directory>
32:</VirtualHost>
[root@openstack ~]# chown -R keystone:keystone /var/log/keystone
[root@openstack ~]# systemctl enable httpd.service
[root@openstack ~]# systemctl start httpd.service
[root@openstack ~]# systemctl status httpd.service
[root@openstack keystone]# netstat -antup|grep httpd|grep LISTEN
tcp6       0      0 :::5000                 :::*                    LISTEN      4612/httpd
tcp6       0      0 :::80                   :::*                    LISTEN      4612/httpd
tcp6       0      0 :::35357                :::*                    LISTEN      4612/httpd
6.)设置临时admin token
[root@openstack ~]# export OS_TOKEN=3f554e582cefe3462106
[root@openstack ~]# export OS_URL=http://192.168.100.120:35357/v3
[root@openstack ~]# export OS_IDENTITY_API_VERSION=3
7.)Create the service entity and API endpoints
7.1)Create the service entity for the Identity service
[root@openstack ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | de06d252af684090b3568cac0f65cbb8 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
7.2)Create the Identity service API endpoints
注:这里登记的端点均为明文 HTTP,口令和 token 会以明文在网络上传输;非实验环境应在前端启用 TLS 并登记 https 端点。
[root@openstack ~]# openstack endpoint create --region RegionOne identity public http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 9455f80c88cb4a188febacde56aaaff0 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.100.120:5000/v3   |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne identity internal http://192.168.100.120:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 24c58182056a493a801d3717ed287d07 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.100.120:5000/v3   |
+--------------+----------------------------------+
[root@openstack ~]# openstack endpoint create --region RegionOne identity admin http://192.168.100.120:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 7e71ee55d7614341837c07d4552b29f7 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | de06d252af684090b3568cac0f65cbb8 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.100.120:35357/v3  |
+--------------+----------------------------------+
8.)创建domain projects users 和 roles
8.1)Create the default domain
[root@openstack ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | d68aa40d66034dc89a3b2d896e86477d |
| name        | default                          |
+-------------+----------------------------------+
8.2)创建一个管理项目(project),用户(user)和角色(role)来管理操作当前环境
8.2.1)Create the admin project
[root@openstack ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 505647f0f06e408e9d176da82a6684f1 |
| enabled     | True                             |
| id          | e4f62edc6ed547109768b515be56044a |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.2.2)Create the admin user
注:--password 把口令直接写在命令行上,会留在 shell 历史和进程列表中;可改用 --password-prompt 交互输入(8.4.1 创建 demo 用户时同理)。
[root@openstack ~]# openstack user create --domain default --password admin_passwd admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled   | True                             |
| id        | 6f4087ac3ed341b0855e7dec830cf65d |
| name      | admin                            |
+-----------+----------------------------------+
8.2.3)Create the admin role
[root@openstack ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | b3b1f608b109465bb9b96a4b0320dfdb |
| name      | admin                            |
+-----------+----------------------------------+
8.2.4)Add the admin role to the admin project and user
[root@openstack ~]# openstack role add --project admin --user admin admin
8.3)Create the service project
[root@openstack ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 505647f0f06e408e9d176da82a6684f1 |
| enabled     | True                             |
| id          | 51600729375b45b480ad7d0d7b0e8a3c |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.4) Create the demo project
[root@openstack ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 505647f0f06e408e9d176da82a6684f1 |
| enabled     | True                             |
| id          | a66c04b887774bca86161003fdb4a33a |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 505647f0f06e408e9d176da82a6684f1 |
+-------------+----------------------------------+
8.4.1) Create the demo user
[root@openstack ~]# openstack user create --domain default --password demo_passwd demo
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 505647f0f06e408e9d176da82a6684f1 |
| enabled   | True                             |
| id        | d5b1553154e942d6b513f8c706bf374f |
| name      | demo                             |
+-----------+----------------------------------+
8.4.2)Create the demo role
[root@openstack ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 242935dcb84840fb9f127f27ffd5e765 |
| name      | user                             |
+-----------+----------------------------------+
8.4.3)Add the user role to the demo project and user
[root@openstack ~]# openstack role add --project demo --user demo user
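9.)验证操作
注:下面的 unset 只清除当前 shell 中的环境变量,keystone.conf 里的 admin_token 仍然有效;引导完成后应删除该配置项,并从 keystone 的 paste 管道中去掉 admin_token_auth,否则持有该值的人仍可不经正常认证以管理员身份调用 API。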
[root@openstack ~]# unset OS_TOKEN OS_URL
[root@openstack ~]# openstack \
--os-auth-url http://192.168.100.120:35357/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name admin \
--os-username admin \
--os-password admin_passwd \
token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-05-26T04:51:35.701908Z |
| id         | gAAAAABXRnLH0FzjXcBrcDEj_GGVMyFCjxH1t4SdAEJyI06vFJAV699czB03nQ-B |
|            | -wn3tzXHjYuJ1Mp5BoYNbj9B0EUsFYlZ1IyYM0EQ6coa7pHsKEVeXVhVTROVOPMmaYZspcnKMhnWwaiWq7OIOAv5YMmUDlYSqSi1ZjqDThqHAq-Z1dhUb6w |
| project_id | e4f62edc6ed547109768b515be56044a |
| user_id    | 6f4087ac3ed341b0855e7dec830cf65d |
+------------+----------------------------------------------------------------------------------------------------------------------------+
[root@openstack ~]# openstack \
--os-auth-url http://192.168.100.120:5000/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name admin \
--os-username admin \
--os-password admin_passwd \
token issue
+------------+----------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+----------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-05-26T04:53:35.489593Z |
| id         | gAAAAABXRnM_CMNnU2fc8gFUnM9Fj3Ooxr4RwnYG4gUXvsZQPOUVDweCGldl8f1WkB4xq0u3-uEKEBSIkC- |
|            | WuBGQhRN4S8Nef7Y0FlKohIM3P3HXQnjieMVr1_ze5UovQYsCVWh8-ObQFiK0zNrKSZ0rwwl-TdOygpeUxh8QOyAyyZJeQgmuGMc |
| project_id | e4f62edc6ed547109768b515be56044a |
| user_id    | 6f4087ac3ed341b0855e7dec830cf65d |
+------------+----------------------------------------------------------------------------------------------------------------------------+
10.)创建admin环境变量
注:admin-openrc 中含明文管理员口令,建议创建后执行 chmod 600 admin-openrc,仅允许属主读取。
[root@openstack ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_passwd
export OS_AUTH_URL=http://192.168.100.120:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
10.1)校验
[root@openstack ~]# . admin-openrc
[root@openstack ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 6f4087ac3ed341b0855e7dec830cf65d | admin |
| d5b1553154e942d6b513f8c706bf374f | demo  |
+----------------------------------+-------+
本文出自 “命运.” 博客,请务必保留此出处http://hypocritical.blog.51cto.com/3388028/1788392