Deployed on the controller node
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'127.0.0.1' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges ;
Query OK, 0 rows affected (0.00 sec)
Keystone listens on ports 5000 and 35357, and the Apache HTTP server will be configured to serve these two ports. To avoid a port conflict, prevent the Keystone service from starting automatically at boot:
root@controller:~# echo "manual" > /etc/init/keystone.override
Install keystone and the related packages:
root@controller:~# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache
Generate an admin token:
root@controller:~# openssl rand -hex 10
38b35fc6a494b91f56cc
Configuration file: /etc/keystone/keystone.conf
root@controller:~# vi /etc/keystone/keystone.conf
# [DEFAULT] section: set the initial admin_token
[DEFAULT]
verbose = True
admin_token = 38b35fc6a494b91f56cc
# [database] section: configure the database connection
[database]
connection = mysql://keystone:keystone@controller/keystone
# [memcache] section: configure the memcache server
[memcache]
servers = 127.0.0.1:11211
# [revoke] section: configure the SQL revocation driver
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
# [token] section: configure the UUID token provider and the token persistence driver (SQL backend here)
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token
Initialize the keystone database:
root@controller:~# su -s /bin/sh -c "keystone-manage db_sync" keystone
Add the following to apache2.conf:
root@controller:~# vi /etc/apache2/apache2.conf
ServerName controller
Create the file /etc/apache2/sites-available/wsgi-keystone.conf with the following content:
Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
Enable the Identity service virtual hosts:
root@controller:~# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled
Create the directory structure for the WSGI components:
root@controller:~# mkdir -p /var/www/cgi-bin/keystone
WSGI components:
root@controller:~# vi /var/www/cgi-bin/keystone/admin
import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)
root@controller:~# vi /var/www/cgi-bin/keystone/main
import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)
Set the directory permissions and restart apache2:
root@controller:~# chown -R keystone:keystone /var/www/cgi-bin/keystone
root@controller:~# chmod 755 /var/www/cgi-bin/keystone/*
root@controller:~# service apache2 restart
 * Restarting web server apache2                                    [ OK ]
Delete the SQLite database that the Ubuntu package creates by default:
root@controller:~# rm -f /var/lib/keystone/keystone.db
Set temporary environment variables for the bootstrap token and the endpoint URL (ADMIN_TOKEN stands for the admin_token value configured above):
root@controller:~# export OS_TOKEN=ADMIN_TOKEN
root@controller:~# export OS_URL=http://controller:35357/v2.0
Create the service entity for the Identity service:
root@controller:~# openstack service create --name keystone --description "OpenStack Identity" identity
Configure the Identity service API endpoint:
root@controller:~# openstack endpoint create --publicurl http://controller:5000/v2.0 --internalurl http://controller:5000/v2.0 --adminurl http://controller:35357/v2.0 --region RegionOne identity
Create the admin tenant:
root@controller:~# openstack project create --description "Admin Project" admin
Create the admin user:
root@controller:~# openstack user create --password-prompt admin
User Password:admin
Repeat User Password:admin
Create the admin role:
root@controller:~# openstack role create admin
Add the admin role to the admin tenant and user:
root@controller:~# openstack role add --project admin --user admin admin
Create the service project used by the other OpenStack services:
root@controller:~# openstack project create --description "Service Project" service
Create the demo project:
root@controller:~# openstack project create --description "Demo Project" demo
Create the demo user:
root@controller:~# openstack user create --password-prompt demo
User Password:demo
Repeat User Password:demo
Create the user role (for the demo user):
root@controller:~# openstack role create user
Add the user role to the demo tenant and user:
root@controller:~# openstack role add --project demo --user demo user
For security reasons, disable the temporary token authentication mechanism once the bootstrap is done:
edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections, then drop the bootstrap variables.
root@controller:~# unset OS_TOKEN OS_URL
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://$(hostname):35357/v3
export OS_IMAGE_API_VERSION=2
export OS_VOLUME_API_VERSION=2
export OS_REGION_NAME=RegionOne
export OS_COMPUTE_API_VERSION=3
export OS_IDENTITY_API_VERSION=2
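The hardening step above (removing admin_token_auth from the three pipelines in keystone-paste.ini) is easy to forget or to do only partially. The following is an added example, not code from the original post or from Keystone itself: it checks a paste.ini text for pipelines that still carry the filter and produces the hardened text. The sample ini content is constructed inline; on a real controller you would read /etc/keystone/keystone-paste.ini instead.

```python
import configparser
from typing import List

# Constructed sample of the relevant sections of /etc/keystone/keystone-paste.ini
# before hardening (a real file carries many more [filter:...] definitions).
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension service_v3
"""

# The three pipelines the guide says must no longer carry the bootstrap filter.
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
FILTER = "admin_token_auth"


def pipelines_with_admin_token(ini_text: str) -> List[str]:
    """Names of the checked pipelines that still include admin_token_auth."""
    cp = configparser.RawConfigParser()  # no '%' interpolation in paste files
    cp.read_string(ini_text)
    return [
        section
        for section in PIPELINES
        if cp.has_section(section)
        and FILTER in cp.get(section, "pipeline", fallback="").split()
    ]


def remove_admin_token_auth(ini_text: str) -> str:
    """Drop admin_token_auth from the checked pipelines only, editing line by
    line so comments, ordering and the other sections are left untouched."""
    out, current = [], None
    for line in ini_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            current = stripped[1:-1]
        elif current in PIPELINES and stripped.startswith("pipeline"):
            key, _, value = line.partition("=")
            filters = [f for f in value.split() if f != FILTER]
            line = f"{key.strip()} = {' '.join(filters)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

The [filter:admin_token_auth] definition itself is deliberately kept, as the guide only asks for the filter to be taken out of the pipelines; an empty result from pipelines_with_admin_token on the live file is the check to run before handing the controller over.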
Original article: https://www.cnblogs.com/wshenjin/p/11365916.html