3.安装OpenStack-keystone

安装keystone（控制器上安装）

使用root用户访问数据库

mysql -uroot -ptoyo123
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' 
  IDENTIFIED BY 'toyo123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' 
  IDENTIFIED BY 'toyo123';
exit

生成令牌 后面会用到的需要记住

openssl rand -hex 10

4f0f715c2cdcce1bb59e

安装keystone程序包

       

yum install –y openstack-keystone python-keystoneclient

启动memcached服务并将其配置为开机自启动

    

systemctl enable memcached.service
systemctl start memcached.service

编辑/etc/keystone/keystone.conf文件

       

mv /etc/keystone/keystone.conf /etc/keystone/keystone.conf_bak
vim /etc/keystone/keystone.conf
   
[DEFAULT]
   
admin_token     = 4f0f715c2cdcce1bb59e
   
log_dir = /var/log/keystone
   
verbose = True
   
 
   
[database]
   
connection = mysql://keystone:toyo123@controller/keystone
   
 
   
[memcache]
   
servers = localhost:11211
   
 
   
[token]
   
provider = keystone.token.providers.uuid.Provider
   
driver =     keystone.token.persistence.backends.sql.Token
    
   
[revoke]
   
driver = keystone.contrib.revoke.backends.sql.Revoke

创建通用的证书和密钥，并限制访问相关的文件与填充身份服务数据库

keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /var/log/keystone
chown -R keystone:keystone /etc/keystone/ssl
chmod -R o-rwx /etc/keystone/ssl
su -s /bin/sh -c "keystone-manage db_sync" keystone

启动身份服务并将其配置为开机自启动      

systemctl enable openstack-keystone.service
systemctl start openstack-keystone.service

我建议您使用 cron的配置周期性任务是清除过期令牌小时： 

(crontab -l -u keystone 2>&1 | grep -q token_flush) || 
  echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' 
  >> /var/spool/cron/keystone

配置系统环境

export OS_SERVICE_TOKEN=4f0f715c2cdcce1bb59e
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

创建租户，用户和角色

keystone tenant-create --name admin --description "Admin Tenant"
keystone user-create --name admin --pass Abcd1234 --email test@test.com
keystone role-create --name admin
keystone user-role-add --user admin --tenant admin --role admin

创建演示租户和用户环境与服务租户

keystone tenant-create --name demo --description "Demo Tenant"
keystone user-create --name demo --tenant demo --pass Abcd1234 --email test@test.com
keystone user-role-add --user demo -—tenant demo --role demo
keystone tenant-create --name service --description "Service Tenant"

 

创建服务实体和API端点

keystone service-create --name keystone --type identity 
  --description "OpenStack Identity"
keystone endpoint-create 
  --service-id $(keystone service-list | awk '/ identity / {print $2}') 
  --publicurl http://controller:5000/v2.0 
  --internalurl http://controller:5000/v2.0 
  --adminurl http://controller:35357/v2.0 
  --region regionOne

 

取消设置临时的临时OS_SERVICE_TOKEN和 OS_SERVICE_ENDPOINT环境变量：

不要取消环境变量可能会造成一些问题,这里只是告诉大家怎么取消

unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT

 

验证keystone：

           

keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 
  --os-auth-url http://controller:35357/v2.0 token-get
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 
  --os-auth-url http://controller:35357/v2.0 tenant-list
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 
  --os-auth-url http://controller:35357/v2.0 user-list
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 
  --os-auth-url http://controller:35357/v2.0 role-list
keystone --os-tenant-name demo --os-username demo --os-password Abcd1234 
  --os-auth-url http://controller:35357/v2.0 token-get
keystone --os-tenant-name demo --os-username demo --os-password Abcd1234 
  --os-auth-url http://controller:35357/v2.0 user-list