Install Keystone (on the controller node)
Access the database as the root user
mysql -uroot -ptoyo123
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'toyo123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'toyo123';
exit
Generate a token. It is used later, so make a note of it
openssl rand -hex 10
4f0f715c2cdcce1bb59e
Install the Keystone packages
yum install -y openstack-keystone python-keystoneclient
Start the memcached service and configure it to start at boot
systemctl enable memcached.service
systemctl start memcached.service
Edit the /etc/keystone/keystone.conf file
mv /etc/keystone/keystone.conf /etc/keystone/keystone.conf_bak
vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 4f0f715c2cdcce1bb59e
log_dir = /var/log/keystone
verbose = True
[database]
connection = mysql://keystone:toyo123@controller/keystone
[memcache]
servers = localhost:11211
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
Create generic certificates and keys, restrict access to the related files, and populate the Identity service database
keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /var/log/keystone
chown -R keystone:keystone /etc/keystone/ssl
chmod -R o-rwx /etc/keystone/ssl
su -s /bin/sh -c "keystone-manage db_sync" keystone
Start the Identity service and configure it to start at boot
systemctl enable openstack-keystone.service
systemctl start openstack-keystone.service
I recommend using cron to configure a periodic task that purges expired tokens hourly:
(crontab -l -u keystone 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone
Configure the environment
export OS_SERVICE_TOKEN=4f0f715c2cdcce1bb59e
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
Create the tenant, user and role
keystone tenant-create --name admin --description "Admin Tenant"
keystone user-create --name admin --pass Abcd1234 --email test@test.com
keystone role-create --name admin
keystone user-role-add --user admin --tenant admin --role admin
Create the demo tenant and user, and the service tenant
keystone tenant-create --name demo --description "Demo Tenant"
keystone user-create --name demo --tenant demo --pass Abcd1234 --email test@test.com
keystone user-role-add --user demo --tenant demo --role demo
keystone tenant-create --name service --description "Service Tenant"
Create the service entity and API endpoint
keystone service-create --name keystone --type identity \
  --description "OpenStack Identity"
keystone endpoint-create \
  --service-id $(keystone service-list | awk '/ identity / {print $2}') \
  --publicurl http://controller:5000/v2.0 \
  --internalurl http://controller:5000/v2.0 \
  --adminurl http://controller:35357/v2.0 \
  --region regionOne
Unset the temporary OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT environment variables:
Do not unset the environment variables, as doing so may cause some problems; this only shows how to unset them
unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
Verify Keystone:
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 --os-auth-url http://controller:35357/v2.0 token-get
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 --os-auth-url http://controller:35357/v2.0 tenant-list
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 --os-auth-url http://controller:35357/v2.0 user-list
keystone --os-tenant-name admin --os-username admin --os-password Abcd1234 --os-auth-url http://controller:35357/v2.0 role-list
keystone --os-tenant-name demo --os-username demo --os-password Abcd1234 --os-auth-url http://controller:35357/v2.0 token-get
keystone --os-tenant-name demo --os-username demo --os-password Abcd1234 --os-auth-url http://controller:35357/v2.0 user-list
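A check that can follow the steps above, as an added example that is not part of the original post: the keystone.conf written earlier holds both admin_token and the database password, and a file newly created as root under the common umask 022 is left mode 644. The function names, finding labels and sample values below are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit a keystone.conf such as the one written in the steps above.
# Function names, finding labels and the sample values are constructed.

write_sample_conf() {   # constructed sample mirroring the layout used above
    cat > "$1" <<'EOF'
[DEFAULT]
admin_token = EXAMPLE_TOKEN
log_dir = /var/log/keystone
[database]
connection = mysql://keystone:EXAMPLE_PASS@controller/keystone
EOF
}

audit_keystone_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "ERROR cannot read $conf"; return 2; }
    # Walk the INI file, tracking the current [section]; list options holding secrets.
    secrets=$(awk '
        /^[ \t]*[#;]/       { next }                       # comment line
        /^[ \t]*\[/         { sub(/^[ \t]*\[/, ""); sub(/\].*$/, ""); sec = $0; next }
        index($0, "=") == 0 { next }                       # not a key = value line
        {
            key = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", key)
            val = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", val)
        }
        sec == "DEFAULT"  && key == "admin_token" && val != ""                 { print "admin_token" }
        sec == "database" && key == "connection"  && val ~ "://[^:/@]+:[^@]+@" { print "db_password" }
    ' "$conf")

    case "$secrets" in
        *admin_token*) echo "ADMIN_TOKEN_SET bootstrap admin_token is still present in [DEFAULT]" ;;
    esac
    # Characters 8-10 of the ls mode string are the permission bits for "other".
    other=$(ls -ld "$conf" | cut -c8-10)
    if [ -n "$secrets" ] && [ "$other" != "---" ]; then
        echo "SECRETS_WORLD_ACCESSIBLE other='$other' on a file holding: $(echo $secrets)"
    fi
}

# With a path argument, audit that file; otherwise run on the constructed sample.
if [ $# -gt 0 ]; then
    audit_keystone_conf "$1"
else
    tmp=$(mktemp); write_sample_conf "$tmp"; chmod 644 "$tmp"
    audit_keystone_conf "$tmp"; rm -f "$tmp"
fi
```

On the controller, pass /etc/keystone/keystone.conf as the argument. Ownership root:keystone with mode 640 clears the second finding while leaving the file readable by the service.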