OpenStack kilo版(2) keystone部署

部署在controller节点

配置数据库

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 se)

MariaDB [(none)]> flush privileges ;
Query OK, 0 rows affected (0.00 sec)

安装keystone

KeyStone服务的监听端口是5000和35357，配置Apache HTTP服务监听这两个端口，为了避免端口冲突，禁止KeyStone开机自启动：

root@controller:~# echo "manual" > /etc/init/keystone.override

安装keystone及相关软件包：

root@controller:~# apt-get install keystone python-openstackclient apache2 libapache2-mod-wsgi memcached python-memcache

生成admin token ：

root@controller:~# openssl rand -hex 10
38b35fc6a494b91f56cc

配置keystone

配置文件：/etc/keystone/keystone.conf

root@controller:~# vi /etc/keystone/keystone.conf
#[default]部分，配置初始admin_token
[DEFAULT]
verbose = True
admin_token = 38b35fc6a494b91f56cc 

#[database]部分，配置数据库连接
[database]
connection = mysql://keystone:keystone@controller/keystone

#[memcache]部分，配置memcache服务
[memcache]
servers = 127.0.0.1:11211

#[revoke] 部分，配置SQL的撤回驱动
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke

#[token]部分，配置UUID令牌的提供者和memcached的持久化驱动
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token

初始化keystone数据库：

root@controller:~# su -s /bin/sh -c "keystone-manage db_sync" keystone

配置keystone的apache2接口

apache2.conf添加：

root@controller:~# vi /etc/apache2/apache2.conf
ServerName controller

创建/etc/apache2/sites-available/wsgi-keystone.conf文件，添加如下内容：

Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /var/www/cgi-bin/keystone/main
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /var/www/cgi-bin/keystone/admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    LogLevel info
    ErrorLog /var/log/apache2/keystone-error.log
    CustomLog /var/log/apache2/keystone-access.log combined
</VirtualHost>

启用身份认证服务的虚拟主机：

root@controller:~# ln -s /etc/apache2/sites-available/wsgi-keystone.conf /etc/apache2/sites-enabled/

为WSGI组件创建目录结构：

root@controller:~# mkdir -p /var/www/cgi-bin/keystone

WSGI组件：

root@controller:~# vi /var/www/cgi-bin/keystone/admin
import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)

root@controller:~# vi /var/www/cgi-bin/keystone/main
import os
from keystone.server import wsgi as wsgi_server
name = os.path.basename(__file__)
application = wsgi_server.initialize_application(name)

设置目录权限，并重启apache2：

root@controller:~# chown -R keystone:keystone /var/www/cgi-bin/keystone
root@controller:~# chmod 755 /var/www/cgi-bin/keystone/*
root@controller:~# service apache2 restart
 * Restarting web server apache2                                                                                                 [ OK ] 

删除ubuntu默认创建的SQLite数据库：

root@controller:~# rm -f /var/lib/keystone/keystone.db

配置服务实体与API端点

设置临时环境变量，校验令牌、端点URL：

root@controller:~# export OS_TOKEN=38b35fc6a494b91f56cc 
root@controller:~# export OS_URL=http://controller:35357/v2.0

为认证服务创建服务实体：

root@controller:~# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 6a5ef8cc6d7146b49a09c2b5a250d98c |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

配置认证服务的API端点：

root@controller:~# openstack endpoint create --publicurl http://controller:5000/v2.0 --internalurl http://controller:5000/v2.0 --adminurl http://controller:35357/v2.0 --region RegionOne identity
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| adminurl     | http://controller:35357/v2.0     |
| id           | 4f9a0e3b90d843b88e7585a799db18ea |
| internalurl  | http://controller:5000/v2.0      |
| publicurl    | http://controller:5000/v2.0      |
| region       | RegionOne                        |
| service_id   | 6a5ef8cc6d7146b49a09c2b5a250d98c |
| service_name | keystone                         |
| service_type | identity                         |
+--------------+----------------------------------+

创建项目（租户）、用户和角色

创建admin租户：

root@controller:~# openstack project create --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| enabled     | True                             |
| id          | 89254dc0494c4f15936f0f762ff050eb |
| name        | admin                            |
+-------------+----------------------------------+

创建admin用户：

root@controller:~# openstack user create --password-prompt admin
User Password:admin
Repeat User Password:admin
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | a9806b1ab70046a3b70b8c06f7f3ec82 |
| name     | admin                            |
| username | admin                            |
+----------+----------------------------------+

创建admin角色：

root@controller:~# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | f0b9e3c9be924357bf8e918dbc2faf91 |
| name  | admin                            |
+-------+----------------------------------+

添加admin角色到admin租户和用户：

root@controller:~# openstack role add --project admin --user admin admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | f0b9e3c9be924357bf8e918dbc2faf91 |
| name  | admin                            |
+-------+----------------------------------+

创建服务项目

为其他的OpenStack服务创建服务项目：

root@controller:~# openstack project create --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| enabled     | True                             |
| id          | 48aa039e42004e3ba6cc3f20852b98b9 |
| name        | service                          |
+-------------+----------------------------------+

创建普通项目和用户

创建demo项目：

root@controller:~# openstack project create --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| enabled     | True                             |
| id          | adc9030ca7d64a8994fb4ac66dbe5424 |
| name        | demo                             |
+-------------+----------------------------------+

创建demo用户：

root@controller:~# openstack user create --password-prompt demo
User Password:demo
Repeat User Password:demo
+----------+----------------------------------+
| Field    | Value                            |
+----------+----------------------------------+
| email    | None                             |
| enabled  | True                             |
| id       | d7f9819344a948139df33094deafb8a6 |
| name     | demo                             |
| username | demo                             |
+----------+----------------------------------+

创建user角色：

root@controller:~# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 7154d51117a74ec091b475cc7386fad7 |
| name  | user                             |
+-------+----------------------------------+

添加user角色到demo租户和用户：

root@controller:~# openstack role add --project demo --user demo user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 7154d51117a74ec091b475cc7386fad7 |
| name  | user                             |
+-------+----------------------------------+

其他

基于安全的原因，禁止校验令牌的机制
1、编辑 vi /etc/keystone/keystone-paste.ini：

移除 admin_token_auth从 [pipeline:public_api], [pipeline:admin_api], 和 [pipeline:api_v3] 部分

[pipeline:public_api]
pipeline = …
[pipeline:admin_api]
pipeline = …
[pipeline:api_v3]
pipeline = …

2、取消设置的操作系统环境变量：

root@controller:~# unset OS_TOKEN OS_URL

3、admin脚本，/root/admin-openrc.sh：

export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://$(hostname):35357/v3
export OS_IMAGE_API_VERSION=2
export OS_VOLUME_API_VERSION=2
export OS_REGION_NAME=RegionOne
export OS_COMPUTE_API_VERSION=3
export OS_IDENTITY_API_VERSION=2