最後更新: 2014/09/29
Identity Service
安裝有關的包:
controller:
# Controller node: the Keystone service itself plus the CLI client.
yum install openstack-keystone python-keystoneclient
compute:
# Compute node: only the client library is needed to talk to Keystone.
yum install python-keystoneclient
controller 設定 mysql:
# Create the Keystone database and a dedicated MySQL account for it.
mysql -u root -p
mysql> CREATE DATABASE keystone;
# Replace KEYSTONE_DBPASS with a strong, unique password. It is written in
# clear text into /etc/keystone/keystone.conf by the [database] connection
# setting below, so that file must stay readable only by root and keystone.
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
# NOTE(review): '%' lets this account log in from ANY host. Only Keystone on
# the controller uses this database (it connects to controller_pri, see the
# connection URL below), so restrict the grant to the controller's address
# instead of '%'.
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> flush privileges;
mysql> exit
設定 openstack config:
[database]  <-- section name in keystone.conf
connection  <-- option (key) inside that section
# keystone.conf: point Keystone at its database and pick the interface each
# API listener binds to. The connection URL embeds the DB password in clear
# text, so keep this file readable only by root and the keystone user.
KEYSTONE_CONF=/etc/keystone/keystone.conf
openstack-config --set "$KEYSTONE_CONF" database connection mysql://keystone:KEYSTONE_DBPASS@controller_pri/keystone
# Admin API (35357) listens on the private address only; the public API
# (5000) on the public address.
openstack-config --set "$KEYSTONE_CONF" DEFAULT admin_bind_host controller_pri
openstack-config --set "$KEYSTONE_CONF" DEFAULT public_bind_host controller_pub
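# Create the tables. Run as the keystone user (not root) so anything it writes
# (e.g. its log under /var/log/keystone) is not left root-owned.
su -s /bin/sh -c "keystone-manage db_sync" keystone
# Bootstrap admin token. This is a shared secret that bypasses ALL
# authentication and authorization on the admin API, so it is generated
# randomly rather than chosen by hand.
ADMIN_TOKEN=$(openssl rand -hex 10)
# Deliberately not echoed: the value is used from $ADMIN_TOKEN in this shell
# below, and printing it leaves a root-equivalent secret in the terminal
# scrollback / session log. Uncomment only if you must carry it elsewhere.
# echo "$ADMIN_TOKEN"
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token "$ADMIN_TOKEN"
# NOTE(review): once the admin user/role exist (created below), disable this
# bypass — in this release that means removing the admin_token_auth filter
# from the pipelines in /etc/keystone/keystone-paste.ini — otherwise the
# admin_token line in keystone.conf stays a permanent root-equivalent credential.
# By default, Keystone uses PKI tokens. Create the signing keys and certificates and restrict access to the generated data
keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
chown -R keystone:keystone /etc/keystone/ssl
chmod -R o-rwx /etc/keystone/ssl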
Service Auto Start:
# Enable Keystone at boot, then start it now.
chkconfig openstack-keystone on
service openstack-keystone start
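# Purge expired tokens every hour (they otherwise accumulate in the database).
# The original checked for an existing job with grep -q but discarded the
# result and appended unconditionally, so every re-run of these notes added a
# duplicate cron line. Only append when keystone's crontab lacks token_flush.
(crontab -l -u keystone 2>&1 | grep -q token_flush) \
  || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone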
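# Bootstrap users, tenants and roles with the admin token. While these two
# variables are exported, every keystone command in this shell runs with full
# admin-API rights and no authentication, over plain HTTP. Unset them as soon
# as the admin user exists (done in the verification step further down).
export OS_SERVICE_TOKEN=$ADMIN_TOKEN
export OS_SERVICE_ENDPOINT=http://controller_pri:35357/v2.0
# Fill these in before running. They are quoted at the point of use so a
# password containing spaces or shell metacharacters is passed through intact.
ADMIN_PASS=????
ADMIN_EMAIL=???@???
# admin user. --pass puts the password on the command line, where it is
# visible in `ps` and the shell history for the duration of the command.
keystone user-create --name=admin --pass="$ADMIN_PASS" --email="$ADMIN_EMAIL"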
+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | [email protected] | | enabled | True | | id | 065f59bd572c45e59e68b801f32a5ada | | name | admin | | username | admin | +----------+----------------------------------+
# admin role (assigned to the admin user below)
keystone role-create --name=admin
+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 696a43905dad4bac8ef30c2cd7a270a9 | | name | admin | +----------+----------------------------------+
# admin tenant; the admin user is added to it below
keystone tenant-create --name=admin --description="Admin Tenant"
+-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Admin Tenant | | enabled | True | | id | 0e61ba054af84f6f99e52766b6ff441f | | name | admin | +-------------+----------------------------------+
# Remaining tenants: demo for ordinary users, and the service tenant that the
# other OpenStack services' accounts will presumably live in (not shown here).
keystone tenant-create --name=demo --description="Demo Tenant"
keystone tenant-create --name=service --description="Service Tenant"
# Link the admin user to the admin tenant with the admin role.
keystone user-role-add --user admin --tenant admin --role admin
# By default, the Identity Service creates a special _member_ role.
# The OpenStack dashboard automatically grants access to users with this role,
# so give it to admin as well.
keystone user-role-add --user admin --tenant admin --role _member_
Define services and API endpoints
# Create a service entry for the Identity Service:
# (the endpoint-create below looks this entry up by its type, "identity")
keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
+-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | OpenStack Identity | | enabled | True | | id | 19843c7de26b426bb6e808d983bed7ef | | name | keystone | | type | identity | +-------------+----------------------------------+
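# Register the three Identity endpoints. Look the service id up first and
# abort if it is empty: in the original an unquoted inline $(...) meant a
# failed service-list silently produced --service-id= and a bogus endpoint.
IDENTITY_SVC_ID=$(keystone service-list | awk '/ identity / {print $2}')
: "${IDENTITY_SVC_ID:?identity service not found in 'keystone service-list'}"
# NOTE(review): all three URLs are plain http, so passwords and tokens cross
# the network unencrypted; outside a lab, put TLS in front of both ports.
# The admin URL deliberately stays on the private address (controller_pri).
keystone endpoint-create \
  --service-id="$IDENTITY_SVC_ID" \
  --publicurl=http://controller_pub:5000/v2.0 \
  --internalurl=http://controller_pri:5000/v2.0 \
  --adminurl=http://controller_pri:35357/v2.0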
+-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | adminurl | http://controller_pri:35357/v2.0 | | id | 7a4e7311c6c2410e90b97381e6fc158b | | internalurl | http://controller_pri:5000/v2.0 | | publicurl | http://controller_pub:5000/v2.0 | | region | regionOne | | service_id | 19843c7de26b426bb6e808d983bed7ef | +-------------+----------------------------------+
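# Verify the Identity Service installation
# Drop the bootstrap token first so the checks below really exercise password
# authentication instead of the admin-token bypass.
unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
# name-based authentication ( your user account is established with the expected credentials )
# Uses the ADMIN_PASS variable set earlier; the original had the literal
# placeholder ADMIN_PASS here, which can never authenticate. --os-password
# exposes the value in `ps` and history; the openrc file further down keeps it
# out of the process argument list.
keystone --os-username=admin --os-password="$ADMIN_PASS" \
  --os-auth-url=http://controller_pri:35357/v2.0 token-get
# authorization behaves as expected (on a tenant)
# Same admin endpoint as everywhere else on this page (the original said plain
# "controller" here, which only works if that name also resolves).
keystone --os-username=admin --os-password="$ADMIN_PASS" \
  --os-tenant-name=admin \
  --os-auth-url=http://controller_pri:35357/v2.0 token-get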
失敗時會見到:
The request you have made requires authentication. (HTTP 401)
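# admin-openrc.sh stores the admin password in clear text. The original
# sourced the file before creating it and had all four exports collapsed onto
# one line; here the file is written first, with owner-only permissions from
# the moment it exists, and only then sourced. Replace ADMIN_PASS with the real
# admin password before running.
(
  umask 077
  cat > admin-openrc.sh <<'EOF'
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller_pri:35357/v2.0
EOF
)
chmod 400 admin-openrc.sh
source admin-openrc.sh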
# With the variables above exported the client needs no flags: this must
# return a token (expires / id / tenant_id / user_id).
keystone token-get
Property | Value | expires | id | tenant_id | user_id
有關 cmd:
# List users; only admin exists at this point.
keystone user-list
+----------------------------------+-------+---------+---------------------------+ | id | name | enabled | email | +----------------------------------+-------+---------+---------------------------+ | 065f59bd572c45e59e68b801f32a5ada | admin | True | [email protected] | +----------------------------------+-------+---------+---------------------------+
# Roles admin holds in the admin tenant: expect both admin and _member_.
keystone user-role-list --user admin --tenant admin
+----------------------------------+----------+----------------------------------+----------------------------------+ | id | name | user_id | tenant_id | +----------------------------------+----------+----------------------------------+----------------------------------+ | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 065f59bd572c45e59e68b801f32a5ada | 0e61ba054af84f6f99e52766b6ff441f | | 696a43905dad4bac8ef30c2cd7a270a9 | admin | 065f59bd572c45e59e68b801f32a5ada | 0e61ba054af84f6f99e52766b6ff441f | +----------------------------------+----------+----------------------------------+----------------------------------+
# Registered services; only identity so far.
keystone service-list
+----------------------------------+----------+----------+--------------------+ | id | name | type | description | +----------------------------------+----------+----------+--------------------+ | 19843c7de26b426bb6e808d983bed7ef | keystone | identity | OpenStack Identity | +----------------------------------+----------+----------+--------------------
Configure File
/etc/keystone/keystone.conf
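[DEFAULT]
# A "shared secret" that can be used to bootstrap Keystone.
# Root-equivalent credential: anyone who can read this file can administer
# Keystone. Keep keystone.conf readable only by root and the keystone user,
# and disable the token once the admin user exists.
admin_token = ???????????????????
# 0.0.0.0 binds the listener on every interface. These notes instead set
# public_bind_host = controller_pub and admin_bind_host = controller_pri (see
# the openstack-config commands above) so the admin API is not reachable on
# the public address.
public_bind_host=0.0.0.0
public_port=5000
# for the admin service
admin_bind_host=0.0.0.0
admin_port=35357
compute_port=8774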
Command
keystone help
keystone help <command>
keystone [options] <command> [command-options]
# --os-token / --os-endpoint: command-line equivalents of the OS_SERVICE_TOKEN / OS_SERVICE_ENDPOINT bootstrap variables used above (admin-token auth, no password; avoid outside of bootstrapping)
subcommand:
service:
service-get
service-create
service-delete
service-list