In the previous chapters we set up the basic environment, installed the keystone service and created the keystone database. In this one we cover how to configure keystone.
First edit the keystone configuration; the following settings need to change.
Edit /etc/keystone/keystone.conf:
[database]
# ...
connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
[token]
# ...
provider = fernet
Populate the keystone database (schema sync):
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
Verify that the sync succeeded; if it did, the output should look like this:
[root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| nonlocal_user          |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| user_option            |
| whitelisted_config     |
+------------------------+
Initialize the Fernet key repositories:
[root@linux-node1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@linux-node1 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Verify the initialization: if two files have appeared under fernet-keys and credential-keys, it succeeded.
[root@linux-node1 ~]# cd /etc/keystone/
[root@linux-node1 keystone]# tree fernet-keys/
fernet-keys/
├── 0
└── 1

0 directories, 2 files
[root@linux-node1 keystone]# tree credential-keys/
credential-keys/
├── 0
└── 1

0 directories, 2 files
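Beyond "two files exist", a defender also wants the key repository to be unreadable by anyone but the keystone user and each file to hold a real 32-byte key. The following check is an added example (not part of the original post or of keystone itself); the expected modes 0700/0600 and the 32-byte key length are assumptions about what fernet_setup creates, and the sample repository is constructed so the check runs offline.

```python
import base64
import os
import stat
import tempfile

KEY_LEN = 32  # assumption: fernet_setup stores base64.urlsafe_b64encode(os.urandom(32)) per key


def check_key_repository(path, dir_mode=0o700, file_mode=0o600):
    """Return a list of findings; an empty list means the repository looks right.

    Expected layout (as on the page): staged key 0 and primary key 1, nothing else.
    Expected modes are an assumption about fernet_setup: 0700 on the directory and
    0600 on every key, so only the keystone user can read token-signing material.
    """
    findings = []
    actual = stat.S_IMODE(os.stat(path).st_mode)
    if actual != dir_mode:
        findings.append("%s has mode %04o, expected %04o" % (path, actual, dir_mode))
    names = os.listdir(path)
    keys = sorted(int(n) for n in names if n.isdigit())
    if len(keys) != len(names):
        findings.append("non-key entries present: %s" % sorted(n for n in names if not n.isdigit()))
    if keys[:2] != [0, 1]:
        findings.append("expected staged key 0 and primary key 1, found %s" % keys)
    for k in keys:
        fpath = os.path.join(path, str(k))
        actual = stat.S_IMODE(os.stat(fpath).st_mode)
        if actual != file_mode:
            findings.append("%s has mode %04o, expected %04o" % (fpath, actual, file_mode))
        with open(fpath, "rb") as fh:
            raw = fh.read().strip()
        try:
            if len(base64.urlsafe_b64decode(raw)) != KEY_LEN:
                findings.append("%s does not hold a %d-byte key" % (fpath, KEY_LEN))
        except ValueError:  # binascii.Error is a subclass of ValueError
            findings.append("%s is not valid urlsafe base64" % fpath)
    return findings


def make_sample_repository(file_mode=0o600, extra=()):
    """Constructed sample repository (random keys 0 and 1) so the check can run offline."""
    path = tempfile.mkdtemp(prefix="fernet-keys-")  # mkdtemp creates the directory 0700
    for k in (0, 1):
        fpath = os.path.join(path, str(k))
        with open(fpath, "wb") as fh:
            fh.write(base64.urlsafe_b64encode(os.urandom(KEY_LEN)))
        os.chmod(fpath, file_mode)
    for name in extra:  # a stray file that should not be in the repository
        open(os.path.join(path, name), "w").close()
    return path
```

Run it against /etc/keystone/fernet-keys and /etc/keystone/credential-keys on the node; anything it reports is worth fixing before the keys are used to sign tokens.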
Bootstrap the keystone service (this creates the admin user and the identity endpoints):
keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://192.168.56.11:35357/v3/ \
--bootstrap-internal-url http://192.168.56.11:5000/v3/ \
--bootstrap-public-url http://192.168.56.11:5000/v3/ \
--bootstrap-region-id RegionOne
Because keystone runs under the httpd service, configure httpd.conf:
[root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf
# line 96: ServerName 192.168.56.11:80
Create the symlink for the keystone WSGI configuration:
[root@linux-node1 keystone]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Start httpd and enable it at boot:
[root@linux-node1 httpd]# systemctl start httpd
[root@linux-node1 httpd]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
Also enable rabbitmq and the database, which were missed earlier, to start at boot:
[root@linux-node1 httpd]# systemctl enable rabbitmq-server mariadb
Configure the admin user's environment variables:
[root@linux-node1 ~]# cat admin-openstack.sh
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
Install the OpenStack client:
[root@linux-node1 ~]# yum install python-openstackclient openstack-selinux -y
In this document, each service gets a service project that contains only that service's own user. Create the service project now:
# Source the admin environment variables first
[root@linux-node1 ~]# source admin-openstack.sh
openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 773e022475654ab0a4fbbfd66dec62bd |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
[root@linux-node1 ~]#
Ordinary tasks should use an unprivileged project and user. Create the demo (non-admin) project and user now:
openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 1d5b969df6da43e69e4a956297404f5c |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
Create the demo user:
openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 291f02337e514343a09a92932a86fd22 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
Create the user role:
[root@linux-node1 ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 8996a91ed1214d82b107ca0e9aa94b15 |
| name      | user                             |
+-----------+----------------------------------+
Assign the user role to the demo user in the demo project:
[root@linux-node1 ~]# openstack role add --project demo --user demo user
[root@linux-node1 ~]#
Verify the operations above.
First unset the OS_AUTH_URL and OS_PASSWORD environment variables:
[root@linux-node1 ~]# unset OS_AUTH_URL OS_PASSWORD
Request a token as the admin user:
openstack --os-auth-url http://192.168.56.11:35357/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Password:
+------------+--------------------------------------------------------------+
| Field      | Value                                                        |
+------------+--------------------------------------------------------------+
| expires    | 2018-01-11T07:31:39+0000                                     |
| id         | gAAAAABaVwTLT729scUG7kebG-S6MuXD2Ta9caG-IowiOBR5D4yQhs3xFdZT |
|            | BEFbc-XKSzdpnJxT-J6DeQPy0uIZOExYFReTs_938NpQ5CWl_AzwNn5ZTAKr |
|            | zj41d7_rQX6GYHLWDv4HGJG8_lTp_Ba9N0nsYoDJ13r3pMJ28qgk1KT56T8L |
|            | 9Ys                                                          |
| project_id | fb6761ab3d3d43569d5fdfafcdfa5e28                             |
| user_id    | d010fba89633421a800698b0e5300d50                             |
+------------+--------------------------------------------------------------+
[root@linux-node1 ~]#
Request a token as the demo user:
openstack --os-auth-url http://192.168.56.11:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue
Password:
+------------+--------------------------------------------------------------+
| Field      | Value                                                        |
+------------+--------------------------------------------------------------+
| expires    | 2018-01-11T07:34:04+0000                                     |
| id         | gAAAAABaVwVcKzYPlTB9sg-x21HDgCyCBqujQO4dqDaawlOSBixQFiSnFgRC |
|            | iNx48MsLrLsGmX1o6HqcBOo84xPBy1UQIfUQlNhszd5a_FpkHjY9AK61QTWV |
|            | -AKBCzGUNJzyT7PNzs82ANF1K5dOltTsDVx40pmYMc0C6zXjIjHZsU2yuVLP |
|            | OmY                                                          |
| project_id | 1d5b969df6da43e69e4a956297404f5c                             |
| user_id    | 291f02337e514343a09a92932a86fd22                             |
+------------+--------------------------------------------------------------+
Create the demo user's environment file:
[root@linux-node1 ~]# cat demo-openstack.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
After sourcing the demo environment, openstack token issue issues a token for the demo user directly:
[root@linux-node1 ~]# source demo-openstack.sh
[root@linux-node1 ~]# openstack token issue
+------------+--------------------------------------------------------------+
| Field      | Value                                                        |
+------------+--------------------------------------------------------------+
| expires    | 2018-01-11T07:37:38+0000                                     |
| id         | gAAAAABaVwYysLrhxRdCprzhvU6r1S_kG3qo6bLNxjpq2IX_Ezwg1dAjnqPG |
|            | XHMD5nYzqVyGViZQtJ5pW8IJDv0JN6Y9nT1hDbD-P-BRrhw0ki6eaSgoR0Pi |
|            | ofIK1DmT3EV_RkPWT0Gd_CnEjbJFM6UcNts6E8tVsXku3vJZPG2GmIXcwLlq |
|            | zaM                                                          |
| project_id | 1d5b969df6da43e69e4a956297404f5c                             |
| user_id    | 291f02337e514343a09a92932a86fd22                             |
+------------+--------------------------------------------------------------+
[root@linux-node1 ~]#
Likewise, sourcing the admin environment and running openstack token issue issues a token for the admin user.
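What openstack token issue does with the OS_* variables above is a single Keystone v3 call: POST {OS_AUTH_URL}/auth/tokens with a password-method body scoped to the project, answered by a 201 whose X-Subject-Token header carries the Fernet token and whose JSON body carries scope and expiry. The code below is an added example (not from the original post and not the openstack client's own code); the response is a constructed sample reusing the demo ids from this page, and the token string is a placeholder.

```python
from datetime import datetime, timezone


def build_password_auth(username, password, project_name,
                        user_domain="Default", project_domain="Default"):
    """JSON body for POST {OS_AUTH_URL}/auth/tokens: password auth scoped to a project."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": username, "password": password, "domain": {"name": user_domain}}}},
        "scope": {"project": {"name": project_name, "domain": {"name": project_domain}}},
    }}


def parse_expiry(expires_at):
    """Keystone returns e.g. 2018-01-11T07:34:04.000000Z; turn it into an aware datetime."""
    return datetime.fromisoformat(expires_at.replace("Z", "+00:00"))


def token_is_valid(body, now):
    """True while the token's expires_at still lies in the future relative to `now`."""
    return parse_expiry(body["token"]["expires_at"]) > now


def summarize_token(headers, body, now):
    """Reduce a 201 response to the fields `openstack token issue` prints; refuse an expired one."""
    if not token_is_valid(body, now):
        raise ValueError("token already expired at " + body["token"]["expires_at"])
    token = body["token"]
    return {
        "id": headers["X-Subject-Token"],  # the Fernet token travels only in this header
        "expires": parse_expiry(token["expires_at"]).strftime("%Y-%m-%dT%H:%M:%S%z"),
        "project_id": token["project"]["id"],
        "user_id": token["user"]["id"],
    }


# Constructed sample response for the demo user; the ids match the ones created above,
# the token string is a placeholder rather than a real Fernet token.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAA-CONSTRUCTED-SAMPLE-TOKEN"}
SAMPLE_BODY = {"token": {
    "methods": ["password"],
    "expires_at": "2018-01-11T07:34:04.000000Z",
    "project": {"id": "1d5b969df6da43e69e4a956297404f5c", "name": "demo",
                "domain": {"id": "default", "name": "Default"}},
    "user": {"id": "291f02337e514343a09a92932a86fd22", "name": "demo",
             "domain": {"id": "default", "name": "Default"}},
}}
SAMPLE_NOW = datetime(2018, 1, 11, 7, 0, tzinfo=timezone.utc)    # 34 minutes before expiry
SAMPLE_LATER = datetime(2018, 1, 11, 8, 0, tzinfo=timezone.utc)  # after expiry
```

The same request body, sent with the admin variables and the 35357 admin URL, is what the admin token issue above performs.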
This concludes the installation and configuration of the keystone service.