keystone是OpenStack的组件之一,用于为OpenStack家族中的其它组件成员提供统一的认证服务,包括身份验证、令牌的发放和校验、服务列表、用户权限的定义等等。云环境中所有的服务之间的授权和认证都需要经过 keystone. 因此 keystone 是云平台中第一个即需要安装的服务。
作为 OpenStack 的基础支持服务,Keystone 做下面这几件事情:
管理用户及其权限
维护 OpenStack Services 的 Endpoint(服务端点)
Authentication(认证)和 Authorization(鉴权)
酒店就类似于project项目,酒店提供住宿的服务service,user相当于客人,endpoint相当于客人住酒店时的询问的酒店的地址,role为角色,如客人定了个豪华套房,name他就是贵宾,定了标间,他就是普通客人,credentials相当于入住酒店时提供的身份证,酒店前台利用身份证获取身份信息并提供房间,这个过程相当于authentication,办理入住后拿到的房卡相当于token,利用token就可以刷开房间门进行住宿这项service。
1.安装keystone
# yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
2.设置Memcache开启启动并启动Memcached
[root@linux-node1 ~]# systemctl enable memcached.service
[root@linux-node1 ~]# vim /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 10.0.0.20,::1"
[root@linux-node1 ~]# systemctl start memcached.service
3.配置KeyStone数据库
[root@linux-node1 ~]# vim /etc/keystone/keystone.conf
[database]
connection = mysql+pymysql://keystone:keystone@10.0.0.20/keystone
2)设置Token和Memcached
[token]
provider = fernet
3).同步数据库:
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@linux-node1 ~]# mysql -h 10.0.0.20 -ukeystone -pkeystone -e " use keystone;show tables;"
4)初始化fernet keys
[root@linux-node1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@linux-node1 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
5)初始化keystone
[root@linux-node1 ~]# keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://10.0.0.0.20:35357/v3/ \
--bootstrap-internal-url http://10.0.0.0.20:35357/v3/ \
--bootstrap-public-url http://10.0.0.0.20:5000/v3/ \
--bootstrap-region-id RegionOne
6).验证Keystone配置
[root@linux-node1 ~]# grep "^[a-z]" /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@10.0.0.0.20/keystone
provider = fernet
7)KeyStone启动
[root@linux-node1 ~]# vim /etc/httpd/conf/httpd.conf
ServerName 10.0.0.0.20:80
创建配置文件
[root@linux-node1 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
启动keystone,并查看端口。
[root@linux-node1 ~]# systemctl enable httpd.service
[root@linux-node1 ~]# systemctl start httpd.service
设置环境变量
[root@linux-node1 ~]# export OS_USERNAME=admin
[root@linux-node1 ~]# export OS_PASSWORD=admin
[root@linux-node1 ~]# export OS_PROJECT_NAME=admin
[root@linux-node1 ~]# export OS_USER_DOMAIN_NAME=Default
[root@linux-node1 ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@linux-node1 ~]# export OS_AUTH_URL=http://10.0.0.0.20:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
创建项目和demo用户
# openstack project create --domain default --description "Demo Project" demo
# openstack user create --domain default --password demo demo
# openstack role create user
# openstack role add --project demo --user demo user
创建Service项目
# openstack project create --domain default --description "Service Project" service
创建glance用户
# openstack user create --domain default --password glance glance
# openstack role add --project service --user glance admin
创建nova用户
# openstack user create --domain default --password nova nova
# openstack role add --project service --user nova admin
创建placement用户
# openstack user create --domain default --password placement placement
# openstack role add --project service --user placement admin
创建Neutron用户
# openstack user create --domain default --password neutron neutron
# openstack role add --project service --user neutron admin
创建cinder用户
# openstack user create --domain default --password cinder cinder
# openstack role add --project service --user cinder admin
验证Keystone
[root@linux-node1 ~]# unset OS_AUTH_URL OS_PASSWORD
[root@linux-node1 ~]# openstack --os-auth-url http://10.0.0.0.20:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
Password:
…
[root@linux-node1 ~]# openstack --os-auth-url http://10.0.0.0.20:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue
Password:
[root@linux-node1 ~]# source admin-openstack.sh
[root@linux-node1 ~]# openstack token issue
[root@linux-node1 ~]# source demo-openstack.sh
[root@linux-node1 ~]# openstack token issue