$ mysql -u root -p
-- Dedicated database plus a dedicated DB account for Keystone.
-- KEYSTONE_DBPASS is a placeholder: generate a random secret and use the same
-- value in the [database] connection string of keystone.conf.
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
-- '%' lets this account log in from ANY host that can reach the DB port;
-- prefer restricting it to the controller address / management subnet.
-- NOTE(review): GRANT ... IDENTIFIED BY creates the user implicitly on
-- MySQL 5.x / MariaDB; MySQL 8.0 needs a separate CREATE USER - verify
-- against the installed server version.
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
安装
# Keystone is served through Apache httpd + mod_wsgi (see the
# wsgi-keystone.conf vhost file below), so both are installed with the service.
# yum install openstack-keystone httpd mod_wsgi
配置文件/etc/keystone/keystone.conf
admin令牌
[DEFAULT]
...
# admin_token is a bootstrap-only shared secret: any request presenting it is
# treated as fully privileged without further authentication. Use a long random
# value (never a memorable string) and remove or comment it out as soon as the
# admin user and endpoints below exist.
# NOTE(review): the token is only honoured while the admin-token middleware is
# in the paste pipeline (keystone-paste.ini, not shown here) - confirm it is
# removed there as well when retiring the token.
admin_token = ADMIN_TOKEN
数据库
[database]
...
# Plain-text DB credential; KEYSTONE_DBPASS must equal the password granted in
# MySQL above. Because the secret lives in this file, keystone.conf should be
# readable only by root and the keystone service account. The connection goes
# to host "controller" over plain TCP (no TLS parameters are set here), and is
# admitted by the 'localhost' / '%' grants created above.
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
令牌生成方式
[token]
...
# Fernet tokens are symmetric-key encrypted and are not stored in the database;
# the key repository is created by `keystone-manage fernet_setup` below. Treat
# that key directory like a private key (owned by keystone, not world-readable)
# and plan periodic key rotation - anyone holding the keys can mint tokens.
provider = fernet
注:上面的ADMIN_TOKEN是引导阶段的超级管理员凭据,持有它即可绕过认证执行任何操作。请用随机值生成(建议`openssl rand -hex 32`;`-hex 10`只有80位强度),不要填入自定义的可猜测字符串;创建完admin用户和endpoint后应从keystone.conf中删除该配置。
数据库同步
# Populate the schema as the unprivileged keystone account rather than root, so
# nothing the migration touches (e.g. its log file) ends up root-owned.
# su -s /bin/sh -c "keystone-manage db_sync" keystone
初始化fernet密钥(即令牌的签名/加密密钥):
# Creates the Fernet key repository owned by keystone:keystone. These keys
# encrypt and validate every issued token, so back them up and keep the
# directory private. NOTE(review): if Keystone is later scaled to several
# nodes they must share the same key set - confirm before adding nodes.
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
配置Apache
编辑/etc/httpd/conf/httpd.conf
更改以下内容
# Must match the host used in OS_URL and in the endpoint URLs registered below.
ServerName controller
创建/etc/httpd/conf.d/wsgi-keystone.conf配置文件,加入以下内容
# Keystone behind httpd/mod_wsgi. Both Listen lines bind every interface:
# 5000 is the public API, 35357 the admin API (privileged operations, and the
# port the admin_token bootstrap below talks to), so 35357 should be firewalled
# to the management network. Neither vhost configures TLS, so tokens travel in
# clear unless TLS is terminated in front of httpd.
Listen 5000
Listen 35357
<VirtualHost *:5000>
# Five single-threaded daemon processes running as the unprivileged keystone account.
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
# Hand the HTTP Authorization header to the application instead of letting
# Apache consume it.
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
# Both vhosts write to the same error/access log files.
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
# Allows Apache to run the WSGI script located under /usr/bin; no Alias or
# DocumentRoot exposes the directory contents themselves over HTTP.
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
# Admin API: same layout as the public vhost, separate process group and script.
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
配置启动项,启动
# Enable at boot and start now. Both Keystone listeners (5000 and 35357) come
# up with httpd, so they are network-reachable as soon as this returns.
# systemctl enable httpd.service
# systemctl start httpd.service
创建service,API endpoint
为了避免不必要的篇幅,将admin_token,endpoint url配置到环境变量。注意:OS_TOKEN即admin_token,会进入shell历史和所有子进程的环境;完成下面的引导步骤后请执行`unset OS_TOKEN OS_URL`,改用admin用户的密码认证。
# Bootstrap credentials for the openstack CLI. OS_TOKEN must be the exact
# admin_token value from keystone.conf; it is a full-privilege secret that now
# sits in the shell history and in the environment of every child process.
# Unset OS_TOKEN and OS_URL as soon as the admin user below exists and switch
# to password authentication. OS_URL targets the admin API over plain HTTP.
$ export OS_TOKEN=ADMIN_TOKEN
$ export OS_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
创建service
# Register Keystone itself in the service catalog as a service of type "identity".
$ openstack service create identity --name keystone \
    --description "OpenStack Identity"
创建endpoint,依次有public,internal,admin(admin接口35357端口承载特权操作,应仅对管理网络开放)
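# Register the three Identity endpoints. The URLs are reconstructed: the
# original listing showed only ":5000/v3" / ":35357/v3" with the scheme and
# host missing; http://controller matches OS_URL and ServerName above.
# public and internal share the unprivileged port 5000; admin uses 35357 and
# should be reachable only from the management network. All three are plain
# HTTP, so every token crosses the wire in clear unless TLS is added in front.
$ openstack endpoint create --region RegionOne \
    identity public http://controller:5000/v3
$ openstack endpoint create --region RegionOne \
    identity internal http://controller:5000/v3
$ openstack endpoint create --region RegionOne \
    identity admin http://controller:35357/v3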
创建域,项目,用户,角色 domain,project,user,role
创建domain
# Creates a domain named "default"; every --domain default flag below is meant
# to refer to it. NOTE(review): Keystone also ships a built-in domain whose ID
# is "default" (name "Default"), and the CLI resolves an ID before a name, so
# the later commands may bind to the built-in one instead - confirm with
# `openstack domain list`.
openstack domain create --description "Default Domain" default
创建admin用户(注意:下文`--project admin`需要先存在名为admin的project,本清单未包含创建该project的命令)
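# The role assignment further down (`--project admin`) requires a project
# named admin, which this listing never created; create it first. The admin
# user is then created with an interactive password prompt so the password
# does not land in the shell history - choose a strong one, it replaces the
# admin_token as the day-to-day administrative credential.
openstack project create --domain default admin
openstack user create --domain default \
    --password-prompt admin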
创建admin role
# Role names are significant: the default policy files of the services treat a
# role literally named "admin" as the administrative role.
openstack role create admin
在admin项目中为admin用户授予admin角色
# Grant the admin role to user admin on project admin (arguments: project,
# user, then the role name). NOTE(review): with stock policy files, holding
# admin on any project is in practice cloud-wide admin - treat this account
# as the most privileged credential in the deployment.
openstack role add --project admin --user admin admin
创建service项目
# Project intended, as its name suggests, to hold the accounts of the other
# services; nothing is assigned to it in this listing.
openstack project create service --domain default \
    --description "Service Project"
创建demo项目
# Unprivileged project for the demo user created next.
openstack project create demo --domain default \
    --description "Demo Project"
创建demo用户
# Interactive prompt keeps the password out of the shell history and out of
# the process list.
openstack user create --domain default \
--password-prompt demo
创建user角色
# Ordinary (non-admin) role used for the demo project below.
openstack role create user
在demo项目中为demo用户授予user角色
# Grant the user role to user demo on project demo; this is the least-privilege
# account to use for day-to-day testing instead of admin.
openstack role add --project demo --user demo user
注:记住创建用户时的密码;admin用户的密码应使用强随机密码,它将取代admin_token成为日常的管理凭据。
验证admin用户