c. Alice selects a tenant and requests a token with her username and password. Keystone authenticates the username, password and tenant and returns token2. (Steps 1 and 2 exist only to look up the tenant; if the tenant is already known, they can be skipped.)
d. Alice sends a create-server request carrying token2. Keystone validates token2 (whether the token is still valid, whether it has permission to create a virtual machine, and so on); once that succeeds the request is passed on to nova, which finally creates the virtual machine.
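To make steps c and d concrete, here is an added example (not from the original article) that drives the Keystone v3 token exchange: password authentication, which returns the token in the X-Subject-Token header, followed by the validation a service such as nova performs before acting on the request. The endpoint URLs are assumed from the hostname and ports configured later in this article; the HTTP transport is injectable, and a constructed fake Keystone is included so the exchange runs offline.

```python
import json
import urllib.request

PUBLIC_URL = "http://controller:5000/v3"   # assumed: public endpoint (host and port from this article)
ADMIN_URL = "http://controller:35357/v3"   # assumed: admin endpoint, same value as OS_URL below

def http_transport(method, url, headers, body):
    """Real transport: returns (status, response headers, decoded JSON body)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers=headers)
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
        return resp.status, dict(resp.headers), json.loads(raw) if raw else {}

def password_auth_request(user, password, project, domain="default"):
    """Body of POST /v3/auth/tokens: password auth scoped to one project (step c)."""
    identity = {"methods": ["password"],
                "password": {"user": {"name": user, "domain": {"name": domain},
                                      "password": password}}}
    scope = {"project": {"name": project, "domain": {"name": domain}}}
    return {"auth": {"identity": identity, "scope": scope}}

def get_scoped_token(transport, user, password, project, base=PUBLIC_URL):
    """Step c: Keystone answers 201; the token is in the X-Subject-Token header,
    the JSON body carries the token's scope, roles and service catalog."""
    status, headers, body = transport(
        "POST", base + "/auth/tokens", {"Content-Type": "application/json"},
        password_auth_request(user, password, project))
    if status != 201:
        raise PermissionError("authentication rejected with HTTP %d" % status)
    return headers["X-Subject-Token"], body["token"]

def validate_token(transport, service_token, subject_token, base=ADMIN_URL):
    """Step d, as a service does it: GET /v3/auth/tokens with its own credential in
    X-Auth-Token and the user's token in X-Subject-Token. Returns the role names the
    token carries, or None when Keystone rejects it (expired, revoked or unknown)."""
    status, _, body = transport("GET", base + "/auth/tokens",
                                {"X-Auth-Token": service_token,
                                 "X-Subject-Token": subject_token}, None)
    if status != 200:
        return None
    return sorted(r["name"] for r in body["token"].get("roles", []))

def fake_keystone(method, url, headers, body):
    """Constructed stand-in for Keystone so the exchange can be exercised offline:
    it knows one user (demo / 9TtbgaA1q from this article) holding the user role."""
    if method == "POST" and body["auth"]["identity"]["password"]["user"]["password"] == "9TtbgaA1q":
        return 201, {"X-Subject-Token": "tok-demo"}, {"token": {"roles": [{"name": "user"}]}}
    if method == "GET" and headers.get("X-Subject-Token") == "tok-demo" and "X-Auth-Token" in headers:
        return 200, {}, {"token": {"roles": [{"name": "user"}]}}
    return (401 if method == "POST" else 404), {}, {}
```

Pass `http_transport` instead of `fake_keystone` to run the same two calls against a real controller.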
2. Preparation
1) Log in to MySQL and create the database
mysql -uroot -ptn1Pi6Ytm
> create database keystone;
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'f6zx0gURv';
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'f6zx0gURv';
Note: this creates a keystone database and grants the keystone user all privileges on it, with the password f6zx0gURv.
2) Install the required packages
yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
3) Start the memcached service
systemctl enable memcached.service
systemctl start memcached.service
3. Edit the configuration file
Edit the keystone configuration file
vim /etc/keystone/keystone.conf  // modify or add the following settings
[DEFAULT]
admin_token = 3qiVpzU2x
verbose = true
[database]
connection = mysql://keystone:f6zx0gURv@controller/keystone
[memcache]
servers = localhost:11211
[token]
provider = uuid
driver = memcache
[revoke]
driver = sql
4. Import data
1) Import keystone's data (populate the database schema)
su -s /bin/sh -c "keystone-manage db_sync" keystone
Note: this prints the warning No handlers could be found for logger "oslo_config.cfg"; ignore it, it has no effect.
2) Check that the data was imported correctly:
mysql -ukeystone -pf6zx0gURv -hcontroller -t keystone -e "show tables"
Check that tables are listed; if the output is empty, the import did not succeed.
5. Configure httpd
1) First edit the Apache configuration file
vim /etc/httpd/conf/httpd.conf  // add or change
ServerName controller
2) Edit the configuration file
vim /etc/httpd/conf.d/wsgi-keystone.conf  // contents as follows
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
3) Start Apache
systemctl enable httpd.service
systemctl start httpd.service
6. Create the service entity
1) Set the environment variables:
export OS_TOKEN=3qiVpzU2x
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
2) Create the service entity
openstack service create --name keystone --description "OpenStack Identity" identity
3) Create the endpoints
openstack endpoint create --region RegionOne identity public :5000/v2.0
openstack endpoint create --region RegionOne identity internal :5000/v2.0
openstack endpoint create --region RegionOne identity admin :35357/v2.0
4) Create the admin tenant
openstack project create --domain default --description "Admin Project" admin
5) Create the admin user (password: 3qiVpzU2x)
openstack user create --domain default --password-prompt admin
6) Create the admin role
openstack role create admin
7) Add the admin role to the admin tenant and the admin user
openstack role add --project admin --user admin admin
8) Create the service tenant
openstack project create --domain default --description "Service Project" service
9) Create the demo tenant
openstack project create --domain default --description "Demo Project" demo
10) Create the demo user (password: 9TtbgaA1q)
openstack user create --domain default --password-prompt demo
11) Create the user role
openstack role create user
12) Add the user role to the demo tenant and the demo user
openstack role add --project demo --user demo user
7. Verify the setup
Verify that the admin and demo users can log in normally
1) First, apply a security setting:
vim /usr/share/keystone/keystone-dist-paste.ini