OpenStack安装手册 - KEYSTONE身份认证服务配置安装.,建立KEYSTONE服务数据库,建立KEYSTONE服务配置文件存放目录
· 建立KEYSTONE服务数据库
mysql -uroot -popenstack -e 'create database keystone'
· 建立KEYSTONE服务配置文件存放目录
mkdir /etc/keystone
· 建立KEYSTONE服务启动用户
useradd -s /sbin/nologin -m -d /var/log/keystone keystone
· 在/etc/keystone建立default_catalog.templates作为KEYSTONE服务服务点配置文件,内容如下:
catalog.RegionOne.identity.publicURL = http://60.12.206.105:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://60.12.206.105:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://60.12.206.105:$(public_port)s/v2.0
catalog.RegionOne.identity.name = Identity Service
catalog.RegionOne.compute.publicURL = http://60.12.206.105:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.adminURL = http://60.12.206.105:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.internalURL = http://60.12.206.105:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.name = Compute Service
catalog.RegionOne.volume.publicURL = http://60.12.206.105:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.adminURL = http://60.12.206.105:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.internalURL = http://60.12.206.105:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.name = Volume Service
catalog.RegionOne.ec2.publicURL = http://60.12.206.105:8773/services/Cloud
catalog.RegionOne.ec2.adminURL = http://60.12.206.105:8773/services/Admin
catalog.RegionOne.ec2.internalURL = http://60.12.206.105:8773/services/Cloud
catalog.RegionOne.ec2.name = EC2 Service
catalog.RegionOne.s3.publicURL = http://60.12.206.105:3333
catalog.RegionOne.s3.adminURL = http://60.12.206.105:3333
catalog.RegionOne.s3.internalURL = http://60.12.206.105:3333
catalog.RegionOne.s3.name = S3 Service
catalog.RegionOne.image.publicURL = http://60.12.206.105:9292/v1
catalog.RegionOne.image.adminURL = http://60.12.206.105:9292/v1
catalog.RegionOne.image.internalURL = http://60.12.206.105:9292/v1
catalog.RegionOne.image.name = Image Service
catalog.RegionOne.object_store.publicURL = http://60.12.206.105:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.adminURL = http://60.12.206.105:8080/
catalog.RegionOne.object_store.internalURL = http://60.12.206.105:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.name = Swift Service
· 在/etc/keystone建立policy.json作为KEYSTONE服务策略文件,内容如下:
{
"admin_required": [["role:admin"], ["is_admin:1"]]
}
· 在/etc/keystone建立keystone.conf作为KEYSTONE服务配置文件,内容如下:
[DEFAULT]
public_port = 5000
admin_port = 35357
admin_token = ADMIN
compute_port = 8774
verbose = True
debug = True
log_file = /var/log/keystone/keystone.log
use_syslog = False
syslog_log_facility = LOG_LOCAL0
[sql]
connection = mysql://root:openstack@localhost/keystone
idle_timeout = 30
min_pool_size = 5
max_pool_size = 10
pool_timeout = 200
[identity]
driver = keystone.identity.backends.sql.Identity
[catalog]
driver = keystone.catalog.backends.templated.TemplatedCatalog
template_file = /etc/keystone/default_catalog.templates
[token]
driver = keystone.token.backends.kvs.Token
[policy]
driver = keystone.policy.backends.simple.SimpleMatch
[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2
[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory
[pipeline:public_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension s3_extension public_service
[pipeline:admin_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension crud_extension admin_service
[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory
[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory
[pipeline:public_version_api]
pipeline = xml_body public_version_service
[pipeline:admin_version_api]
pipeline = xml_body admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api
· 在/etc/init.d/下建立名为keystone的KEYSTONE服务启动脚本,内容如下:
#!/bin/sh
#
# keystone OpenStack Identity Service
#
# chkconfig: - 20 80
# description: keystone works provide apis to
# * Authenticate users and provide a token
# * Validate tokens
### END INIT INFO
. /etc/rc.d/init.d/functions
prog=keystone
prog_exec=keystone-all
exec="/usr/bin/$prog_exec"
config="/etc/$prog/$prog.conf"
pidfile="/var/run/$prog/$prog.pid"
[ -e /etc/sysconfig/$prog ] && . /etc/sysconfig/$prog
lockfile=/var/lock/subsys/$prog
start() {
[ -x $exec ] || exit 5
[ -f $config ] || exit 6
echo -n $"Starting $prog: "
daemon --user keystone --pidfile $pidfile "$exec --config-file=$config &>/dev/null & echo $! > $pidfile"
retval=$?
echo
[ $retval -eq 0 ] && touch $lockfile
return $retval
}
stop() {
echo -n $"Stopping $prog: "
killproc -p $pidfile $prog
retval=$?
echo
[ $retval -eq 0 ] && rm -f $lockfile
return $retval
}
restart() {
stop
start
}
reload() {
restart
}
force_reload() {
restart
}
rh_status() {
status -p $pidfile $prog
}
rh_status_q() {
rh_status >/dev/null 2>&1
}
case "$1" in
start)
rh_status_q && exit 0
$1
;;
stop)
rh_status_q || exit 0
$1
;;
restart)
$1
;;
reload)
rh_status_q || exit 7
$1
;;
force-reload)
force_reload
;;
status)
rh_status
;;
condrestart|try-restart)
rh_status_q || exit 0
restart
;;
*)
echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
exit 2
esac
exit $?
· 配置启动脚本:
chmod 755 /etc/init.d/keystone
mkdir /var/run/keystone
mkdir /var/lock/keystone
chown keystone:root /var/run/keystone
chown keystone:root /var/lock/keystone
· 启动KEYSTONE服务
/etc/init.d/keystone start
· 检测服务是否正常启动
通过netstat -ltunp查看是否有tcp 5000和tcp 35357端口监听
如果没有正常启动请查看/var/log/keystone/keystone.log文件排错
· 建立KEYSTONE服务初始化数据脚本keystone_data.sh,内容如下:
#!/bin/bash
# Variables set before calling this script:
# SERVICE_TOKEN - aka admin_token in keystone.conf
# SERVICE_ENDPOINT - local Keystone admin endpoint
# SERVICE_TENANT_NAME - name of tenant containing service accounts
# ENABLED_SERVICES - stack.sh's list of services to start
# DEVSTACK_DIR - Top-level DevStack directory
ADMIN_PASSWORD=${ADMIN_PASSWORD:-secrete}
SERVICE_PASSWORD=${SERVICE_PASSWORD:-service}
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://localhost:35357/v2.0
SERVICE_TENANT_NAME=${SERVICE_TENANT_NAME:-tenant}
function get_id () {
echo `$@ | awk '/ id / { print $4 }'`
}
# Tenants
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)
# Users
ADMIN_USER=$(get_id keystone user-create --name=admin
--pass="$ADMIN_PASSWORD"
--email=admin@example.com)
DEMO_USER=$(get_id keystone user-create --name=demo
--pass="$ADMIN_PASSWORD"
--email=demo@example.com)
# Roles
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)
# Add Roles to Users in Tenants
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $DEMO_USER --role $ANOTHER_ROLE --tenant_id $DEMO_TENANT
# TODO(termie): these two might be dubious
keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT
NOVA_USER=$(get_id keystone user-create --name=nova
--pass="$SERVICE_PASSWORD"
--tenant_id $SERVICE_TENANT
--email=nova@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT
--user $NOVA_USER
--role $ADMIN_ROLE
GLANCE_USER=$(get_id keystone user-create --name=glance
--pass="$SERVICE_PASSWORD"
--tenant_id $SERVICE_TENANT
--email=glance@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT
--user $GLANCE_USER
--role $ADMIN_ROLE
SWIFT_USER=$(get_id keystone user-create --name=swift
--pass="$SERVICE_PASSWORD"
--tenant_id $SERVICE_TENANT
--email=swift@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT
--user $SWIFT_USER
--role $ADMIN_ROLE
RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
keystone user-role-add --tenant_id $SERVICE_TENANT
--user $NOVA_USER
--role $RESELLER_ROLE
· 建立KEYSTONE服务数据库结构
keystone-manage db_sync
· 执行初始化数据脚本
bash keystone_data.sh
声明: 此文观点不代表本站立场;转载须要保留原文链接;版权疑问请联系我们。
