
CentOS 7.1 Liberty Cloud Platform: Identity (Part 3)

2016-03-17 11:51
Controller node:

I. Installation and configuration

1. Create the database and its management user

Log in to the MariaDB database

mysql -u root -p
Run the following statements

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
Generate the initial admin token; it is needed later

[root@controller ~]# openssl rand -hex 10
a9a4aa734d77ebdd1d8d

2. Install the Keystone packages

yum install openstack-keystone httpd mod_wsgi memcached python-memcached -y
Start memcached and enable it at boot

systemctl start memcached.service
systemctl enable memcached.service

3. Configure /etc/keystone/keystone.conf

[DEFAULT]
...
admin_token = a9a4aa734d77ebdd1d8d        # the initial token generated earlier
verbose = True
[database]
...
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
[memcache]
...
servers = localhost:11211
[token]
...
provider = uuid
driver = memcache
[revoke]
...
driver = sql

4. Populate the Keystone database

su -s /bin/sh -c "keystone-manage db_sync" keystone

5. Configure the Apache service

Edit /etc/httpd/conf/httpd.conf

ServerName controller
Create the file /etc/httpd/conf.d/wsgi-keystone.conf with the following content:

Listen 5000
Listen 35357

<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined

<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>

6. Start the Apache service and enable it at boot

systemctl start httpd.service
systemctl enable httpd.service

II. Create the service entity and API endpoints

Set the environment variables

export OS_TOKEN=a9a4aa734d77ebdd1d8d
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

1. Create the Identity service entity

openstack service create --name keystone --description "OpenStack Identity" identity

2. Create the Identity service API endpoints

openstack endpoint create --region RegionOne identity public http://controller:5000/v2.0
openstack endpoint create --region RegionOne identity internal http://controller:5000/v2.0
openstack endpoint create --region RegionOne identity admin http://controller:35357/v2.0

III. Create projects, users and roles

Create the admin project, user and role

openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin
openstack role create admin
openstack role add --project admin --user admin admin
Create the service project

openstack project create --domain default --description "Service Project" service
Create the non-admin project, user and role

openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo
openstack role create user
openstack role add --project demo --user demo user

IV. Verify the installation

Edit /usr/share/keystone/keystone-dist-paste.ini and remove admin_token_auth from the [pipeline:public_api],
[pipeline:admin_api] and [pipeline:api_v3] pipelines, so that they read as follows:

[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
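The admin_token in keystone.conf (section I, step 3) and the admin_token_auth filter removed above are the two halves of the bootstrap path, and a leftover in either one is easy to miss. The following is an added check, not from the original post or from Keystone itself, run over constructed copies of both files; SAMPLE_PASTE_INI, SAMPLE_KEYSTONE_CONF and the function names are assumptions of this example:

```python
import configparser
import re

# Constructed sample of keystone-dist-paste.ini after a partial edit: the v2
# pipelines no longer list admin_token_auth, but api_v3 still does.
SAMPLE_PASTE_INI = """\
[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context admin_token_auth token_auth json_body ec2_extension_v3 s3_extension service_v3
"""

# Constructed sample of the [DEFAULT] section of keystone.conf from this post,
# with the bootstrap token still in place.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
admin_token = a9a4aa734d77ebdd1d8d
verbose = True
"""

def pipelines_with_admin_token_auth(paste_ini_text):
    """Names of [pipeline:*] sections whose filter chain still has admin_token_auth."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(paste_ini_text)
    return [s for s in cp.sections() if s.startswith("pipeline:")
            and "admin_token_auth" in cp.get(s, "pipeline", fallback="").split()]

def remove_admin_token_auth(paste_ini_text):
    """Drop the admin_token_auth filter from every 'pipeline =' line, leaving the rest of the file as is."""
    out = []
    for line in paste_ini_text.splitlines():
        if re.match(r"\s*pipeline\s*=", line):
            key, _, chain = line.partition("=")
            filters = [f for f in chain.split() if f != "admin_token_auth"]
            line = key.rstrip() + " = " + " ".join(filters)
        out.append(line)
    return "\n".join(out) + "\n"

def bootstrap_token_still_set(keystone_conf_text):
    """True while [DEFAULT] admin_token in keystone.conf still carries a value."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(keystone_conf_text)
    return bool(cp.get("DEFAULT", "admin_token", fallback="").strip())
```

Point the two functions at the real files with open(...).read() once the projects and users from section III exist; both should come back empty and False.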


Unset the environment variables

unset OS_TOKEN OS_URL

1. Request an authentication token as the admin user

openstack --os-auth-url http://controller:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue

2. Request an authentication token as the non-admin user

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo --os-auth-type password token issue
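On the wire, both token issue commands above are a POST to <auth_url>/auth/tokens carrying a v3 password-auth body, with the token id returned in the X-Subject-Token header. The example below is added here and is not code from the original post or from the OpenStack client; it builds that body for the demo user and reads a constructed reply whose ids are placeholders:

```python
import json

def build_password_auth(username, password, project_name,
                        user_domain_id="default", project_domain_id="default"):
    """Body of POST <auth_url>/auth/tokens for a project-scoped password login,
    i.e. what `openstack ... --os-auth-type password token issue` sends."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": username,
                                  "domain": {"id": user_domain_id},
                                  "password": password}}},
        "scope": {"project": {"name": project_name,
                              "domain": {"id": project_domain_id}}}}}

# Constructed stand-in for Keystone's reply: the token id travels in the
# X-Subject-Token header; the body carries scope, roles and expiry.
SAMPLE_STATUS = 201
SAMPLE_HEADERS = {"X-Subject-Token": "0123456789abcdef0123456789abcdef",  # placeholder
                  "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({"token": {
    "issued_at": "2016-03-17T11:51:00.000000Z",
    "expires_at": "2016-03-17T12:51:00.000000Z",
    "methods": ["password"],
    "project": {"id": "PROJECT_ID_PLACEHOLDER", "name": "demo", "domain": {"id": "default"}},
    "user": {"id": "USER_ID_PLACEHOLDER", "name": "demo", "domain": {"id": "default"}},
    "roles": [{"id": "ROLE_ID_PLACEHOLDER", "name": "user"}],
}})

def parse_token_response(status, headers, body_text):
    """Reduce the reply to what `openstack token issue` prints (id, expires,
    project_id, user_id) plus the granted role names; fail on anything but 201."""
    if status != 201:
        raise RuntimeError("authentication failed with HTTP %d" % status)
    token_id = headers.get("X-Subject-Token")
    if not token_id:
        raise RuntimeError("HTTP 201 without an X-Subject-Token header")
    tok = json.loads(body_text)["token"]
    return {"id": token_id,
            "expires": tok["expires_at"],
            "project_id": tok["project"]["id"],
            "user_id": tok["user"]["id"],
            "roles": sorted(r["name"] for r in tok["roles"])}
```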

V. Create the OpenStack client environment scripts

1. Admin script

vim admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=111111
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

2. Non-admin demo script

vim demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

3. Using a script, e.g. the admin script

Load the script's variables into the shell

source admin-openrc.sh
Request an admin authentication token

openstack token issue