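Installing OpenStack on CentOS 7 - 02. Installing the Keystone Identity Service Component

Submitted by 喜你入骨 on 2020-03-11 14:51:40

2.0. Keystone identity service

1) Users and authentication: user permissions and user activity tracking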

User
Tenant
Token
Role

2) Service catalog: provides a service catalog that lists all services and their associated API endpoints

Service
Endpoint

2.1. Create the Keystone database on the controller node

1) Create the keystone database and grant privileges

# Log in to MySQL (the password is empty)
mysql -u root -p
# Create the keystone database
CREATE DATABASE keystone;
# Grant appropriate privileges on the ``keystone`` database
grant all on keystone.* to keystone@'localhost' identified by 'keystone';
grant all on keystone.* to keystone@'%' identified by 'keystone';
flush privileges;

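2.2. Install the Keystone packages on the controller node

1) Install the Keystone packages

# Configure the Apache service: an HTTP server with "mod_wsgi" answers Identity service requests on ports 5000 and 35357. By default, the Keystone service still listens on these ports.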

yum install openstack-keystone httpd mod_wsgi -y
yum install openstack-keystone python-keystoneclient openstack-utils -y

# The quick configuration method used below requires openstack-utils to be installed

openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet

# Keystone does not need to be started on its own; it is invoked through the httpd service
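
Steps 2.1 and 2.2 leave the database password in /etc/keystone/keystone.conf, and the value used here equals the account name. The check below is an added example, not part of the original post: it flags a database password that is empty or equal to the user name, a token provider other than fernet, and a world-readable file. The function names are hypothetical, and it assumes the "key = value" INI layout that openstack-config writes.

```bash
# Added example (not from the original post). Function names are hypothetical.
# Assumes a database URL of the form scheme://user:password@host/db.

# Print the value of KEY inside [SECTION]; commented-out keys are ignored.
ini_get() {  # usage: ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { gsub(/[ \t]/, ""); insec = ($0 == sec); next }
        insec {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, eq + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

db_url_user() { printf '%s\n' "$1" | sed -n 's|^[^:]*://\([^:@/]*\):.*@.*$|\1|p'; }
db_url_pass() { printf '%s\n' "$1" | sed -n 's|^[^:]*://[^:@/]*:\(.*\)@[^@]*$|\1|p'; }

# Print one line per finding; the exit status is the number of findings.
audit_keystone_conf() {  # usage: audit_keystone_conf FILE
    a_url=$(ini_get "$1" database connection)
    a_user=$(db_url_user "$a_url"); a_pass=$(db_url_pass "$a_url")
    a_prov=$(ini_get "$1" token provider); a_n=0
    if [ -z "$a_url" ]; then
        echo "FAIL [database] connection is not set"; a_n=$((a_n + 1))
    elif [ -z "$a_pass" ] || [ "$a_pass" = "$a_user" ]; then
        echo "FAIL database password is empty or equals the user name '$a_user'"
        a_n=$((a_n + 1))
    fi
    if [ "$a_prov" != "fernet" ]; then
        echo "FAIL [token] provider is '${a_prov:-unset}', expected fernet"
        a_n=$((a_n + 1))
    fi
    # The file stores the database password, so it must not be world-readable.
    if [ -n "$(find "$1" -perm -004 2>/dev/null)" ]; then
        echo "FAIL $1 is world-readable"; a_n=$((a_n + 1))
    fi
    return "$a_n"
}

# Demo on a constructed file that holds the values used on this page.
demo=$(mktemp)
printf '[database]\nconnection = mysql+pymysql://keystone:keystone@controller/keystone\n[token]\nprovider = fernet\n' > "$demo"
chmod 640 "$demo"
audit_keystone_conf "${1:-$demo}" || echo "findings: $?"
rm -f "$demo"
```

Pass a path as the first argument to audit a real file instead of the constructed sample.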

2.3. Initialize and sync the Keystone database

1) Sync the keystone database (44 tables)

su -s /bin/sh -c "keystone-manage db_sync" keystone

2) After the sync completes, test the connection

mysql keystone -e 'show tables'

2.4. Initialize the Fernet token repository

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

# Create the admin user's password and declare the Keystone service endpoints (one password, three service endpoints)

keystone-manage bootstrap --bootstrap-password admin --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

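2.5. Configure and start Apache (httpd)

1) Modify the main httpd configuration file

# Edit the ``/etc/httpd/conf/httpd.conf`` file and set the ``ServerName`` option to the controller node
sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf

2) Configure the virtual hosts

# Create the file /etc/httpd/conf.d/wsgi-keystone.conf with the content below; make sure ports 5000 and 35357 are not already in use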

echo '
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
' >/etc/httpd/conf.d/wsgi-keystone.conf

3) Start httpd and enable it at boot

systemctl start httpd.service
systemctl status httpd.service
netstat -anptl|grep httpd

systemctl enable httpd.service
systemctl list-unit-files |grep httpd.service

ss -ntl | grep -E "5000|35357"

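# If httpd fails to start, either disable SELinux or install openstack-selinux: yum install openstack-selinux

2.6. Initialize the Keystone identity service

1) Create the keystone user and initialize the service entity and API endpoints (account:password => admin:admin)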

keystone-manage bootstrap --bootstrap-password admin --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

2) Temporarily set the admin account environment variables for administration

 
