This blog comes from https://www.voidking.com/dev-ubuntu16-manual-openstack-keystone/
Quick notes.
Keystone Introduction
The OpenStack Identity service integrates authentication, authorization, and service catalog functions.
The Identity service is usually the first service a user interacts with. Once authenticated, end users can use their identity to access other OpenStack services. Likewise, other OpenStack services use the Identity service to verify that users are who they claim to be and to locate other services. The Identity service can also integrate with external user management systems such as LDAP.
Users and services can locate other services by using the service catalog managed by the Identity service. As the name suggests, the service catalog is a collection of the services available in an OpenStack deployment. Each service can have one or more endpoints, and each endpoint can be one of three types: admin, internal, or public. In a production environment, for security reasons, the different endpoint types may reside on separate networks exposed to different kinds of users. For example, the public API network may be reachable from the Internet so that customers can manage their clouds; the admin API network may be restricted to operators within the organization that manages the cloud infrastructure; and the internal API network may be restricted to the hosts that run OpenStack services. OpenStack also supports multiple regions for scalability. For simplicity, this guide uses the management network for all endpoint types and the default RegionOne region. Together, the regions, services, and endpoints created in the Identity service make up the service catalog of the deployment. Each OpenStack service in the deployment needs a service entry with the corresponding endpoints stored in the Identity service; this is done after the Identity service has been installed and configured.
The Identity service includes the following components:
Server
A centralized server provides authentication and authorization services through a RESTful interface.
Drivers
Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information in repositories external to OpenStack, which may already exist in the infrastructure where OpenStack is deployed (for example, an SQL database or an LDAP server).
Modules
Middleware modules run in the address space of the OpenStack component that uses the Identity service. These modules intercept service requests, extract the user's credentials, and send them to the centralized server for authorization. The integration between the middleware modules and OpenStack components uses the Python Web Server Gateway Interface (WSGI).
Installation Record
This section documents how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability, this configuration uses Fernet tokens and the Apache HTTP server to handle requests.
Root user
To avoid permission problems, it is recommended to switch to the root user (otherwise many commands need a sudo prefix):
sudo -i
Database Configuration
1. Log in to MariaDB (the root password is openstack):
mysql -uroot -p
2. Create the keystone database:
CREATE DATABASE keystone;
3. Create the keystone user with password openstack and grant it access to the keystone database:
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'openstack';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'openstack';
4. Exit:
exit;
5. Test the login:
mysql -h localhost -ukeystone -p
mysql -h controller -ukeystone -p
Installing Components
1. Install keystone, apache2 and libapache2-mod-wsgi:
apt -y install keystone apache2 libapache2-mod-wsgi
2. Edit the configuration in /etc/keystone/keystone.conf:
vim /etc/keystone/keystone.conf
# line 606: uncomment and specify Memcache Server
3. Populate the keystone database:
su -s /bin/bash keystone -c "keystone-manage db_sync"
(As a non-root user: sudo keystone-manage db_sync)
View the log:
tail /var/log/keystone/keystone-manage.log
If you see "done", the command succeeded. If not, don't worry: log in to MariaDB and look at the keystone database; if it now contains data, the command succeeded.
If you see an error like this in the log:
2018-06-30 18:37:40.845 4964 WARNING oslo_db.sqlalchemy.engines [-] SQL connection failed. 6 attempts left.: DBConnectionError: (pymysql.err.OperationalError) (2003, "Can't connect to MySQL server on 'controller' ([Errno 111] Connection refused)") (Background on this error at: http://sqlalche.me/e/e3q8)
This is because MySQL may be bound to a single IP. Run
netstat -an | grep 3306
to check; if you only see 127.0.0.1, the IP is indeed bound. The solution is to edit 50-server.cnf, comment out the line bind-address = 127.0.0.1, restart MariaDB, and re-run the command.
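To make the check and the fix concrete, here is an added example (not code from the original post) that parses the netstat output mentioned above and rewrites the bind-address line; the netstat lines and the 50-server.cnf fragment are constructed samples. Commenting the line out makes MariaDB listen on every interface, so the helper can alternatively bind it to the controller's management address (a hypothetical 10.0.0.11 in the usage below), which keeps port 3306 off networks that do not need it.

```python
import re

# Constructed samples of `netstat -an | grep 3306` output (not captured from a real node).
LOOPBACK_ONLY = "tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN\n"
ALL_INTERFACES = "tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN\n"


def listen_addresses(netstat_output, port=3306):
    """Return the set of local addresses that have a LISTEN socket on `port`."""
    addrs = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue
        host, _, local_port = fields[3].rpartition(":")  # e.g. "127.0.0.1:3306"
        if local_port == str(port):
            addrs.add(host)
    return addrs


def bound_to_loopback_only(netstat_output, port=3306):
    """True when the only listeners on `port` are loopback addresses: the
    'Connection refused' case from the keystone-manage log above."""
    addrs = listen_addresses(netstat_output, port)
    return bool(addrs) and addrs <= {"127.0.0.1", "::1"}


def rewrite_bind_address(cnf_text, new_address=None):
    """Return the 50-server.cnf contents with bind-address commented out (the
    post's fix) or, if `new_address` is given, pointed at that address instead."""
    if new_address is None:
        return re.sub(r"^(\s*)(bind-address\s*=.*)$", r"\1#\2",
                      cnf_text, flags=re.MULTILINE)
    return re.sub(r"^(\s*bind-address\s*=\s*).*$", r"\g<1>" + new_address,
                  cnf_text, flags=re.MULTILINE)


if __name__ == "__main__":
    print("loopback only:", bound_to_loopback_only(LOOPBACK_ONLY))
    cnf = "[mysqld]\nbind-address = 127.0.0.1\nport = 3306\n"  # constructed fragment
    print(rewrite_bind_address(cnf, "10.0.0.11"))
```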
4. Initialize the Fernet key repositories:
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
5. Bootstrap the Identity service, with admin password openstack:
keystone-manage bootstrap --bootstrap-password openstack \
Configuring Apache
1. Edit /etc/apache2/apache2.conf and add the following:
vim /etc/apache2/apache2.conf
2. Restart Apache:
service apache2 restart
3. Create a new environment-variable file, keystonerc:
export OS_USERNAME=admin
4. Load the environment variables:
source keystonerc
5. Test:
echo $OS_USERNAME
Usage Record
Creating a Domain
The Identity service provides authentication for each OpenStack service. Authentication uses a combination of domains, projects, users, and roles.
1. The bootstrap step already created the "default" domain, but the official way to create a new domain is:
openstack domain create --description "An Example Domain" example
This succeeded on the virtual machine, but on the physical machine it failed with:
Failed to discover available identity versions when contacting http://controller:5000/v3. Attempting to parse version from URL.
Running
netstat -an | grep 5000
showed that the service on port 5000 had started. The keystone log had no new entries, which indicates that the connection never succeeded. Re-importing the data and reinstalling the database also failed. If you see the same error, the likely cause is leftover state from a devstack installation done earlier; in the end, reinstalling the system and running the installation again succeeded.
2. Create the service project in the default domain:
openstack project create --domain default --description "Service Project" service
3. Regular (non-administrative) tasks should use a non-privileged project and user. Create the demo project:
openstack project create --domain default --description "Demo Project" demo
4. Create the demo user:
openstack user create --domain default --password-prompt demo
Follow the prompt and set the password to openstack.
5. Create the user role:
openstack role create user
6. Add the user role to the demo project and demo user:
openstack role add --project demo --user demo user
7. List domains, projects, roles, and users:
openstack domain list
Verify Operation
Verify operation of the Identity service before installing other services.
1. Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:
unset OS_AUTH_URL OS_PASSWORD
2. As the admin user, request an authentication token:
openstack --os-auth-url http://controller:5000/v3 \
Enter the password openstack when prompted.
3. As the demo user, request an authentication token:
openstack --os-auth-url http://controller:5000/v3 \
Creating OpenStack Client Environment Scripts
The previous sections used a combination of environment variables and command options to interact with the Identity service through the openstack client. To make client operations more efficient, OpenStack supports simple client environment scripts, also known as OpenRC files. These scripts usually contain the options common to all clients, but also support unique options.
Creating the Scripts
Create client environment scripts for the admin and demo projects and users. Later sections reference these scripts to load the appropriate credentials for client operations. These scripts apply to both the controller node and the compute nodes.
1. Create and edit the admin-openrc file and add the following:
export OS_PROJECT_DOMAIN_NAME=Default
2. Create and edit the demo-openrc file and add the following:
export OS_PROJECT_DOMAIN_NAME=Default
Using the Scripts
To run clients as a specific project and user, simply load the associated client environment script before running them. For example:
1. Load the admin-openrc file to populate the environment variables with the location of the Identity service and the admin project and user credentials:
. admin-openrc
or
source admin-openrc
2. Request an authentication token:
openstack token issue
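As an added illustration (not code from the original post), the following Python shows what openstack token issue does with the OpenRC variables: it builds the Keystone v3 password-auth request, reads the token from the X-Subject-Token response header, and picks endpoints out of the catalog by interface (public, internal, admin) as described in the introduction. The auth URL and the Default domain are taken from the post; the sample response body is constructed.

```python
import json
import urllib.request

# Assumed: the Identity endpoint bootstrapped above and the Default domain.
AUTH_URL = "http://controller:5000/v3"


def password_auth_body(username, password, project,
                       user_domain="Default", project_domain="Default"):
    """JSON body for POST /v3/auth/tokens: password auth scoped to a project,
    i.e. what the openstack client sends for the OS_* variables in an OpenRC file."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}


def issue_token(username, password, project, auth_url=AUTH_URL):
    """POST the auth body and return (token, body). Keystone returns the token
    in the X-Subject-Token header, not in the JSON. Needs a reachable server."""
    data = json.dumps(password_auth_body(username, password, project)).encode()
    req = urllib.request.Request(auth_url + "/auth/tokens", data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.headers["X-Subject-Token"], json.load(resp)


def endpoints_by_interface(token_body, service_type, region="RegionOne"):
    """Map interface -> URL for one service type in the token's catalog, which is
    how a client picks the public, internal or admin endpoint for a region."""
    found = {}
    for service in token_body["token"]["catalog"]:
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep.get("region_id") == region:
                found[ep["interface"]] = ep["url"]
    return found


# Constructed, trimmed token response body; not captured from a real deployment.
SAMPLE_TOKEN_BODY = {"token": {
    "project": {"name": "demo", "domain": {"name": "Default"}},
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region_id": "RegionOne", "url": "http://controller:5000/v3/"},
        {"interface": "internal", "region_id": "RegionOne", "url": "http://controller:5000/v3/"},
        {"interface": "admin", "region_id": "RegionOne", "url": "http://controller:5000/v3/"}]}]}}
```

Against a live controller, issue_token("demo", "openstack", "demo") returns the same token that openstack token issue prints after sourcing demo-openrc.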