OpenStack notes (d): Keystone deployment

1. KeyStone Features

KeyStone has two main functions: user management and the service catalog.

User management covers authentication and authorization.

There are four authentication modes: token, account and password, directory services, and policy.

Core authentication terms

User-related:

User: an account that can use OpenStack services

Project: previously called Tenant; the unit of resource isolation across the component services

Role: a permission that lets a User access the resources of a specified Project

Token: an encrypted piece of authentication information

Usage: a Role is given to a User to grant access to the resources of a designated Project.

Service-catalog-related:

Service: a service that each OpenStack component provides for users to access

Endpoint: the URL entry point through which a user accesses a Service

KeyStone configuration information

Configuration file: /etc/keystone/keystone.conf

Log file: /var/log/keystone/keystone.log

2. KeyStone deployment

Deploying any OpenStack component involves essentially the same six steps: database configuration, software installation, software configuration, data synchronization, HTTP configuration, and permission setup.

  • Database Configuration

Connect to the database and create the keystone database

mysql -u root -proot
CREATE DATABASE keystone;

Configuring Permissions

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone'; -- sets the keystone user's password to keystone

  • Software Installation

yum install -y openstack-keystone httpd mod_wsgi

  • Edit the configuration file

vim /etc/keystone/keystone.conf

[DEFAULT]
# Connect to the message queue
transport_url = rabbit://openstack:[email protected]:5672
[database]
# Database connection: authenticated address of the controller node
connection = mysql+pymysql://keystone:[email protected]/keystone
[token]
# Token provider; just uncomment this line
provider = fernet

Check the modified settings

[root@controller keystone]# grep -ni '^[a-z]' /etc/keystone/keystone.conf
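
The grep check lists every active line, but it does not show whether an option sits in the right section or whether its name is misspelled, in which case the intended setting never takes effect. The following is an added example, not part of the original post: `conf_get` and `check_keystone_conf` are hypothetical helper names, and the sample file with its PLACEHOLDER passwords is constructed.

```shell
#!/bin/sh
# Added example; helper names are hypothetical, the sample config is constructed.

# conf_get FILE SECTION KEY: print the value of KEY inside [SECTION].
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                              # comment line
        /^\[/ { cur = $0; sub(/[ \t]+$/, "", cur); next }   # section header
        cur == sec {
            eq = index($0, "="); if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# check_keystone_conf FILE: one line per problem; non-zero status if any.
check_keystone_conf() {
    status=0
    for item in DEFAULT:transport_url database:connection token:provider; do
        sec=${item%%:*}; key=${item#*:}
        if [ -z "$(conf_get "$1" "$sec" "$key")" ]; then
            echo "MISSING [$sec] $key"; status=1
        fi
    done
    provider=$(conf_get "$1" token provider)
    if [ -n "$provider" ] && [ "$provider" != "fernet" ]; then
        echo "UNEXPECTED [token] provider = $provider"; status=1
    fi
    return $status
}

# Constructed sample: the key in [database] is misspelled, so it is never applied.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[DEFAULT]
transport_url = rabbit://openstack:PLACEHOLDER@controller:5672
[database]
connenction = mysql+pymysql://keystone:PLACEHOLDER@controller/keystone
[token]
provider = fernet
EOF
check_keystone_conf "$sample" || echo "keystone.conf needs fixing"
rm -f "$sample"
```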

  • Initialization

Synchronize the database

su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the Keystone authentication information

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the OpenStack admin account and API endpoints

In the Queens release, the admin user and ordinary users both connect on port 5000, whereas in previous releases the admin user used port 35357. Pay attention to this, otherwise the components that follow cannot be deployed.

# keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

  • Configure the http service

Edit the configuration file

# vim /etc/httpd/conf/httpd.conf
ServerName 192.168.188.100:80

Create a symbolic link

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d

Start the httpd service and enable it at boot

systemctl enable httpd.service
systemctl start httpd.service

  • Permission configuration

Configure the user information

$ export OS_USERNAME=admin
$ export OS_PASSWORD=admin
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:5000/v3
$ export OS_IDENTITY_API_VERSION=3

1. Create a project

Format: openstack project create --domain default --description "<description>" <project-name>

Create the service and demo projects

openstack project create --domain default --description "Service Project" service
openstack project create --domain default --description "Demo Project" demo

Check the effect

openstack project list

2. Create the demo user, i.e. an ordinary user

Format: openstack user create --domain default --password <password> <username>

openstack user create --domain default --password demo demo

3. Create a role

Format: openstack role create <role-name>

openstack role create user

4. Give the demo user a Role (i.e. user) for accessing resources in the specified Project (i.e. "Demo Project")

Format: openstack role add --project <project-name> --user <username> <role>

openstack role add --project demo --user demo user

3. Verifying authentication

  • Test results

Unset the environment variables

unset OS_AUTH_URL OS_PASSWORD

User Authentication

Format:

openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name <project> --os-username <username> --os-password <password> token issue

Verify using the admin user

openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin --os-password admin token issue

Verify using the demo user

openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo --os-password demo token issue

  • Create an environment variable script to automatically set the user environment variables

Create admin user variable script

# vim admin-openstack.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

openstack token issue
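
An environment script of this kind keeps the admin password in clear text and is sourced into every shell that uses it, so it is worth checking before it is relied on. The following is an added example, not part of the original post: `audit_openrc` is a hypothetical helper and the sample file is constructed. It reports missing variables (including misspelled names), a stored password, a plain-http auth URL, and file permissions that let other users read the file.

```shell
#!/bin/sh
# Added example; audit_openrc is a hypothetical helper, the sample file is constructed.

# audit_openrc FILE: print one finding per line; non-zero status if any.
audit_openrc() {
    f=$1; findings=0
    assign='^[[:space:]]*(export[[:space:]]+)?'   # optional "export " prefix
    # Every variable the client needs; a misspelled name shows up as missing.
    for var in OS_USERNAME OS_PROJECT_NAME OS_USER_DOMAIN_NAME \
               OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION; do
        grep -Eq "${assign}${var}=" "$f" || { echo "missing: $var"; findings=1; }
    done
    # A stored password is exposed to anyone who can read the file or a backup.
    if grep -Eq "${assign}OS_PASSWORD=.+" "$f"; then
        echo "cleartext: OS_PASSWORD is stored in the file"; findings=1
    fi
    # Over http the password and the issued token cross the network unencrypted.
    if grep -Eq "${assign}OS_AUTH_URL=http://" "$f"; then
        echo "transport: OS_AUTH_URL is not https"; findings=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    case $(ls -ld "$f" | cut -c5-10) in
        ------) ;;
        *) echo "mode: file is accessible to group or others"; findings=1 ;;
    esac
    return $findings
}

# Constructed sample resembling an admin rc file, with one misspelled variable.
rcfile=$(mktemp)
cat > "$rcfile" <<'EOF'
export OS_PROJECT_DOMIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_USERNAME=admin
export OS_PASSWORD=PLACEHOLDER
export OS_PROJECT_NAME=admin
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
EOF
chmod 644 "$rcfile"
audit_openrc "$rcfile" || echo "review the findings above before using this file"
rm -f "$rcfile"
```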

Create a demo user variable script




Origin www.cnblogs.com/well-666/p/12151572.html