1、使用数据库访问客户端以 root 用户身份连接到数据库服务器（下例把密码直接写在 -p 后面，它会留在 shell 历史和进程列表中；手工操作时建议只写 -p，按提示输入密码）
# mysql -uroot -p123
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 17
Server version: 10.3.20-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
2、创建 keystone 数据库:
MariaDB [(none)]> CREATE DATABASE keystone default character set utf8;
3、授予对 keystone 数据库的适当访问权限（KEYSTONE_DBPASS 只是占位符，应替换为专用的强密码，并与第 5 步 connection 中的密码保持一致；'keystone'@'%' 允许从任意主机连接，若数据库只在本机访问可只保留 localhost 那一条）:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
4、安装keystone软件包
# yum install openstack-keystone httpd mod_wsgi -y
5、编辑 /etc/keystone/keystone.conf 文件（下面的命令通过重定向生成新文件，其权限由 umask 决定；由于随后要写入数据库密码，除 chown root:keystone 外还应确保其它用户不可读，例如 chmod 640）
# cd /etc/keystone/ && mv keystone.conf keystone.conf.source && cat keystone.conf.source |grep -Ev "^#|^$" > keystone.conf && chown root:keystone keystone.conf
# vim /etc/keystone/keystone.conf
在 [database] 部分配置数据库访问:
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
在[token] 中,配置 Fernet 令牌提供程序:
[token]
# ...
provider = fernet
6、填充 Identity 服务数据库
# su -s /bin/sh -c "keystone-manage db_sync" keystone
7、初始化 Fernet 令牌和凭据的密钥库，并将其属主设为 keystone 用户和组
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
8、设置服务端点和管理员用户的密码（示例使用 admin 作为密码，生产环境应换成强密码，且必须与第 10 步 admin-openrc.sh 中的 OS_PASSWORD 一致）
# keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
admin-url 管理网服务端点
internal-url 内部网服务端点
public-url 公共网服务端点
RegionOne 区域（Region）标识
9、配置http服务
修改配置文件:
# vim /etc/httpd/conf/httpd.conf
ServerName controller:80
创建链接指向:
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
启动http服务:
# systemctl enable httpd.service
# systemctl restart httpd.service
10、配置管理员帐户,并创建项目、域、用户、角色（admin-openrc.sh 中以明文保存了管理员密码，建议 chmod 600 并且不要提交到版本库）
# vim admin-openrc.sh
# admin-openrc.sh -- source it (". admin-openrc.sh") so the openstack CLI logs in
# as the admin user created by "keystone-manage bootstrap".
# Holds the admin password in plaintext: keep it owner-readable only
# (chmod 600) and out of version control.
# Credentials; OS_PASSWORD must equal the --bootstrap-password value.
export OS_USERNAME='admin' OS_PASSWORD='admin' OS_PROJECT_NAME='admin'
# Domain scope for both the user and the project.
export OS_USER_DOMAIN_NAME='Default' OS_PROJECT_DOMAIN_NAME='Default'
# Keystone v3 endpoint registered by bootstrap, plus the API versions to use.
export OS_AUTH_URL='http://controller:5000/v3'
export OS_IDENTITY_API_VERSION='3' OS_IMAGE_API_VERSION='2'
# source admin-openrc.sh
11、测试
# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
默认存在default域
/*
创建新域gz,(仅用于测试,可以不创建)。
# openstack domain create --description "An Example Domain" gz
# openstack domain list
# openstack domain set --disable ID (禁用域)
# openstack domain delete ID (删除域)
*/
12、一个租户在OpenStack里就是一个项目,创建用户时必须先要有租户(项目),同时还需要一个能分配给该用户的角色,这样创建的用户才有意义。
创建service项目(租户),service项目将作为OpenStack的系统项目,所有系统服务都要加入到service项目中
# openstack project create --domain default --description "Service Project" service
# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 46e3af96a209442399529bbae607fe39 | service |
| 7cdd91e3d1ea44fd98c6128815aaebe5 | admin |
+----------------------------------+---------+
创建user角色
# openstack role create user
# openstack role list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 0b20a1d4099d4a50b890efcf8a047fba | admin |
| 80837f633e0f42149f8840f796c647fd | user |
| be3ddcd762d843b3abc814be78f37a12 | reader |
| c5960064776e4557ac5ed75acac3e4a5 | member |
+----------------------------------+--------+
13、验证Keystone
# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2024-02-27T16:22:39+0000 |
| id | gAAAAABl3f4_X4uiefhFYOm883_TmT_W6jnNfS2inXGCJM6Tlh0yksAFyDma4r9p3XfsHSOSQIeFAB_a7fxfvCUZEi0kBIFcTJnSbv8UOLdPbSU1F-iPmBtSazentfPNPynEOcmuXEgvb5srdZg-OkUY_O_iQenBuBTWeIBX68ZkuobaRQFLrLE |
| project_id | 7cdd91e3d1ea44fd98c6128815aaebe5 |
| user_id | ec9958303bb04bae8a59f288b496bbdb |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
取消环境变量后再次验证（此时 CLI 只能通过命令行参数和交互输入密码完成认证）
# unset OS_AUTH_URL OS_PASSWORD
使用admin用户,请求身份验证令牌。
# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default \
--os-user-domain-name Default \
--os-project-name admin \
--os-username admin token issue
输入admin的密码:admin
keystone.conf
# keystone.conf after step 5: comments and blank lines were stripped
# (grep -Ev "^#|^$"), so every remaining line is an active setting and
# empty section headers keep their defaults.
[application_credential]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[credential]
[database]
# Plaintext DB credential: KEYSTONE_DBPASS must be the value used in the
# GRANT statements (step 3). The file is root:keystone (step 5); keep it
# unreadable by other users.
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_receipts]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[jwt_tokens]
[ldap]
[memcache]
# Added beyond steps 1-13 above: points the memcache_pool cache backend at a
# memcached on controller:11211. NOTE(review): that service is not installed
# anywhere in this guide -- confirm it is running. NOTE(review): keystone's
# oslo.cache options (backend / enabled / memcache_servers) are normally read
# from [cache], not [memcache]; confirm these keys take effect in this section.
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller:11211
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[policy]
[profiler]
[receipt]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[token]
# Fernet tokens rely on the key repository created by
# "keystone-manage fernet_setup" in step 7.
provider = fernet
[tokenless_auth]
[totp]
[trust]
[unified_limit]
[wsgi]
admin-openrc.sh
# admin-openrc.sh: environment for the openstack CLI (source it, don't execute).
# Contains the admin password in plaintext -- restrict it to the owner
# (chmod 600) and keep it out of version control.
OS_USERNAME='admin'
OS_PASSWORD='admin'      # same value as keystone-manage bootstrap --bootstrap-password
OS_PROJECT_NAME='admin'
OS_USER_DOMAIN_NAME='Default'
OS_PROJECT_DOMAIN_NAME='Default'
OS_AUTH_URL='http://controller:5000/v3'   # Keystone v3 endpoint from step 8
OS_IDENTITY_API_VERSION='3'
OS_IMAGE_API_VERSION='2'
# Export everything in one go so child processes (the CLI) see the values.
export OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_USER_DOMAIN_NAME \
  OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION OS_IMAGE_API_VERSION