二、安装认证服务(Identity service)

1.1建立数据库

# -p with no value makes the client prompt for the MariaDB root password.
# Never append the password to the option itself: it would be recorded in the
# shell history and be visible to every local user via `ps`.
[root@controller1 ~]# mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE keystone;

1.2授权数据库访问

# Two grants: one for socket/loopback logins and one for any host ('%').
# The IDENTIFIED BY value ('keystone') is the database password and must match
# the [database] connection line in keystone.conf (step 3.3). It is trivially
# guessable and only acceptable in a throw-away lab; use a random value
# (e.g. `openssl rand -hex 16`) anywhere else.
# Note that keystone.conf connects to host "controller1", not "localhost", so
# it is the '%' grant that actually serves keystone. If you tighten '%', grant
# 'keystone'@'controller1' (or the controller's management IP) instead of
# removing it, or the db_sync in step 3.4 will fail with an access error.
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';

2.1生成临时随机数(token)

# 10 random bytes printed as 20 hex characters. This value becomes admin_token
# in keystone.conf (step 3.3) and OS_TOKEN (step 5.1); whoever holds it has
# full administrative access until it is removed in step 9.2. Generate your
# own value and treat it as a secret -- do not reuse the one shown here.
[root@controller1 ~]# openssl rand -hex 10
4904808b108b787d950f

3.1安装包

# Keystone itself, Apache + mod_wsgi to serve it (see step 4.2), and memcached
# plus its Python client for the token cache configured in step 3.3.
[root@controller1 ~]# yum install openstack-keystone httpd mod_wsgi memcached python-memcached

3.2启动memcached服务

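# memcached will hold keystone tokens ([token] driver = memcache in step 3.3)
# and has no authentication of its own: anyone who can reach port 11211 can
# read or forge cached tokens. keystone.conf points at localhost:11211, so
# bind memcached to the loopback interface before starting it. On CentOS/RHEL
# the listen options live in /etc/sysconfig/memcached; depending on the
# package defaults the shipped OPTIONS value may bind every interface.
[root@controller1 ~]# vi /etc/sysconfig/memcached
OPTIONS="-l 127.0.0.1"
[root@controller1 ~]# systemctl enable memcached.service
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@controller1 ~]# systemctl start memcached.service
# Verify the bind address: `ss -ltn | grep 11211` should list 127.0.0.1:11211 only.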

3.3编辑配置文件

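# [root@controller1 ~]# vi /etc/keystone/keystone.conf
#
# Settings added to the packaged keystone.conf. The original listed [DEFAULT]
# twice (admin_token at the top, verbose at the bottom); the two fragments are
# merged into a single section here.

[DEFAULT]
# Bootstrap token from step 2.1 (output of `openssl rand -hex 10`). Any client
# presenting it is treated as administrator without a user account, so it is
# only for the initial setup: delete this line and remove admin_token_auth
# from the paste pipeline (step 9.2) once the admin user exists, then restart
# httpd.
admin_token = 4904808b108b787d950f
# Optional, for troubleshooting: more detail in the keystone log
# (typically /var/log/keystone/keystone.log) and in
# /var/log/httpd/keystone-error.log.
verbose = True

[database]
# Same user and password as the GRANT in step 1.2. The password sits here in
# clear text, so this file must not be world-readable -- check with
# `ls -l /etc/keystone/keystone.conf`; it is expected to be owned by
# root:keystone with mode 0640.
connection = mysql://keystone:keystone@controller1/keystone

[memcache]
# Token cache. Matches the memcached started in step 3.2, which should be
# bound to 127.0.0.1 only because the tokens stored there are unauthenticated.
servers = localhost:11211

[token]
# UUID tokens persisted in memcached (not the SQL token table).
provider = uuid
driver = memcache

[revoke]
# Revocation events are kept in the database so they survive a cache flush.
driver = sql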

3.4初始化数据库

# Populate the schema. Runs as the unprivileged keystone user (su -s ...) so
# that files created along the way are not root-owned. Success prints
# nothing; on failure, check the keystone log and the GRANT/connection
# settings from steps 1.2 and 3.3.
[root@controller1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone  #没有消息输出

4.1配置HTTP服务

# Give Apache an explicit ServerName (the controller's hostname) so it does not
# guess one from DNS; this must resolve on the node and on every client.
[root@controller1 ~]# vi /etc/httpd/conf/httpd.conf
ServerName controller1

4.2创建配置文件

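# [root@controller1 ~]# vi /etc/httpd/conf.d/wsgi-keystone.conf
#
# Two Apache virtual hosts run keystone under mod_wsgi: the public API on
# port 5000 and the admin API on port 35357 (the ports the endpoints created
# in step 5.3 point at). The <VirtualHost>, <IfVersion> and <Directory> tags
# were lost in the original paste (only "= 2.4>" / "< 2.4>" survived) and are
# restored here.
#
# Security notes:
#  - Both listeners are plain HTTP and accept any client ("Require all
#    granted"); passwords and tokens cross the wire in clear text. Terminate
#    TLS on these vhosts (mod_ssl) or in front of them, and block 35357 from
#    anything but the management network with the host firewall before the
#    node is reachable by tenants.
#  - The <Directory> path must be the directory that holds the keystone-wsgi-*
#    scripts named in WSGIScriptAlias (/usr/bin for the RDO packages).

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>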

4.3启动服务并开机自动启动

# From this point keystone answers on 5000 and 35357 over plain HTTP on every
# interface Apache listens on (see step 4.2); make sure the host firewall
# limits 35357 to the management network.
[root@controller1 ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller1 ~]# systemctl start httpd.service

5.1配置TOKEN

# Bootstrap credentials for the openstack CLI: the admin_token from step 2.1
# and the admin endpoint (35357) of the Identity v3 API. Typing the token on
# the command line leaves it in ~/.bash_history; remove those entries
# (history -d / history -c) after it is unset in step 9.1.
[root@controller1 ~]# export OS_TOKEN=4904808b108b787d950f
[root@controller1 ~]# export OS_URL=http://controller1:35357/v3
[root@controller1 ~]# export OS_IDENTITY_API_VERSION=3

5.2创建服务实体（出错时查看 /var/log/httpd/keystone-error.log 与 keystone 自身日志；可在 /etc/keystone/keystone.conf 中设置 verbose = True 获得更多日志）

# Registers the Identity service in the catalog. Authenticated with the
# bootstrap OS_TOKEN exported in step 5.1, not with a user account.
[root@controller1]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | f41a28a082fc408c8648d385822103e6 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

5.3创建API端点

# Three catalog endpoints for the Identity service. Clients follow these URLs
# blindly, so they must match what Apache really serves: plain http:// here
# (see step 4.2). If TLS is added later, the URLs have to be updated to
# https:// (openstack endpoint set --url ...) or clients will keep sending
# credentials over clear-text HTTP.
# The admin endpoint is the 35357 listener; public and internal share 5000.
[root@controller1]# openstack endpoint create --region RegionOne identity public http://controller1:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | bbf5d984ed76415ba2ce2821bc8ed250 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | f41a28a082fc408c8648d385822103e6 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller1:5000/v2.0     |
+--------------+----------------------------------+
[root@controller1]# openstack endpoint create --region RegionOne identity internal http://controller1:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b5fb1bde51974e89835840a695042c29 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | f41a28a082fc408c8648d385822103e6 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller1:5000/v2.0     |
+--------------+----------------------------------+
[root@controller1]# openstack endpoint create --region RegionOne identity admin http://controller1:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | d5d821b16b02482f9c66027da27be217 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | f41a28a082fc408c8648d385822103e6 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller1:35357/v2.0    |
+--------------+----------------------------------+

6.1创建域（本文后续命令均使用已存在的 default 域，因此此处无需创建新域）

6.2创建项目(project/tenants)

# Project that the administrator account (step 6.3) will hold the admin role
# in. Its id (c4d6ba1c...) reappears as project_id in the tokens issued in 9.3.
[root@controller1 ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | c4d6ba1cb9424cbcaa32e6b9daeb4a19 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+

6.3创建管理员用户

# --password-prompt reads the password interactively instead of from the
# command line, so it stays out of the shell history. The "admin" after each
# prompt is the value this tutorial chose, written in for the reader; a real
# prompt normally does not echo it. "admin" as the admin password is only
# acceptable in a disposable lab -- choose a strong one and keep it in sync
# with OS_PASSWORD in admin-openrc.sh (step 10.1).
[root@controller1 ~]# openstack user create --domain default --password-prompt admin
User Password:admin
Repeat User Password:admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | f04f9a6391ce4bb3840bc1dfa1181583 |
| name      | admin                            |
+-----------+----------------------------------+

6.4创建管理员角色

# The role name "admin" is what the default policy files key administrative
# rights on, so spell it exactly like this.
[root@controller1 ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | c778dd4b4c864c3685db4d4feb0acd52 |
| name  | admin                            |
+-------+----------------------------------+

6.5添加角色到项目和管理员用户

# Argument order: --project <project> --user <user> <role>. From here on the
# admin user can authenticate with a password (step 9.3) and the bootstrap
# token is no longer needed.
[root@controller1 ~]# openstack role add --project admin --user admin admin

7.1创建服务项目

# Project that will own the service accounts (nova, glance, ...) created in
# later chapters; keeping them apart from tenant projects limits what a leaked
# service credential can touch.
[root@controller1 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 78b459d13b3041a6b06fd0b961bc26f1 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+

8.1创建非管理员项目(demo)

# Unprivileged tenant project used to verify that non-admin authentication
# works (steps 9.4 and 10.2).
[root@controller1 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 77bbdcc40d8e4cd5abc08fb15585cb4e |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+

8.2创建非管理员用户

# Same as step 6.3: the password is read at the prompt, and the "demo" shown
# after it is the tutorial's choice, not CLI output. Replace it with a real
# password and keep demo-openrc.sh (step 10.1) in sync.
[root@controller1 ~]# openstack user create --domain default --password-prompt demo
User Password:demo
Repeat User Password:demo
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | de2f5efaee794b51b50c602cc9914742 |
| name      | demo                             |
+-----------+----------------------------------+

8.3创建非管理员角色

# Plain member role for tenants; it carries no special rights in the default
# policy and only exists so demo has some role on its project.
[root@controller1 ~]# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | e9e4bbf1608c4cd3b4fcde2575a5ded3 |
| name  | user                             |
+-------+----------------------------------+

8.4将user角色添加到demo项目和demo用户

# Gives demo the "user" role on the demo project only -- no admin rights.
[root@controller1 ~]# openstack role add --project demo --user demo user

9.1验证,取消环境变量

# Stop using the bootstrap token in this shell. This only clears the
# environment: the token is still in ~/.bash_history (step 5.1) and still
# accepted by keystone until step 9.2 removes admin_token_auth.
[root@controller1 ~]# unset OS_TOKEN OS_URL

9.2安全配置,移除admin_token_auth

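# [root@controller1 ~]# vi /usr/share/keystone/keystone-dist-paste.ini
#
# Remove the admin_token_auth filter from all three pipelines. As long as it
# is in place, any client that knows admin_token (stored in clear text in
# keystone.conf) is treated as administrator without a user account. The
# original listing still showed admin_token_auth in every pipeline, i.e. the
# edit had not actually been applied; the lines below are the intended result.
# This file belongs to the openstack-keystone package and a package update may
# replace it -- re-check the pipelines after upgrades.

[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension user_crud_extension public_service

[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3

# Then remove (or comment out) the admin_token line from
# /etc/keystone/keystone.conf so the secret does not linger on disk, and
# restart Apache so the running WSGI processes pick up both changes:
#   [root@controller1 ~]# sed -i '/^admin_token = /d' /etc/keystone/keystone.conf
#   [root@controller1 ~]# systemctl restart httpd.service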

9.3以管理员用户申请令牌（验证密码认证）

[root@comtroller1 ~]# openstack --os-auth-url http://controller1:35357/v3  --os-project-domain-id default --os-user-domain-id default  --os-project-name admin --os-username admin --os-auth-type password  token issuePassword: admin+------------+----------------------------------+| Field      | Value                            |+------------+----------------------------------+| expires    | 2016-07-11T06:46:59.482835Z      || id         | 0139a994069a44b28030f0e1ad877eab || project_id | c4d6ba1cb9424cbcaa32e6b9daeb4a19 || user_id    | f04f9a6391ce4bb3840bc1dfa1181583 |+------------+----------------------------------+

9.4以普通用户（demo）申请令牌

# Same check for the unprivileged user, this time through the public endpoint
# (5000) that tenants will use. project_id/user_id match the demo project and
# user created in steps 8.1 and 8.2. The "demo" after "Password:" is the value
# chosen in step 8.2, not something the CLI printed.
[root@controller1 ~]# openstack --os-auth-url http://controller1:5000/v3 \
  --os-project-domain-id default --os-user-domain-id default \
  --os-project-name demo --os-username demo --os-auth-type password \
  token issue
Password: demo
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-07-11T06:49:35.051544Z      |
| id         | b265f81e99674727ab5d3ef270f105bc |
| project_id | 77bbdcc40d8e4cd5abc08fb15585cb4e |
| user_id    | de2f5efaee794b51b50c602cc9914742 |
+------------+----------------------------------+

10.1配置客户端环境脚本

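# Client environment files. OS_PASSWORD is stored in clear text, so the files
# must be readable by root only (chmod 600 below), and every variable exported
# here is inherited by each process started from a shell that sourced them.
# The admin file talks to the admin endpoint (35357), the demo file to the
# public one (5000). OS_TENANT_NAME repeats OS_PROJECT_NAME for clients that
# still read the older variable name. The passwords are the ones chosen in
# steps 6.3 and 8.2; if you picked real passwords there, put them here.
[root@controller1 ~]# vi ~/admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller1:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@controller1 ~]# vi ~/demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller1:5000/v3
export OS_IDENTITY_API_VERSION=3
# These files are equivalent to the admin and demo passwords: lock them down.
[root@controller1 ~]# chmod 600 ~/admin-openrc.sh ~/demo-openrc.sh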

10.2使用脚本并验证

# Sourcing the file puts OS_PASSWORD into this shell's environment (and that
# of every child process) for the rest of the session; the token is obtained
# without any prompt. project_id/user_id are the admin project and user.
[root@controller1 ~]# source admin-openrc.sh
[root@controller1 ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-07-11T07:35:18.783300Z      |
| id         | e44e5283e4a94280b73094e7d520031e |
| project_id | c4d6ba1cb9424cbcaa32e6b9daeb4a19 |
| user_id    | f04f9a6391ce4bb3840bc1dfa1181583 |
+------------+----------------------------------+