OpenStack Pike Minimal安装：身份认证

Posted 2021-01-03

1.在controller节点上安装keystone

[email protected] ~]# yum install openstack-keystone httpd mod_wsgi -y

2.配置

[[email protected] ~]# vim /etc/keystone/keystone.conf

[database]
connection = mysql+pymysql://keystone:[email protected]/keystone
[token]
provider = fernet

3.填充数据库

[[email protected] ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
#日志文件所处位置
[[email protected] ~]# ll /var/log/keystone/keystone.log 
-rw-rw---- 1 root keystone 16062 Sep  4 01:05 /var/log/keystone/keystone.log
#查看数据库
[[email protected] ~]# mysql -h controller -ukeystone -pkeystone -e "use keystone;show tables;"

4.初始化Fernet key

[[email protected] ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[[email protected] ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

5.初始化服务

# keystone-manage bootstrap --bootstrap-password admin
--bootstrap-admin-url http://controller:35357/v3/
--bootstrap-internal-url http://controller:5000/v3/
--bootstrap-public-url http://controller:5000/v3/
--bootstrap-region-id RegionOne

6.配置httpd

[[email protected] ~]# vim /etc/httpd/conf/httpd.conf 
#修改ServerName为主机名
ServerName controller

[[email protected] ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

[[email protected] ~]# systemctl enable httpd.service
[[email protected] ~]# systemctl start httpd.service

7.创建登陆脚本

[[email protected] ~]# cat admin-openstack.sh 
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

[[email protected] ~]# cat demo-openstack.sh 
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

8.创建domain, projects, users, and roles

#先使用脚本登陆admin
[[email protected] ~]# . admin-openstack.sh

①创建service project

openstack project create --domain default --description "Service Project" service

②创建demo project

openstack project create --domain default --description "Demo Project" demo

③创建demo user

openstack user create --domain default --password-prompt demo

④创建 user role

openstack role create user

⑤将user role添加到demo project和user

openstack role add --project demo --user demo user

9.验证操作

①注销登陆

[[email protected] ~]# unset OS_AUTH_URL OS_PASSWORD

②验证admin用户

openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue

③验证demo用户

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name demo --os-username demo token issue

④使用脚本查看

[[email protected] ~]# . admin-openstack.sh 
[[email protected] ~]# openstack token issue