CentOS 7 Install OpenStack (Section II): Add the Authentication Service (Keystone)
My blog address: http://www.cnblogs.com/caoguo
Configured according to the OpenStack official documentation.
Official document address: http://docs.openstack.org/juno/install-guide/install/yum/content/#
0x01. Authentication service installation and configuration (controller node)
[root@controller ~]# mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone_dbpass';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone_dbpass';
MariaDB [(none)]> FLUSH PRIVILEGES;
[root@controller ~]# yum install -y openstack-keystone python-keystoneclient
[root@controller ~]# cp -rf /etc/keystone/keystone.conf /etc/keystone/keystone.conf.old
[root@controller ~]# vi /etc/keystone/keystone.conf
# Adding the following configuration is enough:
[database]
connection = mysql://keystone:keystone_dbpass@controller/keystone
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# chown -R keystone:keystone /var/log/keystone
[root@controller ~]# chown -R keystone:keystone /etc/keystone/ssl
[root@controller ~]# chmod -R o-rwx /etc/keystone/ssl
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller ~]# systemctl enable openstack-keystone.service
[root@controller ~]# systemctl start openstack-keystone.service
0x02. Create tenants, users, and roles (controller node)
[root@controller ~]# export OS_SERVICE_TOKEN=ADMIN_TOKEN   # ADMIN_TOKEN is the admin_token value set in keystone.conf
[root@controller ~]# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
2-1. Create an administrative tenant, user, and role for administrative operations in your environment:
A. Create the admin tenant: (create the tenant admin)
[root@controller ~]# keystone tenant-create --name admin --description "Admin Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Admin Tenant                     |
| enabled     | True                             |
| id          | f42937a2fd484d638ce58e67fef59b67 |
| name        | admin                            |
+-------------+----------------------------------+
B. Create the admin user: (create the user admin; EMAIL_ADDRESS is a placeholder for the address used)
[root@controller ~]# keystone user-create --name admin --pass admin_pass --email EMAIL_ADDRESS
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | EMAIL_ADDRESS                    |
| enabled  | True                             |
| id       | cc58749f0ecb402d9f627ee72bda5afb |
| name     | admin                            |
| username | admin                            |
+----------+----------------------------------+
C. Create the admin role: (create the role admin)
[root@controller ~]# keystone role-create --name admin
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | 4fa15a3b9fc6464694696fa75696b191 |
| name     | admin                            |
+----------+----------------------------------+
D. Add the admin role to the admin tenant and user: (add the user to the tenant and role)
[root@controller ~]# keystone user-role-add --user admin --tenant admin --role admin
2-2. Create a demo tenant and user for typical operations in your environment:
A. Create the demo tenant: (create the tenant demo)
[root@controller ~]# keystone tenant-create --name demo --description "Demo Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Demo Tenant                      |
| enabled     | True                             |
| id          | e15976585a8b45c4984f4ebd9db90b5c |
| name        | demo                             |
+-------------+----------------------------------+
B. Create the demo user under the demo tenant: (add the demo user to the tenant demo)
[root@controller ~]# keystone user-create --name demo --tenant demo --pass demo_pass --email EMAIL_ADDRESS
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | EMAIL_ADDRESS                    |
| enabled  | True                             |
| id       | 5c8155359c20422c96e7bcd6aa6388ba |
| name     | demo                             |
| tenantId | e15976585a8b45c4984f4ebd9db90b5c |
| username | demo                             |
+----------+----------------------------------+
2-3. OpenStack services also require a tenant, user, and role to interact with other services. Each service typically requires one or more unique users with the admin role under the service tenant.
A. Create the service tenant: (create the tenant service)
[root@controller ~]# keystone tenant-create --name service --description "Service Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Service Tenant                   |
| enabled     | True                             |
| id          | 6826a4d9fa7f4e438f3c79010ad80dcd |
| name        | service                          |
+-------------+----------------------------------+
0x03. Create the service entity and API endpoint (controller node)
3-1. Create the service entity for the Identity service:
[root@controller ~]# keystone service-create --name keystone --type identity --description "OpenStack Identity"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 5da5b6f72df341a7959ee7b42131c082 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
3-2. Create the Identity service API endpoints:
[root@controller ~]# keystone endpoint-create \
  --service-id $(keystone service-list | awk '/ identity / {print $2}') \
  --publicurl http://controller:5000/v2.0 \
  --internalurl http://controller:5000/v2.0 \
  --adminurl http://controller:35357/v2.0 \
  --region regionOne
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://controller:35357/v2.0     |
| id          | 90af99e76cc54249b5ac3ec4269b0d99 |
| internalurl | http://controller:5000/v2.0      |
| publicurl   | http://controller:5000/v2.0      |
| region      | regionOne                        |
| service_id  | 5da5b6f72df341a7959ee7b42131c082 |
+-------------+----------------------------------+
0x04. Verify the operations above (controller node)
4-1. Unset the temporary variables
[root@controller ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
4-2. Verify that the admin user can get a token (the expires value is truncated on the page)
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password admin_pass --os-auth-url http://controller:35357/v2.0 token-get
+-----------+----------------------------------+
| Property  | Value                            |
+-----------+----------------------------------+
| expires   | ...-01T09:34Z                    |
| id        | 6ce0cc1d7cf94cd39f66f8cad8d78da1 |
| tenant_id | f42937a2fd484d638ce58e67fef59b67 |
| user_id   | cc58749f0ecb402d9f627ee72bda5afb |
+-----------+----------------------------------+
4-3. Tenant list
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password admin_pass --os-auth-url http://controller:35357/v2.0 tenant-list
+----------------------------------+---------+---------+
| id                               | name    | enabled |
+----------------------------------+---------+---------+
| f42937a2fd484d638ce58e67fef59b67 | admin   | True    |
| e15976585a8b45c4984f4ebd9db90b5c | demo    | True    |
| 6826a4d9fa7f4e438f3c79010ad80dcd | service | True    |
+----------------------------------+---------+---------+
4-4. User list
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password admin_pass --os-auth-url http://controller:35357/v2.0 user-list
+----------------------------------+-------+---------+---------------+
| id                               | name  | enabled | email         |
+----------------------------------+-------+---------+---------------+
| cc58749f0ecb402d9f627ee72bda5afb | admin | True    | EMAIL_ADDRESS |
| 5c8155359c20422c96e7bcd6aa6388ba | demo  | True    | EMAIL_ADDRESS |
+----------------------------------+-------+---------+---------------+
4-5. Role list
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password admin_pass --os-auth-url http://controller:35357/v2.0 role-list
+----------------------------------+----------+
| id                               | name     |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 4fa15a3b9fc6464694696fa75696b191 | admin    |
+----------------------------------+----------+
4-6. The demo user gets a token (the expires value is truncated on the page)
[root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password demo_pass --os-auth-url http://controller:35357/v2.0 token-get
+-----------+----------------------------------+
| Property  | Value                            |
+-----------+----------------------------------+
| expires   | ...-01T10:54Z                    |
| id        | 8beacb3ab30e402583b9e1ff2bdf05ba |
| tenant_id | e15976585a8b45c4984f4ebd9db90b5c |
| user_id   | 5c8155359c20422c96e7bcd6aa6388ba |
+-----------+----------------------------------+
4-7. Attempt an operation the demo user is not permitted to perform (listing users requires the admin role, so Keystone refuses it)
[root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password demo_pass --os-auth-url http://controller:35357/v2.0 user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)
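As an added example (not code from the original post), a small Python 3 client using only the standard library that does what the token-get and user-list checks in 4-2 to 4-7 do by hand: it builds the POST /v2.0/tokens body, then checks a v2.0 token reply for expiry, the caller's roles, and the public/admin port split of the identity endpoint created in 3-2. The get_token function performs a live request against an auth URL and is not exercised offline; SAMPLE_ACCESS is a constructed reply with made-up IDs in the shape Keystone v2.0 returns for the demo user, whose missing admin role is exactly why 4-7 ends in HTTP 403.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit
from urllib.request import Request, urlopen

def token_request(tenant, username, password):
    # JSON body of POST <auth_url>/tokens, the call "keystone token-get" makes
    return {"auth": {"tenantName": tenant,
                     "passwordCredentials": {"username": username,
                                             "password": password}}}

def get_token(auth_url, tenant, username, password):
    # Live request (not run offline); returns the "access" object of the reply
    req = Request(auth_url.rstrip("/") + "/tokens",
                  data=json.dumps(token_request(tenant, username, password)).encode(),
                  headers={"Content-Type": "application/json"})
    with urlopen(req, timeout=10) as resp:
        return json.load(resp)["access"]

def check_access(access, region="regionOne", now=None):
    # Validate what section 4 checks by hand: an unexpired token, the role set,
    # and an identity endpoint whose public/admin URLs use ports 5000/35357
    now = now or datetime.now(timezone.utc)
    expires = datetime.strptime(access["token"]["expires"],
                                "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    if expires <= now:
        raise ValueError("token expired at %s" % access["token"]["expires"])
    roles = sorted(r["name"] for r in access["user"]["roles"])
    ident = next(s for s in access["serviceCatalog"] if s["type"] == "identity")
    ep = next(e for e in ident["endpoints"] if e["region"] == region)
    ports = {k: urlsplit(ep[k]).port for k in ("publicURL", "internalURL", "adminURL")}
    if ports["adminURL"] != 35357 or ports["publicURL"] != 5000:
        raise ValueError("identity endpoint ports are wrong: %r" % ports)
    return {"tenant": access["token"]["tenant"]["name"],
            "user": access["user"]["name"], "roles": roles,
            "is_admin": "admin" in roles, "ports": ports}

# Constructed sample, shaped like the v2.0 reply for the demo user (IDs made up)
SAMPLE_ACCESS = {
    "token": {"id": "TOKEN_ID_CONSTRUCTED", "expires": "2099-01-01T10:54:00Z",
              "tenant": {"id": "TENANT_ID_CONSTRUCTED", "name": "demo"}},
    "user": {"id": "USER_ID_CONSTRUCTED", "name": "demo",
             "roles": [{"name": "_member_"}]},
    "serviceCatalog": [{"type": "identity", "name": "keystone", "endpoints": [{
        "region": "regionOne", "publicURL": "http://controller:5000/v2.0",
        "internalURL": "http://controller:5000/v2.0",
        "adminURL": "http://controller:35357/v2.0"}]}],
}
```

Running check_access(SAMPLE_ACCESS) returns is_admin False with roles ["_member_"], which is the same authorization state the 403 above reports.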
0x05. Create OpenStack client environment scripts (controller node)
5-1. Add the environment variables for the admin user
[root@controller ~]# vi admin-openrc.sh
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin_pass
export OS_AUTH_URL=http://controller:35357/v2.0
5-2. Add the environment variables for the demo user
[root@controller ~]# vi demo-openrc.sh
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo_pass
export OS_AUTH_URL=http://controller:5000/v2.0