Installing Keystone from source on Ubuntu 12.04



Keystone overview:
Keystone was developed as an independent core project early in OpenStack's history. Because OpenStack's design principle is that everything is an API, no service API call can be made without going through Keystone. As OpenStack's identity service, Keystone plays a central role: it implements the Identity API that the other OpenStack components use to authenticate the requests they receive.

Keystone's two token-validation methods:
UUID tokens
After a user authenticates to Keystone with a valid user name and password, Keystone returns a token that is simply a UUID. The user presents this token on every later request. When Nova receives such a request it passes the token back to Keystone for validation; Keystone looks the token up in its own store, checks that it has not expired, and tells Nova whether the request may proceed. Every request to every service therefore costs a round trip to Keystone, which makes Keystone a performance bottleneck in a busy cloud.

PKI tokens
When Keystone's PKI material is set up (keystone-manage pki_setup, see below), Keystone generates a CA certificate ca.pem and its private key ca.key, together with its own signing key keystone.key and public key keystone.pub; the public key is signed by the CA to produce the certificate keystone.pem.
After a user authenticates with a valid user name and password, Keystone signs the user's basic information (user, tenant, roles, expiry) with keystone.key and returns the signed blob to the user as the token. Note that the token is signed, not encrypted: anyone holding it can read its contents, so it must be protected in transit and at rest like a password. When a service such as Nova receives a request, it needs Keystone's certificate keystone.pem (fetched from Keystone once and cached locally); with it Nova verifies the signature and reads the user information itself to decide whether the user is legitimate, without asking Keystone.
Nova still has to check that the token has neither expired nor been revoked. Expiry is part of the signed payload; for revocation, Nova periodically fetches Keystone's token revocation list and checks the token against its cached copy instead of calling Keystone on every request. This puts very little load on Keystone, so PKI tokens largely remove Keystone as a bottleneck. Two caveats follow from the design: a revoked token remains usable on a service until that service refreshes its cached revocation list, and because validation is local, compromise of keystone.key lets an attacker mint tokens that every service will accept. (Later Keystone releases deprecated and then removed PKI tokens in favour of Fernet tokens.)
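The following is an added example, not code from the original post or from Keystone, that models the two validation flows just described so the difference in load and the revocation-lag window can be observed. HMAC-SHA256 stands in for the CMS/RSA signature of real PKI tokens, which means the verifying side holds the same key here, unlike a real deployment where services hold only the public certificate keystone.pem; the classes, key names and timestamps are constructed for the example.

```python
"""Toy model of UUID versus PKI token validation (added example, not
Keystone's code).  HMAC-SHA256 stands in for the CMS/RSA signature of real
PKI tokens.  The UUID path asks Keystone on every request; the PKI path
verifies locally and consults a cached revocation list."""
import base64
import hashlib
import hmac
import json
import uuid


def _decode(token):
    """Split a toy PKI token into (payload bytes, parsed body, signature hex)."""
    payload_b64, sig_hex = token.split(".")
    payload = base64.urlsafe_b64decode(payload_b64)
    return payload, json.loads(payload), sig_hex


class Keystone:
    """Issues tokens and answers the queries that services send it."""

    def __init__(self, signing_key):
        self.signing_key = signing_key   # stands in for keystone.key
        self.uuid_tokens = {}            # token id -> (user, expires_at)
        self.revoked = set()             # ids of revoked PKI tokens
        self.round_trips = 0             # requests received from services

    def issue_uuid(self, user, expires_at):
        tid = uuid.uuid4().hex
        self.uuid_tokens[tid] = (user, expires_at)
        return tid

    def validate_uuid(self, tid, now):
        """Online validation: a service must call this for every request."""
        self.round_trips += 1
        entry = self.uuid_tokens.get(tid)
        if entry is None or now >= entry[1]:
            return None
        return entry[0]

    def issue_pki(self, user, expires_at):
        # The token carries the user data itself plus a signature over it.
        body = {"id": uuid.uuid4().hex, "user": user, "expires_at": expires_at}
        payload = json.dumps(body, sort_keys=True).encode()
        sig = hmac.new(self.signing_key, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + sig

    def revoke_pki(self, token):
        self.revoked.add(_decode(token)[1]["id"])

    def revocation_list(self):
        self.round_trips += 1
        return set(self.revoked)


class Service:
    """A consumer of tokens such as Nova."""

    def __init__(self, keystone, verify_key, revocation_ttl):
        self.keystone = keystone
        self.verify_key = verify_key       # stands in for keystone.pem
        self.revocation_ttl = revocation_ttl
        self._revoked = None               # cached revocation list
        self._fetched_at = None

    def check_uuid(self, tid, now):
        return self.keystone.validate_uuid(tid, now)

    def check_pki(self, token, now):
        """Offline validation: signature, expiry, then the cached revocation list."""
        payload, body, sig_hex = _decode(token)
        expected = hmac.new(self.verify_key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig_hex):
            return None                    # tampered or not signed by Keystone
        if now >= body["expires_at"]:
            return None                    # expired; no call to Keystone needed
        if self._revoked is None or now - self._fetched_at >= self.revocation_ttl:
            self._revoked = self.keystone.revocation_list()
            self._fetched_at = now
        if body["id"] in self._revoked:
            return None
        return body["user"]


def demo(requests=5, revocation_ttl=10):
    """Run both flows and report round trips and the revocation-lag window."""
    key = b"toy-signing-key"                # constructed for the example
    ks = Keystone(key)
    nova = Service(ks, key, revocation_ttl)
    now = 1000
    utok = ks.issue_uuid("admin", now + 3600)
    ptok = ks.issue_pki("admin", now + 3600)
    for _ in range(requests):
        nova.check_uuid(utok, now)
    uuid_trips, ks.round_trips = ks.round_trips, 0
    for _ in range(requests):
        nova.check_pki(ptok, now)
    pki_trips = ks.round_trips
    ks.revoke_pki(ptok)
    _, body, sig_hex = _decode(ptok)
    body["user"] = "user1"                  # re-use the old signature: forgery
    forged = base64.urlsafe_b64encode(
        json.dumps(body, sort_keys=True).encode()).decode() + "." + sig_hex
    return {
        "uuid_round_trips": uuid_trips,     # one per request
        "pki_round_trips": pki_trips,       # a single revocation-list fetch
        "revoked_but_cached": nova.check_pki(ptok, now + revocation_ttl - 1),
        "revoked_after_refresh": nova.check_pki(ptok, now + revocation_ttl),
        "expired": nova.check_pki(ptok, now + 3600),
        "forged": nova.check_pki(forged, now),
    }


if __name__ == "__main__":
    print(demo())
```

With five requests the UUID path costs five round trips and the PKI path one; the revoked token is still accepted one second before the cache expires and rejected once the list is refreshed, which is the window an operator has to keep in mind when choosing the revocation cache time.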


Install the required packages

$ sudo apt-get install -y git python-dev sqlite3 libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev
$ git clone https://github.com/openstack/keystone.git
$ git clone https://github.com/openstack/python-keystoneclient.git keystone/client

Install the MySQL database

$ sudo apt-get install mysql-server mysql-client python-mysqldb
$ sudo mysql -u root -p
mysql> create database keystone;
mysql> grant all on keystone.* to 'keystone'@'%' identified by 'redhat';

The grant above lets the keystone account log in from any host; on a single-node install grant to 'keystone'@'localhost' instead, and choose a real password rather than the placeholder redhat. Whatever you choose, the same account and password belong in the connection string in keystone.conf below.

Install keystone

$ cd keystone
$ python setup.py install

If this step complains that the setuptools module is missing, install it and run the installation again:

$ sudo apt-get install python-setuptools
$ python setup.py install
$ sudo pip install -e .

Modify the configuration file:

$ sudo mkdir -p /etc/keystone
$ sudo cp etc/* /etc/keystone/
$ sudo mv /etc/keystone/keystone.conf.sample /etc/keystone/keystone.conf
$ sudo vim /etc/keystone/keystone.conf

Uncomment and set at least the following two options (the host in the connection string is the address of the MySQL server from the previous step):

#admin_token=ADMIN
admin_token=ADMIN
#connection=<None>
connection=mysql://root:redhat@<mysql-host>/keystone?charset=utf8

and set admin_endpoint and public_endpoint to the addresses this host will serve on.

admin_token is a bootstrap secret: anyone who presents it at the admin port gets full administrative access, so replace ADMIN with a long random value (for example the output of openssl rand -hex 32) and remove the admin_token_auth filter from the paste pipeline once real admin credentials exist. The connection string should also use the keystone database account created above rather than root.
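As an added example (not part of the original post or of Keystone), the following script audits the settings edited in this step. It reads keystone.conf with configparser and flags the default bootstrap token admin_token=ADMIN (or a short one), a database connection that logs in as the MySQL root account, and plain-http public/admin endpoints. The option names are the ones the post edits; both the older [sql] section and the newer [database] section are accepted for the connection string. Both sample configurations in the script are constructed for the example, including the hardened password and hostname.

```python
"""Audit of keystone.conf for the weak settings a source install tends to
keep (added example; not Keystone's code)."""
import configparser
from urllib.parse import urlparse

# Constructed sample: the values from the post, as edited in this step.
WEAK_CONF = """\
[DEFAULT]
admin_token = ADMIN
public_endpoint = http://192.168.0.103:5000/
admin_endpoint = http://192.168.0.103:35357/

[sql]
connection = mysql://root:redhat@127.0.0.1/keystone?charset=utf8
"""

# Constructed sample of the same file after hardening (hostname and
# password are made up for the example).
HARDENED_CONF = """\
[DEFAULT]
admin_token = 3c0f4b2e9a1d4e7f8b6a5c4d3e2f1a0b9c8d7e6f5a4b3c2d1e0f9a8b7c6d5e4f
public_endpoint = https://keystone.example.test:5000/
admin_endpoint = https://keystone.example.test:35357/

[database]
connection = mysql://keystone:Vq7mH2pR9sLx@127.0.0.1/keystone?charset=utf8
"""


def load(conf_text):
    # interpolation=None so '%' in passwords is not treated specially
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(conf_text)
    return cfg


def audit(conf_text):
    """Return a list of human-readable findings; an empty list means clean."""
    cfg = load(conf_text)
    findings = []

    token = cfg.get("DEFAULT", "admin_token", fallback="")
    if token.upper() == "ADMIN":
        findings.append("admin_token is the well-known default 'ADMIN'")
    elif len(token) < 32:
        findings.append("admin_token is shorter than 32 characters")

    # Older releases keep the connection string under [sql], newer under [database].
    conn = (cfg.get("sql", "connection", fallback="")
            or cfg.get("database", "connection", fallback=""))
    if conn:
        url = urlparse(conn)
        if url.username == "root":
            findings.append("database connection logs in as the MySQL root account")
        if not url.password:
            findings.append("database connection has no password")
    else:
        findings.append("no database connection string configured")

    for opt in ("public_endpoint", "admin_endpoint"):
        endpoint = cfg.get("DEFAULT", opt, fallback="")
        if endpoint.startswith("http://"):
            findings.append(f"{opt} uses plain http; tokens and passwords "
                            "cross the wire in cleartext")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(text) or ["clean"])
```

Run it against the real file with `audit(open("/etc/keystone/keystone.conf").read())`; the weak sample produces four findings and the hardened one none.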

Configure the log storage path

$ sudo mkdir -p /var/log/keystone
$ sudo touch /var/log/keystone/keystone.log

The directory is root-owned, so the file must be created with sudo as well; a plain touch there fails with "Permission denied".

Database synchronization: create Keystone's database tables.

$ keystone-manage db_sync
$ echo $?

An exit status of 0 means the schema was created; anything else usually points at a wrong connection string in keystone.conf.

Create the keystone account and the SSL certificates

$ sudo useradd keystone
$ sudo chown -R keystone.keystone /etc/keystone/
$ sudo keystone-manage pki_setup --keystone-user=keystone --keystone-group=keystone

pki_setup writes the CA and token-signing key material under /etc/keystone/ssl by default; the private keys there must stay readable only by the keystone user, since anyone who can read the signing key can mint tokens.

Start the keystone service

$ keystone-all -d &
$ ps aux | grep keystone
junluobj 14911  0.0  4.0 123772 41368 pts/1    S    19:15   0:00 /usr/bin/python /usr/local/bin/keystone-all -d
junluobj 14924  0.0  0.0  13588   936 pts/1    S+   19:29   0:00 grep --color=auto keystone

Here the daemon runs as the login user; in a real deployment run it as the keystone user that owns /etc/keystone.

Keystone is now installed but not yet usable: there are no tenants, users, passwords or services.

Configure keystone

Set two environment variables so the keystone client can talk to the admin port with the bootstrap token:

$ export OS_SERVICE_TOKEN=ADMIN
$ export OS_SERVICE_ENDPOINT=http://192.168.0.103:35357/v2.0

(Older clients read the same values from SERVICE_TOKEN and SERVICE_ENDPOINT.) OS_SERVICE_TOKEN must be the value you put in admin_token, and with a plain http endpoint that token travels in cleartext on every command.

View the user list:

$ keystone user-list

Create a tenant

$ keystone tenant-create --name adminTenant --description "Admin Tenant" --enabled true



Create users

Record the tenant ID printed by tenant-create; it is what associates each user with the tenant.

$ keystone user-create --tenant_id bf0df88bd9694e11951a896bde015cb0 --name admin --pass redhat --enabled true
$ keystone user-create --tenant_id bf0df88bd9694e11951a896bde015cb0 --name user1 --pass redhat --enabled true

(Passing --pass on the command line leaves the password in the shell history; redhat is a placeholder to be replaced.)


Use the keystone command to create a role and assign it to the admin user created in the previous step.

Create a role named adminRole and note the role ID this command prints:

$ keystone role-create --name adminRole




So far a tenant, a user and a role have been created:

Tenant ID: bf0df88bd9694e11951a896bde015cb0
User ID: 0a46563787a7470ebca6e0faafb41174 (admin)
Role ID: 87a6bda856014492b9f6164dc99f792d

Now bind them together. Use the IDs printed by your own commands; they will differ from these, and the role ID must be the one role-create printed above:

$ keystone user-role-add --user-id 0a46563787a7470ebca6e0faafb41174 \
    --tenant-id bf0df88bd9694e11951a896bde015cb0 \
    --role-id 87a6bda856014492b9f6164dc99f792d


Run the following two commands as a simple check:

$ keystone user-role-list --user admin --tenant adminTenant
$ keystone user-list



That is as far as I got today; more to follow.


This article is from the "every day progress a little" blog; please keep this source: http://lj119.blog.51cto.com/605062/1439464
