Identity Services Overview
The OpenStack Identity service provides a single point of integration for authentication, authorization and the service catalog. Other OpenStack services use the Identity service as a common, unified API. In addition, services that provide user information but are not part of OpenStack (such as an LDAP service) can be integrated with the existing infrastructure. To benefit from the Identity service, the other OpenStack services must work together with it: when an OpenStack service receives a request from a user, it checks with the Identity service whether that user is authorized to make the request. The Identity service contains these components:
Server
A centralized server provides authentication and authorization services through a RESTful interface.
Drivers
Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information held in repositories external to OpenStack, which may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).
Modules
Middleware modules run in the address space of the OpenStack component that uses the Identity service. These modules intercept service requests, extract user credentials, and send them to the centralized server for authorization. The integration between the middleware modules and the OpenStack components uses the Python Web Server Gateway Interface (WSGI).
Prerequisites
mysql -uroot -pswpucs406mariadb -e "CREATE DATABASE keystone;"
mysql -uroot -pswpucs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'swpucs406dbkeystone';"
mysql -uroot -pswpucs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'swpucs406dbkeystone';"
mysql -uroot -pswpucs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' IDENTIFIED BY 'swpucs406dbkeystone';"
mysql -uroot -pswpucs406mariadb -e "FLUSH PRIVILEGES;"
Installing and Configuring the Components
On all controller nodes:
yum install -y openstack-keystone httpd mod_wsgi openstack-utils
Edit the /etc/keystone/keystone.conf file (10.0.0.1X is the address of the controller node being configured):
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token swpucs406token
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:swpucs406dbkeystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
openstack-config --set /etc/keystone/keystone.conf DEFAULT public_bind_host 10.0.0.1X
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_bind_host 10.0.0.1X
On the controller1 node:
su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
scp -r /etc/keystone/fernet-keys controller2:/etc/keystone/fernet-keys/
On the controller2 node (the copied keys must be owned by the keystone user, otherwise Keystone cannot read them):
mkdir -p /etc/keystone/fernet-keys
chown -R keystone:keystone /etc/keystone/fernet-keys
On all controller nodes, configure the HTTP service
sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf
cat > /etc/httpd/conf.d/wsgi-keystone.conf << EOF
Listen 10.0.0.1X:5000
Listen 10.0.0.1X:35357

<VirtualHost 10.0.0.1X:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 10.0.0.1X:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
EOF
Complete the installation
systemctl enable httpd.service
systemctl start httpd.service
Creating the Service Entity and API Endpoints
On the controller1 node:
Import the environment variables
export OS_TOKEN=swpucs406token
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
Create the Keystone service
openstack service create --name keystone --description "OpenStack Identity" identity
Create the endpoints
openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
Create the default domain
openstack domain create --description "Default Domain" default
Create the user roles
openstack role create admin
openstack role create user
Create the admin user
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin
(enter the password swpucs406admin when prompted)
openstack role add --project admin --user admin admin
Create the service project
openstack project create --domain default --description "Service Project" service
Create the demo user
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo
(enter the password swpucs406demo when prompted)
openstack role add --project demo --user demo user
Verifying Keystone
Remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections of the /etc/keystone/keystone-paste.ini file, so that the bootstrap admin token is no longer accepted for authentication.
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-17T05:53:37.208304Z                                             |
| id         | GAAAAABXOQPRLF4FDXAELV-1_BXESKNDJVGN91QER1WXLSMAUTSZ9FEGJHVEWJQQ8HGFKCF |
|            | b0sznm0mook9quf4jeypay2ufzxuueml2avstn-cpguxbc09sm7moskh1hwdncv3e7oxe8n |
|            | Ge8yd0a2_rhfwv5wwj2ubxqmf2qccbk7iltsabft4                               |
| project_id | 6636db93659e43189b5428151b63f5e8                                        |
| user_id    | 7a63ba1a8fb84014a413f435742f2583                                        |
+------------+-------------------------------------------------------------------------+
openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name demo --os-username demo token issue
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-17T05:54:20.743858Z                                             |
| id         | Gaaaaabxoqp8lajo3borpbvkleeihk1xgkvaiylkborxmum2cfoxi0zjbfrfqqrhvx4ozwh |
|            | n6e9dtjj5rxkofzbm_6wiak6rul18g8t6amdnx0izv-                             |
|            | Ngadctlb2zo0fumjuvjryjcijzppbzuckfmjjwjvck3gioekjrabh7vu5yk_r8sywprfi   |
| project_id | 64DA450222C74FFCAE213FE29A7EA9A6                                        |
| user_id    | 5da76ac5669c4afd95ce411a75d23461                                        |
+------------+-------------------------------------------------------------------------+
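The admin_token_auth removal above and the fernet key copy to controller2 are the two places where this install is easily left exposed. The following script, an added example and not part of the original post, checks and fixes both; the file paths and owner name default to the ones used on this page and can be overridden to run the checks against a copy.

```shell
#!/bin/sh
# Added example, not part of the original post: checks for the two hardening
# steps above. After the bootstrap, admin_token_auth must be gone from the
# public_api, admin_api and api_v3 pipelines of keystone-paste.ini, and the
# fernet key directory copied to controller2 must stay private to the keystone
# user. Paths and the owner name are parameters so the checks can run on a
# copy; the defaults are the paths used on this page.

# Number of pipeline lines that still list admin_token_auth (0 when clean).
count_admin_token_auth() {
    file="${1:-/etc/keystone/keystone-paste.ini}"
    grep -c -E '^pipeline *=.* admin_token_auth( |$)' "$file" || true
}

# Drop admin_token_auth from every pipeline line; the [filter:admin_token_auth]
# section itself is left alone, only the pipelines that reference it change.
remove_admin_token_auth() {
    file="${1:-/etc/keystone/keystone-paste.ini}"
    sed -i -E '/^pipeline *=/ s/ admin_token_auth( |$)/\1/g' "$file"
}

# Fernet keys are shared secrets: the directory must be owned by the keystone
# user with mode 700 and each key file mode 600. Prints "ok" or the problem.
check_fernet_perms() {
    dir="${1:-/etc/keystone/fernet-keys}"
    owner="${2:-keystone}"
    [ -d "$dir" ] || { echo "missing $dir"; return 1; }
    [ "$(stat -c %U "$dir")" = "$owner" ] || { echo "$dir not owned by $owner"; return 1; }
    [ "$(stat -c %a "$dir")" = "700" ] || { echo "$dir mode is not 700"; return 1; }
    for f in "$dir"/*; do
        [ "$(stat -c %a "$f")" = "600" ] || { echo "$f mode is not 600"; return 1; }
    done
    echo ok
}

# Fingerprint of the whole key set. Run on controller1 and controller2 after
# the scp above; a different value means one node may reject tokens issued by
# the other.
fernet_fingerprint() {
    dir="${1:-/etc/keystone/fernet-keys}"
    cat "$dir"/* | sha256sum | cut -d' ' -f1
}

# Usage on a controller, after the bootstrap steps:
#   remove_admin_token_auth && count_admin_token_auth   # expect 0
#   check_fernet_perms && fernet_fingerprint            # compare across nodes
```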
On all controller nodes
Admin user environment variables
cat > admin-openrc << EOF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=swpucs406admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
Demo user environment variables
cat > demo-openrc << EOF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=swpucs406demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
Verify
. admin-openrc
openstack token issue
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-24T10:56:18.447602Z                                             |
| id         | Gaaaaabxrcvcpwwtz-w_oe0pgvi_97clytwfdlfeuwgwzwzrz8x0eir9nxomdjchcgadfg4 |
|            | W4EPILZA0NTKZISSYLKOMP_TW43OUESFXIZ3DRJT1JZDJYAYUN59XD80MMMS528QPKDGTNH |
|            | Qgzdpeoaaop-bpun_qg5jplj0kn8x-fpybgro1kma                               |
| project_id | 6636db93659e43189b5428151b63f5e8                                        |
| user_id    | 7a63ba1a8fb84014a413f435742f2583                                        |
+------------+-------------------------------------------------------------------------+
Reference articles:
http://docs.openstack.org/ha-guide/controller-ha-identity.html
http://docs.openstack.org/mitaka/install-guide-rdo/keystone.html