Mitaka version OpenStack pseudo-production environment deployment: keystone (openstack)

Source: Internet
Author: User
Tags: auth, ldap
Identity Service Overview

The OpenStack Identity service provides a single point of integration for authentication, authorization, and the service catalog. The other OpenStack services use the Identity service as a common, unified API. In addition, services that provide user information but are not part of OpenStack (such as an LDAP server) can be integrated into the existing infrastructure. To benefit from the Identity service, the other OpenStack services must work in conjunction with it: when an OpenStack service receives a request from a user, it checks with the Identity service whether that user is authorized to make the request. The Identity service contains these components:

Server

A centralized server provides authentication and authorization services through a RESTful interface.

Drivers

Drivers, or service back ends, are integrated into the centralized server. They are used to access identity information held in repositories external to OpenStack, which may already exist in the infrastructure where OpenStack is deployed (for example, SQL databases or LDAP servers).

Modules

Middleware modules run in the address space of the OpenStack component that uses the Identity service. These modules intercept service requests, extract user credentials, and send them to the centralized server for authorization. Integration between the middleware modules and the OpenStack component uses the Python Web Server Gateway Interface (WSGI).

Prerequisites

mysql -uroot -pswpucs406mariadb -e "CREATE DATABASE keystone;"
mysql -uroot -pswpucs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'swpucs406dbkeystone';"
mysql -uroot -pswpucs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'swpucs406dbkeystone';"
mysql -uroot -pswpucs406mariadb -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' IDENTIFIED BY 'swpucs406dbkeystone';"
mysql -uroot -pswpucs406mariadb -e "FLUSH PRIVILEGES;"
Install and configure the components on all controller nodes:
yum install -y openstack-keystone httpd mod_wsgi openstack-utils

Edit the /etc/keystone/keystone.conf file (10.0.0.1X is each controller's own management address):

openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token swpucs406token
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:swpucs406dbkeystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
openstack-config --set /etc/keystone/keystone.conf DEFAULT public_bind_host 10.0.0.1X
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_bind_host 10.0.0.1X
On the controller1 node, populate the database, create the Fernet key repository and copy it to the second controller (both controllers must hold the same keys, otherwise tokens issued by one node are rejected by the other):
su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
scp -r /etc/keystone/fernet-keys controller2:/etc/keystone/
On the controller2 node:
mkdir -p /etc/keystone/fernet-keys
chown -R keystone:keystone /etc/keystone/fernet-keys
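After the key repository has been copied, it is worth confirming that both controllers really hold the same keys with the right permissions instead of assuming the scp and chown did the job. The script below is an added example written for this page; it is not part of the original guide or of keystone. The function name check_fernet_repo and the constructed key files it is exercised on are assumptions. It verifies that the directory is mode 700, that every key file is mode 600 and named 0..N without gaps, and prints a digest plus key count that can be compared between nodes.

```shell
#!/bin/sh
# Added example (not from the original guide): sanity-check a Fernet key
# repository and print a digest for cross-node comparison.
#
# Usage: check_fernet_repo /etc/keystone/fernet-keys
#   prints "<digest> <key count>" and returns 0 when the repository looks
#   sane, returns 1 (with a reason on stderr) otherwise. Run it on every
#   controller; the printed lines must be identical.

# File mode as an octal string; GNU stat first, BSD stat as fallback.
file_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

check_fernet_repo() {
    dir=$1
    [ -d "$dir" ] || { echo "missing directory $dir" >&2; return 1; }

    mode=$(file_mode "$dir")
    [ "$mode" = "700" ] || { echo "$dir is mode $mode, expected 700" >&2; return 1; }

    # Keys are numbered files: 0 is the staged key, the highest number is
    # the primary key used for encryption. Reject anything else.
    count=0
    for f in $(ls "$dir" | sort -n); do
        case $f in *[!0-9]*) echo "unexpected file $dir/$f" >&2; return 1;; esac
        [ "$f" -eq "$count" ] || { echo "gap in key numbering: expected $count, found $f" >&2; return 1; }
        fmode=$(file_mode "$dir/$f")
        [ "$fmode" = "600" ] || { echo "$dir/$f is mode $fmode, expected 600" >&2; return 1; }
        count=$((count + 1))
    done
    # fernet_setup always creates at least a staged key (0) and a primary key (1).
    [ "$count" -ge 2 ] || { echo "expected at least 2 keys in $dir, found $count" >&2; return 1; }

    # Digest over the keys in numeric order; cksum is POSIX so it exists on
    # every controller, and equal digests mean equal repositories.
    digest=$(for f in $(ls "$dir" | sort -n); do cat "$dir/$f"; done | cksum | cut -d' ' -f1)
    echo "$digest $count"
}
```

Running the function on each controller and diffing the two output lines is enough; any difference in key contents, count or ordering changes the digest, and a wrong mode makes the function fail before a digest is printed.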
On all controller nodes, configure the HTTP service (10.0.0.1X is the node's own address):
sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf
cat > /etc/httpd/conf.d/wsgi-keystone.conf << EOF
Listen 10.0.0.1X:5000
Listen 10.0.0.1X:35357

<VirtualHost 10.0.0.1X:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost 10.0.0.1X:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
EOF
Complete the installation:
systemctl enable httpd.service
systemctl start httpd.service
Create the service entity and API endpoints on the controller1 node. First import the bootstrap environment variables (the admin token configured above):
export OS_TOKEN=swpucs406token
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
Create the keystone service:
openstack service create --name keystone --description "OpenStack Identity" identity
Create the endpoints:
openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
Create the default domain:
openstack domain create --description "Default Domain" default
Create the user roles:
openstack role create admin
openstack role create user
Create the admin project and user:
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin    # enter swpucs406admin at the prompt
openstack role add --project admin --user admin admin
Create the service project:
openstack project create --domain default --description "Service Project" service
Create the demo project and user:
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo    # enter swpucs406demo at the prompt
openstack role add --project demo --user demo user
Verifying keystone

Now that real users exist, remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections of the /etc/keystone/keystone-paste.ini file, so that the bootstrap admin token can no longer be used to authenticate.
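Retiring the admin token is the one hardening step in this procedure, so it pays to verify the paste file rather than trust a hand edit. The script below is an added example for this page, not from the original guide or the keystone project: check_paste_pipelines lists the [pipeline:*] sections whose pipeline line still carries admin_token_auth, strip_admin_token_auth removes the filter name from those lines in place, and write_sample produces a constructed keystone-paste.ini fragment (modelled on the Mitaka layout, not copied from it) to try both on. The function names and the sample content are assumptions; on a controller you would point the first two functions at /etc/keystone/keystone-paste.ini.

```shell
#!/bin/sh
# Added example (not from the original guide): audit and fix keystone-paste.ini
# so that admin_token_auth is out of every pipeline.

# Print every [pipeline:*] section whose "pipeline =" line still lists the
# admin_token_auth filter. Returns 0 when none does, 1 otherwise.
check_paste_pipelines() {
    hits=$(awk '
        /^\[/ { section = $0 }
        /^pipeline[[:space:]]*=/ && section ~ /^\[pipeline:/ {
            n = split($0, words, /[[:space:]=]+/)
            for (i = 2; i <= n; i++)
                if (words[i] == "admin_token_auth") print section
        }' "$1")
    [ -z "$hits" ] || { printf '%s\n' "$hits"; return 1; }
}

# Remove admin_token_auth from pipeline lines only; the [filter:admin_token_auth]
# definition itself is left alone, as it is harmless once unreferenced.
# Written via a temp file so it works with both GNU and BSD sed.
strip_admin_token_auth() {
    tmp="$1.tmp"
    sed -e '/^pipeline[[:space:]]*=/ s/ admin_token_auth / /g' \
        -e '/^pipeline[[:space:]]*=/ s/ admin_token_auth$//' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Constructed sample in the shape of a Mitaka keystone-paste.ini (shortened
# pipelines; not the real file) with the filter still in all three pipelines.
write_sample() {
    cat > "$1" << 'EOF'
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
EOF
}

# Walk-through on the constructed sample:
#   f=$(mktemp); write_sample "$f"
#   check_paste_pipelines "$f"    # lists the three sections, exits 1
#   strip_admin_token_auth "$f"
#   check_paste_pipelines "$f"    # prints nothing, exits 0
```

After running strip_admin_token_auth on the real file, restart httpd on that controller so the WSGI processes load the new pipeline, then repeat the token issue commands below to confirm that password authentication still works.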

unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-17T05:53:37.208304Z                                             |
| id         | GAAAAABXOQPRLF4FDXAELV-1_BXESKNDJVGN91QER1WXLSMAUTSZ9FEGJHVEWJQQ8HGFKCF |
|            | b0sznm0mook9quf4jeypay2ufzxuueml2avstn-cpguxbc09sm7moskh1hwdncv3e7oxe8n |
|            | Ge8yd0a2_rhfwv5wwj2ubxqmf2qccbk7iltsabft4                               |
| project_id | 6636db93659e43189b5428151b63f5e8                                        |
| user_id    | 7a63ba1a8fb84014a413f435742f2583                                        |
+------------+-------------------------------------------------------------------------+
openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name demo --os-username demo token issue
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-17T05:54:20.743858Z                                             |
| id         | Gaaaaabxoqp8lajo3borpbvkleeihk1xgkvaiylkborxmum2cfoxi0zjbfrfqqrhvx4ozwh |
|            | n6e9dtjj5rxkofzbm_6wiak6rul18g8t6amdnx0izv-                             |
|            | Ngadctlb2zo0fumjuvjryjcijzppbzuckfmjjwjvck3gioekjrabh7vu5yk_r8sywprfi   |
| project_id | 64DA450222C74FFCAE213FE29A7EA9A6                                        |
| user_id    | 5da76ac5669c4afd95ce411a75d23461                                        |
+------------+-------------------------------------------------------------------------+
On all controller nodes

Admin user environment variables

cat > admin-openrc << EOF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=swpucs406admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF

Demo user environment variables

cat > demo-openrc << EOF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=swpucs406demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF

Verify

. admin-openrc
openstack token issue
+------------+-------------------------------------------------------------------------+
| Field      | Value                                                                   |
+------------+-------------------------------------------------------------------------+
| expires    | 2016-05-24T10:56:18.447602Z                                             |
| id         | Gaaaaabxrcvcpwwtz-w_oe0pgvi_97clytwfdlfeuwgwzwzrz8x0eir9nxomdjchcgadfg4 |
|            | W4EPILZA0NTKZISSYLKOMP_TW43OUESFXIZ3DRJT1JZDJYAYUN59XD80MMMS528QPKDGTNH |
|            | Qgzdpeoaaop-bpun_qg5jplj0kn8x-fpybgro1kma                               |
| project_id | 6636db93659e43189b5428151b63f5e8                                        |
| user_id    | 7a63ba1a8fb84014a413f435742f2583                                        |
+------------+-------------------------------------------------------------------------+

Reference articles:
http://docs.openstack.org/ha-guide/controller-ha-identity.html
http://docs.openstack.org/mitaka/install-guide-rdo/keystone.html
