Continued from Installing OpenStack (I)
III. Configuring the Identity Service (Keystone) on the control node
The Identity Service performs the following functions:
User management: tracks users and their permissions
Service catalog: provides a directory of the available services and their API endpoints
To understand the Identity Service, you need to understand the following concepts:
User (user): a person, system or service that uses the OpenStack cloud services. The Identity Service validates the user's incoming request and, once it passes, issues a token; the user then accesses the tenant (container) it belongs to by presenting that token.
Credentials (credentials): the user name, password or token used to prove an identity.
Authentication (authentication): the act of confirming a user's identity.
Token (token): an arbitrary string of text used to access a resource.
Tenant (container): a container used to isolate resources or objects.
Service (service): an OpenStack service, such as the Compute Service (Nova), the Object Storage Service (Swift), the Image Service (Glance), and so on.
Endpoint (endpoint): a network-accessible address, usually a URL, used to reach a service.
Role (role): a collection of permissions; a user granted a role has the permissions contained in that role.
Install the Identity Service (Keystone)
On the control node, install the packages:
# yum install openstack-keystone python-keystoneclient
Modify the MySQL connection in the configuration file:
# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone
Note: replace KEYSTONE_DBPASS with the password you chose for the Identity Service database. The same change can also be made by editing the file directly:
# vim /etc/keystone/keystone.conf
In the [database] section, set connection to mysql://keystone:KEYSTONE_DBPASS@controller/keystone
This parameter specifies the database connection, with the syntax "mysql://[user]:[pass]@[host ip]/[db name]".
The commands below use openstack-config to modify the configuration file; the result is the same either way.
Log in to MySQL as root, create the database, and grant the keystone user permissions on it:
$ mysql -u root -p
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> exit
Create the Keystone tables:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Note: a warning may be printed here; it is not an error and can be ignored (the default log level is debug).
Define an admin token that Keystone and the other services use for bootstrap authentication:
# ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
By default, Keystone uses PKI tokens, so create the signing keys and certificates and restrict access to them:
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
# chown -R keystone:keystone /etc/keystone/ssl
# chmod -R o-rwx /etc/keystone/ssl
Start the Keystone service and enable it at boot:
# service openstack-keystone start
# chkconfig openstack-keystone on
Define users, tenants (containers) and roles
Define the environment variables:
$ export OS_SERVICE_TOKEN=ADMIN_TOKEN
$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
Note: ADMIN_TOKEN is the random value generated above.
Create the admin user:
$ keystone user-create --name=admin --pass=ADMIN_PASS --email=ADMIN_EMAIL
Replace ADMIN_PASS and ADMIN_EMAIL with your own password and e-mail address.
Create the admin role:
$ keystone role-create --name=admin
Create the admin tenant:
$ keystone tenant-create --name=admin --description="Admin Tenant"
Give the admin user the admin role within the admin tenant:
$ keystone user-role-add --user=admin --tenant=admin --role=admin
The system has the _member_ role by default; grant it to admin as well:
$ keystone user-role-add --user=admin --role=_member_ --tenant=admin
Create a demo user, a demo role and a demo tenant in the same way.
Create a service tenant to host the other OpenStack services. Each service needs a user, a role and a tenant in order to access the other services, but the tenant can be shared; here one service tenant is shared by all of them. The users and roles can be created later, when each service is set up.
$ keystone tenant-create --name=service --description="Service Tenant"
After creating them, list what exists:
# keystone user-list
+----------------------------------+--------+---------+------------------+
|                id                |  name  | enabled |      email       |
+----------------------------------+--------+---------+------------------+
| 2ff603a4178e449c9517be5ee33eebc3 | admin  |  True   | [email protected] |
| e725d18231f646fbb30a5410f3f4024e | demo   |  True   | [email protected] |
| d8702a1bd0264dc7a55ffaebc0c3e58e | glance |  True   | [email protected] |
| afd793ac961b47feb42ce799f69c6b08 | nova   |  True   | [email protected] |
+----------------------------------+--------+---------+------------------+
# keystone role-list
+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| bc312302997b468788ac91ae1faf9a5c |  admin   |
+----------------------------------+----------+
# keystone tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| Dc42d1e0d4fd4661bab1c4b8b55aaea5 |  admin  |   True  |
| f3241e14bd6d4afebd4ef154f967b038 |  demo   |   True  |
| CAEE860FA57A4C44BAFDEEE2974148B1 | service |   True  |
+----------------------------------+---------+---------+
Defining services and API endpoints
Create a service entry for Keystone itself:
# keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |        OpenStack Identity        |
|      id     | 15C11A23667E427E91BC31335B45F4BD |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+
Add an API endpoint for the Keystone service:
# keystone endpoint-create \
  --service-id=$(keystone service-list | awk '/ identity / {print $2}') \
  --publicurl=http://controller:5000/v2.0 \
  --internalurl=http://controller:5000/v2.0 \
  --adminurl=http://controller:35357/v2.0
Note: instead of the awk expression, the service-id can be copied from the service-create output above.
+-------------+-----------------------------------+
|   Property  |               Value               |
+-------------+-----------------------------------+
|   adminurl  |   http://controller:35357/v2.0    |
|      id     |  11f9c625a3b94a3f8e66bf4e5de2679f |
| internalurl |    http://controller:5000/v2.0    |
|  publicurl  |    http://controller:5000/v2.0    |
|    region   |             regionOne             |
|  service_id |  15C11A23667E427E91BC31335B45F4BD |
+-------------+-----------------------------------+
Verifying the Keystone installation
Unset the bootstrap environment variables:
$ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
Authenticate with a user name and password instead:
$ keystone --os-username=admin --os-password=ADMIN_PASS --os-auth-url=http://controller:35357/v2.0 token-get
If your user ID and a token are returned, the Keystone service is working properly.
Save the variables to a file and load it with source so they take effect:
$ vim admin-openrc.sh
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0
$ source admin-openrc.sh
The keystone command can then be used directly, without supplying a username and password each time.
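As an added example (not part of the original post): a small POSIX shell check, run after the steps above, that confirms keystone.conf and the PKI directory are not readable by other users and that the guide's placeholder password and admin token were actually replaced. The directory argument, the fixture contents and the signing-key file name are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post. keystone.conf carries the MySQL
# password and the bootstrap admin_token, and /etc/keystone/ssl carries the PKI
# signing key, so this verifies neither is exposed to other users and that the
# guide's placeholders were replaced. $1 is a hypothetical override for testing.
check_keystone_hygiene() {
    dir="${1:-/etc/keystone}"; conf="$dir/keystone.conf"; rc=0
    mode=$(stat -c '%a' "$conf" 2>/dev/null) || { echo "FAIL: $conf missing"; return 1; }
    other=${mode#"${mode%?}"}   # last octal digit = permission bits for "other"
    # 1. keystone.conf must not be readable by other users (group keystone may read it)
    if [ "$other" != 0 ]; then
        echo "FAIL: $conf mode $mode is accessible to other users"; rc=1
    fi
    # 2. the guide's placeholder values must have been replaced with real secrets
    if grep -Eq '^admin_token *= *(ADMIN_TOKEN)?$' "$conf"; then
        echo "FAIL: admin_token is unset or still the ADMIN_TOKEN placeholder"; rc=1
    fi
    if grep -Eq '^connection *= *mysql://[^:]*:KEYSTONE_DBPASS@' "$conf"; then
        echo "FAIL: database password is still the KEYSTONE_DBPASS placeholder"; rc=1
    fi
    # 3. connection line must follow mysql://[user]:[pass]@[host]/[db name]
    if ! grep -Eq '^connection *= *mysql://[^:/@]+:[^@]+@[^/]+/[^ ]+$' "$conf"; then
        echo "FAIL: database connection line is missing or malformed"; rc=1
    fi
    # 4. after chmod -R o-rwx nothing under ssl/ may grant any permission to "other"
    if [ -d "$dir/ssl" ] && find "$dir/ssl" -perm /o=rwx | grep -q .; then
        echo "FAIL: files under $dir/ssl are accessible to other users"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $dir passes the hygiene checks"
    return "$rc"
}
# Constructed fixture (not a real install): the layout the steps above leave
# behind, either hardened ("good") or with the usual mistakes ("bad").
make_fixture() {   # $1 = directory, $2 = good|bad
    mkdir -p "$1/ssl/private"
    if [ "$2" = good ]; then
        printf '[DEFAULT]\nadmin_token = 7c4d2e1fa9b0c3d5e6f7\n[database]\nconnection = mysql://keystone:s3cretDbPw@controller/keystone\n' > "$1/keystone.conf"
        chmod 640 "$1/keystone.conf"
    else
        printf '[DEFAULT]\nadmin_token = ADMIN_TOKEN\n[database]\nconnection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone\n' > "$1/keystone.conf"
        chmod 644 "$1/keystone.conf"
    fi
    : > "$1/ssl/private/signing_key.pem"; chmod 644 "$1/ssl/private/signing_key.pem"
    [ "$2" = good ] && chmod -R o-rwx "$1/ssl"   # the guide's hardening step
    return 0
}
work=$(mktemp -d); make_fixture "$work/good" good; check_keystone_hygiene "$work/good"
make_fixture "$work/bad" bad; check_keystone_hygiene "$work/bad" || true; rm -rf "$work"
```

On a real control node, run `check_keystone_hygiene` with no argument after the steps above; the script uses GNU stat and find, which the CentOS hosts in this guide provide.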
This completes the Identity Service installation.
This article is from the "Linux is belong to You" blog, make sure to keep this source http://jwh5566.blog.51cto.com/7394620/1669922
Step-by-step Follow official documentation installation OpenStack (Icehouse) II