2016-03-09 13:08:13
OpenStack安装手册 - KEYSTONE身份认证服务配置安装：建立KEYSTONE服务数据库，建立KEYSTONE服务配置文件存放目录


3.13 KEYSTONE身份认证服务配置

·         建立KEYSTONE服务数据库

mysql -uroot -popenstack -e 'create database keystone'

·         建立KEYSTONE服务配置文件存放目录

mkdir /etc/keystone

·         建立KEYSTONE服务启动用户

useradd -s /sbin/nologin -m -d /var/log/keystone keystone

·         在/etc/keystone下建立default_catalog.templates作为KEYSTONE服务端点配置文件,内容如下:

# Service catalog read by the TemplatedCatalog driver (template_file in
# keystone.conf).  One attribute per line, catalog.<region>.<service>.<attr>,
# where <attr> is publicURL, adminURL, internalURL or name.  $(public_port)s,
# $(admin_port)s and $(tenant_id)s are filled in by keystone when the catalog
# is handed to a client.
# Every endpoint below is plain http on the public address 60.12.206.105, so
# tokens and credentials cross the network in clear unless TLS is terminated
# in front of each service; the hard-coded host also has to be edited whenever
# this file is copied to another node.
catalog.RegionOne.identity.publicURL = http://60.12.206.105:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://60.12.206.105:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://60.12.206.105:$(public_port)s/v2.0
catalog.RegionOne.identity.name = Identity Service

catalog.RegionOne.compute.publicURL = http://60.12.206.105:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.adminURL = http://60.12.206.105:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.internalURL = http://60.12.206.105:8774/v2/$(tenant_id)s
catalog.RegionOne.compute.name = Compute Service

catalog.RegionOne.volume.publicURL = http://60.12.206.105:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.adminURL = http://60.12.206.105:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.internalURL = http://60.12.206.105:8776/v1/$(tenant_id)s
catalog.RegionOne.volume.name = Volume Service

catalog.RegionOne.ec2.publicURL = http://60.12.206.105:8773/services/Cloud
catalog.RegionOne.ec2.adminURL = http://60.12.206.105:8773/services/Admin
catalog.RegionOne.ec2.internalURL = http://60.12.206.105:8773/services/Cloud
catalog.RegionOne.ec2.name = EC2 Service

catalog.RegionOne.s3.publicURL = http://60.12.206.105:3333
catalog.RegionOne.s3.adminURL = http://60.12.206.105:3333
catalog.RegionOne.s3.internalURL = http://60.12.206.105:3333
catalog.RegionOne.s3.name = S3 Service

catalog.RegionOne.image.publicURL = http://60.12.206.105:9292/v1
catalog.RegionOne.image.adminURL = http://60.12.206.105:9292/v1
catalog.RegionOne.image.internalURL = http://60.12.206.105:9292/v1
catalog.RegionOne.image.name = Image Service

# Object store: public/internal URLs carry the tenant's AUTH_ prefix, the
# adminURL is the bare Swift host.
catalog.RegionOne.object_store.publicURL = http://60.12.206.105:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.adminURL = http://60.12.206.105:8080/
catalog.RegionOne.object_store.internalURL = http://60.12.206.105:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.name = Swift Service

·         在/etc/keystone下建立policy.json作为KEYSTONE服务策略文件,内容如下:

{

    "admin_required": [["role:admin"], ["is_admin:1"]]

}

·         在/etc/keystone下建立keystone.conf作为KEYSTONE服务配置文件,内容如下:

[DEFAULT]
# Ports of the public (5000) and admin (35357) APIs; the catalog templates
# refer to them as $(public_port)s and $(admin_port)s.
public_port = 5000
admin_port = 35357
# Bootstrap token accepted by the admin_token_auth filter (wired into both
# pipelines below) as an administrative credential.  "ADMIN" is the well-known
# sample value: replace it with a long random string, use the same value for
# SERVICE_TOKEN in keystone_data.sh, and keep this file readable only by the
# keystone service user (it also holds the database password under [sql]).
admin_token = ADMIN
compute_port = 8774
# verbose/debug make logging very chatty and debug output may include request
# details; turn both off once the install has been verified.
verbose = True
debug = True
# Written by the keystone user; the same directory is its home (see useradd).
log_file = /var/log/keystone/keystone.log
use_syslog = False
syslog_log_facility = LOG_LOCAL0

 

[sql]
# SQLAlchemy URL using the MySQL root account and the password from the
# "create database keystone" step.  A dedicated database user granted only on
# the keystone database limits the blast radius of a leaked config file;
# either way this file should be mode 0640 and owned by keystone.
connection = mysql://root:openstack@localhost/keystone
# Connection-pool tuning: idle/pool timeouts in seconds, pool sizes in
# connections.
idle_timeout = 30
min_pool_size = 5
max_pool_size = 10
pool_timeout = 200

 

[identity]
# Users, tenants and roles are stored in the [sql] database.
driver = keystone.identity.backends.sql.Identity

[catalog]
# Endpoints come from the template file rather than the database; the
# templates above publish every service over plain http on 60.12.206.105.
driver = keystone.catalog.backends.templated.TemplatedCatalog
template_file = /etc/keystone/default_catalog.templates

[token]
# kvs is the in-process key/value token store: issued tokens are not expected
# to survive a restart of keystone-all (use the sql backend if they must).
driver = keystone.token.backends.kvs.Token

[policy]
# Rule matching against /etc/keystone/policy.json (the admin_required rule
# defined above).
driver = keystone.policy.backends.simple.SimpleMatch

[ec2]
# EC2 credentials stored in SQL; used by the ec2_extension filter.
driver = keystone.contrib.ec2.backends.sql.Ec2

 

# ---- paste.deploy wiring: filters, apps, pipelines and the two URL maps ----

[filter:debug]
# Dumps each request and response it sees to the log; that output can carry
# X-Auth-Token headers and passwords, so remove "debug" from both pipelines
# below once the install works.
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
# Token-based authentication for normal callers.
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
# Accepts the admin_token value from [DEFAULT] as an administrative
# credential; it sits in both pipelines, so the secrecy of that token is what
# protects this install.
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
# Request/response body handling (XML).
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
# Request/response body handling (JSON).
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:crud_extension]
# Admin CRUD extension; only wired into admin_api below.
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
# EC2 credential extension, backed by the [ec2] driver.
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:s3_extension]
# S3 credential extension; only wired into public_api below.
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
# Filters apply left to right; the last name is the application.
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension s3_extension public_service

[pipeline:admin_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension crud_extension admin_service

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory

[pipeline:public_version_api]
pipeline = xml_body public_version_service

[pipeline:admin_version_api]
pipeline = xml_body admin_version_service

[composite:main]
# Public URL map: /v2.0 goes to the public pipeline, anything else to the
# version listing.
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api

[composite:admin]
# Admin URL map: same layout, admin pipelines.
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api

·         在/etc/init.d/下建立名为keystone的KEYSTONE服务启动脚本,内容如下:

#!/bin/sh

#

# keystone  OpenStack Identity Service

#

# chkconfig:   - 20 80

# description: keystone works provide apis to 

#               * Authenticate users and provide a token

#               * Validate tokens

### END INIT INFO

 

# Red Hat init helpers: daemon, killproc, status.
. /etc/rc.d/init.d/functions

prog=keystone
prog_exec=keystone-all
exec="/usr/bin/${prog_exec}"
config="/etc/${prog}/${prog}.conf"
pidfile="/var/run/${prog}/${prog}.pid"

# Optional per-host overrides; may redefine any of the variables above.
if [ -e "/etc/sysconfig/${prog}" ]; then
    . "/etc/sysconfig/${prog}"
fi

# NOTE(review): the setup steps create /var/lock/keystone, but this script
# only ever touches /var/lock/subsys/keystone.
lockfile="/var/lock/subsys/${prog}"

 

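# Start keystone-all detached as the keystone user and record its PID for
# killproc/status.  LSB exit codes: 5 = binary missing or not executable,
# 6 = config file missing.
start() {
    [ -x "$exec" ] || exit 5
    [ -f "$config" ] || exit 6
    echo -n $"Starting $prog: "
    # daemon hands the quoted string to a shell running as keystone; inside it
    # keystone-all is backgrounded and its PID written to $pidfile.  "$!" must
    # reach that inner shell unexpanded (hence \$!): expanded here, in the init
    # script itself, it is empty and the pidfile ends up blank, after which
    # status and stop can no longer find the process.  stdout/stderr go to
    # /dev/null, so startup errors appear only in log_file from keystone.conf.
    daemon --user keystone --pidfile "$pidfile" "$exec --config-file=$config &>/dev/null & echo \$! > $pidfile"
    retval=$?
    echo
    [ "$retval" -eq 0 ] && touch "$lockfile"
    return "$retval"
}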

 

# Stop the process recorded in $pidfile and drop the subsys lock on success.
stop() {
    echo -n $"Stopping $prog: "
    killproc -p "$pidfile" "$prog"
    rc=$?
    echo
    if [ "$rc" -eq 0 ]; then
        rm -f "$lockfile"
    fi
    return "$rc"
}

 

# Full stop/start cycle; returns the status of start.
restart() { stop; start; }

 

# keystone-all has no in-place reload, so reload is a restart.
reload() { restart; }

 

# Same as reload: a restart.
force_reload() { restart; }

 

# Report whether the PID in $pidfile belongs to a live $prog; output and exit
# status come from the status helper in init.d/functions.
rh_status() { status -p "$pidfile" "$prog"; }

 

# Silent variant of rh_status for use in conditionals.
rh_status_q() { rh_status >/dev/null 2>/dev/null; }

 

# Entry point: map the action given as $1 onto the helpers above.
# Exit codes follow LSB: 0 ok, 2 bad usage, 7 program not running.
case "$1" in
    start)
        # Already running: nothing to do.
        rh_status_q && exit 0
        start
        ;;
    stop)
        # Not running counts as a successful stop.
        rh_status_q || exit 0
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        # reload only makes sense for a running service.
        rh_status_q || exit 7
        reload
        ;;
    force-reload)
        force_reload
        ;;
    status)
        rh_status
        ;;
    condrestart|try-restart)
        # Restart only if currently running.
        rh_status_q || exit 0
        restart
        ;;
    *)
        echo $"Usage: $0 {start|stop|status|restart|condrestart|try-restart|reload|force-reload}"
        exit 2
        ;;
esac
exit $?

·         配置启动脚本:

chmod 755 /etc/init.d/keystone

mkdir /var/run/keystone

mkdir /var/lock/keystone

chown keystone:root /var/run/keystone

chown keystone:root /var/lock/keystone

·         启动KEYSTONE服务

/etc/init.d/keystone start

·         检测服务是否正常启动

通过netstat -ltunp查看是否有tcp 5000和tcp 35357端口监听
如果没有正常启动请查看/var/log/keystone/keystone.log文件排错

·         建立KEYSTONE服务初始化数据脚本keystone_data.sh,内容如下:

#!/bin/bash

# Variables set before calling this script:

# SERVICE_TOKEN - aka admin_token in keystone.conf

# SERVICE_ENDPOINT - local Keystone admin endpoint

# SERVICE_TENANT_NAME - name of tenant containing service accounts

# ENABLED_SERVICES - stack.sh's list of services to start

# DEVSTACK_DIR - Top-level DevStack directory

 

# Passwords default to the DevStack sample values; set them in the
# environment before running this script rather than leaving the defaults.
: "${ADMIN_PASSWORD:=secrete}"
: "${SERVICE_PASSWORD:=service}"
# The keystone CLI reads these two.  SERVICE_TOKEN is forced here (the header
# above notwithstanding) and must equal admin_token in /etc/keystone/keystone.conf.
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://localhost:35357/v2.0
: "${SERVICE_TENANT_NAME:=tenant}"

 

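# Run the keystone CLI command given as arguments and print the value from its
# "| id | <uuid> |" table row (the 4th whitespace-separated field of the line
# containing " id ").  Arguments are passed through as given, so a password
# containing spaces reaches the CLI as one argument.
function get_id () {
    "$@" | awk '/ id / { print $4 }'
}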

 

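# Everything below talks to SERVICE_ENDPOINT using SERVICE_TOKEN.  The script
# does not stop on errors: a failed create leaves its id variable empty and the
# later role assignments then fail, so check the output before trusting it.
# The trailing backslashes on the multi-line calls are required; without them
# each "--pass"/"--email"/"--user" line runs as a separate command and the
# create or role-add call runs without those arguments.

# Tenants
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name=$SERVICE_TENANT_NAME)
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)
INVIS_TENANT=$(get_id keystone tenant-create --name=invisible_to_admin)

# Users (the example.com addresses are placeholders)
ADMIN_USER=$(get_id keystone user-create --name=admin \
                                         --pass="$ADMIN_PASSWORD" \
                                         --email=admin@example.com)
DEMO_USER=$(get_id keystone user-create --name=demo \
                                        --pass="$ADMIN_PASSWORD" \
                                        --email=demo@example.com)

# Roles
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
ANOTHER_ROLE=$(get_id keystone role-create --name=anotherrole)

# Add Roles to Users in Tenants
# admin is admin in both the admin and the demo tenant.
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $DEMO_USER --role $ANOTHER_ROLE --tenant_id $DEMO_TENANT

# TODO(termie): these two might be dubious
keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT

# The Member role is used by Horizon and Swift so we need to keep it:
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $INVIS_TENANT

# Service accounts: one per service, all sharing SERVICE_PASSWORD, each given
# the admin role in the service tenant.
NOVA_USER=$(get_id keystone user-create --name=nova \
                                        --pass="$SERVICE_PASSWORD" \
                                        --tenant_id $SERVICE_TENANT \
                                        --email=nova@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
                       --user $NOVA_USER \
                       --role $ADMIN_ROLE

GLANCE_USER=$(get_id keystone user-create --name=glance \
                                          --pass="$SERVICE_PASSWORD" \
                                          --tenant_id $SERVICE_TENANT \
                                          --email=glance@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
                       --user $GLANCE_USER \
                       --role $ADMIN_ROLE

SWIFT_USER=$(get_id keystone user-create --name=swift \
                                         --pass="$SERVICE_PASSWORD" \
                                         --tenant_id $SERVICE_TENANT \
                                         --email=swift@example.com)
keystone user-role-add --tenant_id $SERVICE_TENANT \
                       --user $SWIFT_USER \
                       --role $ADMIN_ROLE

# ResellerAdmin is granted to the nova account only -- presumably for its
# object-store access; confirm against the Swift configuration.
RESELLER_ROLE=$(get_id keystone role-create --name=ResellerAdmin)
keystone user-role-add --tenant_id $SERVICE_TENANT \
                       --user $NOVA_USER \
                       --role $RESELLER_ROLE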

·         建立KEYSTONE服务数据库结构

keystone-manage db_sync

·         执行初始化数据脚本

bash keystone_data.sh
