2014-08-17

在Windows上的VMWare CentOS Linux上安裝OpenStack IceHouse 步驟3 KeyStone安裝

OpenStack Keystone 是負責User 與Service的管理的,所以是第一個要裝的Package. Keystone 沒裝好 後面所有的Package都不能裝.
Identity Service concepts

 Identity Service concepts

The Identity Service performs the following functions:
  • User management. Tracks users and their permissions.
  • Service catalog. Provides a catalog of available services with their API endpoints.


 Install the Identity Service

  1. Install the OpenStack Identity Service on the controller node, together with python-keystoneclient (which is a dependency):
    # yum install openstack-keystone python-keystoneclient
  2. The Identity Service uses a database to store information. Specify the location of the database in the configuration file. In this guide, we use a MySQL database on the controller node with the username keystone. Replace KEYSTONE_DBPASS with a suitable password for the database user.
    # openstack-config --set /etc/keystone/keystone.conf \
       database connection mysql://keystone:KEYSTONE_DBPASS@controller/keystone
  3. Use the password that you set previously to log in as root. Create a keystone database user:
    $ mysql -u root -p
    mysql> CREATE DATABASE keystone;
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';
    mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
      IDENTIFIED BY 'KEYSTONE_DBPASS';
    mysql> exit
  4. Create the database tables for the Identity Service:
    # su -s /bin/sh -c "keystone-manage db_sync" keystone
  5. Define an authorization token to use as a shared secret between the Identity Service and other OpenStack services. Use openssl to generate a random token and store it in the configuration file:
    # ADMIN_TOKEN=$(openssl rand -hex 10)
    # echo $ADMIN_TOKEN
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT \
       admin_token $ADMIN_TOKEN
直接設andim_token 為 ADMIN_TOKEN 就可以, 後面範例也都用ADMIN_TOKEN.
  1. By default, Keystone uses PKI tokens. Create the signing keys and certificates and restrict access to the generated data:
    # keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    # chown -R keystone:keystone /etc/keystone/ssl
    # chmod -R o-rwx /etc/keystone/ssl
  2. Start the Identity Service and enable it to start when the system boots:
    # service openstack-keystone start
    # chkconfig openstack-keystone on
  3. By default, the Identity Service stores expired tokens in the database indefinitely. While potentially useful for auditing in production environments, the accumulation of expired tokens will considerably increase database size and may decrease service performance, particularly in test environments with limited resources. We recommend configuring a periodic task using cron to purge expired tokens hourly.
    1. Run the following command to purge expired tokens every hour and log the output to /var/log/keystone/keystone-tokenflush.log:
      # (crontab -l 2>&1 | grep -q token_flush) || \
      echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/root

 Define users, tenants, and roles

After you install the Identity Service, set up users, tenants, and roles to authenticate against. These are used to allow access to services and endpoints, described in the next section.
Typically, you would indicate a user and password to authenticate with the Identity Service. At this point, however, you have not created any users, so you have to use the authorization token created in an earlier step, see the section called “Install the Identity Service” for further details. You can pass this with the --os-token option to the keystone command or set the OS_SERVICE_TOKEN environment variable. Set OS_SERVICE_TOKEN, as well as OS_SERVICE_ENDPOINT to specify where the Identity Service is running. Replace ADMIN_TOKEN with your authorization token.
$ export OS_SERVICE_TOKEN=ADMIN_TOKEN
$ export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
 
Create an administrative user
Follow these steps to create an administrative user, role, and tenant. You will use this account for administrative interaction with the OpenStack cloud.
By default, the Identity Service creates a special _member_ role. The OpenStack dashboard automatically grants access to users with this role. You will give the admin user access to this role in addition to the admin role.
[Note] Note
Any role that you create must map to roles specified in the policy.json file included with each OpenStack service. The default policy file for most services grants administrative access to the admin role.
  1. Create the admin user:
    $ keystone user-create --name=admin --pass=ADMIN_PASS --email=ADMIN_EMAIL
    Replace ADMIN_PASS with a secure password and replace ADMIN_EMAIL with an email address to associate with the account.
直接用ADMIN_PASS就可以,記住這密碼.
  1. Create the admin role:
    $ keystone role-create --name=admin
  2. Create the admin tenant:
    $ keystone tenant-create --name=admin --description="Admin Tenant"
  3. You must now link the admin user, admin role, and admin tenant together using the user-role-add option:
    $ keystone user-role-add --user=admin --tenant=admin --role=admin
  4. Link the admin user, _member_ role, and admin tenant:
    $ keystone user-role-add --user=admin --role=_member_ --tenant=admin
 
Create a normal user
Follow these steps to create a normal user and tenant, and link them to the special _member_ role. You will use this account for daily non-administrative interaction with the OpenStack cloud. You can also repeat this procedure to create additional cloud users with different usernames and passwords. Skip the tenant creation step when creating these users.
  1. Create the demo user:
    $ keystone user-create --name=demo --pass=DEMO_PASS --email=DEMO_EMAIL
    Replace DEMO_PASS with a secure password and replace DEMO_EMAIL with an email address to associate with the account.
直接用DEMO_PASS就可以,記住這密碼.
  1. Create the demo tenant:
    $ keystone tenant-create --name=demo --description="Demo Tenant"
    [Note] Note
    Do not repeat this step when adding additional users.
  2. Link the demo user, _member_ role, and demo tenant:
    $ keystone user-role-add --user=demo --role=_member_ --tenant=demo
 
Create a service tenant
OpenStack services also require a username, tenant, and role to access other OpenStack services. In a basic installation, OpenStack services typically share a single tenant named service.
You will create additional usernames and roles under this tenant as you install and configure each service.
  • Create the service tenant:
    $ keystone tenant-create --name=service --description="Service Tenant"

Define services and API endpoints

So that the Identity Service can track which OpenStack services are installed and where they are located on the network, you must register each service in your OpenStack installation. To register a service, run these commands:
  • keystone service-create. Describes the service.
  • keystone endpoint-create. Associates API endpoints with the service.
You must also register the Identity Service itself. Use the OS_SERVICE_TOKEN environment variable, as set previously, for authentication.
  1. Create a service entry for the Identity Service:
    $ keystone service-create --name=keystone --type=identity \
      --description="OpenStack Identity"
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description | OpenStack Identity               |
    | id          | 15c11a23667e427e91bc31335b45f4bd |
    | name        | keystone                         |
    | type        | identity                         |
    +-------------+----------------------------------+
    The service ID is randomly generated and is different from the one shown here.
  2. Specify an API endpoint for the Identity Service by using the returned service ID. When you specify an endpoint, you provide URLs for the public API, internal API, and admin API. In this guide, the controller host name is used. Note that the Identity Service uses a different port for the admin API.
    $ keystone endpoint-create \
      --service-id=$(keystone service-list | awk '/ identity / {print $2}') \
      --publicurl=http://controller:5000/v2.0 \
      --internalurl=http://controller:5000/v2.0 \
      --adminurl=http://controller:35357/v2.0
    +-------------+-----------------------------------+
    |   Property  |             Value                 |
    +-------------+-----------------------------------+
    | adminurl    | http://controller:35357/v2.0      |
    | id          | 11f9c625a3b94a3f8e66bf4e5de2679f  |
    | internalurl | http://controller:5000/v2.0       |
    | publicurl   | http://controller:5000/v2.0       |
    | region      | regionOne                         |
    | service_id  | 15c11a23667e427e91bc31335b45f4bd  |
    +-------------+-----------------------------------+
[Note] Note
You will need to create an additional endpoint for each service added to your OpenStack environment. The sections of this guide associated with the installation of each service include the endpoint creation step specific to the service.

Verify the Identity Service installation

  1. To verify that the Identity Service is installed and configured correctly, clear the values in the OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT environment variables:
    $ unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
    These variables, which were used to bootstrap the administrative user and register the Identity Service, are no longer needed.
  2. You can now use regular user name-based authentication.
    Request a authentication token by using the admin user and the password you chose for that user:
    $ keystone --os-username=admin --os-password=ADMIN_PASS \
      --os-auth-url=http://controller:35357/v2.0 token-get
    In response, you receive a token paired with your user ID. This verifies that the Identity Service is running on the expected endpoint and that your user account is established with the expected credentials.
  3. Verify that authorization behaves as expected. To do so, request authorization on a tenant:
    $ keystone --os-username=admin --os-password=ADMIN_PASS \
      --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 \
      token-get
    In response, you receive a token that includes the ID of the tenant that you specified. This verifies that your user account has an explicitly defined role on the specified tenant and the tenant exists as expected.
  4. You can also set your --os-* variables in your environment to simplify command-line usage. Set up a admin-openrc.sh file with the admin credentials and admin endpoint:
    Select Text
    1
    2
    3
    4
    export OS_USERNAME=admin
    export OS_PASSWORD=ADMIN_PASS
    export OS_TENANT_NAME=admin
    export OS_AUTH_URL=http://controller:35357/v2.0
  5. Source this file to read in the environment variables:
    $ source admin-openrc.sh
  6. Verify that your admin-openrc.sh file is configured correctly. Run the same command without the --os-* arguments:
    $ keystone token-get
    The command returns a token and the ID of the specified tenant. This verifies that you have configured your environment variables correctly.
  7. Verify that your admin account has authorization to perform administrative commands:
    $ keystone user-list
    +----------------------------------+-------+---------+-------------------+
    |                id                |  name | enabled |    email          |
    +----------------------------------+-------+---------+-------------------+
    | afea5bde3be9413dbd60e479fddf9228 | admin |   True  | admin@example.com |
    | 32aca1f9a47540c29d6988091f76c934 |  demo |   True  | demo@example.com  |
    +----------------------------------+-------+---------+-------------------+
    
    $ keystone user-role-list --user admin --tenant admin
    +----------------------------------+----------+----------------------------------+----------------------------------+
    |                id                |   name   |             user_id              |            tenant_id             |
    +----------------------------------+----------+----------------------------------+----------------------------------+
    | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | afea5bde3be9413dbd60e479fddf9228 | e519b772cb43474582fa303da62559e5 |
    | 5d3b60b66f1f438b80eaae41a77b5951 |  admin   | afea5bde3be9413dbd60e479fddf9228 | e519b772cb43474582fa303da62559e5 |
    +----------------------------------+----------+----------------------------------+----------------------------------+
    Seeing that the id in the output from the keystone user-list command matches the user_id in the keystone user-role-list command, and that the admin role is listed for that user, for the related tenant, this verifies that your user account has the admin role, which matches the role used in the Identity Service policy.json file.

No comments:

Post a Comment