Keystone deployment and operation

2025-03-28 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Catalogue

I. Version information

II. Deploy Keystone

III. Keystone operation

IV. Verification

V. Create scripts

VI. Summary of Keystone usage routines

I. Version information

Official documentation: http://docs.openstack.org/newton/install-guide-rdo/keystone.html

We deploy the Newton release, following the guide above. OpenStack publishes a new release roughly every six months; rather than chase each one, we pick a single release and study it in depth, to the point of being able to submit code to the community.

II. Deploy Keystone

Refer to the official install guide: http://docs.openstack.org/newton/install-guide-rdo/

System information

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
[root@localhost ~]# uname -r
3.10.0-123.el7.x86_64

Step 1: preparation

yum -y install centos-release-openstack-newton    # install the official OpenStack Newton yum repository
yum -y upgrade                                    # update the system
yum -y install python-openstackclient             # install the OpenStack command-line client
yum -y install openstack-selinux                  # openstack-selinux manages the SELinux policy for the OpenStack components automatically

Step 2: deploy MariaDB

Installation

Keystone supports SQL and LDAP as back-end drivers for storing users and related information; the service catalog and other data are kept in SQL. Here we choose MariaDB.

yum -y install mariadb mariadb-server python2-PyMySQL

Configuration: /etc/my.cnf.d/openstack.cnf

[mysqld]
bind-address = 192.168.31.57    # management-network IP of this host
default-storage-engine = innodb
innodb_file_per_table
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

Start the service and enable it at boot

systemctl start mariadb.service
systemctl enable mariadb.service

Secure the installation (recommended: it sets the root password and removes the anonymous accounts, remote root login and the test database)

mysql_secure_installation

Step 3: deploy Keystone

Keystone's database objects

mysql -u root -p    # log in to the database as root

CREATE DATABASE keystone;    # create the keystone database

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123';    # account for local access to the keystone database

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123';    # account for remote access to the keystone database

('123' is the demo password used throughout this page and must match the connection string in keystone.conf below. In a real deployment use a strong password, and grant access from '%' only if other hosts really need it; otherwise restrict the host part to the controller's address.)

Install the packages

# the Keystone package is openstack-keystone
# httpd and mod_wsgi are installed because Apache + Keystone is the deployment the community promotes
# openstack-keystone is essentially a WSGI web application, and httpd is a web server that can host WSGI applications, so httpd needs the mod_wsgi module

yum -y install openstack-keystone httpd mod_wsgi

Configuration: /etc/keystone/keystone.conf

# tell openstack-keystone how to connect to its back-end database, keystone
# mysql+pymysql: PyMySQL is the Python MySQL driver used to talk to MySQL/MariaDB

[database]
connection = mysql+pymysql://keystone:123@192.168.31.57/keystone

[token]
provider = fernet    # fernet is the token provider (format) to use

Initialize the keystone database

# initialization is required: Keystone's ORM (object-relational mapping) must create the table structure in the database

su -s /bin/sh -c "keystone-manage db_sync" keystone

If this step reports an error, check the [database] connection string above and that the keystone database user can reach MariaDB from this host with the password given in the GRANT statements.

Initialize the Fernet key repositories

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Step 4: configure the web server to serve Keystone

Set the host name

hostnamectl set-hostname controller

Configure /etc/hosts

192.168.31.57 controller

Configure /etc/httpd/conf/httpd.conf

ServerName controller

Add the mod_wsgi configuration for Keystone

# the file can be copied directly or symlinked

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

Start the httpd service and enable it at boot

systemctl start httpd.service
systemctl enable httpd.service

III. Keystone operation

Part 1: create the catalog for Keystone

Configure /etc/keystone/keystone.conf

[DEFAULT]
admin_token = 123

Set environment variables

# OS_TOKEN = the admin_token from the configuration file
# the admin_token_auth filter sets is_admin=True on any request that presents this token
# whoever holds this admin_token is therefore an administrator: it is a shared secret that bypasses normal authentication, so it must be removed once real users exist (see the verification section)

export OS_TOKEN=123    # must equal admin_token in keystone.conf
export OS_URL=http://192.168.31.57:35357/v3
export OS_IDENTITY_API_VERSION=3

Create the catalog for Keystone

# create the Identity service entity using the privileges obtained in the previous step

openstack service create \
  --name keystone --description "OpenStack Identity" identity

# create the three API endpoints for the service entity just created

openstack endpoint create --region RegionOne \
  identity public http://192.168.31.57:5000/v3
openstack endpoint create --region RegionOne \
  identity internal http://192.168.31.57:5000/v3
openstack endpoint create --region RegionOne \
  identity admin http://192.168.31.57:35357/v3

Part 2: create a domain, a project, a user and a role, and associate the four

The Identity service provides authentication for every OpenStack service, using a combination of domains, projects, users and roles.

Create the default domain:

openstack domain create --description "Default Domain" default

Create the administrator:

# create the admin project
openstack project create --domain default \
  --description "Admin Project" admin

# create the admin user
openstack user create --domain default \
  --password-prompt admin

# create the admin role
openstack role create admin

# associate the three: give user admin the admin role on project admin
openstack role add --project admin --user admin admin

Part 3: use bootstrap to do the work of Part 1 and Part 2 in one step

Bootstrap the Identity service:

# creates the Identity service entity and its endpoints, plus the default domain, admin project, admin user and admin role

keystone-manage bootstrap --bootstrap-password 123 \
  --bootstrap-admin-url http://192.168.31.57:35357/v3/ \
  --bootstrap-internal-url http://192.168.31.57:35357/v3/ \
  --bootstrap-public-url http://192.168.31.57:5000/v3/ \
  --bootstrap-region-id RegionOne

Set the environment variables (this path authenticates with the admin user's password and receives a real token; the admin_token filter and is_admin=True are not involved)

export OS_USERNAME=admin
export OS_PASSWORD=123    # the value given to keystone-manage bootstrap --bootstrap-password
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.31.57:35357/v3
export OS_IDENTITY_API_VERSION=3

Part 4: create a project, user, role and association for later testing

Create a project named demo

openstack project create --domain default \
  --description "Demo Project" demo

Create an ordinary user demo

openstack user create --domain default \
  --password-prompt demo

Create the ordinary-user role, user

openstack role create user

Associate them

openstack role add --project demo --user demo user

Part 5: create a shared service project for the services installed later

Explanation: for every service added later, four operations are needed in Keystone: 1. create a project, 2. create a user, 3. create a role, 4. associate them

# all later services share one project, service, and use the existing administrator role admin
# so for a later service the Keystone steps are in practice only 2 and 4

openstack project create --domain default \
  --description "Service Project" service

IV. Verification

Part 1: preparation

For security, disable the temporary admin-token mechanism (admin_token in keystone.conf together with the admin_token_auth filter). It marks any request carrying the token as is_admin=True, bypassing authentication, and is only needed until an administrator exists; keystone-manage bootstrap creates a real admin user with a password, so nothing depends on it afterwards. How is_admin is handled will be covered in the source-code analysis; we stop here for now.

Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the pipeline lines of

[pipeline:public_api]
[pipeline:admin_api]
[pipeline:api_v3]

It is also sensible to remove admin_token from [DEFAULT] in /etc/keystone/keystone.conf; restart httpd so the new pipelines are loaded.

Unset all the environment variables set earlier, for example

unset OS_TOKEN OS_URL OS_AUTH_URL OS_PASSWORD
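As an added example (not code from the original page), the following Python script performs the check above mechanically: it lists the paste pipelines that still carry admin_token_auth, strips the filter from every [pipeline:*] section while leaving the [filter:...] definition and other filters intact, and reports whether keystone.conf still has an admin_token set. The INI text embedded in it is constructed for the example and only approximates the Newton layout; filter names other than admin_token_auth are illustrative.

```python
"""Audit and harden the Keystone admin-token mechanism (added example).

pipelines_using() lists [pipeline:*] sections that still carry admin_token_auth
strip_filter()    removes the filter from every pipeline line
admin_token_set() reports whether [DEFAULT] admin_token is still configured
"""
import configparser

# Constructed sample of /etc/keystone/keystone-paste.ini (approximate Newton layout;
# filter names other than admin_token_auth are illustrative).
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
"""

# Constructed sample of the relevant part of /etc/keystone/keystone.conf.
SAMPLE_KEYSTONE_CONF = """\
[DEFAULT]
admin_token = 123

[token]
provider = fernet
"""


def _read(ini_text):
    # interpolation=None so literal '%' in values cannot trip the parser
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp


def pipelines_using(paste_ini, filter_name="admin_token_auth"):
    """Names of [pipeline:*] sections whose pipeline still includes filter_name."""
    cp = _read(paste_ini)
    return [s for s in cp.sections()
            if s.startswith("pipeline:")
            and filter_name in cp.get(s, "pipeline", fallback="").split()]


def strip_filter(paste_ini, filter_name="admin_token_auth"):
    """Return paste_ini with filter_name removed from every pipeline line.

    Works line by line so comments and the [filter:...] definition survive;
    only 'pipeline = ...' lines inside [pipeline:*] sections are rewritten.
    """
    out, in_pipeline = [], False
    for line in paste_ini.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_pipeline = stripped.startswith("[pipeline:")
        elif in_pipeline and stripped.split("=")[0].strip() == "pipeline":
            key, _, value = line.partition("=")
            kept = [f for f in value.split() if f != filter_name]
            line = f"{key.strip()} = {' '.join(kept)}"
        out.append(line)
    return "\n".join(out) + "\n"


def admin_token_set(keystone_conf):
    """True when [DEFAULT] admin_token is present with a non-empty value."""
    cp = _read(keystone_conf)
    return bool(cp.defaults().get("admin_token", "").strip())


def audit(paste_ini, keystone_conf):
    """Human-readable findings; an empty list means the mechanism is disabled."""
    findings = [f"{name}: admin_token_auth still in pipeline"
                for name in pipelines_using(paste_ini)]
    if admin_token_set(keystone_conf):
        findings.append("[DEFAULT] admin_token is set; remove it once bootstrap is done")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASTE_INI, SAMPLE_KEYSTONE_CONF):
        print("FINDING:", finding)
    print(strip_filter(SAMPLE_PASTE_INI))
```

Run it against the real files by reading /etc/keystone/keystone-paste.ini and /etc/keystone/keystone.conf into the two arguments; an empty audit() result after the edit and an httpd restart confirms the shared-secret path is closed.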

Part 2: verification, method 1

The administrator user admin requests a token

openstack --os-auth-url http://controller:35357/v3 \
  --os-identity-api-version 3 \
  --os-project-domain-name default \
  --os-user-domain-name default \
  --os-project-name admin \
  --os-username admin \
  token issue

Note: --os-identity-api-version 3 must be given; the password is requested interactively

The ordinary user demo requests a token

openstack --os-auth-url http://controller:5000/v3 \
  --os-identity-api-version 3 \
  --os-project-domain-name default \
  --os-user-domain-name default \
  --os-project-name demo \
  --os-username demo \
  token issue

Part 3: verification, method 2 (raw API call)

curl -i \
  -H "Content-Type: application/json" \
  -d '
{ "auth": {
    "identity": {
      "methods": ["password"],
      "password": {
        "user": {
          "name": "admin",
          "domain": { "name": "default" },
          "password": "123"
        }
      }
    },
    "scope": {
      "project": {
        "name": "admin",
        "domain": { "name": "default" }
      }
    }
  }
}' \
  http://127.0.0.1:5000/v3/auth/tokens

On success the token is returned in the X-Subject-Token response header; the JSON body describes the token's expiry, roles and service catalog.
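As an added example (not code from the original page), the Python below builds the same v3 password-auth body the curl call sends and parses a token response the way a client library would: the token comes from the X-Subject-Token header, and the body supplies the expiry, the roles and the service catalog, which is how a client later locates the identity or image endpoints created in Part 1 and in the summary. The response it parses is constructed for the example and the token value and IDs are made up.

```python
"""Identity v3 password authentication: request body and token-response parsing
(added example, not from the original page)."""
import json
from datetime import datetime, timezone


def build_auth_request(user, password, user_domain, project, project_domain):
    """Body for POST /v3/auth/tokens: password method, scoped to a project.

    Mirrors the curl payload above; omitting "scope" would yield an unscoped token.
    """
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {"name": user,
                                  "domain": {"name": user_domain},
                                  "password": password}}},
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}


# Constructed sample of a successful response. The token itself is only in the
# X-Subject-Token header; the body describes what it grants. Values are made up.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABexample-fernet-token",
                  "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2030-01-01T01:00:00.000000Z",
    "user": {"name": "admin", "domain": {"name": "default"}},
    "project": {"name": "admin", "domain": {"name": "default"}},
    "roles": [{"name": "admin"}],
    "catalog": [
        {"type": "identity", "name": "keystone", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "http://192.168.31.57:5000/v3"},
            {"interface": "internal", "region": "RegionOne",
             "url": "http://192.168.31.57:5000/v3"},
            {"interface": "admin", "region": "RegionOne",
             "url": "http://192.168.31.57:35357/v3"}]},
        {"type": "image", "name": "glance", "endpoints": [
            {"interface": "public", "region": "RegionOne",
             "url": "http://controller01:9292"}]}]}})


def parse_token_response(headers, body):
    """Extract token, expiry (aware UTC datetime), project, roles and catalog."""
    token = {k.lower(): v for k, v in headers.items()}.get("x-subject-token")
    if not token:
        raise ValueError("response has no X-Subject-Token header")
    tok = json.loads(body)["token"]
    expires = datetime.strptime(tok["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"token": token,
            "expires_at": expires.replace(tzinfo=timezone.utc),
            "project": tok.get("project", {}).get("name"),
            "roles": [r["name"] for r in tok.get("roles", [])],
            "catalog": tok.get("catalog", [])}


def endpoint_for(catalog, service_type, interface="public", region=None):
    """URL for a service type and interface (optionally region) from the catalog, or None."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") == interface and (region is None or ep.get("region") == region):
                return ep["url"]
    return None


def is_expired(parsed, now=None):
    """True when expires_at is not in the future relative to now (UTC)."""
    now = now or datetime.now(timezone.utc)
    return parsed["expires_at"] <= now


def has_role(parsed, role):
    """True when the scoped token carries the given role name."""
    return role in parsed["roles"]


if __name__ == "__main__":
    print(json.dumps(build_auth_request("admin", "123", "default", "admin", "default"), indent=2))
    t = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print("token:", t["token"], "roles:", t["roles"], "expired:", is_expired(t))
    print("image public endpoint:", endpoint_for(t["catalog"], "image"))
```

Against a live controller, POST json.dumps(build_auth_request(...)) to http://127.0.0.1:5000/v3/auth/tokens and pass the response headers and body to parse_token_response(); the admin interface of the identity service is what the demo user should never need, which is why its openrc points at port 5000.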

V. Create scripts

To avoid typing the long list of user settings each time, put them in a script.

admin-openrc

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123
export OS_AUTH_URL=http://192.168.31.57:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

demo-openrc

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123
export OS_AUTH_URL=http://192.168.31.57:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Each business use should have its own user, and each set of credentials its own script, which keeps them easy to manage. The scripts hold plaintext passwords, so keep their file permissions tight.

Requesting a token then reduces to

source admin-openrc
openstack token issue

VI. Summary of Keystone usage routines

(1) A user belongs to one or more projects and holds a role in each. So we create a project, create a user, create a role, and associate the user with the project and role.

Create a domain, projects, users and roles, and associate them

Create the default domain:

openstack domain create --description "Default Domain" default

Administrator: admin

openstack project create --domain default \
  --description "Admin Project" admin
openstack user create --domain default \
  --password-prompt admin
openstack role create admin
openstack role add --project admin --user admin admin

Ordinary user: demo

openstack project create --domain default \
  --description "Demo Project" demo
openstack user create --domain default \
  --password-prompt demo
openstack role create user
openstack role add --project demo --user demo user

(2) Keystone essentially provides the Identity service, so its mechanism is also built around users. To provide the service catalog, a dedicated project, service, is created when Keystone is configured; a user is created for each service (nova, swift, cinder, ...) and all belong to the service project. The corresponding endpoints are then configured.

Create the shared project service used by all later services

openstack project create --domain default \
  --description "Service Project" service

Create the service entity

openstack service create --name glance \
  --description "OpenStack Image" image

Create the endpoints

openstack endpoint create --region RegionOne \
  image public http://controller01:9292
openstack endpoint create --region RegionOne \
  image internal http://controller01:9292
openstack endpoint create --region RegionOne \
  image admin http://controller01:9292

