安装和配置¶

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability purposes, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.

先决条件¶

Before you install and configure the Identity service, you must create a database.

注解

Before you begin, ensure you have the most recent version of python-pyasn1 installed.

用数据库连接客户端以 root 用户连接到数据库服务器：
```
$ mysql -u root -p
```

创建 keystone 数据库：

MariaDB [(none)]> CREATE DATABASE keystone;

对``keystone``数据库授予恰当的权限：

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';

用合适的密码替换 KEYSTONE_DBPASS 。

退出数据库客户端。

安全并配置组件¶

注解

默认配置文件在各发行版本中可能不同。你可能需要添加这些部分，选项而不是修改已经存在的部分和选项。另外，在配置片段中的省略号(...)表示默认的配置选项你应该保留。

注解

教程使用带有``mod_wsgi``的Apache HTTP服务器来服务认证服务请求，端口为5000和35357。缺省情况下，Kestone服务仍然监听这些端口。然而，本教程手动禁用keystone服务。

注解

Starting with the Newton release, SUSE OpenStack packages are shipping with the upstream default configuration files. For example /etc/keystone/keystone.conf, with customizations in /etc/keystone/keystone.conf.d/010-keystone.conf. While the following instructions modify the default configuration file, adding a new file in /etc/keystone/keystone.conf.d achieves the same result.

运行以下命令来安装包。

# zypper install openstack-keystone apache2-mod_wsgi

编辑文件 /etc/keystone/keystone.conf 并完成如下动作：
- 在 [database] 部分，配置数据库访问：
```
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
```
  将``KEYSTONE_DBPASS``替换为你为数据库选择的密码。
  
  注解
  
  注释或删除``[database]``部分除``connection`以外的所有内容
- 在``[token]``部分，配置Fernet UUID令牌的提供者。
```
[token]
# ...
provider = fernet
```

初始化身份认证服务的数据库：

# su -s /bin/sh -c "keystone-manage db_sync" keystone

初始化Fernet key：

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Bootstrap the Identity service:

# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

Replace ADMIN_PASS with a suitable password for an administrative user.

配置 Apache HTTP 服务器¶

编辑 /etc/sysconfig/apache2 并将``APACHE_SERVERNAME``选项配置为控制节点：
```
APACHE_SERVERNAME="controller"
```

用下面的内容创建`/etc/apache2/conf.d/wsgi-keystone.conf``文件：

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/apache2/keystone.log
    CustomLog /var/log/apache2/keystone_access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

递归更改 /etc/keystone 目录属组：

# chown -R keystone:keystone /etc/keystone

完成安装¶

启动 Apache HTTP 服务并配置其随系统启动：

# systemctl enable apache2.service
# systemctl start apache2.service

配置admin账户

$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3

Replace ADMIN_PASS with the password used in the keystone-manage bootstrap command in keystone-install-configure.