Install and configure

This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability purposes, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.

Prerequisites

Before you install and configure the Identity service, you must create a database.

  1. Use the database access client to connect to the database server as the root user:

    $ mysql -u root -p
    
  2. Create the keystone database:

    MariaDB [(none)]> CREATE DATABASE keystone;
    
  3. Grant proper access to the ``keystone`` database:

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    IDENTIFIED BY 'KEYSTONE_DBPASS';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
    IDENTIFIED BY 'KEYSTONE_DBPASS';
    

    Replace KEYSTONE_DBPASS with a suitable password.

  4. Exit the database access client.

Install and configure components

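Note

Default configuration files vary by distribution. You might need to add these sections and options rather than modifying existing sections and options. Also, an ellipsis (...) in the configuration snippets indicates default configuration options that you should retain.

Note

This guide uses the Apache HTTP server with ``mod_wsgi`` to serve Identity service requests on ports 5000 and 35357. By default, the keystone service still listens on these ports. However, this guide manually disables the keystone service.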

  1. Run the following command to install the packages:

    # yum install openstack-keystone httpd mod_wsgi
    
  2. Edit the /etc/keystone/keystone.conf file and complete the following actions:

    • In the [database] section, configure database access:

      [database]
      # ...
      connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
      

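      Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.

      Note

      Comment out or remove everything in the ``[database]`` section other than ``connection``.

    • In the ``[token]`` section, configure the Fernet token provider: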

      [token]
      # ...
      provider = fernet
      
  3. Populate the Identity service database:

    # su -s /bin/sh -c "keystone-manage db_sync" keystone
    
  4. Initialize the Fernet keys:

    # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
    
  5. Bootstrap the Identity service:

    # keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
      --bootstrap-admin-url http://controller:35357/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne
    

    Replace ADMIN_PASS with a suitable password for an administrative user.
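
The following check is an added example, not part of the original guide: it confirms that the ``KEYSTONE_DBPASS`` placeholder was replaced in ``connection``, that ``[token]`` uses the fernet provider, and that the file holding the database password is not world-readable. The helper names ``ini_get`` and ``check_keystone_conf`` are hypothetical.

```shell
# Added example, not from the original guide. ini_get and check_keystone_conf
# are hypothetical helper names. Run as root after editing the file:
#   check_keystone_conf /etc/keystone/keystone.conf

# Print the value of KEY in [SECTION] of an INI file (last assignment wins).
ini_get() {  # usage: ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }                      # comment line
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec {
            i = index($0, "=")
            if (i == 0) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) val = v
        }
        END { print val }' "$1"
}

# Return 0 when the file matches the guide, 1 otherwise; findings go to stdout.
check_keystone_conf() {  # usage: check_keystone_conf FILE
    conf=$1; rc=0
    conn=$(ini_get "$conf" database connection)
    case $conn in
        "")                echo "FAIL: [database] connection is not set"; rc=1 ;;
        *KEYSTONE_DBPASS*) echo "FAIL: placeholder KEYSTONE_DBPASS still in connection"; rc=1 ;;
    esac
    provider=$(ini_get "$conf" token provider)
    [ "$provider" = "fernet" ] || {
        echo "FAIL: [token] provider is '$provider', expected fernet"; rc=1
    }
    # The connection string embeds the database password, so the file
    # must not be readable by "other".
    if [ -n "$(find "$conf" -perm -004 2>/dev/null)" ]; then
        echo "FAIL: $conf is world-readable"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $conf"
    return "$rc"
}
```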

Configure the Apache HTTP server

  1. Edit the ``/etc/httpd/conf/httpd.conf`` file and configure the ``ServerName`` option to reference the controller node:

    ServerName controller
    
  2. Create a link to the ``/usr/share/keystone/wsgi-keystone.conf`` file:

    # ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
    

Finalize the installation

  1. Start the Apache HTTP service and configure it to start when the system boots:

    # systemctl enable httpd.service
    # systemctl start httpd.service
    
  2. Configure the administrative account:

    $ export OS_USERNAME=admin
    $ export OS_PASSWORD=ADMIN_PASS
    $ export OS_PROJECT_NAME=admin
    $ export OS_USER_DOMAIN_NAME=Default
    $ export OS_PROJECT_DOMAIN_NAME=Default
    $ export OS_AUTH_URL=http://controller:35357/v3
    $ export OS_IDENTITY_API_VERSION=3
    

    Replace ADMIN_PASS with the password used in the keystone-manage bootstrap command above.

Creative Commons Attribution 3.0 License

Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.