This section describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For scalability purposes, this configuration deploys Fernet tokens and the Apache HTTP server to handle requests.
Before you install and configure the Identity service, you must create a database.
Use the database access client to connect to the database server as the root user:
# mysql
Create the keystone database:
MariaDB [(none)]> CREATE DATABASE keystone;
Grant proper access to the ``keystone`` database:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
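Replace KEYSTONE_DBPASS with a suitable password.
Exit the database access client.
Note
Default configuration files vary by distribution. You might need to add these sections and options rather than modifying existing sections and options. Also, an ellipsis (...) in the configuration snippets indicates default configuration options that you should retain.
Note
This guide uses the Apache HTTP server with mod_wsgi to serve Identity service requests on ports 5000 and 35357. By default, the keystone service still listens on these ports. The package handles all of the Apache configuration for you (including the activation of the mod_wsgi apache2 module and keystone configuration in Apache).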
Run the following command to install the packages:
# apt install keystone
Edit the /etc/keystone/keystone.conf file and complete the following actions:
In the [database] section, configure database access:
[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
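Replace ``KEYSTONE_DBPASS`` with the password you chose for the database.
Note
Comment out or remove everything in the ``[database]`` section except ``connection``.
In the ``[token]`` section, configure the Fernet token provider: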
[token]
# ...
provider = fernet
Initialize the Identity service database:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet key repositories:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Bootstrap the Identity service:
# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:35357/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
Replace ADMIN_PASS with a suitable password for an administrative user.
Edit the ``/etc/apache2/apache2.conf`` file and configure the ``ServerName`` option to reference the controller node:
ServerName controller
Restart the Apache service and remove the default SQLite database:
# service apache2 restart
# rm -f /var/lib/keystone/keystone.db
Configure the administrative account:
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
Replace ADMIN_PASS with the password used in the keystone-manage bootstrap command in keystone-install-configure.
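The following check for the keystone.conf edits above is an added example, not part of the original guide or of keystone itself. It flags a connection string that still carries the literal KEYSTONE_DBPASS placeholder or still points at SQLite, extra options left in [database], and a [token] provider other than fernet. The function name and the sample file content are assumptions made for illustration.

```python
import configparser
from urllib.parse import urlsplit

PLACEHOLDER = "KEYSTONE_DBPASS"  # literal placeholder used in this guide

def audit_keystone_conf(text):
    """Return a list of findings for keystone.conf content given as a string."""
    # default_section is renamed so [DEFAULT] options are not inherited by
    # [database]; interpolation is off because passwords may contain '%'.
    cfg = configparser.ConfigParser(default_section="__unused__",
                                    interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []

    db = cfg["database"] if cfg.has_section("database") else {}
    conn = db.get("connection")
    if not conn:
        findings.append("[database] connection is not set")
    else:
        url = urlsplit(conn)
        if url.scheme.startswith("sqlite"):
            findings.append("[database] connection still points at SQLite")
        elif url.password == PLACEHOLDER:
            findings.append("[database] connection still contains the placeholder password")
        elif not url.password:
            findings.append("[database] connection has no password")
    # The guide's note: nothing but connection should remain in [database].
    extra = sorted(k for k in db if k != "connection")
    if extra:
        findings.append("[database] has options besides connection: " + ", ".join(extra))

    provider = cfg.get("token", "provider", fallback=None)
    if provider != "fernet":
        findings.append(f"[token] provider is {provider!r}, expected 'fernet'")
    return findings

# Constructed sample: the guide's snippets pasted in without replacing the placeholder.
SAMPLE = """\
[DEFAULT]
log_dir = /var/log/keystone
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
"""

if __name__ == "__main__":
    for finding in audit_keystone_conf(SAMPLE):
        print("FINDING:", finding)
```

Run it against the real file content before keystone-manage db_sync; an empty result means the edits from this section are in place.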
Except where otherwise noted, this document is licensed under Creative Commons Attribution 3.0 License. See all OpenStack Legal Documents.