
Installing, Configuring, and Verifying Keystone

Keystone provides identity authentication and authorization for other service components in the OpenStack project.

Install, configure, and verify Keystone on controller nodes.

Creating the Keystone Database

  1. Access the MySQL database.
    mysql -u root -p

  2. Create a database for Keystone.
    CREATE DATABASE keystone;

  3. Authorize the local and remote servers to access MySQL. PASSWORD indicates the password of the root database user.
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '<PASSWORD>';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '<PASSWORD>';


    Replace <PASSWORD> with the actual password.

    OpenStack user passwords do not support the number sign (#). OpenStack imposes no password complexity requirements, so a password without special characters is acceptable.

    The only special characters OpenStack supports are &=$-_.+!*()

  4. Exit the database.
    exit


Installing Keystone

  1. Install the Keystone package.
    yum -y install openstack-keystone httpd mod_wsgi


  2. Edit the /etc/keystone/keystone.conf file.

    Add the following to the [database] section:

    connection = mysql+pymysql://keystone:<PASSWORD>@controller/keystone

    Add the following to the [token] section:

    provider = fernet

    <PASSWORD> is the password set for the keystone database in the previous section.

  3. Populate the Identity service database.
    su -s /bin/sh -c "keystone-manage db_sync" keystone

  4. Initialize the Fernet key repositories.
    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

  5. Bootstrap the Identity service.
    keystone-manage bootstrap --bootstrap-password <PASSWORD> \
    --bootstrap-admin-url http://controller:5000/v3/ \
    --bootstrap-internal-url http://controller:5000/v3/ \
    --bootstrap-public-url http://controller:5000/v3/ \
    --bootstrap-region-id RegionOne


    Change the value of PASSWORD to the password of the admin user.
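    The [database] connection string and the fernet token provider written in step 2 are easy to get wrong by hand, so the following added check (not part of the original page) reads a keystone.conf offline, confirms both settings, and applies the password character rule from the previous section to the database password embedded in the connection string. The sample file and the KEYSTONE_DBPASS value are constructed for the demonstration; the ini_get, password_charset_ok and check_keystone_conf helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original page: offline check of the
# keystone.conf settings from step 2, plus the page's password character
# rule applied to the embedded database password. Parsing is section aware
# and skips the commented "#key = value" lines a packaged keystone.conf has.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing.
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 ~ ("^[ \t]*\\[" section "\\]")); next }
        in_sec && /^[ \t]*[^#; \t]/ {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# Page rule: only the special characters &=$-_.+!*() are supported and a
# number sign (#) is not. Returns 0 when the password uses only those.
password_charset_ok() {
    ! printf '%s' "$1" | grep -q '[^A-Za-z0-9&=$_.+!*()-]'
}

# check_keystone_conf FILE: 0 when [token] and [database] match the procedure.
check_keystone_conf() {
    provider=$(ini_get "$1" token provider)
    conn=$(ini_get "$1" database connection)
    [ "$provider" = fernet ] || { echo "token.provider='$provider', expected fernet"; return 1; }
    case "$conn" in
        mysql+pymysql://keystone:*@*/keystone) ;;
        *) echo "database.connection must be mysql+pymysql://keystone:<PASSWORD>@<host>/keystone"; return 1 ;;
    esac
    pw=${conn#mysql+pymysql://keystone:}; pw=${pw%@*}   # password sits between "keystone:" and "@"
    password_charset_ok "$pw" || { echo "database password uses an unsupported character"; return 1; }
}

# Demo on a constructed file (KEYSTONE_DBPASS is a placeholder value).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
[database]
#connection = <None>
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
EOF
check_keystone_conf "$SAMPLE" && echo "keystone.conf matches the procedure"
rm -f "$SAMPLE"
```

    Run it against the real /etc/keystone/keystone.conf after step 2; a connection string that uses a different database user, a non-fernet provider, or a password with a number sign is reported with a reason.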

Configuring the Apache HTTP Service

  1. Edit the /etc/httpd/conf/httpd.conf file and set ServerName to the controller node.

    This option is commented out by default; locate it, uncomment it, and set its value.

  2. Create a link to the /usr/share/keystone/wsgi-keystone.conf file.
    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

  3. Enable the Apache HTTP service and configure it to start as the system boots.
    systemctl enable httpd.service
    systemctl start httpd.service

  4. Configure the administrator account.
    export OS_USERNAME=admin
    export OS_PASSWORD=<PASSWORD>
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3


    Change the value of PASSWORD to the password of the admin user.

Creating Domains, Projects, Users, and Roles

  1. Create a domain.
    openstack domain create --description "An Example Domain" example

    This step shows how to create a new domain. The default domain was already created by keystone-manage bootstrap in step 5 of Installing Keystone.

  2. Create the service project.
    openstack project create --domain default --description "Service Project" service

  3. Create an ordinary project named myproject for regular (non-administrative) tasks.
    openstack project create --domain default --description "Demo Project" myproject

  4. Create an ordinary user named myuser.
    openstack user create --domain default --password-prompt myuser

    Set the password for the myuser user when prompted.

  5. Create a role.
    openstack role create myrole

  6. Add the myrole role to the myuser user in the myproject project.
    openstack role add --project myproject --user myuser myrole


Verifying Keystone

  1. Unset the temporary environment variables.
    unset OS_AUTH_URL OS_PASSWORD

  2. Request an authentication token as the admin user.
    openstack --os-auth-url http://controller:5000/v3 \
    --os-project-domain-name Default --os-user-domain-name Default \
    --os-project-name admin --os-username admin token issue

    Enter the password: PASSWORD

    The password is user-defined; for brevity this document writes it as PASSWORD. Here, PASSWORD is the password of the admin user.

  3. Request an authentication token as user myuser.
    openstack --os-auth-url http://controller:5000/v3 \
    --os-project-domain-name Default --os-user-domain-name Default \
    --os-project-name myproject --os-username myuser token issue

    Enter the password: PASSWORD

  4. Create an OpenStack client environment script.
    1. Create and edit the admin-openrc file.
      vim /etc/keystone/admin-openrc

      Add the following to the file:

      export OS_PROJECT_DOMAIN_NAME=Default
      export OS_USER_DOMAIN_NAME=Default
      export OS_PROJECT_NAME=admin
      export OS_USERNAME=admin
      export OS_PASSWORD=<PASSWORD>
      export OS_AUTH_URL=http://controller:5000/v3
      export OS_IDENTITY_API_VERSION=3
      export OS_IMAGE_API_VERSION=2

    2. Create and edit the demo-openrc file.
      vim /etc/keystone/demo-openrc

      Add the following to the file:

      export OS_PROJECT_DOMAIN_NAME=Default
      export OS_USER_DOMAIN_NAME=Default
      export OS_PROJECT_NAME=myproject
      export OS_USERNAME=myuser
      export OS_PASSWORD=<PASSWORD>
      export OS_AUTH_URL=http://controller:5000/v3
      export OS_IDENTITY_API_VERSION=3
      export OS_IMAGE_API_VERSION=2

      admin-openrc holds the login credentials of the admin user; demo-openrc holds those of myuser.

  5. Run the script.
    source /etc/keystone/admin-openrc
    openstack token issue