keystone 代码库 git clone https://git.openstack.org/openstack/keystone.git
cd keystone
keystone配置文件
etc/keystone.conf.sample etc/keystone-paste.ini etc/logging.conf.sample etc/default_catalog.templates etc/sso_callback_template.html
keystone主配置文件说明 keystone.conf
[DEFAULT] - General configuration [assignment] - Assignment system driver configuration [auth] - Authentication plugin configuration [cache] - Caching layer configuration [catalog] - Service catalog driver configuration [credential] - Credential system driver configuration [domain_config] - Domain configuration [endpoint_filter] - Endpoint filtering configuration [endpoint_policy] - Endpoint policy configuration [federation] - Federation driver configuration [fernet_tokens] - Fernet token configuration [identity] - Identity system driver configuration [identity_mapping] - Identity mapping system driver configuration [kvs] - KVS storage backend configuration [ldap] - LDAP configuration options [memcache] - Memcache configuration options [oauth1] - OAuth 1.0a system driver configuration [paste_deploy] - Pointer to the PasteDeploy configuration file [policy] - Policy system driver configuration for RBAC [resource] - Resource system driver configuration [revoke] - Revocation system driver configuration [role] - Role system driver configuration [saml] - SAML configuration options [security_compliance] - Security compliance configuration [shadow_users] - Shadow user configuration [signing] - Cryptographic signatures for PKI based tokens [token] - Token driver & token provider configuration [tokenless_auth] - Tokenless authentication configuration [trust] - Trust configuration
keystone标准配置文件位置及优先规则
~/.keystone/ ~/ /etc/keystone/ /etc/
也可以通过指定参数 --config-file 形式指定配置文件位置来配置keystone
安装依赖包,yum源先配置好
yum install -y python2-pip python-devel openssl-devel mariadb-server mariadb-devel libxslt-devel libudev-devel libffi-devel libvirt qemu-kvm virt-install python-numdisplay rabbitmq-server memcached python-memcached
安装keystone依赖包
1 升级pip 2 pip install --upgrade pip 3 安装包分发工具 4 pip install pbr 5 升级安装six,newton要求six>=1.10.0,默认的系统six模块不满足 6 pip install six --upgrade 7 安装keystone依赖 8 pip install . 9 安装keystone服务 10 python setup.py install
安装其它依赖
pip install Mysql-python pip install uwsgi pip install pymysql
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
设置项目,用户,和角色
keystone-manage bootstrap命令通过指定对应的参数 创建用户 --bootstrap-username 创建项目 --bootstrap-project-name 创建角色 --bootstrap-role-name 同样的,也可以预定义系统环境变量 对应的变量名 OS_BOOTSTRAP_USERNAME OS_BOOTSTRAP_PROJECT_NAME OS_BOOTSTRAP_ROLE_NAME 对于创建用户是必须提供一个密码参数的,通过 --bootstrap-password 指定用户密码 同样也支持系统预定义变量 OS_BOOTSTRAP_PASSWORD 可选的参数 --bootstrap-public-url --bootstrap-admin-url --bootstrap-internal-url 以上参数通过指定不同的端点创建一个身份认证服务,同样如果有需要可以配置 --bootstrap-region-id --bootstrap-service-name
执行命令至少需要指定的参数
keystone-manage bootstrap --bootstrap-password s3cr3t
完整的命令参数
keystone-manage bootstrap --bootstrap-password s3cr3t --bootstrap-username admin --bootstrap-project-name admin --bootstrap-role-name admin --bootstrap-service-name keystone --bootstrap-region-id RegionOne --bootstrap-admin-url http://localhost:35357 --bootstrap-public-url http://localhost:5000 --bootstrap-internal-url http://localhost:5000
以上命令将会创建一个admin用户,角色为admin,在admin项目上,这个用户指定了一个认证密码,
⚠️ 这个用户和这个项目将被创建到default 域
通过命令验证
openstack project list --os-username admin --os-project-name admin --os-user-domain-id default --os-project-domain-id default --os-identity-api-version 3 --os-auth-url http://localhost:5000 --os-password s3cr3t