Openstack Folsom KeyStone Install(版本日期2013.1)
使用non-root用户操作
1.将本地源更新到最新版本
[quote]sudo vi /etc/apt/sources.list
sudo apt-get update
sudo apt-get upgrade[/quote]
2.下载pip,git工具
[quote]sudo apt-get install python-pip
sudo apt-get install git[/quote]
3.下载相关工具
[quote]sudo apt-get install python-dev libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev[/quote]
4.下载keystone最新源码
[quote]git clone https://github.com/openstack/keystone.git[/quote]
cd keystone/
5.根据需要安装依赖
# Install the dependencies for running keystone
[quote]sudo pip install -r tools/pip-requires[/quote]
# Install the dependencies for developing, testing, and running keystone
[quote]sudo pip install -r tools/test-requires[/quote]
6.安装keystone
# Use python setup.py to link Keystone into python's site-packages
[quote]sudo python setup.py develop[/quote]
7.修改配置文件
[quote]vi etc/keystone.conf [/quote]
我现在使用的配置
[b][DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token =Lee
# The IP address of the network interface to listen on
bind_host = 192.168.88.77
# The port number which the public service listens on
public_port = 5000
# The port number which the public admin listens on
admin_port = 35357
# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
public_endpoint = http://192.168.88.77:5000/
admin_endpoint = http://192.168.88.77:35357/
# The port number which the OpenStack Compute service listens on
compute_port = 8774
# Path to your policy definition containing identity actions
# TODO(dolph): This config method will probably be deprecated during grizzly
policy_file = policy.json
# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required
# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants. After migration, the member_role_id will be used in the API
# add_user_to_project, and member_role_name will be ignored.
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# member_role_name = _member_
# === Logging Options ===
# Print debugging output
# (includes plaintext request logging, potentially including passwords)
debug = true
# Print more verbose output
verbose = true
# Name of log file to output to. If not set, logging will go to stdout.
#log_file = keystone.log
# The directory to keep log files in (will be prepended to --logfile)
# log_dir = /var/log/keystone
# Use syslog for logging.
use_syslog = false
# syslog facility to receive log lines
# syslog_log_facility = LOG_USER
# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
#log_config = logging.conf
# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
#log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
# Format string for %(asctime)s in log records.
#log_date_format = %Y-%m-%d %H:%M:%S
# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
onready = keystone.common.systemd
[sql]
# The SQLAlchemy connection string used to connect to the database
connection = sqlite:///keystone.db
# the timeout before idle sql connections are reaped
idle_timeout = 200
[identity]
driver = keystone.identity.backends.sql.Identity
# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008. The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients.
#default_domain_id =default
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
driver = keystone.catalog.backends.sql.Catalog
# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog
template_file = default_catalog.templates
[token]
driver = keystone.token.backends.kvs.Token
# Amount of time a token should remain valid (in seconds)
# expiration = 86400
[policy]
driver = keystone.policy.backends.sql.Policy
[ec2]
driver = keystone.contrib.ec2.backends.kvs.Ec2
[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#cert_required = True
[signing]
token_format = PKI
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
key_size = 1024
valid_days = 3650
ca_password = None
[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com
# page_size = 0
# The LDAP scope for queries, this can be either 'one'
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
# query_scope = one
# user_tree_dn = ou=Users,dc=example,dc=com
# user_filter =
# user_objectclass = inetOrgPerson
# user_domain_id_attribute = businessCategory
# user_id_attribute = cn
# user_name_attribute = sn
# user_mail_attribute = email
# user_pass_attribute = userPassword
# user_enabled_attribute = enabled
# user_enabled_mask = 0
# user_enabled_default = True
# user_attribute_ignore = tenant_id,tenants
# user_allow_create = True
# user_allow_update = True
# user_allow_delete = True
# user_enabled_emulation = False
# user_enabled_emulation_dn =
# tenant_tree_dn = ou=Groups,dc=example,dc=com
# tenant_filter =
# tenant_objectclass = groupOfNames
# tenant_domain_id_attribute = businessCategory
# tenant_id_attribute = cn
# tenant_member_attribute = member
# tenant_name_attribute = ou
# tenant_desc_attribute = desc
# tenant_enabled_attribute = enabled
# tenant_attribute_ignore =
# tenant_allow_create = True
# tenant_allow_update = True
# tenant_allow_delete = True
# tenant_enabled_emulation = False
# tenant_enabled_emulation_dn =
# role_tree_dn = ou=Roles,dc=example,dc=com
# role_filter =
# role_objectclass = organizationalRole
# role_id_attribute = cn
# role_name_attribute = ou
# role_member_attribute = roleOccupant
# role_attribute_ignore =
# role_allow_create = True
# role_allow_update = True
# role_allow_delete = True
# group_tree_dn =
# group_filter =
# group_objectclass = groupOfNames
# group_id_attribute = cn
# group_name_attribute = ou
# group_member_attribute = member
# group_desc_attribute = desc
# group_attribute_ignore =
# group_allow_create = True
# group_allow_update = True
# group_allow_delete = True
[auth]
methods = password,token
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
[filter:sizelimit]
paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
[filter:access_log]
paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:service_v3]
paste.app_factory = keystone.service:v3_app_factory
[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory
[pipeline:public_api]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
[pipeline:admin_api]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3
[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory
[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory
[pipeline:public_version_api]
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body public_version_service
[pipeline:admin_version_api]
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api[/b]
8.初始化并且同步数据库(命令在哪个目录执行,keystone.db就保存在哪里)
[quote]keystone-manage db_sync[/quote]
9.初始化证书到/etc/keystone/ssl
[quote]keystone-manage pki_setup[/quote]
10.启动服务([color=red][b]使用Root启动[/b][/color])
*****
使用non-root用户启动遇到测试请求后台会抛出异常:
Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
前台会给出500的错误返回 Internal Server Error ,message : Unable to sign token
******
[quote]sudo su
keystone-all[/quote]
11.插入测试数据([color=red][b]使用non-root[/b][/color])测试
[quote]export SERVICE_TOKEN=Lee[/quote] [这里的Lee是keystone.conf设置的admin_token]
[quote]export SERVICE_ENDPOINT=http://192.168.88.77:35357/v2.0[/quote]
这里演示简单的数据:
(1)插入租户
[quote]keystone tenant-create --name boventech --description 'LiSi Tenant'[/quote]
+----------------------------------+-------------+---------+
| id | name | enabled |
+----------------------------------+-------------+---------+
| 90cef39a936b416c91054fc555f1a29d | boventech | True |
+----------------------------------+-------------+---------+
(2)插入权限
[quote]keystone role-create --name ADMIN[/quote]
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | bd7b8266304746a9b066310b3ba51fba |
| name | ADMIN |
+----------+----------------------------------+
(3)插入用户
[quote]keystone user-create --name lisi --tenant-id 90cef39a936b416c91054fc555f1a29d --pass lee --email si.li@boventech.com[/quote]
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | si.li@boventech.com |
| enabled | True |
| id | b7116f190d1145bd9faddf7513d1abe5 |
| name | lisi |
| tenantId | 90cef39a936b416c91054fc555f1a29d |
+----------+----------------------------------+
(4)插入服务
[quote]keystone service-create --name keystone --type identity --description 'Openstack Folsom KeyStone'[/quote]
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Openstack Folsom KeyStone |
| id | d58dc871ca7d4773a834d462ba2bc09d |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
(5)为用户附加权限
[quote]keystone user-role-add --user-id b7116f190d1145bd9faddf7513d1abe5 --role-id bd7b8266304746a9b066310b3ba51fba --tenant-id 90cef39a936b416c91054fc555f1a29d[/quote]
未提示错误就表示添加成功
也可以通过命令查询
[quote]keystone user-role-list --tenant-id 90cef39a936b416c91054fc555f1a29d --user-id b7116f190d1145bd9faddf7513d1abe5[/quote]
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | ADMIN | b7116f190d1145bd9faddf7513d1abe5 | 90cef39a936b416c91054fc555f1a29d |
+----------------------------------+----------+----------------------------------+----------------------------------+
(6)添加endpoint
[quote]keystone endpoint-create --region RegionOne --service-id d58dc871ca7d4773a834d462ba2bc09d --publicurl 'http://192.168.88.77:5000/v2.0' --adminurl 'http://192.168.88.77:35357/v2.0' --internalurl 'http://192.168.88.77:5000/v2.0'[/quote]
+----------------------------------+-----------+--------------------------------+--------------------------------+---------------------------------+----------------------------------+
| id | region | publicurl | internalurl | adminurl | service_id |
+----------------------------------+-----------+--------------------------------+--------------------------------+---------------------------------+----------------------------------+
| d0d11c518ba846bd9f2f8ff0bd9d8bb3 | RegionOne | http://192.168.88.77:5000/v2.0 | http://192.168.88.77:5000/v2.0 | http://192.168.88.77:35357/v2.0 | 8fa9dbaa448943d0802572dcceaa42b9 |
+----------------------------------+-----------+--------------------------------+--------------------------------+---------------------------------+----------------------------------+
查看所有插入信息
[quote]keystone tenant-list
keystone role-list
keystone user-list
keystone service-list
keystone user-role-list --tenant-id 90cef39a936b416c91054fc555f1a29d --user-id b7116f190d1145bd9faddf7513d1abe5
keystone endpoint-list[/quote]
12.测试
[quote]curl -d '{"auth": {"tenantName": "boventech", "passwordCredentials":{"username": "lisi", "password": "lee"}}}' -H "Content-type: application/json" http://192.168.88.77:35357/v2.0/tokens | python -mjson.tool[/quote]
这里就返回结果说一下:
情况:Unable to sign token,
出现原因:keystone-all 命令是由非root用户执行
[quote]% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 187 100 94 100 93 528 522 --:--:-- --:--:-- --:--:-- 556
{
"error": {
"code": 500,
"message": "Unable to sign token.",
"title": "Internal Server Error"
}
}[/quote]
正常显示:
[quote]% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2423 100 2330 100 93 11060 441 --:--:-- --:--:-- --:--:-- 11148
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"9fe2ff9ee4384b1894a90878d3e92bab",
"395cc0aba7df43c1a45b58b9a07ab4b7" //新版keystone提供的默认角色_member_
]
},
"serviceCatalog": [
{
"endpoints": [
{
"adminURL": "http://192.168.88.77:35357/v2.0",
"id": "d0d11c518ba846bd9f2f8ff0bd9d8bb3",
"internalURL": "http://192.168.88.77:5000/v2.0",
"publicURL": "http://192.168.88.77:5000/v2.0",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "KeyStone",
"type": "identity"
}
],
"token": {
"expires": "2013-03-14T03:36:45Z",
"id": "MIIEbwYJKoZIhvcNAQcCoIIEYDCCBFwCAQExCTAHBgUrDgMCGjCCA0gGCSqGSIb3DQEHAaCCAzkEggM1eyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0wMy0xM1QwMzozNjo0Ni4wMTE0OTciLCAiZXhwaXJlcyI6ICIyMDEzLTAzLTE0VDAzOjM2OjQ1WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImRlc2NyaXB0aW9uIjogImh1YXNoaSBkZSBjdW5jaHUiLCAiZW5hYmxlZCI6IHRydWUsICJpZCI6ICI5MGNlZjM5YTkzNmI0MTZjOTEwNTRmYzU1NWYxYTI5ZCIsICJuYW1lIjogImhzIn19LCAic2VydmljZUNhdGFsb2ciOiBbeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTkyLjE2OC44OC43NzozNTM1Ny92Mi4wIiwgInJlZ2lvbiI6ICJSZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzE5Mi4xNjguODguNzc6NTAwMC92Mi4wIiwgImlkIjogImIwODhhNWEyZjg5NzQ5ZTliMDA5NzRjY2U2MmRlMmViIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTkyLjE2OC44OC43Nzo1MDAwL3YyLjAifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJLZXlTdG9uZSJ9XSwgInVzZXIiOiB7InVzZXJuYW1lIjogImxlZSIsICJyb2xlc19saW5rcyI6IFtdLCAiaWQiOiAiNmYyYTc4NzNkZjA4NDAxMDljMGJjNTdkNzZlMTc2ZDgiLCAicm9sZXMiOiBbeyJuYW1lIjogIl9tZW1iZXJfIn0sIHsibmFtZSI6ICJBRE1JTiJ9XSwgIm5hbWUiOiAibGVlIn0sICJtZXRhZGF0YSI6IHsiaXNfYWRtaW4iOiAwLCAicm9sZXMiOiBbIjlmZTJmZjllZTQzODRiMTg5NGE5MDg3OGQzZTkyYmFiIiwgIjM5NWNjMGFiYTdkZjQzYzFhNDViNThiOWEwN2FiNGI3Il19fX0xgf8wgfwCAQEwXDBXMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVW5zZXQxDjAMBgNVBAcTBVVuc2V0MQ4wDAYDVQQKEwVVbnNldDEYMBYGA1UEAxMPd3d3LmV4YW1wbGUuY29tAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAa0XcVfa2wO1PhsK3J+VtFJHjS-xOg0LZSFJoKPCqmPR34DTngKglVp7UY-oR8IP83OtlhbULRh2ijOHBNQSfokWVWFiRkgqAcqZc7Kb13wfVewn9LrbRUubUmHUS6Vaycbu9XV27XRBs7xi2kSNfQf3wSikYCGOmJMKJk2FxwBQ=",
"issued_at": "2013-03-13T03:36:46.011497",
"tenant": {
"description": "LiSi Tenant",
"enabled": true,
"id": "90cef39a936b416c91054fc555f1a29d",
"name": "boventech"
}
},
"user": {
"id": "b7116f190d1145bd9faddf7513d1abe5",
"name": "lisi",
"roles": [
{
"name": "_member_"
},
{
"name": "ADMIN"
}
],
"roles_links": [],
"username": "lisi"
}
}
}[/quote]
13.单个keystone正常运行了,后续提供Folsom Swift与Folsom Keystone 结合
Openstack的相关参考资料(为自己mark一下):
[url]http://blog.chinaunix.net/uid-21335514-id-3497996.html[/url]
[url]http://blog.chinaunix.net/uid-22414998-id-3265685.html[/url]
[url]http://blog.youkuaiyun.com/ugyn109/article/details/8146687[/url]
使用non-root用户操作
1.将本地源更新到最新版本
[quote]sudo vi /etc/apt/sources.list
sudo apt-get update
sudo apt-get upgrade[/quote]
2.下载pip,git工具
[quote]sudo apt-get install python-pip
sudo apt-get install git[/quote]
3.下载相关工具
[quote]sudo apt-get install python-dev libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev[/quote]
4.下载keystone最新源码
[quote]git clone https://github.com/openstack/keystone.git[/quote]
cd keystone/
5.根据需要安装依赖
# Install the dependencies for running keystone
[quote]sudo pip install -r tools/pip-requires[/quote]
# Install the dependencies for developing, testing, and running keystone
[quote]sudo pip install -r tools/test-requires[/quote]
6.安装keystone
# Use python setup.py to link Keystone into python's site-packages
[quote]sudo python setup.py develop[/quote]
7.修改配置文件
[quote]vi etc/keystone.conf [/quote]
我现在使用的配置
[b][DEFAULT]
# A "shared secret" between keystone and other openstack services
admin_token =Lee
# The IP address of the network interface to listen on
bind_host = 192.168.88.77
# The port number which the public service listens on
public_port = 5000
# The port number which the public admin listens on
admin_port = 35357
# The base endpoint URLs for keystone that are advertised to clients
# (NOTE: this does NOT affect how keystone listens for connections)
public_endpoint = http://192.168.88.77:5000/
admin_endpoint = http://192.168.88.77:35357/
# The port number which the OpenStack Compute service listens on
compute_port = 8774
# Path to your policy definition containing identity actions
# TODO(dolph): This config method will probably be deprecated during grizzly
policy_file = policy.json
# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required
# Role for migrating membership relationships
# During a SQL upgrade, the following values will be used to create a new role
# that will replace records in the user_tenant_membership table with explicit
# role grants. After migration, the member_role_id will be used in the API
# add_user_to_project, and member_role_name will be ignored.
# member_role_id = 9fe2ff9ee4384b1894a90878d3e92bab
# member_role_name = _member_
# === Logging Options ===
# Print debugging output
# (includes plaintext request logging, potentially including passwords)
debug = true
# Print more verbose output
verbose = true
# Name of log file to output to. If not set, logging will go to stdout.
#log_file = keystone.log
# The directory to keep log files in (will be prepended to --logfile)
# log_dir = /var/log/keystone
# Use syslog for logging.
use_syslog = false
# syslog facility to receive log lines
# syslog_log_facility = LOG_USER
# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
#log_config = logging.conf
# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
#log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s
# Format string for %(asctime)s in log records.
#log_date_format = %Y-%m-%d %H:%M:%S
# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
onready = keystone.common.systemd
[sql]
# The SQLAlchemy connection string used to connect to the database
connection = sqlite:///keystone.db
# the timeout before idle sql connections are reaped
idle_timeout = 200
[identity]
driver = keystone.identity.backends.sql.Identity
# This references the domain to use for all Identity API v2 requests (which are
# not aware of domains). A domain with this ID will be created for you by
# keystone-manage db_sync in migration 008. The domain referenced by this ID
# cannot be deleted on the v3 API, to prevent accidentally breaking the v2 API.
# There is nothing special about this domain, other than the fact that it must
# exist to order to maintain support for your v2 clients.
#default_domain_id =default
[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
driver = keystone.catalog.backends.sql.Catalog
# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog
template_file = default_catalog.templates
[token]
driver = keystone.token.backends.kvs.Token
# Amount of time a token should remain valid (in seconds)
# expiration = 86400
[policy]
driver = keystone.policy.backends.sql.Policy
[ec2]
driver = keystone.contrib.ec2.backends.kvs.Ec2
[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#cert_required = True
[signing]
token_format = PKI
certfile = /etc/keystone/ssl/certs/signing_cert.pem
keyfile = /etc/keystone/ssl/private/signing_key.pem
ca_certs = /etc/keystone/ssl/certs/ca.pem
key_size = 1024
valid_days = 3650
ca_password = None
[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com
# page_size = 0
# The LDAP scope for queries, this can be either 'one'
# (onelevel/singleLevel) or 'sub' (subtree/wholeSubtree)
# query_scope = one
# user_tree_dn = ou=Users,dc=example,dc=com
# user_filter =
# user_objectclass = inetOrgPerson
# user_domain_id_attribute = businessCategory
# user_id_attribute = cn
# user_name_attribute = sn
# user_mail_attribute = email
# user_pass_attribute = userPassword
# user_enabled_attribute = enabled
# user_enabled_mask = 0
# user_enabled_default = True
# user_attribute_ignore = tenant_id,tenants
# user_allow_create = True
# user_allow_update = True
# user_allow_delete = True
# user_enabled_emulation = False
# user_enabled_emulation_dn =
# tenant_tree_dn = ou=Groups,dc=example,dc=com
# tenant_filter =
# tenant_objectclass = groupOfNames
# tenant_domain_id_attribute = businessCategory
# tenant_id_attribute = cn
# tenant_member_attribute = member
# tenant_name_attribute = ou
# tenant_desc_attribute = desc
# tenant_enabled_attribute = enabled
# tenant_attribute_ignore =
# tenant_allow_create = True
# tenant_allow_update = True
# tenant_allow_delete = True
# tenant_enabled_emulation = False
# tenant_enabled_emulation_dn =
# role_tree_dn = ou=Roles,dc=example,dc=com
# role_filter =
# role_objectclass = organizationalRole
# role_id_attribute = cn
# role_name_attribute = ou
# role_member_attribute = roleOccupant
# role_attribute_ignore =
# role_allow_create = True
# role_allow_update = True
# role_allow_delete = True
# group_tree_dn =
# group_filter =
# group_objectclass = groupOfNames
# group_id_attribute = cn
# group_name_attribute = ou
# group_member_attribute = member
# group_desc_attribute = desc
# group_attribute_ignore =
# group_allow_create = True
# group_allow_update = True
# group_allow_delete = True
[auth]
methods = password,token
password = keystone.auth.plugins.password.Password
token = keystone.auth.plugins.token.Token
[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory
[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory
[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory
[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory
[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory
[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory
[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory
[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory
[filter:sizelimit]
paste.filter_factory = keystone.middleware:RequestBodySizeLimiter.factory
[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory
[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory
[filter:access_log]
paste.filter_factory = keystone.contrib.access:AccessLogMiddleware.factory
[app:public_service]
paste.app_factory = keystone.service:public_app_factory
[app:service_v3]
paste.app_factory = keystone.service:v3_app_factory
[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory
[pipeline:public_api]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service
[pipeline:admin_api]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service
[pipeline:api_v3]
pipeline = access_log sizelimit stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3
[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory
[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory
[pipeline:public_version_api]
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body public_version_service
[pipeline:admin_version_api]
pipeline = access_log sizelimit stats_monitoring url_normalize xml_body admin_version_service
[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api
[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api[/b]
8.初始化并且同步数据库(命令在哪个目录执行,keystone.db就保存在哪里)
[quote]keystone-manage db_sync[/quote]
9.初始化证书到/etc/keystone/ssl
[quote]keystone-manage pki_setup[/quote]
10.启动服务([color=red][b]使用Root启动[/b][/color])
*****
使用non-root用户启动遇到测试请求后台会抛出异常:
Signing error: Unable to load certificate - ensure you've configured PKI with 'keystone-manage pki_setup'
前台会给出500的错误返回 Internal Server Error ,message : Unable to sign token
******
[quote]sudo su
keystone-all[/quote]
11.插入测试数据([color=red][b]使用non-root[/b][/color])测试
[quote]export SERVICE_TOKEN=Lee[/quote] [这里的Lee是keystone.conf设置的admin_token]
[quote]export SERVICE_ENDPOINT=http://192.168.88.77:35357/v2.0[/quote]
这里演示简单的数据:
(1)插入租户
[quote]keystone tenant-create --name boventech --description 'LiSi Tenant'[/quote]
+----------------------------------+-------------+---------+
| id | name | enabled |
+----------------------------------+-------------+---------+
| 90cef39a936b416c91054fc555f1a29d | boventech | True |
+----------------------------------+-------------+---------+
(2)插入权限
[quote]keystone role-create --name ADMIN[/quote]
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | bd7b8266304746a9b066310b3ba51fba |
| name | ADMIN |
+----------+----------------------------------+
(3)插入用户
[quote]keystone user-create --name lisi --tenant-id 90cef39a936b416c91054fc555f1a29d --pass lee --email si.li@boventech.com[/quote]
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | si.li@boventech.com |
| enabled | True |
| id | b7116f190d1145bd9faddf7513d1abe5 |
| name | lisi |
| tenantId | 90cef39a936b416c91054fc555f1a29d |
+----------+----------------------------------+
(4)插入服务
[quote]keystone service-create --name keystone --type identity --description 'Openstack Folsom KeyStone'[/quote]
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Openstack Folsom KeyStone |
| id | d58dc871ca7d4773a834d462ba2bc09d |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
(5)为用户附加权限
[quote]keystone user-role-add --user-id b7116f190d1145bd9faddf7513d1abe5 --role-id bd7b8266304746a9b066310b3ba51fba --tenant-id 90cef39a936b416c91054fc555f1a29d[/quote]
未提示错误就表示添加成功
也可以通过命令查询
[quote]keystone user-role-list --tenant-id 90cef39a936b416c91054fc555f1a29d --user-id b7116f190d1145bd9faddf7513d1abe5[/quote]
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | ADMIN | b7116f190d1145bd9faddf7513d1abe5 | 90cef39a936b416c91054fc555f1a29d |
+----------------------------------+----------+----------------------------------+----------------------------------+
(6)添加endpoint
[quote]keystone endpoint-create --region RegionOne --service-id d58dc871ca7d4773a834d462ba2bc09d --publicurl 'http://192.168.88.77:5000/v2.0' --adminurl 'http://192.168.88.77:35357/v2.0' --internalurl 'http://192.168.88.77:5000/v2.0'[/quote]
+----------------------------------+-----------+--------------------------------+--------------------------------+---------------------------------+----------------------------------+
| id | region | publicurl | internalurl | adminurl | service_id |
+----------------------------------+-----------+--------------------------------+--------------------------------+---------------------------------+----------------------------------+
| d0d11c518ba846bd9f2f8ff0bd9d8bb3 | RegionOne | http://192.168.88.77:5000/v2.0 | http://192.168.88.77:5000/v2.0 | http://192.168.88.77:35357/v2.0 | 8fa9dbaa448943d0802572dcceaa42b9 |
+----------------------------------+-----------+--------------------------------+--------------------------------+---------------------------------+----------------------------------+
查看所有插入信息
[quote]keystone tenant-list
keystone role-list
keystone user-list
keystone service-list
keystone user-role-list --tenant-id 90cef39a936b416c91054fc555f1a29d --user-id b7116f190d1145bd9faddf7513d1abe5
keystone endpoint-list[/quote]
12.测试
[quote]curl -d '{"auth": {"tenantName": "boventech", "passwordCredentials":{"username": "lisi", "password": "lee"}}}' -H "Content-type: application/json" http://192.168.88.77:35357/v2.0/tokens | python -mjson.tool[/quote]
这里就返回结果说一下:
情况:Unable to sign token,
出现原因:keystone-all 命令是由非root用户执行
[quote]% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 187 100 94 100 93 528 522 --:--:-- --:--:-- --:--:-- 556
{
"error": {
"code": 500,
"message": "Unable to sign token.",
"title": "Internal Server Error"
}
}[/quote]
正常显示:
[quote]% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 2423 100 2330 100 93 11060 441 --:--:-- --:--:-- --:--:-- 11148
{
"access": {
"metadata": {
"is_admin": 0,
"roles": [
"9fe2ff9ee4384b1894a90878d3e92bab",
"395cc0aba7df43c1a45b58b9a07ab4b7" //新版keystone提供的默认角色_member_
]
},
"serviceCatalog": [
{
"endpoints": [
{
"adminURL": "http://192.168.88.77:35357/v2.0",
"id": "d0d11c518ba846bd9f2f8ff0bd9d8bb3",
"internalURL": "http://192.168.88.77:5000/v2.0",
"publicURL": "http://192.168.88.77:5000/v2.0",
"region": "RegionOne"
}
],
"endpoints_links": [],
"name": "KeyStone",
"type": "identity"
}
],
"token": {
"expires": "2013-03-14T03:36:45Z",
"id": "MIIEbwYJKoZIhvcNAQcCoIIEYDCCBFwCAQExCTAHBgUrDgMCGjCCA0gGCSqGSIb3DQEHAaCCAzkEggM1eyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxMy0wMy0xM1QwMzozNjo0Ni4wMTE0OTciLCAiZXhwaXJlcyI6ICIyMDEzLTAzLTE0VDAzOjM2OjQ1WiIsICJpZCI6ICJwbGFjZWhvbGRlciIsICJ0ZW5hbnQiOiB7ImRlc2NyaXB0aW9uIjogImh1YXNoaSBkZSBjdW5jaHUiLCAiZW5hYmxlZCI6IHRydWUsICJpZCI6ICI5MGNlZjM5YTkzNmI0MTZjOTEwNTRmYzU1NWYxYTI5ZCIsICJuYW1lIjogImhzIn19LCAic2VydmljZUNhdGFsb2ciOiBbeyJlbmRwb2ludHMiOiBbeyJhZG1pblVSTCI6ICJodHRwOi8vMTkyLjE2OC44OC43NzozNTM1Ny92Mi4wIiwgInJlZ2lvbiI6ICJSZWdpb25PbmUiLCAiaW50ZXJuYWxVUkwiOiAiaHR0cDovLzE5Mi4xNjguODguNzc6NTAwMC92Mi4wIiwgImlkIjogImIwODhhNWEyZjg5NzQ5ZTliMDA5NzRjY2U2MmRlMmViIiwgInB1YmxpY1VSTCI6ICJodHRwOi8vMTkyLjE2OC44OC43Nzo1MDAwL3YyLjAifV0sICJlbmRwb2ludHNfbGlua3MiOiBbXSwgInR5cGUiOiAiaWRlbnRpdHkiLCAibmFtZSI6ICJLZXlTdG9uZSJ9XSwgInVzZXIiOiB7InVzZXJuYW1lIjogImxlZSIsICJyb2xlc19saW5rcyI6IFtdLCAiaWQiOiAiNmYyYTc4NzNkZjA4NDAxMDljMGJjNTdkNzZlMTc2ZDgiLCAicm9sZXMiOiBbeyJuYW1lIjogIl9tZW1iZXJfIn0sIHsibmFtZSI6ICJBRE1JTiJ9XSwgIm5hbWUiOiAibGVlIn0sICJtZXRhZGF0YSI6IHsiaXNfYWRtaW4iOiAwLCAicm9sZXMiOiBbIjlmZTJmZjllZTQzODRiMTg5NGE5MDg3OGQzZTkyYmFiIiwgIjM5NWNjMGFiYTdkZjQzYzFhNDViNThiOWEwN2FiNGI3Il19fX0xgf8wgfwCAQEwXDBXMQswCQYDVQQGEwJVUzEOMAwGA1UECBMFVW5zZXQxDjAMBgNVBAcTBVVuc2V0MQ4wDAYDVQQKEwVVbnNldDEYMBYGA1UEAxMPd3d3LmV4YW1wbGUuY29tAgEBMAcGBSsOAwIaMA0GCSqGSIb3DQEBAQUABIGAa0XcVfa2wO1PhsK3J+VtFJHjS-xOg0LZSFJoKPCqmPR34DTngKglVp7UY-oR8IP83OtlhbULRh2ijOHBNQSfokWVWFiRkgqAcqZc7Kb13wfVewn9LrbRUubUmHUS6Vaycbu9XV27XRBs7xi2kSNfQf3wSikYCGOmJMKJk2FxwBQ=",
"issued_at": "2013-03-13T03:36:46.011497",
"tenant": {
"description": "LiSi Tenant",
"enabled": true,
"id": "90cef39a936b416c91054fc555f1a29d",
"name": "boventech"
}
},
"user": {
"id": "b7116f190d1145bd9faddf7513d1abe5",
"name": "lisi",
"roles": [
{
"name": "_member_"
},
{
"name": "ADMIN"
}
],
"roles_links": [],
"username": "lisi"
}
}
}[/quote]
13.单个keystone正常运行了,后续提供Folsom Swift与Folsom Keystone 结合
Openstack的相关参考资料(为自己mark一下):
[url]http://blog.chinaunix.net/uid-21335514-id-3497996.html[/url]
[url]http://blog.chinaunix.net/uid-22414998-id-3265685.html[/url]
[url]http://blog.youkuaiyun.com/ugyn109/article/details/8146687[/url]
扫一扫
1826
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
