Previous Article: Build an OpenStack cloud platform based on openEuler2209 (1)
2 Install and configure the Identity service
The OpenStack Identity service (code name keystone) provides a single point of integration for managing authentication, authorization, and the service catalog. It provides API client authentication, service discovery, and distributed multi-tenant authorization through the Identity API.
For scalability, this guide also configures the Fernet token provider and deploys the Apache HTTP server to handle requests.
The Identity service is usually the first service users interact with in OpenStack. Once authenticated, users can use their identity to access other OpenStack services. Likewise, the other OpenStack services rely on the Identity service to verify that users are who they claim to be and to discover where other services are located in a deployment.
2.1 Create a keystone database and grant permissions
On the control node, connect to the MariaDB database as root, create the keystone database, and then grant the keystone user access to it. KEYSTONE_DBPASS is the password the keystone user will use to access the keystone database.
[root@xgk-ctl ~]# mysql -u root -p
Enter password:    # enter the database root password set earlier
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
flush privileges;
exit;
2.2 Install the package
[root@xgk-ctl ~]# dnf -y install openstack-keystone httpd mod_wsgi
2.3 Configure /etc/keystone/keystone.conf file
[root@xgk-ctl ~]# cp -a /etc/keystone/keystone.conf{,.bak}
[root@xgk-ctl ~]# grep -Ev '^$|#' /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
[root@xgk-ctl ~]# vim /etc/keystone/keystone.conf
[database]
......original file content omitted here......
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@xgk-ctl/keystone
# the part after mysql+pymysql:// is, in order: database user:password@hostname/database name
......original file content omitted here......
[token]
provider = fernet
......original file content omitted here......
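The connection line packs four fields into one URL, and the edited file also has to carry provider = fernet. The Python below is an added example, not part of the original article or of keystone itself: it parses a constructed copy of the edited keystone.conf with configparser, splits the connection URL into driver, user, password, host and database, flags the guide's placeholder password, and shows how to redact the URL before it is written to a log. The function names and the sample text are the example's own.

```python
"""Sanity checks for the keystone.conf edits made in section 2.3 (added example)."""
import configparser
from urllib.parse import urlparse, urlunparse

# Constructed sample mirroring the edited file from the guide; not a real deployment's file.
SAMPLE_CONF = """
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@xgk-ctl/keystone

[token]
provider = fernet
"""

# Placeholder secrets used by the guide; none of them should survive into a real deployment.
PLACEHOLDERS = {"KEYSTONE_DBPASS", "ADMIN_PASS", "DEMO_PASS"}


def parse_connection(url):
    """Split a SQLAlchemy-style URL (driver://user:password@host/database) into its fields."""
    p = urlparse(url)
    if not p.scheme or p.hostname is None or not p.path.strip("/"):
        raise ValueError("connection URL is not of the form driver://user:password@host/database")
    return {
        "driver": p.scheme,
        "user": p.username,
        "password": p.password,
        "host": p.hostname,
        "database": p.path.lstrip("/"),
    }


def redact_connection(url):
    """Return the URL with the password replaced by *** so it can be logged safely."""
    p = urlparse(url)
    if p.password is None:
        return url
    netloc = f"{p.username}:***@{p.hostname}"
    if p.port:
        netloc += f":{p.port}"
    return urlunparse(p._replace(netloc=netloc))


def check_keystone_conf(text):
    """Return a list of findings for the given keystone.conf text; an empty list means all checks passed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    conn = cp.get("database", "connection", fallback=None)
    if conn is None:
        findings.append("[database] connection is missing")
    else:
        fields = parse_connection(conn)
        if fields["driver"] != "mysql+pymysql":
            findings.append(f"[database] connection uses driver {fields['driver']!r}; the guide expects mysql+pymysql")
        if fields["user"] != "keystone" or fields["database"] != "keystone":
            findings.append("[database] connection does not use the keystone user and keystone database")
        if not fields["password"] or fields["password"] in PLACEHOLDERS:
            findings.append("[database] connection password is a placeholder from the guide; set a real secret")

    provider = cp.get("token", "provider", fallback=None)
    if provider != "fernet":
        findings.append(f"[token] provider is {provider!r}; the guide expects fernet")
    return findings


if __name__ == "__main__":
    for finding in check_keystone_conf(SAMPLE_CONF):
        print("FINDING:", finding)
    print("connection (redacted):", redact_connection(parse_connection(SAMPLE_CONF.split("connection = ")[1].split()[0]) and SAMPLE_CONF.split("connection = ")[1].split()[0]))
```

Run against the sample, the script reports exactly one finding (the placeholder password); replacing KEYSTONE_DBPASS with a real secret clears it.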
2.4 Synchronize database
[root@xgk-ctl ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
2.5 Initialize the Fernet key repository
[root@xgk-ctl ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@xgk-ctl ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Note: The --keystone-user and --keystone-group flags specify the user and group that keystone runs as.
2.6 Start the service
[root@xgk-ctl ~]# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://xgk-ctl:5000/v3/ \
  --bootstrap-internal-url http://xgk-ctl:5000/v3/ \
  --bootstrap-public-url http://xgk-ctl:5000/v3/ \
  --bootstrap-region-id RegionOne
Note: ADMIN_PASS is the password for the admin user.
2.7 Configure the Apache server
2.7.1 Configure /etc/httpd/conf/httpd.conf file
Add a line at the end of the configuration file: ServerName xgk-ctl
Alternatively, find the commented-out ServerName line, remove the leading comment character, and set its value to the hostname of the control node.
[root@xgk-ctl ~]# echo "ServerName xgk-ctl" >> /etc/httpd/conf/httpd.conf
2.7.2 Create soft link
Create a soft link to /usr/share/keystone/wsgi-keystone.conf
[root@xgk-ctl ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
2.7.3 Start the httpd service and set it to start automatically at boot
[root@xgk-ctl ~]# systemctl enable httpd.service
[root@xgk-ctl ~]# systemctl start httpd.service
2.8 Create domain, projects, users and roles
The Identity service provides authentication for every other OpenStack service. Authentication is built on a combination of domains, projects, users, and roles.
2.8.1 Create environment variable configuration
[root@xgk-ctl ~]# cat << EOF >> /etc/keystone/admin-openrc
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://xgk-ctl:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
2.8.2 Installing packages
Before creating domains, projects, users, and roles, install the python3-openstackclient package.
[root@xgk-ctl ~]# dnf -y install python3-openstackclient
2.8.3 Create domain
A default domain has already been created when the Identity service is started. The example domain below demonstrates the procedure for creating a new domain.
[root@xgk-ctl ~]# source /etc/keystone/admin-openrc
[root@xgk-ctl ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | a0f1abb3c02448719c1079323d3ac64e |
| name        | example                          |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+
2.8.4 Create a project
Create a project called service in the default domain.
[root@xgk-ctl ~]# openstack project create --domain default --description "Service Project" service
Next, create a non-administrator project myproject, a user myuser and a role myrole, and then assign the myrole role to myuser on myproject.
1. Create the myproject project
[root@xgk-ctl ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | a9a1630648c34468be5d540e7fd65523 |
| is_domain   | False                            |
| name        | myproject                        |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
2. Create the myuser user
[root@xgk-ctl ~]# openstack user create --domain default --password-prompt myuser
User Password:          # set the password for myuser here, e.g. DEMO_PASS; it is needed again later
Repeat User Password:   # enter the same password again
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | f8472742c25a43319ebbd5e0732f8214 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
3. Create the myrole role
[root@xgk-ctl ~]# openstack role create myrole
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 0c3111c9e8e848b3b60373fd8c33d0c9 |
| name        | myrole                           |
| options     | {}                               |
+-------------+----------------------------------+
4. Add the myrole role to the myproject project and the myuser user
[root@xgk-ctl ~]# openstack role add --project myproject --user myuser myrole
2.9 Verify operation
It is recommended to verify that authentication against the Identity service works before installing the other services.
Before requesting a token, unset the OS_AUTH_URL and OS_PASSWORD environment variables so that the requests below supply the authentication URL and password explicitly.
[root@xgk-ctl ~]# source /etc/keystone/admin-openrc
[root@xgk-ctl ~]# unset OS_AUTH_URL OS_PASSWORD
2.9.1 Admin user requests authentication
[root@xgk-ctl ~]# openstack --os-auth-url http://xgk-ctl:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
Password:    # enter the admin password here
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-12-16T03:12:08+0000                                                                                                                                                                |
| id         | gAAAAABjm9P4rqSNKf4jJRj6MNdhVr43F05doACVGkjAe2PbG-t4lKhBtb7DM-fFFftx3jfQHrZAOxhvKBUv1V_39SCntT07lwmbl1EgrDyYdf9TFxfdeiKeRWtLgqFhVf3GFZeKOYlYjZpFXnAzyVebCpl5yeoUBXKzImRJ_sL022lxP1uz2Yw |
| project_id | 83c34dc70d18476097211c384d2e435c                                                                                                                                                        |
| user_id    | 028ab68c29e64c5f8911ee36d3d2a497                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2.9.2 Ordinary user myuser requests authentication
[root@xgk-ctl ~]# openstack --os-auth-url http://xgk-ctl:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name myproject --os-username myuser token issue
Password:    # enter the password set when creating myuser
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-12-16T03:15:39+0000                                                                                                                                                                |
| id         | gAAAAABjm9TLQMfwd115ZBCVDdIFhXb7nnj2aisRcOhVhoSw0NTV58EeDJVtrsAq4q_pYyuUVIcDyJt8Q9Bmd3949drapGPtdA0MWFXaAJAjq_GeChtS2__3WWCBWBdlUhruTHgarEEtJUPoEKEh_5GJT_EZnXPj4vaGxOzK6XELkaCOYWjfcGA |
| project_id | a9a1630648c34468be5d540e7fd65523                                                                                                                                                        |
| user_id    | f8472742c25a43319ebbd5e0732f8214                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
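The id column in both tables is a Fernet token. Its first nine bytes are cleartext (a version byte and the issue time in seconds), and everything after them is encrypted and HMAC-protected with the keys created by the fernet_setup step, so the id is a bearer secret that must be kept out of logs and shell histories. The Python below is an added example, not part of the article or of keystone: it decodes the header of the two tokens printed above, checks that each was issued exactly 3600 seconds before the printed expiry (which matches keystone's default [token] expiration of 3600 seconds), and provides a redaction helper for log output. The function names are the example's own.

```python
"""Inspect the cleartext header of the Fernet tokens issued in section 2.9 (added example)."""
import base64
import struct
from datetime import datetime

# Token ids and expiry strings copied from the two 'token issue' tables above.
ADMIN_TOKEN = "gAAAAABjm9P4rqSNKf4jJRj6MNdhVr43F05doACVGkjAe2PbG-t4lKhBtb7DM-fFFftx3jfQHrZAOxhvKBUv1V_39SCntT07lwmbl1EgrDyYdf9TFxfdeiKeRWtLgqFhVf3GFZeKOYlYjZpFXnAzyVebCpl5yeoUBXKzImRJ_sL022lxP1uz2Yw"
ADMIN_EXPIRES = "2022-12-16T03:12:08+0000"
MYUSER_TOKEN = "gAAAAABjm9TLQMfwd115ZBCVDdIFhXb7nnj2aisRcOhVhoSw0NTV58EeDJVtrsAq4q_pYyuUVIcDyJt8Q9Bmd3949drapGPtdA0MWFXaAJAjq_GeChtS2__3WWCBWBdlUhruTHgarEEtJUPoEKEh_5GJT_EZnXPj4vaGxOzK6XELkaCOYWjfcGA"
MYUSER_EXPIRES = "2022-12-16T03:15:39+0000"

# Fernet layout: version(1) | timestamp(8, big-endian seconds) | IV(16) | ciphertext | HMAC-SHA256(32)
HEADER_LEN = 1 + 8 + 16
HMAC_LEN = 32


def parse_fernet_token(token):
    """Decode the parts of a Fernet token that are readable without the signing key.

    Keystone strips the base64 '=' padding from token ids, so it is restored before decoding.
    Nothing here verifies or decrypts the token; that requires the keys in /etc/keystone/fernet-keys.
    """
    raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    if len(raw) < HEADER_LEN + HMAC_LEN or raw[0] != 0x80:
        raise ValueError("not a Fernet token (bad length or version byte)")
    (issued_at,) = struct.unpack(">Q", raw[1:9])
    return {
        "version": raw[0],
        "issued_at": issued_at,                  # Unix seconds when keystone minted the token
        "iv": raw[9:HEADER_LEN],
        "ciphertext_len": len(raw) - HEADER_LEN - HMAC_LEN,
        "hmac": raw[-HMAC_LEN:],
    }


def token_lifetime_seconds(token, expires):
    """Lifetime implied by the CLI output: printed expiry minus the issue time in the header."""
    exp = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
    return int(exp.timestamp()) - parse_fernet_token(token)["issued_at"]


def redact_token(token):
    """Keep only the 12-character header prefix (version + timestamp) for log lines."""
    return token[:12] + "..."


if __name__ == "__main__":
    for name, token, expires in (("admin", ADMIN_TOKEN, ADMIN_EXPIRES),
                                 ("myuser", MYUSER_TOKEN, MYUSER_EXPIRES)):
        hdr = parse_fernet_token(token)
        print(f"{name}: issued_at={hdr['issued_at']} ciphertext={hdr['ciphertext_len']}B "
              f"lifetime={token_lifetime_seconds(token, expires)}s token={redact_token(token)}")
```

The 12-character prefix kept by redact_token covers exactly the version byte and the timestamp, so a log line still records when the token was issued without exposing the usable credential.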
2.9.3 Create an environment variable configuration file for the non-administrator user myuser
[root@xgk-ctl ~]# cat << EOF >> /etc/keystone/demo-openrc
export OS_USERNAME=myuser
export OS_PASSWORD=DEMO_PASS
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_AUTH_URL=http://xgk-ctl:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF