四、认证服务

keystone 安装在 controller 节点，为了提高服务性能，使用 apache 提供WEB请求，由 memcached 来保存 Token 信息
1、安装修改软件包

yum install openstack-keystone httpd mod_wsgi memcached python-memcached openstack-utils python-openstackclient

后面许多命令包含在python-openstackclient openstack-utils里面哦
2、配置keystone
修改keystone配置文件 /etc/keystone/keystone.conf，太长了，还是使用命令吧

openssl rand -hex 10  #生成随机数 ee36fc4faf6a3f1f07b1
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ee36fc4faf6a3f1f07b1
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
openstack-config --set /etc/keystone/keystone.conf token driver memcache #设置token存放的位置
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone #初始化Fernet keys
chown -R keystone:keystone /etc/keystone #要不然启动是会报没有存放token的目录

3、创建数据库表
同步数据库：注意权限，所以要用su -s 切换到keystone用户下执行

su -s /bin/sh -c "keystone-manage db_sync" keystone
验证数据是否创建成功
mysql -ukeystone -pkeystone
use keystone;
show tables;

4、使用httpd做代理
必须要配置httpd的ServerName,否则keystone服务不能起来

vim /etc/httpd/conf/httpd.conf
ServerName master

链接keystone配置文件，并用apache来代理它：5000 正常的api来访问 35357 管理访问的端口
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
在用openstack-staus时，keystone服务的状态是inactive。
需要做一下服务链接

ln -s /usr/lib/systemd/system/httpd.service /etc/systemd/system/openstack-keystone.service
systemctl daemon-reload
systemctl restart openstack-keystone
openstack-status

#配置启动memcached
systemctl enable memcached
systemctl start memcached
systemctl enable httpd
systemctl start httpd
#查看是否启动
netstat -lntup|grep httpd

5、Bootstrap the Identity service:

# keystone-manage bootstrap --bootstrap-password admin\
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

创建keystone的项目，角色，用户
先配置两个用户的环境(/home目录）

vim admin-openrc.sh 
export OS_TOKEN=ee36fc4faf6a3f1f07b1
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

 vim demo-openrc.sh 
export OS_TOKEN=ee36fc4faf6a3f1f07b1
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
##添加执行权限
chmod +x admin-openrc.sh demo-openrc.sh
source admin-openrc.sh #使环境生效

grep -n '^admin_token' /etc/keystone/keystone.conf#ee36fc4faf6a3f1f07b1
export OS_TOKEN =ee36fc4faf6a3f1f07b1
如果报401,token等错误
unset  OS_TOKEN  OS_AUTH_URL
source admin-openrc.sh #使环境生效

创建keystone的项目，角色，用户

openstack service create --name keystone --description "OpenStack Identity" identity  #创建identity项目
openstack project create --domain default --description "Admin Project" admin #创建admin项目
openstack project create --domain default --description "Service Project" service #创建service项目
openstack user create --domain default --password-prompt admin  #创建admin用户
openstack role create admin       #创建admin角色
openstack role add --project admin --user admin admin   #将admin用户,admin项目，admin角色关联起来
-------下面是创建普通用户"demo"--------
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password=demo demo
openstack role create user
openstack role add --project demo --user demo user

6、验证是否正常
检查是否正常：

openstack --os-auth-url http://controller:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type admin token issue
查看api接口
openstack endpoint list