##3.Keystone 驗證服務--openstack

##3.Keystone 驗證服務

  openstack pike 安裝 目錄彙總 http://www.cnblogs.com/elvi/p/7613861.html

#SQL上建立數據庫並受權

#Keystone安裝
yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
yum install apr apr-util -y
#memcached啓動和設置
cp /etc/sysconfig/memcached{,.bak}
systemctl enable memcached.service
systemctl start memcached.service
netstat -antp|grep 11211

#Keystone 配置
cp /etc/keystone/keystone.conf{,.bak}  #備份默認配置
Keys=$(openssl rand -hex 10)  #生成隨機密碼
echo $Keys
echo "kestone  $Keys">>~/openstack.log
echo "
[DEFAULT]
admin_token = $Keys
verbose = true
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone
[token]
provider = fernet
driver = memcache
[memcache]
servers = controller:11211
">/etc/keystone/keystone.conf

#初始化身份認證服務的數據庫
su -s /bin/sh -c "keystone-manage db_sync" keystone
#檢查表是否建立成功
mysql -h controller -ukeystone -pkeystone -e "use keystone;show tables;"
#初始化密鑰存儲庫
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
#設置admin用戶（管理用戶）和密碼
keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

#apache配置
cp /etc/httpd/conf/httpd.conf{,.bak}
echo "ServerName controller">>/etc/httpd/conf/httpd.conf
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

#Apache HTTP 啓動並設置開機自啓動
systemctl enable httpd.service
systemctl restart httpd.service
netstat -antp|egrep ':5000|:35357|:80'
# systemctl disable

#建立 OpenStack 客戶端環境腳本
#admin環境腳本
echo "
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default 
export OS_PROJECT_NAME=admin 
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
">./admin-openstack.sh
#測試腳本是否生效
source ./admin-openstack.sh
openstack token issue


#建立service項目,建立glance,nova,neutron用戶，並受權
openstack project create --domain default --description "Service Project" service
openstack user create --domain default --password=glance glance
openstack role add --project service --user glance admin
openstack user create --domain default --password=nova nova
openstack role add --project service --user nova admin
openstack user create --domain default --password=neutron neutron
openstack role add --project service --user neutron admin


#建立demo項目(普通用戶密碼及角色)
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password=demo demo
openstack role create user
openstack role add --project demo --user demo user
#demo環境腳本
echo "
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
">./demo-openstack.sh
#測試腳本是否生效
source ./demo-openstack.sh
openstack token issue