echo deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/grizzly main >> /etc/apt/sources.list.d/grizzly.list
apt-get install -y ubuntu-cloud-keyring

# one way (older scala version will be installed)
# sudo apt-get install scala

#2nd way
sudo apt-get remove scala-library scala
wget http://www.scala-lang.org/files/archive/scala-2.11.4.deb
sudo dpkg -i scala-2.11.4.deb
sudo apt-get update
sudo apt-get install scala

# sbt installation
# remove sbt:> sudo apt-get purge sbt.

wget http://dl.bintray.com/sbt/debian/sbt-0.13.6.deb
sudo dpkg -i sbt-0.13.6.deb 
sudo apt-get update
sudo apt-get install sbt

// ---------------Openstack Cookbook----------------

pre-requisite tool:

sudo apt-get update
sudo apt-get -y install python-software-properties

use a particular release of PPA,

sudo add-apt-repository ppa:openstack-ubuntu-testing/havana-trunk-testing

Installing OpenStack Identity service

MYSQL_ROOT_PASS=openstack
MYSQL_HOST=172.16.0.200

#enable non-interactive installations of MySQL

echo "mysql-server-5.5 mysql-server/root_password password $MYSQL_ROOT_PASS" | sudo debconf-set-selections
echo "mysql-server-5.5 mysql-server/root_password_again password $MYSQL_ROOT_PASS" | sudo debconf-set-selections
echo "mysql-server-5.5 mysql-server/root_password seen true" | sudo debconf-set-selections
echo "mysql-server-5.5 mysql-server/root_password_again seen true" | sudo debconf-set-selections

export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get -q -y install mysql-server
sudo sed -i "^bind\-address.*/bind-address = ${MYSQL_HOST}/g" /etc/mysql/my.cnf
sudo service mysql restart

mysqladmin -uroot password ${MYSQL_ROOT_PASS}

mysql -u root --password=${MYSQL_ROOT_PASS} -h localhost -e "GRANT ALL ON *.* to root@\"localhost\" IDENTIFIED BY \"${MYSQL_ROOT_PASS}\" WITH GRANT OPTION;"

mysql -u root --password=${MYSQL_ROOT_PASS} -h localhost -e "GRANT ALL ON *.* to root@\"${MYSQL_HOST}\" IDENTIFIED BY \"${MYSQL_ROOT_PASS}\" WITH GRANT OPTION;"

mysql -u root --password=${MYSQL_ROOT_PASS} -h localhost -e "GRANT ALL ON *.* to root@\"%\" IDENTIFIED BY \"${MYSQL_ROOT_PASS}\" WITH GRANT OPTION;"

mysqladmin -uroot -p${MYSQL_ROOT_PASS} flush-privileges

vagrant ssh controller

1. Installation of OpenStack Identity service is done by specifying the keystone package in Ubuntu, and we do this as follows:

sudo apt-get update
sudo apt-get -y install keystone python-keyring

2. create the keystone database in MySQL

MYSQL_ROOT_PASS=openstack
mysql -uroot -p$MYSQL_ROOT_PASS -e "CREATE DATABASE keystone;"

3. create a user specific to OpenStack Identity service

MYSQL_ROOT_PASS=openstack
mysql -uroot -p$MYSQL_ROOT_PASS -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%';"
mysql -uroot -p$MYSQL_ROOT_PASS -e "SET PASSWORD FOR 'keystone'@'%' = PASSWORD('$MYSQL_ROOT_PASS')"

4. edit /etc/keystone/keystone.conf to configure OpenStack Identity service to use the database, change the sql_connection line to match the database credentials.

MYSQL_HOST=172.16.0.200
sudo sed -i "s#^connection.*#connection = mysql://keystone:openstack@172.16.0.200/keystone#" /etc/keystone/keystone.conf

5. let a super-user admin token resides in the /etc/keystone/keystone.conf file.

sudo sed -i "s/^# admin_token.*/admin_token = ADMIN" /etc/keystone/keystone.conf

6. disable the PKI infrastructure to cryptographically sign the tokens.

sudo sed -i "s/^#token_format.*/token_format = UUID" /etc/keystone/keystone.conf

7. restart the keystone service

sudo stop keystone
sudo start keystone

8. populate the keystone database with the required tables

sudo keystone-manage db_sync

Creating tenants

Getting ready

install keystoneclient toll on an Ubuntu client, to manage our OpenStack Identity service

vagrant ssh controller

sudo apt-get update
sudo apt-get -y install python-keystoneclient

Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

export ENDPOINT=172.16.172.200
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

1. create a tenant called cookbook

keystone tenant-create --name cookbook --description "Default Cookbook Tenant --enable true

2. create an admin tenant

keystone tenant-create --name cookbooc --description "Admin Tenant" --enabled true

Configuring roles

1. create the admin role

keystone role-create --name admin

2. create the member role

keystone role-create --name Member

Adding users

1. get the cookbook tenant ID

TENANT_ID=$(keystone tenant-list | awk '/\ cookbook \ / {print $2}')

2. create the admin user in the cookbook tenant

PASSWORD=openstack

keystone user-create --name admin --tenant_id $TENANT_ID --pass $PASSWORD --email root@localhost --enabled true

3. get the admin role id

ROLE_ID=$(keystone role-list | awk '/\ admin\ / {print $2}')

4. get the user id

USER_ID=$(keystone user-list | awk '/\ admin\ / {print $2}')

5. assign role to uer

keystone user-role-add --user $USER_ID --role $ROLE_ID --tenant_id $TENANT_ID

Defineing service endpoints

Each of the services in our cloud environment runs on a particular URL and port-these are the endpoint address of our services. When a client communicates with our OpenStack environment that runs OpenStack Identity service, it is this service that returns the endpoint URLs, which the user can then use in an OpenStack environment. To enable this feature, we must define these endpoints. In a cloud environment though, we can define multiple regions. Regions can be thought of as different datacenters, which would imply that they would have different URLs or IP addresses. Under OpenStack Identiry service, we can define these URL endpoints separately for each region. As we only have a single environment, we will reference this as RegionOne.

Getting ready

vagrant ssh controller

sudo apt-get update
sudo apt-get -y install python-keystoneclient

export ENDPOINT=172.16.0.200
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

steps:

1. define the actual services that OpenStack Identity service needs to know about in our environment

# OpenStack Compute Nova API Endpoint
keystone service-create --name nova --type compute --description 'OpenStack Compute Service'

# OpenStack Compute EC2 API Endpoint
keystone service-create --name ec2 --type ec2 --description 'EC2 Service'

# Glance Image Service Endpoint
keystone service-create --name glance --type image --description 'OpenStack Image Service'

# Keystone Identity Service Endpoint
keystone service-create --name keystone --type identity --description 'OpenStack Identity Service'

# Cinder Block Storage Endpoint
keystone service-create --name volume --type volume --description 'Volume Service'

2. add service endpoint URLs services run on.

# OpenStack Compute Nova API

NOVA_SERVICE_ID=$(keystone service-list | awk '/\ nova\ / {print $2}')

PUBLIC="http://$ENDPOINT:8774/v2/\$(tenant_id)s"
ADMIN=$PUBLIC
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $NOVA_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

3. define the rest of our service endpoints

# OpenStack Compute EC2 API

EC2_SERVICE_ID=$(keystone service-list | awk '/\ ec2\ / {print $2}')

PUBLIC="http://$ENDPOINT:8773/services/Cloud"
ADMIN="http://$ENDPOINT:8773/services/Admin"
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $EC2_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

# Glance Image Service

GLANCE_SERVICE_ID=$(keystone service-list | awk '/\ glance\ / {print $2}')

PUBLIC="http://$ENDPOINT:9292/v1"
ADMIN=$PUBLIC
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $GLANCE_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

# Keystone OpenStack Identity Service

KEYSTONE_SERVICE_ID=$(keystone service-list | awk '/\ keystone\ / {print $2}')

PUBLIC="http://$ENDPOINT:5000/v2.0"
ADMIN="http://$ENDPOINT:35357/v2.0"
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $KEYSTONE_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

#Cinder Block Storage ServiceService

CINDER_SERVICE_ID=$(keystone service-list | awk '/\ volume\ / {print $2}')

PUBLIC="http://$ENDPOINT:8776/v1/%(tenant_id)s"
ADMIN=$PUBLIC
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $CINDER_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

Creating the service tenant and service users

With the service endpoints created, we can now configure them so that our OpenStack services can utilize them. To do this, each service is configured with a username and password within a special service tenant. Configuring each service to have their own username and password allows for greater security, troubleshooting and, auditing within our environment. For each service that uses OpenStack Identity service for authentication and authorization, we then specify these details in their relevant configuration file, when setting up that service. Each service itself has to authenticate with keystone in order for it to be available within OpenStack. Configuration of that service is then done using these credentials. For example, for glance we specify the following in /etc/glance/glance-registry-api.ini, when used with OpenStack Identity service, which matches what we created previously:

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 172.16.0.200
service_port = 5000
auth_host = 172.16.0.200
auth_port = 35357
auth_protocol = http
auth_uri = http://172.16.0.200:5000/
admin_tenant_name = service
admin_user = glance
admin_password = glance

Getting ready

vagrant ssh controller

sudo apt-get update
sudo apt-get -y install python-keystoneclient

export ENDPOINT=172.16.0.200
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

Configure an appropriate service tenant:

1. create the tenant service

keystone tenant-create --name service --description "Service Tenant" --enabled true

2. record the ID of the service tenant

SERVICE_TENANT_ID=$(keystone tenant-list | awk '/\ service\ / {print $2}')

3. create the user account

keystone user-create --name nova --pass nova --tenant_id $SERVICE_TENANT_ID --email nova@localhost --enable true

4. create other user accounts

keystone user-create --name glance --pass glance --tenant_id $SERVICE_TENANT_ID --email glance@localhost --enable true
keystone user-create --name keystone --pass keystone --tenant_id $SERVICE_TENANT_ID --email keystone@localhost --enable true
keystone user-create --name cinder --pass cinder --tenant_id $SERVICE_TENANT_ID --email cinder@localhost --enable true

5. assign users and admin role in the service tenant.

NOVA_USER_ID=$(keystone user-list | awk '/\ nova\ / {print $2}')
ADMIN_ROLE_ID=$(keystone role-list | awk '/\ admin\ / {print $2}')
keystone user-role-add --user $NOVA_USER_ID --role $ADMIN_ROLE_ID --tenant_id $SERVICE_TENANT_ID

6. repeat step 5 for other service users

GLANCE_USER_ID=$(keystone user-list | awk '/\ glance\ / {print $2}')
keystone user-role-add --user $GLANCE_USER_ID --role $ADMIN_ROLE_ID --tenant_id $SERVICE_TENANT_ID

KEYSTONE_USER_ID=$(keystone user-list | awk '/\ keystone\ / {print $2}')
keystone user-role-add --user $KEYSTONE_USER_ID --role $ADMIN_ROLE_ID --tenant_id $SERVICE_TENANT_ID

CINDER_USER_ID=$(keystone user-list | awk '/\ cinder \ / {print $2}')
keystone user-role-add --user $CINDER_USER_ID --role $ADMIN_ROLE_ID --tenant_id $SERVICE_TENANT_ID

OpenStack (1) - Keystone OpenStack Identity Service的更多相关文章

  1. openstack setup demo Identity service

    openstack Identity service 名叫keystone.它提供了用户校验,以及服务目录查询(即列出所有的服务以及相关信息)等功能. keystone 主要包含以下几个部分 Serv ...

  2. Openstack组件部署 — 将一个自定义 Service 添加到 Keystone

    目录 目录 Keystone 认证流程 让 Keystone 为一个新的项目 Service 提供验证功能 最后 Keystone 认证流程 User 使用凭证(username/password) ...

  3. Openstack组件部署 — Keystone Install & Create service entity and API endpoints

    目录 目录 前文列表 Install and configure Prerequisites 先决条件 Create the database for identity service 生成一个随机数 ...

  4. OpenStack中Keystone的基本概念理解

    原文http://www.kankanews.com/ICkengine/archives/10788.shtml Keystone简介 Keystone(OpenStack Identity Ser ...

  5. OpenStack:安装Keystone

    >安装Keystone1. 安装# apt-get install keystone2. 创建dbcreate database keystone;grant all privileges on ...

  6. Openstack中keystone与外部LDAP Server的集成

    openstack中keystone鉴权的用户user和password信息,通常保存在mysql数据库的keystone库: 表local_user和表password: keystone也支持外部 ...

  7. openstack 之~keystone部署

    第一:版本信息 官网http://docs.openstack.org/newton/install-guide-rdo/keystone.html 我们按照Newton这个版本来部署,opensta ...

  8. openstack 之~keystone基础

    第一:keystone是什么? keystone是 OpenStack Identity Service 的项目名称,是一个负责身份管理验证.服务规则管理和服务令牌功能.它实现了openstack的i ...

  9. openstack学习-KeyStone安装(二)

    一.安装keystone # yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached 二.设置Memca ...

随机推荐

  1. 服务接口API限流 Rate Limit

    一.场景描述 很多做服务接口的人或多或少的遇到这样的场景,由于业务应用系统的负载能力有限,为了防止非预期的请求对系统压力过大而拖垮业务应用系统. 也就是面对大流量时,如何进行流量控制? 服务接口的流量 ...

  2. vc++ 获取当前用户名

    #include<afxwin.h> #include <stdio.h> int main(void) { char userName[MAX_PATH]; unsigned ...

  3. POJ 3978 Primes(素数筛选法)

    题目 简单的计算A,B之间有多少个素数 只是测试数据有是负的 //AC //A和B之间有多少个素数 //数据可能有负的!!! #include<string.h> #include< ...

  4. Javascript nextElementSibling和nextSibling

    function next(ele) { if (typeof ele.nextElementSibling == 'object') { return ele.nextElementSibling; ...

  5. 【转】SQL Server T-SQL写文本文件

    原文:http://www.nigelrivett.net/SQLTsql/WriteTextFile.html The are several methods of creating text fi ...

  6. centOS学习part1:操作系统安装

    0 linux作为服务器的主要操作系统,在处理速度以及安全性上都要优于windows,虽然需要很多命令要记,但是一般常用的命令不多,用多了就熟悉了,而且现在很多都要图形界面,也降低了学习成本. cen ...

  7. 51Nod 算法马拉松15 记一次悲壮而又开心的骗分比赛

    OwO 故事的起源大概是zcg前天发现51Nod晚上有场马拉松,然后他就很开心的过去打了 神奇的故事就开始了: 晚上的时候我当时貌似正在写线段树?然后看见zcg一脸激动告诉我第一题有九个点直接输出B就 ...

  8. Tomcat日志问题

    [Tomcat日志设定][tomcat控制台日志][log4j日志] 1 Tomcat 日志概述 Tomcat 日志信息分 为 两 类 : 一是运行中的日志,它主要 记录 运行的一些信息,尤其是一些异 ...

  9. NoSQL数据库有哪些

    NoSQL太火,冒出太多产品了,保守估计也成百上千了. 互联网公司常用的基本集中在以下几种,每种只举一个比较常见或者应用比较成功的例子吧. 1. In-Memory KV Store : Redis ...

  10. React事件属性

    一.简介 二.滚动例子,滚动改变颜色 <!DOCTYPE html> <html lang="zh-cn"> <head> <meta c ...