echo deb http://ubuntu-cloud.archive.canonical.com/ubuntu precise-updates/grizzly main >> /etc/apt/sources.list.d/grizzly.list
apt-get install -y ubuntu-cloud-keyring

# one way (older scala version will be installed)
# sudo apt-get install scala

#2nd way
sudo apt-get remove scala-library scala
wget http://www.scala-lang.org/files/archive/scala-2.11.4.deb
sudo dpkg -i scala-2.11.4.deb
sudo apt-get update
sudo apt-get install scala

# sbt installation
# remove sbt:> sudo apt-get purge sbt.

wget http://dl.bintray.com/sbt/debian/sbt-0.13.6.deb
sudo dpkg -i sbt-0.13.6.deb 
sudo apt-get update
sudo apt-get install sbt

// ---------------Openstack Cookbook----------------

pre-requisite tool:

sudo apt-get update
sudo apt-get -y install python-software-properties

use a particular release of PPA,

sudo add-apt-repository ppa:openstack-ubuntu-testing/havana-trunk-testing

Installing OpenStack Identity service

MYSQL_ROOT_PASS=openstack
MYSQL_HOST=172.16.0.200

#enable non-interactive installations of MySQL

echo "mysql-server-5.5 mysql-server/root_password password $MYSQL_ROOT_PASS" | sudo debconf-set-selections
echo "mysql-server-5.5 mysql-server/root_password_again password $MYSQL_ROOT_PASS" | sudo debconf-set-selections
echo "mysql-server-5.5 mysql-server/root_password seen true" | sudo debconf-set-selections
echo "mysql-server-5.5 mysql-server/root_password_again seen true" | sudo debconf-set-selections

export DEBIAN_FRONTEND=noninteractive
sudo apt-get update
sudo apt-get -q -y install mysql-server
sudo sed -i "^bind\-address.*/bind-address = ${MYSQL_HOST}/g" /etc/mysql/my.cnf
sudo service mysql restart

mysqladmin -uroot password ${MYSQL_ROOT_PASS}

mysql -u root --password=${MYSQL_ROOT_PASS} -h localhost -e "GRANT ALL ON *.* to root@\"localhost\" IDENTIFIED BY \"${MYSQL_ROOT_PASS}\" WITH GRANT OPTION;"

mysql -u root --password=${MYSQL_ROOT_PASS} -h localhost -e "GRANT ALL ON *.* to root@\"${MYSQL_HOST}\" IDENTIFIED BY \"${MYSQL_ROOT_PASS}\" WITH GRANT OPTION;"

mysql -u root --password=${MYSQL_ROOT_PASS} -h localhost -e "GRANT ALL ON *.* to root@\"%\" IDENTIFIED BY \"${MYSQL_ROOT_PASS}\" WITH GRANT OPTION;"

mysqladmin -uroot -p${MYSQL_ROOT_PASS} flush-privileges

vagrant ssh controller

1. Installation of OpenStack Identity service is done by specifying the keystone package in Ubuntu, and we do this as follows:

sudo apt-get update
sudo apt-get -y install keystone python-keyring

2. create the keystone database in MySQL

MYSQL_ROOT_PASS=openstack
mysql -uroot -p$MYSQL_ROOT_PASS -e "CREATE DATABASE keystone;"

3. create a user specific to OpenStack Identity service

MYSQL_ROOT_PASS=openstack
mysql -uroot -p$MYSQL_ROOT_PASS -e "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%';"
mysql -uroot -p$MYSQL_ROOT_PASS -e "SET PASSWORD FOR 'keystone'@'%' = PASSWORD('$MYSQL_ROOT_PASS')"

4. edit /etc/keystone/keystone.conf to configure OpenStack Identity service to use the database, change the sql_connection line to match the database credentials.

MYSQL_HOST=172.16.0.200
sudo sed -i "s#^connection.*#connection = mysql://keystone:openstack@172.16.0.200/keystone#" /etc/keystone/keystone.conf

5. let a super-user admin token resides in the /etc/keystone/keystone.conf file.

sudo sed -i "s/^# admin_token.*/admin_token = ADMIN" /etc/keystone/keystone.conf

6. disable the PKI infrastructure to cryptographically sign the tokens.

sudo sed -i "s/^#token_format.*/token_format = UUID" /etc/keystone/keystone.conf

7. restart the keystone service

sudo stop keystone
sudo start keystone

8. populate the keystone database with the required tables

sudo keystone-manage db_sync

Creating tenants

Getting ready

install keystoneclient toll on an Ubuntu client, to manage our OpenStack Identity service

vagrant ssh controller

sudo apt-get update
sudo apt-get -y install python-keystoneclient

Ensure that we have our environment set correctly to access our OpenStack environment for administrative purposes:

export ENDPOINT=172.16.172.200
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

1. create a tenant called cookbook

keystone tenant-create --name cookbook --description "Default Cookbook Tenant --enable true

2. create an admin tenant

keystone tenant-create --name cookbooc --description "Admin Tenant" --enabled true

Configuring roles

1. create the admin role

keystone role-create --name admin

2. create the member role

keystone role-create --name Member

Adding users

1. get the cookbook tenant ID

TENANT_ID=$(keystone tenant-list | awk '/\ cookbook \ / {print $2}')

2. create the admin user in the cookbook tenant

PASSWORD=openstack

keystone user-create --name admin --tenant_id $TENANT_ID --pass $PASSWORD --email root@localhost --enabled true

3. get the admin role id

ROLE_ID=$(keystone role-list | awk '/\ admin\ / {print $2}')

4. get the user id

USER_ID=$(keystone user-list | awk '/\ admin\ / {print $2}')

5. assign role to uer

keystone user-role-add --user $USER_ID --role $ROLE_ID --tenant_id $TENANT_ID

Defineing service endpoints

Each of the services in our cloud environment runs on a particular URL and port-these are the endpoint address of our services. When a client communicates with our OpenStack environment that runs OpenStack Identity service, it is this service that returns the endpoint URLs, which the user can then use in an OpenStack environment. To enable this feature, we must define these endpoints. In a cloud environment though, we can define multiple regions. Regions can be thought of as different datacenters, which would imply that they would have different URLs or IP addresses. Under OpenStack Identiry service, we can define these URL endpoints separately for each region. As we only have a single environment, we will reference this as RegionOne.

Getting ready

vagrant ssh controller

sudo apt-get update
sudo apt-get -y install python-keystoneclient

export ENDPOINT=172.16.0.200
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

steps:

1. define the actual services that OpenStack Identity service needs to know about in our environment

# OpenStack Compute Nova API Endpoint
keystone service-create --name nova --type compute --description 'OpenStack Compute Service'

# OpenStack Compute EC2 API Endpoint
keystone service-create --name ec2 --type ec2 --description 'EC2 Service'

# Glance Image Service Endpoint
keystone service-create --name glance --type image --description 'OpenStack Image Service'

# Keystone Identity Service Endpoint
keystone service-create --name keystone --type identity --description 'OpenStack Identity Service'

# Cinder Block Storage Endpoint
keystone service-create --name volume --type volume --description 'Volume Service'

2. add service endpoint URLs services run on.

# OpenStack Compute Nova API

NOVA_SERVICE_ID=$(keystone service-list | awk '/\ nova\ / {print $2}')

PUBLIC="http://$ENDPOINT:8774/v2/\$(tenant_id)s"
ADMIN=$PUBLIC
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $NOVA_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

3. define the rest of our service endpoints

# OpenStack Compute EC2 API

EC2_SERVICE_ID=$(keystone service-list | awk '/\ ec2\ / {print $2}')

PUBLIC="http://$ENDPOINT:8773/services/Cloud"
ADMIN="http://$ENDPOINT:8773/services/Admin"
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $EC2_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

# Glance Image Service

GLANCE_SERVICE_ID=$(keystone service-list | awk '/\ glance\ / {print $2}')

PUBLIC="http://$ENDPOINT:9292/v1"
ADMIN=$PUBLIC
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $GLANCE_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

# Keystone OpenStack Identity Service

KEYSTONE_SERVICE_ID=$(keystone service-list | awk '/\ keystone\ / {print $2}')

PUBLIC="http://$ENDPOINT:5000/v2.0"
ADMIN="http://$ENDPOINT:35357/v2.0"
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $KEYSTONE_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

#Cinder Block Storage ServiceService

CINDER_SERVICE_ID=$(keystone service-list | awk '/\ volume\ / {print $2}')

PUBLIC="http://$ENDPOINT:8776/v1/%(tenant_id)s"
ADMIN=$PUBLIC
INTERNAL=$PUBLIC

keystone endpoint-create --region RegionOne --service_id $CINDER_SERVICE_ID --publicurl $PUBLIC --adminurl $ADMIN --internalurl $INTERNAL

Creating the service tenant and service users

With the service endpoints created, we can now configure them so that our OpenStack services can utilize them. To do this, each service is configured with a username and password within a special service tenant. Configuring each service to have their own username and password allows for greater security, troubleshooting and, auditing within our environment. For each service that uses OpenStack Identity service for authentication and authorization, we then specify these details in their relevant configuration file, when setting up that service. Each service itself has to authenticate with keystone in order for it to be available within OpenStack. Configuration of that service is then done using these credentials. For example, for glance we specify the following in /etc/glance/glance-registry-api.ini, when used with OpenStack Identity service, which matches what we created previously:

[filter:authtoken]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_protocol = http
service_host = 172.16.0.200
service_port = 5000
auth_host = 172.16.0.200
auth_port = 35357
auth_protocol = http
auth_uri = http://172.16.0.200:5000/
admin_tenant_name = service
admin_user = glance
admin_password = glance

Getting ready

vagrant ssh controller

sudo apt-get update
sudo apt-get -y install python-keystoneclient

export ENDPOINT=172.16.0.200
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://${ENDPOINT}:35357/v2.0

Configure an appropriate service tenant:

1. create the tenant service

keystone tenant-create --name service --description "Service Tenant" --enabled true

2. record the ID of the service tenant

SERVICE_TENANT_ID=$(keystone tenant-list | awk '/\ service\ / {print $2}')

3. create the user account

keystone user-create --name nova --pass nova --tenant_id $SERVICE_TENANT_ID --email nova@localhost --enable true

4. create other user accounts

keystone user-create --name glance --pass glance --tenant_id $SERVICE_TENANT_ID --email glance@localhost --enable true
keystone user-create --name keystone --pass keystone --tenant_id $SERVICE_TENANT_ID --email keystone@localhost --enable true
keystone user-create --name cinder --pass cinder --tenant_id $SERVICE_TENANT_ID --email cinder@localhost --enable true

5. assign users and admin role in the service tenant.

NOVA_USER_ID=$(keystone user-list | awk '/\ nova\ / {print $2}')
ADMIN_ROLE_ID=$(keystone role-list | awk '/\ admin\ / {print $2}')
keystone user-role-add --user $NOVA_USER_ID --role $ADMIN_ROLE_ID --tenant_id $SERVICE_TENANT_ID

6. repeat step 5 for other service users

GLANCE_USER_ID=$(keystone user-list | awk '/\ glance\ / {print $2}')
keystone user-role-add --user $GLANCE_USER_ID --role $ADMIN_ROLE_ID --tenant_id $SERVICE_TENANT_ID

KEYSTONE_USER_ID=$(keystone user-list | awk '/\ keystone\ / {print $2}')
keystone user-role-add --user $KEYSTONE_USER_ID --role $ADMIN_ROLE_ID --tenant_id $SERVICE_TENANT_ID

CINDER_USER_ID=$(keystone user-list | awk '/\ cinder \ / {print $2}')
keystone user-role-add --user $CINDER_USER_ID --role $ADMIN_ROLE_ID --tenant_id $SERVICE_TENANT_ID

OpenStack (1) - Keystone OpenStack Identity Service的更多相关文章

  1. openstack setup demo Identity service

    openstack Identity service 名叫keystone.它提供了用户校验,以及服务目录查询(即列出所有的服务以及相关信息)等功能. keystone 主要包含以下几个部分 Serv ...

  2. Openstack组件部署 — 将一个自定义 Service 添加到 Keystone

    目录 目录 Keystone 认证流程 让 Keystone 为一个新的项目 Service 提供验证功能 最后 Keystone 认证流程 User 使用凭证(username/password) ...

  3. Openstack组件部署 — Keystone Install & Create service entity and API endpoints

    目录 目录 前文列表 Install and configure Prerequisites 先决条件 Create the database for identity service 生成一个随机数 ...

  4. OpenStack中Keystone的基本概念理解

    原文http://www.kankanews.com/ICkengine/archives/10788.shtml Keystone简介 Keystone(OpenStack Identity Ser ...

  5. OpenStack:安装Keystone

    >安装Keystone1. 安装# apt-get install keystone2. 创建dbcreate database keystone;grant all privileges on ...

  6. Openstack中keystone与外部LDAP Server的集成

    openstack中keystone鉴权的用户user和password信息,通常保存在mysql数据库的keystone库: 表local_user和表password: keystone也支持外部 ...

  7. openstack 之~keystone部署

    第一:版本信息 官网http://docs.openstack.org/newton/install-guide-rdo/keystone.html 我们按照Newton这个版本来部署,opensta ...

  8. openstack 之~keystone基础

    第一:keystone是什么? keystone是 OpenStack Identity Service 的项目名称,是一个负责身份管理验证.服务规则管理和服务令牌功能.它实现了openstack的i ...

  9. openstack学习-KeyStone安装(二)

    一.安装keystone # yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached 二.设置Memca ...

随机推荐

  1. jQuery1.9.1--queue队列源码分析(非动画部分)

    jQuery.extend({ // 显示或操作在匹配元素上执行的函数队列 queue: function (elem, type, data) { var queue; if (elem) { // ...

  2. 输入格式--InputFormat和InputSplit

    1)InputFormat的类图: InputFormat 直接子类有三个:DBInputFormat.DelegatingInputFormat和FileInputFormat,分别表示输入文件的来 ...

  3. 通过Docker配置DNS服务器

    1. 概述 DockerHub中的 sameersbn/bind 镜像提供了搭建DNS服务器的功能,本文给出使用该镜像搭建DNS服务器的例子. 2. 环境 DNS服务器主机 IP:10.11.150. ...

  4. 【五】PHP数组操作函数

    1.输出数组的结构:bool print_r(数组); $arr=array('jack','mike','tom'); print_r($arr);//Array ( [0] => jack ...

  5. LCIS 最长公共上升子序列

    这个博客好久没写了,这几天为了准备清华交叉研究院的夏令营,在复习大一大二ACM训练时的一些基础算法,正好碰到LICS,发现没有写在博客里,那就顺便记录一下好了. 参考链接:http://blog.cs ...

  6. Delphi的时间处理

    这几天因为自己要学习编写一个小程序中要用到一些时间处理.就在网上搜集一些教材学习到一般的应用,做个笔记,加深印象. 用上Delphi中相应的函数,Delphi的时间处理起来还是很容易的. Delphi ...

  7. 程序员必须知道的git托管平台

    http://www.open-open.com/lib/view/open1420704561390.html

  8. C# 获取windows特殊路径

    虽然是古老的问题,最近用到这个,查一下还不少东东呐 一.使用Environment.SpecialFolder 该方法最简单,直接使用即可,只是提供的特殊路径比较少. (1)使用方法:string p ...

  9. Linux搜狗输入法在有道云笔记上输入冗余

    Linux下,在有道云笔记中用搜狗拼音输入法时,会出现输入冗余,类似于输入法的缓冲上屏了.这是有道云笔记Web页面的问题. 暂时的解决办法是按Ctrl + alt + p. 不仅搜狗输入法,凡是用fc ...

  10. list, set操作

    def union_list(l1, l2): result = [] if not l1: result.extend(l2) return result if not l2: result.ext ...