---+!! Installing and Configuring the Identity Service (KEYSTONE)

%TOC%

---+ Installing keystone

*Server designated for the installation:* hostname1.domain

Install keystone with the =yum= package manager:
<verbatim>
# yum install openstack-utils openstack-keystone python-keystoneclient
</verbatim>

Install the MySQL server:
<verbatim>
# yum install mysql mysql-server MySQL-python
</verbatim>

Make the =mysqld= service start by default when the server reboots, and start it now:
<verbatim>
# chkconfig mysqld on
# service mysqld start
</verbatim>

Set the MySQL =root= password:
<verbatim>
# mysqladmin -u root password *******
</verbatim>

---++ Configuring keystone

   * Remove the file =/var/lib/keystone/keystone.db= (the sqlite DB) if it exists. !MySQL will be used instead: it lets several keystone instances share the same DB and lets the DB itself be replicated using the !MySQL features.
   * To initialise the keystone DB, i.e. create the =keystone= database and the =keystone= user with full access to it, run:
<verbatim>
openstack-db --init --service keystone
</verbatim>
   * Check that =/etc/keystone/keystone.conf= contains a line like the following (edit it if necessary):
<verbatim>
connection = mysql://keystone:<YOUR_KEYSTONEDB_PASSWORD>@hostname1.domain/keystone
</verbatim>
   Here <YOUR_KEYSTONEDB_PASSWORD> must be replaced with the password chosen for the =keystone= DB user. If that user was given a password different from the one in this line, remember to change it here as well.
   * In =/etc/keystone/keystone.conf= the line
<verbatim>
admin_token = XXXXXXXXXX
</verbatim>
   must be changed to hold a random string, obtained for example with the command:
<verbatim>
# export ADMIN_TOKEN=$(openssl rand -hex 10)
</verbatim>
   The string obtained this way can be written into the configuration file by hand or with the command:
<verbatim>
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN
</verbatim>
   * Make sure the service is enabled at boot, and start it if it is stopped:
<verbatim>
chkconfig openstack-keystone on
service openstack-keystone restart
</verbatim>
   * Synchronise the database schema with =keystone-manage db_sync=

---++ Initial setup

Create the file =.keystonerc= with the following variables:
<verbatim>
export ADMIN_TOKEN=XXXXXXXXXXXXXX
export OS_USERNAME=adminUser
export OS_PASSWORD=XXXXXXXXXXXXXX
export OS_TENANT_NAME=Devel-Tenant
export OS_AUTH_URL=http://stack-01.cnaf.infn.it:5000/v2.0/
</verbatim>
and source it with =. .keystonerc=

The commands in the following sections also use =$KEYSTONE35357= and =$KEYSTONE5000=, the admin and public keystone endpoints (=http://131.154.101.242:35357/v2.0= and =http://131.154.101.242:5000/v2.0= in the endpoint output further down), and variables such as =$DEVEL_TENANT_ID=, =$ADMIN_USER_ID= and =$ADMIN_ROLE_ID= that hold the =id= values printed by the corresponding create commands.

---+++ Creating the tenant

*TENANT*: _A container used to group or isolate resources and/or identity objects. Depending on the service operator, a tenant may map to a customer, account, organization, or project._
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 tenant-create --name Devel-Tenant --description "Devel Tenant" --enabled true
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Devel Tenant                     |
| enabled     | True                             |
| id          | c10d9c9f296b47f8a1212dd7a98357e0 |
| name        | Devel-Tenant                     |
+-------------+----------------------------------+
</verbatim>

---+++ Creating the "adminUser" user

*USER*: _A digital representation of a person, system, or service who uses OpenStack cloud services. Identity authentication services will validate that incoming requests are being made by the user who claims to be making the call. Users have a login and may be assigned tokens to access resources. Users may be directly assigned to a particular tenant and behave as if they are contained in that tenant._
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $DEVEL_TENANT_ID --name $OS_USERNAME --pass $OS_PASSWORD --enabled true
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    | None                                                                                                                    |
| enabled  | True                                                                                                                    |
| id       | b0305faa3ace4671bc0399e71a0a1cc1                                                                                        |
| name     | adminUser                                                                                                               |
| password | $6$rounds=40000$FXbQphsGDVj.Qw6B$q2e/hqj/Jnv7l.r3HW9VLTVyHaRbCB7pySvJ9prsWahvQ.GJyELRARXL4apPZAltov6f3FRAwfXu5yE5kAUbg0 |
| tenantId | c10d9c9f296b47f8a1212dd7a98357e0                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
</verbatim>

---+++ Creating the "admin" and "memberRole" roles

*ROLE*: _A personality that a user assumes when performing a specific set of operations. A role includes a set of rights and privileges. A user assuming that role inherits those rights and privileges. In the identity service, a token that is issued to a user includes the list of roles that user can assume. Services that are being called by that user determine how they interpret the set of roles a user has and which operations or resources each role grants access to._
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 role-create --name admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | 6d67c71be79643e0bf497571510a6894 |
| name     | admin                            |
+----------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 role-create --name memberRole
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| id       | ee2b7e07f35d4927a0f60b54c55fd1a4 |
| name     | memberRole                       |
+----------+----------------------------------+
</verbatim>

---++++ Assigning the "admin" role to the "adminUser" user
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user $ADMIN_USER_ID --tenant_id $DEVEL_TENANT_ID --role $ADMIN_ROLE_ID
</verbatim>
Nothing is printed if the command succeeds.

---++ Create a Service Tenant.

This tenant contains all the services that we make known to the service catalog.
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 tenant-create --name service --description "Service Tenant" --enabled true
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Service Tenant                   |
| enabled     | True                             |
| id          | edc5b7a35c644466849123cc937f9a04 |
| name        | service                          |
+-------------+----------------------------------+
</verbatim>

---+++ Create a Glance Service User in the Service Tenant.

You'll do this for any service you add to be in the Keystone service catalog.
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $SERVICE_TENANT_ID --name glance --pass $GLANCE_PASSW --enabled true
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    | None                                                                                                                    |
| enabled  | True                                                                                                                    |
| id       | f085dd93f0ae42daa1a0623b9ec978f4                                                                                        |
| name     | glance                                                                                                                  |
| password | $6$rounds=40000$Jt2pbmLiN4liEImG$BheACef6A.wSgpj5EKn.XrAihLYy41y06rrAs3pEPr4Y/IF2uLSt9ADprzFGlATwfbimn98fp/e35wM2f783W1 |
| tenantId | edc5b7a35c644466849123cc937f9a04                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
</verbatim>

---+++ Grant the admin role to the glance user in the service tenant.
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user $GLANCE_USER_ID --tenant_id $SERVICE_TENANT_ID --role $ADMIN_ROLE_ID
</verbatim>
There is no output to this command.

---+++ Create a Nova Service User in the Service Tenant.
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $SERVICE_TENANT_ID --name nova --pass $NOVA_PASSW --enabled true
+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    | None                                                                                                                    |
| enabled  | True                                                                                                                    |
| id       | 6916a161eb55476a8b2615dae7d00f27                                                                                        |
| name     | nova                                                                                                                    |
| password | $6$rounds=40000$Fi6fO6FbiWQH./Sg$ICF/qEdojYNNCSGQlicUAoFMntUREVz96DPPM4bOHsRBAB0t6vIOEDxSUh3q0IJXFGeH0YASNgmmVIU6CRklw. |
| tenantId | edc5b7a35c644466849123cc937f9a04                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+
</verbatim>

---++++ Grant the admin role to the nova user in the service tenant.
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user $NOVA_USER_ID --tenant_id $SERVICE_TENANT_ID --role $ADMIN_ROLE_ID
</verbatim>
There is no output to this command.

---+++ Create an EC2 Service User in the Service Tenant.

Skipped.

---++++ Grant the admin role to the ec2 user in the service tenant.

Skipped.

---+++ Create an Object Storage Service User in the Service Tenant.

Skipped.

---++++ Grant the admin role to the swift user in the service tenant.

Skipped.

---++ Enable Keystone

This step concerns S3; in any case the file =/etc/keystone/keystone.conf= was modified following the guide.

---++ Defining services

Keystone also acts as a service catalog to let other OpenStack systems know where relevant API endpoints exist for OpenStack Services. The OpenStack Dashboard, in particular, uses the service catalog heavily, and this must be configured for the OpenStack Dashboard to function properly.
The file =/etc/keystone/keystone.conf= must contain the following lines:
<verbatim>
[catalog]
driver = keystone.catalog.backends.sql.Catalog
</verbatim>

---+++ Creating keystone services and service endpoints

---++++ Define the Identity service
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=keystone --type=identity --description="Keystone Identity Service"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Keystone Identity Service        |
| id          | cfda291164a2416f99ddffc137ba14f9 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=$KEYSTONE_SERVICE_ID --publicurl=$KEYSTONE5000 --internalurl=$KEYSTONE5000 --adminurl=$KEYSTONE35357
+-------------+-----------------------------------+
|   Property  |               Value               |
+-------------+-----------------------------------+
| adminurl    | http://131.154.101.242:35357/v2.0 |
| id          | e63155b607e1433f9ae8c66bc87c8ebf  |
| internalurl | http://131.154.101.242:5000/v2.0  |
| publicurl   | http://131.154.101.242:5000/v2.0  |
| region      | RegionOne                         |
| service_id  | cfda291164a2416f99ddffc137ba14f9  |
+-------------+-----------------------------------+
</verbatim>

---+++ Define the Compute service

It requires a separate endpoint for each tenant. Here we use the service tenant from the previous section. The =%(tenant_id)s= and the single quotes around the publicurl, internalurl, and adminurl must be typed exactly as shown for both the Compute endpoint and the Volume endpoint.
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=nova --type=compute --description="Nova Compute Service"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Nova Compute Service             |
| id          | 83486ca8422c4cb0aa4be1a231556ee3 |
| name        | nova                             |
| type        | compute                          |
+-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=$NOVA_COMPUTE_SERVICE_ID --publicurl='http://131.154.101.242:8774/v2/%(tenant_id)s' --internalurl='http://131.154.101.242:8774/v2/%(tenant_id)s' --adminurl='http://131.154.101.242:8774/v2/%(tenant_id)s'
+-------------+----------------------------------------------+
|   Property  |                    Value                     |
+-------------+----------------------------------------------+
| adminurl    | http://131.154.101.242:8774/v2/%(tenant_id)s |
| id          | ef8874ac56b34b538536b053591d440e             |
| internalurl | http://131.154.101.242:8774/v2/%(tenant_id)s |
| publicurl   | http://131.154.101.242:8774/v2/%(tenant_id)s |
| region      | RegionOne                                    |
| service_id  | 83486ca8422c4cb0aa4be1a231556ee3             |
+-------------+----------------------------------------------+
</verbatim>

---+++ Define the Volume service

Skipped. It also requires a separate endpoint for each tenant.
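The =%(tenant_id)s= placeholder in the stored endpoint URL is expanded by keystone with Python %-style formatting when it builds the service catalog of a token scoped to a tenant. The Python below is an added example, not code from this page or from keystone itself: it validates stored endpoint templates (catching a missing or mistyped placeholder, which would make the expansion fail) and builds the v2.0 =serviceCatalog= entries for the identity and compute endpoints defined on this page. The service ids, URLs and tenant id are the values shown on this page; the function names are my own.

```python
import re
from urllib.parse import urlparse

# Constructed from this page's service-create output: service_id -> (name, type)
SERVICES = {
    "cfda291164a2416f99ddffc137ba14f9": ("keystone", "identity"),
    "83486ca8422c4cb0aa4be1a231556ee3": ("nova", "compute"),
}

# Constructed from this page's endpoint-create output (the stored templates)
ENDPOINTS = [
    {"region": "RegionOne", "service_id": "cfda291164a2416f99ddffc137ba14f9",
     "publicurl": "http://131.154.101.242:5000/v2.0",
     "internalurl": "http://131.154.101.242:5000/v2.0",
     "adminurl": "http://131.154.101.242:35357/v2.0"},
    {"region": "RegionOne", "service_id": "83486ca8422c4cb0aa4be1a231556ee3",
     "publicurl": "http://131.154.101.242:8774/v2/%(tenant_id)s",
     "internalurl": "http://131.154.101.242:8774/v2/%(tenant_id)s",
     "adminurl": "http://131.154.101.242:8774/v2/%(tenant_id)s"},
]

PLACEHOLDER = re.compile(r"%\(tenant_id\)s")

def check_endpoint_template(url, service_type):
    """Problems with a stored endpoint template (empty list if it is fine).
    Per-tenant services (compute, volume) must carry the exact %(tenant_id)s
    placeholder; a mistyped one would make keystone fail to expand the URL."""
    problems = []
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        problems.append("not an absolute http(s) URL: %r" % url)
    if service_type in ("compute", "volume"):
        if not PLACEHOLDER.search(url):
            problems.append("%s endpoint lacks %%(tenant_id)s: %r" % (service_type, url))
    elif "%(" in url:
        problems.append("%s endpoint should not be a template: %r" % (service_type, url))
    return problems

def expand(url, tenant_id):
    """Substitute the template with %-formatting and a dict, as keystone does."""
    try:
        return url % {"tenant_id": tenant_id}
    except (KeyError, ValueError, TypeError) as exc:
        raise ValueError("bad endpoint template %r: %s" % (url, exc))

def build_service_catalog(services, endpoints, tenant_id):
    """v2.0 serviceCatalog entries for a token scoped to tenant_id."""
    catalog = []
    for ep in endpoints:
        name, stype = services[ep["service_id"]]
        catalog.append({"name": name, "type": stype, "endpoints": [{
            "region": ep["region"],
            "publicURL": expand(ep["publicurl"], tenant_id),
            "internalURL": expand(ep["internalurl"], tenant_id),
            "adminURL": expand(ep["adminurl"], tenant_id)}]})
    return catalog
```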
---+++ Define the Image service
<verbatim>
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=glance --type=image --description="Glance Image Service"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Glance Image Service             |
| id          | 4ebfd4612e8145d188140dcbd62bcaff |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=$GLANCE_SERVICE_ID --publicurl=http://131.154.101.242:9292/v1 --internalurl=http://131.154.101.242:9292/v1 --adminurl=http://131.154.101.242:9292/v1
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| adminurl    | http://131.154.101.242:9292/v1   |
| id          | 044f6be2f3224b3f96283bb26dcc0949 |
| internalurl | http://131.154.101.242:9292/v1   |
| publicurl   | http://131.154.101.242:9292/v1   |
| region      | RegionOne                        |
| service_id  | 4ebfd4612e8145d188140dcbd62bcaff |
+-------------+----------------------------------+
</verbatim>

---+++ Define the EC2 compatibility service

Skipped.

---+++ Define the Object Storage service

Skipped.

---++ Troubleshooting

Request a token directly from the admin endpoint with =curl= and pretty-print the JSON response:
<verbatim>
yum install curl openssl
curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials": {"username": "adminUser", "password": "********"}}}' -H "Content-type:application/json" http://131.154.101.242:35357/v2.0/tokens | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
183   252  126   252    0   114   4021   1819 --:--:-- --:--:-- --:--:--  2225
{
    "access": {
        "serviceCatalog": {},
        "token": {
            "expires": "2012-08-30T12:22:54Z",
            "id": "927b3fb9806f494386c8c1e5af62ad21"
        },
        "user": {
            "id": "b0305faa3ace4671bc0399e71a0a1cc1",
            "name": "adminUser",
            "roles": [],
            "roles_links": [],
            "username": "adminUser"
        }
    }
}
</verbatim>

---+++ keystone user-list
<verbatim>
# keystone user-list
+----------------------------------+---------+-------+-----------+
|                id                | enabled | email |    name   |
+----------------------------------+---------+-------+-----------+
| 6916a161eb55476a8b2615dae7d00f27 |   True  |  None |    nova   |
| b0305faa3ace4671bc0399e71a0a1cc1 |   True  |  None | adminUser |
| f085dd93f0ae42daa1a0623b9ec978f4 |   True  |  None |   glance  |
+----------------------------------+---------+-------+-----------+
</verbatim>

---+++ keystone service-list
<verbatim>
# keystone service-list
+----------------------------------+----------+----------+---------------------------+
|                id                |   name   |   type   |        description        |
+----------------------------------+----------+----------+---------------------------+
| 83486ca8422c4cb0aa4be1a231556ee3 |   nova   | compute  |    Nova Compute Service   |
| cfda291164a2416f99ddffc137ba14f9 | keystone | identity | Keystone Identity Service |
+----------------------------------+----------+----------+---------------------------+
</verbatim>

---+++ keystone endpoint-list
<verbatim>
# keystone endpoint-list
+----------------------------------+-----------+----------------------------------------------+----------------------------------------------+----------------------------------------------+
|                id                |   region  |                  publicurl                   |                 internalurl                  |                   adminurl                   |
+----------------------------------+-----------+----------------------------------------------+----------------------------------------------+----------------------------------------------+
| e63155b607e1433f9ae8c66bc87c8ebf | RegionOne | http://131.154.101.242:5000/v2.0             | http://131.154.101.242:5000/v2.0             | http://131.154.101.242:35357/v2.0            |
| ef8874ac56b34b538536b053591d440e | RegionOne | http://131.154.101.242:8774/v2/%(tenant_id)s | http://131.154.101.242:8774/v2/%(tenant_id)s | http://131.154.101.242:8774/v2/%(tenant_id)s |
+----------------------------------+-----------+----------------------------------------------+----------------------------------------------+----------------------------------------------+
</verbatim>

-- Main.PaoloVeronesi - 2012-08-30
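To interpret a token response like the one returned by the =curl= request in the Troubleshooting section, here is an added Python check, not part of the original page or of keystone: it parses a v2.0 token response and reports whether the token is expired, was issued to the expected user, is scoped to a tenant, and carries roles and a service catalog (the Dashboard needs the catalog, as noted above). The sample response is constructed from the output shown on this page; the function and argument names are my own.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the response printed in the Troubleshooting section
SAMPLE = json.loads("""{"access": {"serviceCatalog": {},
  "token": {"expires": "2012-08-30T12:22:54Z", "id": "927b3fb9806f494386c8c1e5af62ad21"},
  "user": {"id": "b0305faa3ace4671bc0399e71a0a1cc1", "name": "adminUser",
           "roles": [], "roles_links": [], "username": "adminUser"}}}""")

def parse_ts(ts):
    """Parse the UTC timestamp format keystone v2.0 uses for 'expires'."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_token_response(resp, expected_user, now_ts):
    """Findings about a v2.0 token response; an empty list means the token is
    valid at now_ts (same timestamp format), issued to expected_user, tenant-scoped,
    and carries roles and a non-empty service catalog."""
    findings = []
    access = resp.get("access", {})
    token = access.get("token", {})
    user = access.get("user", {})
    if not token.get("id"):
        findings.append("no token id in response")
    expires = token.get("expires")
    if not expires:
        findings.append("token has no expiry")
    elif parse_ts(expires) <= parse_ts(now_ts):
        findings.append("token expired at %s" % expires)
    if user.get("username") != expected_user:
        findings.append("token issued to %r, expected %r" % (user.get("username"), expected_user))
    if "tenant" not in token:
        findings.append("token is unscoped (no tenant in token)")
    if not user.get("roles"):
        findings.append("token carries no roles: usually unscoped, or no user-role-add in this tenant")
    if not access.get("serviceCatalog"):
        findings.append("serviceCatalog is empty: no endpoints defined, or token not tenant-scoped")
    return findings
```

Running the check on the sample from this page reports the empty roles, the empty catalog and the missing tenant, which is why the Dashboard would not work with such a token.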
Topic revision: r2 - 2012-10-09 - MatteoManzali