Installing and Configuring the Identity Service (KEYSTONE)


Installing Keystone

Target server for the installation: hostname1.domain .

  • Install keystone with the yum package manager:
    # yum install openstack-utils openstack-keystone python-keystoneclient
    
  • Install the MySQL server:
    # yum install mysql mysql-server MySQL-python
    
  • Make the mysqld service start by default at boot, and start it now:
    # chkconfig mysqld on
    # service mysqld start
    
  • Set the MySQL root password:
    # mysqladmin -u root password *******
    
    Note: a password given on the command line ends up in the shell history and is visible to other local users in the process list while the command runs. Prefer mysql_secure_installation, which prompts for the root password and also removes the anonymous accounts and the test database.
    


Configuring Keystone

  • Remove the file /var/lib/keystone/keystone.db (the sqlite DB) if it exists. MySQL will be used instead: it lets several keystone instances share the same DB, and the DB itself can be replicated with MySQL's own features.
    
    
  • To initialize the keystone DB, i.e. create the keystone database and the keystone user with full access to it, run:
    # openstack-db --init --service keystone
    
  • Check in /etc/keystone/keystone.conf (section [sql]) that a line like the following exists, and edit it if necessary:
    connection = mysql://keystone:keystone@hostname1.domain/keystone
    
    Note: in keystone:keystone the first keystone is the user name, the second is the password. These are the defaults that openstack-db --init --service keystone uses when it initializes the keystone DB. They are acceptable for a test install only: on any server reachable from other hosts, give the keystone DB user a different password, update this line to match, and restrict the MySQL account to the hosts that run keystone.
 
  • Set the admin_token parameter in /etc/keystone/keystone.conf to a random value:
    # openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $(openssl rand -hex 10)
    
    Note: admin_token is a shared secret that grants full administrative access to the Identity API without any user credentials; it is meant only for the bootstrap steps below. Keep keystone.conf readable only by root and the keystone user, do not leave the token in scripts or shell history, and expose the admin port (35357) only to trusted networks.
 
  • Create the keystone tables in the new database. openstack-db --init may already have done this; running db_sync again is harmless, and it must happen before the service is started:
    # keystone-manage db_sync
    
  • Make sure the service starts at boot, and start it now:
    # chkconfig openstack-keystone on
    # service openstack-keystone restart
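A sanity check for the two settings above that are most often left at their defaults, added here as an example; it is not part of the original page or of the keystone tools. It assumes an INI-style keystone.conf with the connection line in [sql] and admin_token in [DEFAULT], and treats a DB password of keystone, or an admin_token equal to ADMIN (the sample-config placeholder) or not a hex string, as weak. make_sample_conf only builds constructed files for the demonstration; point check_keystone_conf at the real /etc/keystone/keystone.conf in practice.

```bash
#!/bin/bash
# Added example (not from the original page): check that keystone.conf
# no longer carries the default DB credentials or a placeholder admin_token.

# Print the value of the first "key = value" line for $2 in file $1
# (sections are ignored; the keys checked here occur once).
conf_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# 0 if the SQL connection line has a password other than the
# openstack-db default "keystone" (and has one at all), else 1.
db_password_changed() {
    local conn cred pw
    conn=$(conf_get "$1" connection)
    cred=${conn#*://}          # user:password@host/db -> user:password@host/db
    cred=${cred%%@*}           # -> user:password
    case "$cred" in *:*) pw=${cred#*:} ;; *) pw= ;; esac
    [ -n "$pw" ] && [ "$pw" != "keystone" ]
}

# 0 if admin_token is not the sample placeholder "ADMIN" and looks like
# the output of "openssl rand -hex 10" (20 hex chars or more), else 1.
admin_token_is_random() {
    local tok
    tok=$(conf_get "$1" admin_token)
    if [ "$tok" = "ADMIN" ]; then return 1; fi
    printf '%s' "$tok" | grep -Eq '^[0-9a-f]{20,}$'
}

# Run both checks on the given conf file; print a report; 0 only if both pass.
check_keystone_conf() {
    local rc=0
    if db_password_changed "$1"; then
        echo "ok: DB password is not the default"
    else
        echo "WEAK: connection= still uses the default keystone/keystone"; rc=1
    fi
    if admin_token_is_random "$1"; then
        echo "ok: admin_token is a random hex value"
    else
        echo "WEAK: admin_token is the sample default or not random"; rc=1
    fi
    return $rc
}

# Build a constructed keystone.conf for demonstration (assumed layout).
# $1 = path, $2 = connection value, $3 = admin_token value
make_sample_conf() {
    printf '[DEFAULT]\nadmin_token = %s\n\n[sql]\nconnection = %s\n' "$3" "$2" > "$1"
}
```

Run it as check_keystone_conf /etc/keystone/keystone.conf after the steps above; a non-zero exit means at least one of the two values is still at its default.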
    


Creating tenant, user and role for the administrator

For convenience, this section uses environment variables set as follows:
# export ADMIN_TOKEN=<ADMIN_TOKEN_VALUE>
# export KEYSTONE35357=http://hostname1.domain:35357/v2.0
# export KEYSTONE5000=http://hostname1.domain:5000/v2.0
Where <ADMIN_TOKEN_VALUE> is the value of the admin_token parameter in /etc/keystone/keystone.conf. Port 35357 is the admin API, which the bootstrap commands below drive with the admin token; port 5000 is the public API that users and services authenticate against. Prefer reading the token from the file (for example with openstack-config --get) over pasting it, so that its value does not end up in the shell history.

Creating the tenant "Devel-Tenant"

Definition of tenant: A container used to group or isolate resources and/or identity objects. Depending on the service operator, a tenant may map to a customer, account, organization, or project.

  • Create the tenant by running:
    # keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 tenant-create --name Devel-Tenant --description "Devel Tenant" --enabled true
    +-------------+----------------------------------+
    |   Property  |              Value               |
    +-------------+----------------------------------+
    | description | Devel Tenant                     |
    | enabled     | True                             |
    | id          | c10d9c9f296b47f8a1212dd7a98357e0 |
    | name        | Devel-Tenant                     |
    +-------------+----------------------------------+
    

Creating the user "adminUser"

USER: A digital representation of a person, system, or service who uses OpenStack cloud services. Identity authentication services will validate that incoming requests are being made by the user who claims to be making the call. Users have a login and may be assigned tokens to access resources. Users may be directly assigned to a particular tenant and behave as if they are contained in that tenant.

  • Create the user by running the following command:
    # keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $DEVEL_TENANT_ID --name adminUser --pass <ADMIN_PASSWORD> --enabled true
    
    +----------+-------------------------------------------------------------------------------------------------------------------------+
    | Property |                                                          Value                                                          |
    +----------+-------------------------------------------------------------------------------------------------------------------------+
    | email    | None                                                                                                                    |
    | enabled  | True                                                                                                                    |
    | id       | b0305faa3ace4671bc0399e71a0a1cc1                                                                                        |
    | name     | adminUser                                                                                                               |
    | password | $6$rounds=40000$FXbQphsGDVj.Qw6B$q2e/hqj/Jnv7l.r3HW9VLTVyHaRbCB7pySvJ9prsWahvQ.GJyELRARXL4apPZAltov6f3FRAwfXu5yE5kAUbg0 |
    | tenantId | c10d9c9f296b47f8a1212dd7a98357e0                                                                                        |
    +----------+-------------------------------------------------------------------------------------------------------------------------+
    
    Where <ADMIN_PASSWORD> is the password chosen for the administrator being created, and $DEVEL_TENANT_ID holds the id printed by tenant-create above (c10d9c9f296b47f8a1212dd7a98357e0). Note that this keystone release echoes the stored password hash in its output, and the clear-text password was passed as a command-line argument: clear it from the shell history and do not paste this output anywhere.

Creating the admin role

ROLE: A personality that a user assumes when performing a specific set of operations. A role includes a set of rights and privileges. A user assuming that role inherits those rights and privileges. In the identity service, a token that is issued to a user includes the list of roles that user can assume. Services that are being called by that user determine how they interpret the set of roles a user has and which operations or resources each role grants access to.

  • Create the role by running:
    # keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 role-create --name admin
    
    +----------+----------------------------------+
    | Property |              Value               |
    +----------+----------------------------------+
    | id       | 6d67c71be79643e0bf497571510a6894 |
    | name     | admin                            |
    +----------+----------------------------------+
    

Assigning the "admin" role to the user "adminUser"

  • Assign the role with the following command:
    # keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user <ADMIN_USER_ID> --tenant_id <DEVEL_TENANT_ID> --role <ADMIN_ROLE_ID>
    
    Where <ADMIN_USER_ID>, <DEVEL_TENANT_ID> and <ADMIN_ROLE_ID> are the ids of the user, tenant and role just created (b0305faa3ace4671bc0399e71a0a1cc1, c10d9c9f296b47f8a1212dd7a98357e0 and 6d67c71be79643e0bf497571510a6894 in the outputs above). Note: the command prints nothing on success; check its exit status, or request a token scoped to the tenant (see Troubleshooting) and confirm that the admin role appears in it.
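The four steps above (tenant, user, role, role assignment) as one script, added here as an example; it is not from the original page. It assumes the Essex-era keystone CLI and the ADMIN_TOKEN and KEYSTONE35357 variables defined earlier, and reads the administrator password from an ADMIN_PASSWORD environment variable (an assumption), which keeps it out of the shell history although it is still visible in the process list while user-create runs. The ids are taken from the tables keystone prints, so nothing is copied by hand, and the script only talks to Keystone when RUN_BOOTSTRAP=1 is set.

```bash
#!/bin/bash
# Added example (not from the original page): bootstrap the admin tenant,
# user and role in one go, capturing the ids from the CLI output.

# Extract the value of the "id" row from the table the keystone CLI prints
# (only the row whose first column is exactly "id", not "tenantId").
get_id() {
    awk -F'|' '$2 ~ /^ *id *$/ { gsub(/ /, "", $3); print $3; exit }'
}

# Every bootstrap call carries the admin token and the admin endpoint.
ks() {
    keystone --token "$ADMIN_TOKEN" --endpoint "$KEYSTONE35357" "$@"
}

bootstrap_admin() {
    local tenant_id user_id role_id
    : "${ADMIN_TOKEN:?value of admin_token in keystone.conf}"
    : "${KEYSTONE35357:?e.g. http://hostname1.domain:35357/v2.0}"
    : "${ADMIN_PASSWORD:?password for adminUser (assumed env var)}"

    tenant_id=$(ks tenant-create --name Devel-Tenant --description "Devel Tenant" --enabled true | get_id)
    user_id=$(ks user-create --tenant_id "$tenant_id" --name adminUser --pass "$ADMIN_PASSWORD" --enabled true | get_id)
    role_id=$(ks role-create --name admin | get_id)

    # user-role-add prints nothing on success; its exit status is the signal.
    ks user-role-add --user "$user_id" --tenant_id "$tenant_id" --role "$role_id"
    echo "tenant=$tenant_id user=$user_id role=$role_id"
}

# Only touch a live Keystone when explicitly asked.
if [ "${RUN_BOOTSTRAP:-0}" = 1 ]; then
    bootstrap_admin
fi
```

Usage: ADMIN_PASSWORD=... RUN_BOOTSTRAP=1 ./bootstrap_admin.sh, with ADMIN_TOKEN and KEYSTONE35357 exported as in the section above; the last line prints the three ids needed by the later sections.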


Creating tenant, users and roles for the services (Glance, Nova)

Create a "service" tenant. This tenant contains all the services that we make known to the service catalog.

# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 tenant-create --name service --description "Service Tenant" --enabled true
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Service Tenant                   |
| enabled     | True                             |
| id          | edc5b7a35c644466849123cc937f9a04 |
| name        | service                          |
+-------------+----------------------------------+

Create a Glance service user in the service tenant.

You'll do this for any service you add to the Keystone service catalog. $SERVICE_TENANT_ID is the id printed by tenant-create above (edc5b7a35c644466849123cc937f9a04); $GLANCE_PASSW is the password chosen for the glance service user, which the Glance services will later need in their keystone authentication settings, so record it.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $SERVICE_TENANT_ID --name glance --pass $GLANCE_PASSW --enabled true


+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    | None                                                                                                                    |
| enabled  | True                                                                                                                    |
| id       | f085dd93f0ae42daa1a0623b9ec978f4                                                                                        |
| name     | glance                                                                                                                  |
| password | $6$rounds=40000$Jt2pbmLiN4liEImG$BheACef6A.wSgpj5EKn.XrAihLYy41y06rrAs3pEPr4Y/IF2uLSt9ADprzFGlATwfbimn98fp/e35wM2f783W1 |
| tenantId | edc5b7a35c644466849123cc937f9a04                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+

Grant the admin role to the glance user in the service tenant ($GLANCE_USER_ID is the id printed above, f085dd93f0ae42daa1a0623b9ec978f4; $ADMIN_ROLE_ID is the id of the admin role created earlier).

# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user $GLANCE_USER_ID --tenant_id $SERVICE_TENANT_ID --role $ADMIN_ROLE_ID

There is no output to this command.

Create a Nova Service User in the Service Tenant.

# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-create --tenant_id $SERVICE_TENANT_ID --name nova --pass $NOVA_PASSW --enabled true


+----------+-------------------------------------------------------------------------------------------------------------------------+
| Property |                                                          Value                                                          |
+----------+-------------------------------------------------------------------------------------------------------------------------+
| email    | None                                                                                                                    |
| enabled  | True                                                                                                                    |
| id       | 6916a161eb55476a8b2615dae7d00f27                                                                                        |
| name     | nova                                                                                                                    |
| password | $6$rounds=40000$Fi6fO6FbiWQH./Sg$ICF/qEdojYNNCSGQlicUAoFMntUREVz96DPPM4bOHsRBAB0t6vIOEDxSUh3q0IJXFGeH0YASNgmmVIU6CRklw. |
| tenantId | edc5b7a35c644466849123cc937f9a04                                                                                        |
+----------+-------------------------------------------------------------------------------------------------------------------------+

Grant the admin role to the nova user in the service tenant ($NOVA_USER_ID is the id printed above, 6916a161eb55476a8b2615dae7d00f27).

# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 user-role-add --user $NOVA_USER_ID --tenant_id $SERVICE_TENANT_ID --role $ADMIN_ROLE_ID

There is no output to this command.

Create an EC2 Service User in the Service Tenant.

Skipped.

Grant the admin role to the ec2 user in the service tenant.

Skipped.

Create an Object Storage Service User in the Service Tenant.

Skipped.

Grant the admin role to the swift user in the service tenant.

Skipped.

Enable Keystone

This step concerns S3; in any case, the file /etc/keystone/keystone.conf was modified following the guide.

Defining services

Keystone also acts as a service catalog to let other OpenStack systems know where relevant API endpoints exist for OpenStack Services. The OpenStack Dashboard, in particular, uses the service catalog heavily - and this must be configured for the OpenStack Dashboard to properly function.

The file /etc/keystone/keystone.conf must contain the following lines, which store the catalog in the SQL database (the alternative templated backend reads it from a static file and cannot be managed with service-create / endpoint-create):

[catalog]
driver = keystone.catalog.backends.sql.Catalog

Creating keystone services and service endpoints

Define the Identity service

# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=keystone --type=identity --description="Keystone Identity Service"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Keystone Identity Service        |
| id          | cfda291164a2416f99ddffc137ba14f9 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+



# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=$KEYSTONE_SERVICE_ID --publicurl=$KEYSTONE5000 --internalurl=$KEYSTONE5000 --adminurl=$KEYSTONE35357

+-------------+-----------------------------------+
|   Property  |               Value               |
+-------------+-----------------------------------+
| adminurl    | http://131.154.101.242:35357/v2.0 |
| id          | e63155b607e1433f9ae8c66bc87c8ebf  |
| internalurl | http://131.154.101.242:5000/v2.0  |
| publicurl   | http://131.154.101.242:5000/v2.0  |
| region      | RegionOne                         |
| service_id  | cfda291164a2416f99ddffc137ba14f9  |
+-------------+-----------------------------------+

Define the Compute service

Its endpoint URLs are tenant-specific: the %(tenant_id)s placeholder is stored literally in the catalog and is substituted with the tenant of the token when the catalog is returned to a client. The %(tenant_id)s and the single quotes around the publicurl, internalurl, and adminurl must be typed exactly as shown, for both the Compute endpoint and the Volume endpoint, so that the placeholder reaches keystone unmodified.
# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=nova --type=compute --description="Nova Compute Service"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Nova Compute Service             |
| id          | 83486ca8422c4cb0aa4be1a231556ee3 |
| name        | nova                             |
| type        | compute                          |
+-------------+----------------------------------+

# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=$NOVA_COMPUTE_SERVICE_ID --publicurl='http://131.154.101.242:8774/v2/%(tenant_id)s' --internalurl='http://131.154.101.242:8774/v2/%(tenant_id)s' --adminurl='http://131.154.101.242:8774/v2/%(tenant_id)s'

+-------------+----------------------------------------------+
|   Property  |                    Value                     |
+-------------+----------------------------------------------+
| adminurl    | http://131.154.101.242:8774/v2/%(tenant_id)s |
| id          | ef8874ac56b34b538536b053591d440e             |
| internalurl | http://131.154.101.242:8774/v2/%(tenant_id)s |
| publicurl   | http://131.154.101.242:8774/v2/%(tenant_id)s |
| region      | RegionOne                                    |
| service_id  | 83486ca8422c4cb0aa4be1a231556ee3             |
+-------------+----------------------------------------------+

Define the Volume service

Skipped. Its endpoint also takes the %(tenant_id)s placeholder.

Define the Image service

# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 service-create --name=glance --type=image --description="Glance Image Service"

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | Glance Image Service             |
| id          | 4ebfd4612e8145d188140dcbd62bcaff |
| name        | glance                           |
| type        | image                            |
+-------------+----------------------------------+

# keystone --token $ADMIN_TOKEN --endpoint $KEYSTONE35357 endpoint-create --region RegionOne --service_id=$GLANCE_SERVICE_ID --publicurl=http://131.154.101.242:9292/v1 --internalurl=http://131.154.101.242:9292/v1 --adminurl=http://131.154.101.242:9292/v1

+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| adminurl    | http://131.154.101.242:9292/v1   |
| id          | 044f6be2f3224b3f96283bb26dcc0949 |
| internalurl | http://131.154.101.242:9292/v1   |
| publicurl   | http://131.154.101.242:9292/v1   |
| region      | RegionOne                        |
| service_id  | 4ebfd4612e8145d188140dcbd62bcaff |
+-------------+----------------------------------+
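The service and endpoint registrations above, driven from one small table, added here as an example that is not part of the original page. It assumes the Essex keystone CLI with ADMIN_TOKEN and KEYSTONE35357 set as earlier, and a HOST variable (an assumption) for the API host used in the URLs. Before calling keystone it refuses Compute or Volume URLs that have lost the literal %(tenant_id)s placeholder, which is the mistake the quoting note above guards against; the description column uses underscores for spaces only so that one read loop can split the rows.

```bash
#!/bin/bash
# Added example (not from the original page): register services and
# endpoints from a table, guarding the %(tenant_id)s template.

ks() { keystone --token "$ADMIN_TOKEN" --endpoint "$KEYSTONE35357" "$@"; }

# Value of the "id" row in the table the keystone CLI prints.
get_id() {
    awk -F'|' '$2 ~ /^ *id *$/ { gsub(/ /, "", $3); print $3; exit }'
}

# Per-tenant services must carry the unexpanded placeholder; a URL
# where the shell or a typo removed it is rejected. $1 = type, $2 = URL.
url_template_ok() {
    case "$1" in
        compute|volume)
            case "$2" in *'%(tenant_id)s'*) return 0 ;; *) return 1 ;; esac ;;
        *) return 0 ;;
    esac
}

# Rows: name type description public/internal-url admin-url ("-" = same).
# Identity is the one service with a distinct admin URL (port 35357).
catalog() {
    : "${HOST:?API host, e.g. hostname1.domain (assumed variable)}"
    cat <<EOF
keystone identity Keystone_Identity_Service http://$HOST:5000/v2.0 http://$HOST:35357/v2.0
nova compute Nova_Compute_Service http://$HOST:8774/v2/%(tenant_id)s -
glance image Glance_Image_Service http://$HOST:9292/v1 -
EOF
}

# Create each service, then its RegionOne endpoint; prints "name service_id".
register_catalog() {
    local name type desc url admin sid
    catalog | while read -r name type desc url admin; do
        [ "$admin" = - ] && admin=$url
        if ! url_template_ok "$type" "$url"; then
            echo "refusing $name: URL lacks the %(tenant_id)s template: $url" >&2
            return 1
        fi
        desc=$(printf '%s' "$desc" | tr _ ' ')
        sid=$(ks service-create --name="$name" --type="$type" --description="$desc" | get_id)
        ks endpoint-create --region RegionOne --service_id="$sid" \
            --publicurl="$url" --internalurl="$url" --adminurl="$admin" >/dev/null
        echo "$name $sid"
    done
}
```

Usage: HOST=hostname1.domain register_catalog, with ADMIN_TOKEN and KEYSTONE35357 exported; re-running it would create duplicate services, so check service-list first.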

Define the EC2 compatibility service

Skipped.

Define the Object Storage service

Skipped.

Troubleshooting

Request a token directly from the Identity API with curl (install curl and openssl if they are missing; -s suppresses the progress meter that otherwise gets mixed into the output):

# yum install curl openssl

# curl -s -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials": {"username": "adminUser", "password": "********"}}}' -H "Content-type: application/json" http://131.154.101.242:35357/v2.0/tokens | python -mjson.tool
{
    "access": {
        "serviceCatalog": {},
        "token": {
            "expires": "2012-08-30T12:22:54Z",
            "id": "927b3fb9806f494386c8c1e5af62ad21"
        },
        "user": {
            "id": "b0305faa3ace4671bc0399e71a0a1cc1",
            "name": "adminUser",
            "roles": [],
            "roles_links": [],
            "username": "adminUser"
        }
    }
}

Note: "adminTenant" is not the tenant created in this guide (Devel-Tenant), and the response is an unscoped token: "token" carries no "tenant", and "roles" and "serviceCatalog" are empty. To verify the role assignment and the service catalog, request a token scoped to the tenant the user belongs to ("tenantName": "Devel-Tenant"); a scoped token lists the user's roles in that tenant and the endpoints registered above. The admin port 35357 is used here; clients normally authenticate against the public port 5000.
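The token request above as shell functions that also classify the response, added as an example that is not part of the original page. It assumes the names used in this guide (adminUser, Devel-Tenant) and takes the password as an argument; the JSON body is built with printf, so a password containing quotes or backslashes would need escaping first. token_scope reads a response (such as the one shown above) and reports whether the token is scoped to a tenant, which is what a successful user-role-add must show.

```bash
#!/bin/bash
# Added example (not from the original page): request a v2.0 token and
# tell a scoped token from an unscoped one.

# JSON body for passwordCredentials. With a third argument the request
# carries tenantName, so the token is scoped and includes roles + catalog.
# $1 = username, $2 = password, $3 = tenant name (optional)
auth_body() {
    if [ -n "${3:-}" ]; then
        printf '{"auth": {"tenantName": "%s", "passwordCredentials": {"username": "%s", "password": "%s"}}}' "$3" "$1" "$2"
    else
        printf '{"auth": {"passwordCredentials": {"username": "%s", "password": "%s"}}}' "$1" "$2"
    fi
}

# POST to <endpoint>/tokens and print the raw JSON response.
# $1 = endpoint base (e.g. http://hostname1.domain:5000/v2.0), $2 = user,
# $3 = password, $4 = tenant name (optional)
get_token() {
    curl -s -H 'Content-Type: application/json' \
        -d "$(auth_body "$2" "$3" "${4:-}")" "$1/tokens"
}

# Classify a token response read from stdin:
#   scoped   - the "token" object names a "tenant" (roles and catalog filled)
#   unscoped - a token without tenant, as in the output above
#   error    - no token at all (e.g. a 401 body)
token_scope() {
    local body
    body=$(cat)
    case "$body" in
        *\"token\"*\"tenant\"*) echo scoped ;;
        *\"token\"*)            echo unscoped ;;
        *)                      echo error ;;
    esac
}
```

Usage: get_token http://hostname1.domain:5000/v2.0 adminUser "$ADMIN_PASSWORD" Devel-Tenant | token_scope should print scoped once the admin role has been assigned; drop the tenant argument to reproduce the unscoped case above.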

keystone user-list

Without --token and --endpoint the client reads them from the SERVICE_TOKEN and SERVICE_ENDPOINT environment variables (or authenticates with OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME and OS_AUTH_URL), so export one set of these before running the listings below:

# keystone user-list
+----------------------------------+---------+-------+-----------+
|                id                | enabled | email |    name   |
+----------------------------------+---------+-------+-----------+
| 6916a161eb55476a8b2615dae7d00f27 | True    | None  | nova      |
| b0305faa3ace4671bc0399e71a0a1cc1 | True    | None  | adminUser |
| f085dd93f0ae42daa1a0623b9ec978f4 | True    | None  | glance    |
+----------------------------------+---------+-------+-----------+

keystone service-list

# keystone service-list
+----------------------------------+----------+----------+---------------------------+
|                id                |   name   |   type   |        description        |
+----------------------------------+----------+----------+---------------------------+
| 83486ca8422c4cb0aa4be1a231556ee3 | nova     | compute  | Nova Compute Service      |
| cfda291164a2416f99ddffc137ba14f9 | keystone | identity | Keystone Identity Service |
+----------------------------------+----------+----------+---------------------------+

keystone endpoint-list

# keystone endpoint-list
+----------------------------------+-----------+----------------------------------------------+----------------------------------------------+----------------------------------------------+
|                id                |   region  |                  publicurl                   |                 internalurl                  |                   adminurl                   |
+----------------------------------+-----------+----------------------------------------------+----------------------------------------------+----------------------------------------------+
| e63155b607e1433f9ae8c66bc87c8ebf | RegionOne | http://131.154.101.242:5000/v2.0             | http://131.154.101.242:5000/v2.0             | http://131.154.101.242:35357/v2.0            |
| ef8874ac56b34b538536b053591d440e | RegionOne | http://131.154.101.242:8774/v2/%(tenant_id)s | http://131.154.101.242:8774/v2/%(tenant_id)s | http://131.154.101.242:8774/v2/%(tenant_id)s |
+----------------------------------+-----------+----------------------------------------------+----------------------------------------------+----------------------------------------------+

Note: the Glance service and endpoint registered above do not appear in these two listings; after registering the Image service, expect a third row (glance / image, port 9292) in both service-list and endpoint-list.

-- PaoloVeronesi - 2012-08-30

Topic revision: r5 - 2012-10-09 - MatteoManzali
 