
This guide takes you through the second part of configuring the OpenStack Identity service (Keystone) on the controller node; you can also read the previous article, configuring KeyStone #1. Here we cover creating the service entity and the API endpoints.
Create the service entity and the API endpoint:
To create the service entity and the API endpoint, we first export the following variables so the openstack client authenticates with the bootstrap admin token instead of a user password. This token is a static shared secret that grants full administrative rights to any request carrying it, so it is used only for this bootstrap and is disabled later in this guide.
# export OS_TOKEN=43405b090eda983ddde2 ## Replace this token (43405b090eda983ddde2) with the admin_token value from /etc/keystone/keystone.conf.
# export OS_URL=http://controller:35357/v3 ## Replace controller with your controller's hostname or IP address.
Set the Identity API version.
# export OS_IDENTITY_API_VERSION=3
Create the service entity for the Identity service.
# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | ced1e3e2bfe449eeba6a0f19bad90caf |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
Verify the service.
# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| ced1e3e2bfe449eeba6a0f19bad90caf | keystone | identity |
+----------------------------------+----------+----------+
Create the Identity service API endpoints, one for each interface (public, internal and admin).
# openstack endpoint create --region RegionOne identity public http://controller:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0fdd1aa5fe414213b3b3b616157debfc |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | ced1e3e2bfe449eeba6a0f19bad90caf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v2.0      |
+--------------+----------------------------------+
# openstack endpoint create --region RegionOne identity internal http://controller:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | f825a8526c2c4924a74f3e6acfd199c0 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | ced1e3e2bfe449eeba6a0f19bad90caf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v2.0      |
+--------------+----------------------------------+
# openstack endpoint create --region RegionOne identity admin http://controller:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 35496d62fddd4fe188f384a61bf36d24 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | ced1e3e2bfe449eeba6a0f19bad90caf |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v2.0     |
+--------------+----------------------------------+
Verify the endpoint details.
# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                          |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
| 0fdd1aa5fe414213b3b3b616157debfc | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v2.0  |
| 35496d62fddd4fe188f384a61bf36d24 | RegionOne | keystone     | identity     | True    | admin     | http://controller:35357/v2.0 |
| f825a8526c2c4924a74f3e6acfd199c0 | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v2.0  |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------+
Create projects, users and roles:
Create an admin project, user and role for administrative operations; we use the default domain to keep things simple.
Create the admin project.
# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | fe858f6a43f84c26b994f0be74c928e6 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
Create the admin user. The --password-prompt option asks for the password interactively, so it does not end up in the shell history.
# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | 19be37de9db146f8a6b282eb1dbbee14 |
| name      | admin                            |
+-----------+----------------------------------+
Create the admin role.
# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 6741bf6d8cb94ddbb45de71ad6c2a07a |
| name  | admin                            |
+-------+----------------------------------+
Add the admin role to the admin user on the admin project.
# openstack role add --project admin --user admin admin
Create the service project; it will hold the accounts of the other OpenStack services.
# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 3745819894644e95b72c2693ff4ea34f |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+
Create the demo project for use by an unprivileged user.
# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b558b39292b247b7a346678b80ed71e0 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+
Create the demo user.
# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | 69f8896c14a940619839443271aa9d05 |
| name      | demo                             |
+-----------+----------------------------------+
Create the user role.
# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | db27eefc8e8047c499fb822d9ad6f630 |
| name  | user                             |
+-------+----------------------------------+
Add the user role to the demo user on the demo project.
# openstack role add --project demo --user demo user
Verify the operation:
# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 3745819894644e95b72c2693ff4ea34f | service |
| b558b39292b247b7a346678b80ed71e0 | demo    |
| fe858f6a43f84c26b994f0be74c928e6 | admin   |
+----------------------------------+---------+
# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 19be37de9db146f8a6b282eb1dbbee14 | admin |
| 69f8896c14a940619839443271aa9d05 | demo  |
+----------------------------------+-------+
# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 6741bf6d8cb94ddbb45de71ad6c2a07a | admin |
| db27eefc8e8047c499fb822d9ad6f630 | user  |
+----------------------------------+-------+
For security reasons, disable the temporary token authentication mechanism:
Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections. While that filter is in the pipeline, anyone who learns the admin_token value from keystone.conf has full administrative access, so leaving it in place is a permanent backdoor. Keystone reads this file at start-up, so restart the web server that serves it (Apache on an Ubuntu 14.04 install) for the change to take effect.
Verify the operation using role-based access with a password; to do so, first unset the temporary token variables.
# unset OS_TOKEN OS_URL
As the admin user, request an authentication token.
# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name admin --os-username admin --os-auth-type password token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-11-02T11:25:53.930932Z      |
| id         | 7b614d616e964ab7880e82643c0b1659 |
| project_id | fe858f6a43f84c26b994f0be74c928e6 |
| user_id    | 19be37de9db146f8a6b282eb1dbbee14 |
+------------+----------------------------------+
As the demo user, request an authentication token.
# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-id default --os-user-domain-id default --os-project-name demo --os-username demo --os-auth-type password token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2015-11-02T11:29:28.174824Z      |
| id         | d42d40e47fe84f64a6bd9ecdf1ff240e |
| project_id | b558b39292b247b7a346678b80ed71e0 |
| user_id    | 69f8896c14a940619839443271aa9d05 |
+------------+----------------------------------+
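The hardening step (removing admin_token_auth from keystone-paste.ini) and the verification that follows it, as an added shell example; it is not part of the original guide or of Keystone itself. It goes a little beyond the page by talking to the Identity v3 API with curl instead of the openstack client, which shows the password-auth request body the client sends and that the token comes back in the X-Subject-Token header, and it adds the negative check the guide leaves implicit: after the change, the old bootstrap admin_token must be rejected. Assumptions: the Liberty-era /etc/keystone/keystone-paste.ini in which admin_token_auth appears only on the pipeline lines of the three sections named above, Keystone served by Apache (apache2) on Ubuntu 14.04, and the v3 API reachable at http://controller:5000/v3 (override with OS_AUTH_URL); the function names and the harden/verify sub-commands are this example's own.

```shell
#!/bin/bash
# Added example, not from the original guide. Assumptions (see lead-in):
# Liberty-style keystone-paste.ini, Keystone behind apache2, v3 API on port 5000.
set -eu

PASTE_INI="${PASTE_INI:-/etc/keystone/keystone-paste.ini}"
AUTH_URL="${OS_AUTH_URL:-http://controller:5000/v3}"

# Strip admin_token_auth from every "pipeline = ..." line. In the Liberty file
# that is exactly [pipeline:public_api], [pipeline:admin_api] and
# [pipeline:api_v3]. The [filter:admin_token_auth] definition itself is left
# alone: unreferenced, it is never loaded. A backup is kept beside the file and
# the file is rewritten in place so its owner and mode survive.
disable_admin_token_auth() {
    local ini="$1" tmp
    cp -p "$ini" "$ini.bak.$(date +%s)"
    tmp="$(mktemp)"
    sed -E '/^pipeline[[:space:]]*=/ s/[[:space:]]+admin_token_auth([[:space:]]+|$)/\1/' "$ini" > "$tmp"
    cat "$tmp" > "$ini"
    rm -f "$tmp"
}

# Number of pipeline lines still referencing admin_token_auth (3 before, 0 after).
count_admin_token_auth() {
    grep -E '^pipeline[[:space:]]*=' "$1" | grep -c 'admin_token_auth' || true
}

# Minimal JSON string escaping (backslash and double quote) for values we embed.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Body of a v3 password-authentication request scoped to a project in the default
# domain: what "openstack --os-auth-type password token issue" sends under the hood.
password_auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"id":"default"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"id":"default"}}}}}' \
        "$(json_escape "$1")" "$(json_escape "$2")" "$(json_escape "$3")"
}

# Keystone returns the token in the X-Subject-Token response header, not in the body.
subject_token_from_headers() {
    grep -i '^X-Subject-Token:' | head -n 1 | cut -d' ' -f2- | tr -d '\r'
}

# POST /v3/auth/tokens as <user> <password> <project>; prints the token (empty on failure).
issue_token() {
    curl -sS -D - -o /dev/null -H 'Content-Type: application/json' \
        -d "$(password_auth_body "$1" "$2" "$3")" "$AUTH_URL/auth/tokens" \
        | subject_token_from_headers
}

# After the pipeline change the bootstrap admin_token must no longer authenticate:
# exit 0 only if Keystone answers 401 to a request that still carries it.
admin_token_is_rejected() {
    local status
    status="$(curl -sS -o /dev/null -w '%{http_code}' -H "X-Auth-Token: $1" "$AUTH_URL/services")"
    [ "$status" = "401" ]
}

case "${1:-}" in
    harden)
        disable_admin_token_auth "$PASTE_INI"
        service apache2 restart   # Keystone runs under mod_wsgi here; the new pipeline loads on restart
        echo "pipeline lines still using admin_token_auth: $(count_admin_token_auth "$PASTE_INI")"
        ;;
    verify)   # verify <user> <project> <old admin_token>; the password is prompted for
        read -rs -p "Password for $2: " pw; echo
        token="$(issue_token "$2" "$pw" "$3")"
        [ -n "$token" ] && echo "password auth OK (token starts $(printf '%s' "$token" | cut -c1-6))" \
            || { echo "password auth FAILED"; exit 1; }
        admin_token_is_rejected "$4" && echo "old admin_token rejected (401)" \
            || { echo "old admin_token STILL accepted, check keystone-paste.ini and restart Keystone"; exit 1; }
        ;;
    *)
        echo "usage: $0 harden | verify <user> <project> <old admin_token>"
        ;;
esac
```

Run `harden` on the controller first, then `verify admin admin <old token>` and `verify demo demo <old token>`; both must report password auth OK and the old token rejected. The sed address restricts the edit to pipeline lines, so the filter definition and any comment mentioning admin_token_auth are untouched, and the before/after count makes the result of the edit visible instead of trusting a silent -i.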
That's all; you have successfully configured KeyStone on Ubuntu 14.04.