
1.4.3. Building OpenStack Swift (changing authentication to Keystone)

The Swift build itself is assumed to be finished already.

Here we switch authentication from tempauth to Keystone. With Keystone in place, Nova and Swift can be used together under one identity service. In principle it is enough to point the proxy server at the Keystone that Nova already uses, but when that did not work it was impossible to tell what had gone wrong, so the change is made on Swift alone first.

Also, no matter what was tried, authentication would not go through with Keystone Diablo, so the Essex-4 Keystone is used instead.

1.4.3.1. (Proxy server) Installing the packages needed to use Keystone

Install Keystone on the proxy server. The clone below uses the unauthenticated git:// transport and then checks out the essex-4 tag; outside a test setup, clone over https:// so the source you build is at least fetched over an authenticated channel. The MYSQL_PASS and NOVA_PASS values are examples for this page only.

$ sudo git clone git://github.com/openstack/keystone /opt/keystone
$ cd /opt/keystone ; sudo git checkout essex-4
$ MYSQL_PASS=nova
$ NOVA_PASS=password
$ cat <<MYSQL_DEBCONF | sudo debconf-set-selections
mysql-server-5.1 mysql-server/root_password password $MYSQL_PASS
mysql-server-5.1 mysql-server/root_password_again password $MYSQL_PASS
mysql-server-5.1 mysql-server/start_on_boot boolean true
MYSQL_DEBCONF
$ sudo apt-get -y install mysql-server python-dev python-mysqldb python-pip python-lxml python-ldap
$ sudo pip install -r /opt/keystone/tools/pip-requires
$ sudo pip install -r /opt/keystone/tools/test-requires
$ cd /opt/keystone && sudo python setup.py develop

1.4.3.1.1. Directories and ownership

$ sudo mkdir /etc/keystone
$ sudo mkdir -p /opt/stack/keystone
$ sudo chown stack:stack /opt/stack /opt/keystone -R
$ sudo chmod 775 /opt/stack/keystone

1.4.3.1.2. Placing the configuration

ADMIN is the placeholder for admin_token in keystone.conf, the shared secret that grants full administrative access to the Keystone admin API (port 35357) without any user credentials. 999888777666 is the example value used throughout this page; in anything but a test setup, generate a random value, keep keystone.conf readable by the keystone user only, and use the same value wherever admin_token appears below.

$ sudo cp -a /opt/keystone/etc/* /etc/keystone
$ sudo sed -i 's#sqlite:///bla.db#mysql://keystone:password@storage01/keystone#' /etc/keystone/keystone.conf
$ sudo sed -i 's#ADMIN#999888777666#' /etc/keystone/keystone.conf
$ sudo sed -i 's#./etc/default_catalog.templates#/etc/keystone/default_catalog.templates#' /etc/keystone/keystone.conf
$ sudo sed -i 's#driver = keystone.identity.backends.kvs.Identity#driver = keystone.identity.backends.sql.Identity#' /etc/keystone/keystone.conf
$ sudo sed -i 's#driver = keystone.contrib.ec2.backends.kvs.Ec2#driver = keystone.contrib.ec2.backends.sql.Ec2#' /etc/keystone/keystone.conf
$ sudo sed -i '8a\log_file = /opt/stack/keystone/keystone.log' /etc/keystone/keystone.conf
$ cat << 'KEYSTONE_TEMPLATE' | sudo tee /etc/keystone/default_catalog.templates > /dev/null
catalog.RegionOne.identity.publicURL = http://storage01:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://storage01:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://storage01:$(public_port)s/v2.0
catalog.RegionOne.identity.name = 'Identity Service'

catalog.RegionOne.object_store.publicURL = http://storage01:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.adminURL = http://storage01:8080/
catalog.RegionOne.object_store.internalURL = http://storage01:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.name = 'Swift Service'
KEYSTONE_TEMPLATE
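The template above is the whole service catalog: Keystone's templated backend fills the $(...)s placeholders per request, and a client authenticating with auth version 2 takes the object-store publicURL (AUTH_ plus the tenant id) straight from the token response, which is why the account name in Swift must match the tenant. The following is an added example, my own code rather than anything from Keystone or the page, that reproduces that rendering and the lookup the swift CLI performs. The template text is a constructed copy of the one written above (with the internalURL host corrected to storage01), the tenant id is made up, and the catalog list shape is the v2.0 serviceCatalog structure.

```python
"""Render a Keystone templated catalog and pick the object-store URL as a client would.

Added illustration only: not Keystone's templated backend and not swiftclient code.
"""

# Constructed copy of /etc/keystone/default_catalog.templates from this page.
CATALOG_TEMPLATE = """\
catalog.RegionOne.identity.publicURL = http://storage01:$(public_port)s/v2.0
catalog.RegionOne.identity.adminURL = http://storage01:$(admin_port)s/v2.0
catalog.RegionOne.identity.internalURL = http://storage01:$(public_port)s/v2.0
catalog.RegionOne.identity.name = 'Identity Service'

catalog.RegionOne.object_store.publicURL = http://storage01:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.adminURL = http://storage01:8080/
catalog.RegionOne.object_store.internalURL = http://storage01:8080/v1/AUTH_$(tenant_id)s
catalog.RegionOne.object_store.name = 'Swift Service'
"""


def parse_templates(text):
    """catalog.<region>.<service>.<key> = value -> {region: {service_type: {key: value}}}.

    The service is written with an underscore in the file, but the catalog type
    clients search for is 'object-store', so the underscore becomes a dash
    (Keystone's templated backend does the same replacement).
    """
    catalog = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        parts = key.strip().split(".")
        if len(parts) != 4 or parts[0] != "catalog":
            raise ValueError("unexpected template line: %r" % raw)
        region, service_type, attr = parts[1], parts[2].replace("_", "-"), parts[3]
        catalog.setdefault(region, {}).setdefault(service_type, {})[attr] = value.strip().strip("'")
    return catalog


def render_catalog(catalog, values):
    """Fill the $(name)s placeholders: they are %-format fields with a different spelling."""
    rendered = {}
    for region, services in catalog.items():
        for service_type, attrs in services.items():
            rendered.setdefault(region, {})[service_type] = {
                attr: template.replace("$(", "%(") % values
                for attr, template in attrs.items()
            }
    return rendered


def to_service_catalog(rendered):
    """Flatten into the v2.0 'serviceCatalog' list a token response carries."""
    services = {}
    for region, region_services in rendered.items():
        for service_type, attrs in region_services.items():
            entry = services.setdefault(
                service_type, {"type": service_type, "name": attrs.get("name"), "endpoints": []})
            endpoint = {k: v for k, v in attrs.items() if k != "name"}
            endpoint["region"] = region
            entry["endpoints"].append(endpoint)
    return list(services.values())


def storage_url(service_catalog, endpoint_type="publicURL", region=None):
    """What the swift client does with the response: find 'object-store' and take its URL."""
    for service in service_catalog:
        if service["type"] != "object-store":
            continue
        for endpoint in service["endpoints"]:
            if region is None or endpoint.get("region") == region:
                return endpoint[endpoint_type]
    raise LookupError("no object-store endpoint in catalog")


def storage_url_for_tenant(tenant_id, public_port=5000, admin_port=35357):
    """End to end: template -> catalog for this tenant -> Swift account URL."""
    values = {"tenant_id": tenant_id, "public_port": public_port, "admin_port": admin_port}
    catalog = render_catalog(parse_templates(CATALOG_TEMPLATE), values)
    return storage_url(to_service_catalog(catalog))


if __name__ == "__main__":
    # Made-up tenant id; a real one is the 32-character id from keystone tenant-list.
    print(storage_url_for_tenant("8f0b1c"))
```

An unscoped token (a v2.0 request without tenantName) carries no catalog at all, so the client has nothing to look up; that is why the swift CLI needs a tenant as well as a user when talking to Keystone.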

1.4.3.1.3. Creating the database

keystone.conf points at the database by the host name storage01 rather than localhost, so MySQL has to listen on the network. The sed below makes it listen on every interface, and the grant is for 'keystone'@'%'; that is acceptable on an isolated storage network, but otherwise bind to the storage address and restrict the grant to the proxy host.

$ sudo sed -i 's#127.0.0.1#0.0.0.0#g' /etc/mysql/my.cnf
$ sudo restart mysql
$ sudo mysql -u root -pnova -e "create database keystone;"
$ sudo mysql -u root -pnova -e "grant all privileges on keystone.* to 'keystone'@'%' identified by 'password';"
$ sudo keystone-manage db_sync

1.4.3.1.4. Creating the startup script

Create the service user first as well.

$ sudo useradd keystone -m -d /var/lib/keystone
$ sudo usermod -G stack keystone
$ cat << 'KEYSTONE_INIT' | sudo tee /etc/init/keystone.conf > /dev/null
description "Keystone API server"
author "Soren Hansen <soren@linux2go.dk>"

start on (local-filesystems and net-device-up IFACE!=lo)
stop on runlevel [016]

chdir /var/run

pre-start script
    mkdir -p /var/run/keystone
    chown keystone:root /var/run/keystone/
    chmod 775 /var/run/keystone/


    mkdir -p /var/lock/keystone
    chown keystone:root /var/lock/keystone/
    chmod 775 /var/lock/keystone/
end script

respawn

#exec su -c "keystone --log-dir=/opt/stack/keystone --log-file=api.log" keystone
#exec su -c "keystone-control all start" keystone
# No trailing "&": upstart supervises the foreground process; backgrounding it
# would make su exit at once and "respawn" would keep starting new copies.
exec su -c "keystone-all --config-file /etc/keystone/keystone.conf /etc/keystone/logging.conf.sample -d --debug" keystone
KEYSTONE_INIT

1.4.3.1.5. Starting Keystone

$ sudo start keystone

1.4.3.1.6. Configuring Keystone

# To wipe the Keystone database and start over:
#sudo pkill keystone-all
#sudo mysql -u root -pnova -e "drop database keystone;"
#sudo mysql -u root -pnova -e "create database keystone;"
#sudo keystone-manage db_sync
#sudo start keystone

export SERVICE_ENDPOINT=http://storage01:35357/v2.0/
export SERVICE_TOKEN=999888777666

keystone tenant-create --name=admin
keystone tenant-create --name=demo
keystone tenant-create --name=invisible_to_admin

#keystone user-list
keystone user-create --name=admin --pass=password --email=admin@example.com
keystone user-create --name=demo  --pass=password --email=demo@example.com

# keystone role-list
keystone role-create --name=admin
keystone role-create --name=Member
keystone role-create --name=KeystoneAdmin
keystone role-create --name=KeystoneServiceAdmin
keystone role-create --name=sysadmin
keystone role-create --name=netadmin

ADMIN_USER_ID=$( keystone user-list | grep admin | grep -v demo | awk '{print $2}' )
DEMO_USER_ID=$( keystone user-list | grep demo | awk '{print $2}' )
ADMIN_ROLE_ID=$( keystone role-list | grep " admin"    | awk '{print $2}' )
MEMBER_ROLE_ID=$( keystone role-list | grep " Member"   | awk '{print $2}' )
SYSADMIN_ROLE_ID=$(keystone role-list | grep " sysadmin" | awk '{print $2}' )
NETADMIN_ROLE_ID=$(keystone role-list | grep " netadmin" | awk '{print $2}' )
KEYSTONEADMIN_ROLE_ID=$(keystone role-list | grep " KeystoneAdmin" | awk '{print $2}' )
KEYSTONESERVICE_ROLE_ID=$(keystone role-list | grep " KeystoneServiceAdmin" | awk '{print $2}' )
ADMIN_TENANT_ID=$(mysql -u root -pnova -e "select * from tenant" keystone | grep "admin" | grep -v "invi" | awk '{print $1}' )
DEMO_TENANT_ID=$(mysql -u root  -pnova -e "select * from tenant" keystone | grep "demo"  | grep -v "invi" | awk '{print $1}' )
INVIS_TENANT_ID=$(mysql -u root -pnova -e "select * from tenant" keystone | grep "invi"  | awk '{print $1}')

keystone user-role-add --user $ADMIN_USER_ID --role $ADMIN_ROLE_ID --tenant_id $ADMIN_TENANT_ID
keystone user-role-add --user $DEMO_USER_ID --role $MEMBER_ROLE_ID --tenant_id $DEMO_TENANT_ID
keystone user-role-add --user $DEMO_USER_ID --role $SYSADMIN_ROLE_ID --tenant_id $DEMO_TENANT_ID
keystone user-role-add --user $DEMO_USER_ID --role $NETADMIN_ROLE_ID --tenant_id $DEMO_TENANT_ID
keystone user-role-add --user $DEMO_USER_ID --role $MEMBER_ROLE_ID --tenant_id $INVIS_TENANT_ID
keystone user-role-add --user $ADMIN_USER_ID --role $ADMIN_ROLE_ID --tenant_id $DEMO_TENANT_ID

keystone service-create --name=keystone --type=identity     --description="Keystone Identity Service"
keystone service-create --name=swift    --type=object-store --description="Swift Service"

# Create each EC2 credential pair once and read access and secret from the same
# output: calling ec2-credentials-create twice hands you the access key of one
# pair and the secret of another, and S3 requests signed with them never validate.
ADMIN_EC2=$(keystone ec2-credentials-create --tenant_id=$ADMIN_TENANT_ID --user=$ADMIN_USER_ID)
ADMIN_ACCESS=$(echo "$ADMIN_EC2" | grep access | awk '{print $4}')
ADMIN_SECRET=$(echo "$ADMIN_EC2" | grep secret | awk '{print $4}')
DEMO_EC2=$(keystone ec2-credentials-create --tenant_id=$DEMO_TENANT_ID --user=$DEMO_USER_ID)
DEMO_ACCESS=$(echo "$DEMO_EC2" | grep access | awk '{print $4}')
DEMO_SECRET=$(echo "$DEMO_EC2" | grep secret | awk '{print $4}')
export ADMIN_ACCESS ADMIN_SECRET DEMO_ACCESS DEMO_SECRET

1.4.3.2. Configuring the proxy server

Switch the proxy from tempauth to Keystone. In the pipeline, auth_token (the tokenauth filter) validates the X-Auth-Token against Keystone and fills in the tenant and roles, and the keystone filter (swift_auth) then decides whether that tenant may act on the AUTH_<tenant_id> account in the request path; operator_roles lists the roles allowed to do so. Two caveats: proxy-server.conf now holds the Keystone admin token and the admin password, so keep it readable only by root and the swift user; and admin_tenant_name = service names a tenant this procedure never creates, which matters only if admin_token is removed and the middleware has to obtain its own admin token from admin_user/admin_password.

$ cat << 'EOF' | sudo tee /etc/swift/proxy-server.conf > /dev/null
[DEFAULT]
bind_ip = 0.0.0.0
bind_port = 8080
user = swift
swift_dir = /etc/swift
workers = 1
log_name = swift
log_facility = LOG_LOCAL1
log_level = DEBUG

[pipeline:main]
#pipeline = healthcheck cache swift3 s3token tokenauth tempauth proxy-server
pipeline = healthcheck cache swift3 s3token tokenauth keystone proxy-server

[app:proxy-server]
use = egg:swift#proxy
allow_account_management = true
account_autocreate = true

[filter:keystone]
paste.filter_factory = keystone.middleware.swift_auth:filter_factory
operator_roles = Member,admin

[filter:s3token]
paste.filter_factory = keystone.middleware.s3_token:filter_factory
service_port = 5000
service_host = 192.168.10.40
auth_port = 35357
auth_host = 192.168.10.40
auth_protocol = http
auth_token = 999888777666
admin_token = 999888777666

[filter:tokenauth]
paste.filter_factory = keystone.middleware.auth_token:filter_factory
service_port = 5000
service_host = 192.168.10.40
auth_port = 35357
auth_host = 192.168.10.40
auth_protocol = http
auth_token = 999888777666
admin_token = 999888777666
admin_tenant_name = service
admin_user = admin
admin_password = password
cache = swift.cache

[filter:swift3]
use = egg:swift#swift3

# tempauth is no longer in the pipeline above; this section is kept only to be
# able to switch back. Until then its static credentials are dead configuration.
# (bind_ip is a [DEFAULT] option, not a tempauth one.)
[filter:tempauth]
use = egg:swift#tempauth
user_admin_admin = admin .admin .reseller_admin
user_test_tester = testing .admin
user_test2_tester2 = testing2 .admin
user_test_tester3 = testing3

[filter:healthcheck]
use = egg:swift#healthcheck

[filter:cache]
use = egg:swift#memcache
memcache_servers = 192.168.10.40:11211
EOF
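To make the authorization step concrete, here is an added illustration, my own code and not keystone.middleware.swift_auth, of the decision the keystone filter takes once auth_token has validated the token. It assumes the filter's default reseller prefix AUTH_ (matching AUTH_$(tenant_id)s in the catalog), the operator_roles = Member,admin setting above, the X-Identity-Status / X-Tenant-Id / X-Roles headers that auth_token sets, and a ResellerAdmin role name for cross-account access; container ACLs, which the real middleware also honours, are left out. The WSGI environs in the usage are constructed samples.

```python
"""Simplified model of swift_auth's account check. Added example, not the middleware's code."""
import re

RESELLER_PREFIX = "AUTH_"                       # swift_auth default; assumed here
OPERATOR_ROLES = frozenset({"Member", "admin"})  # operator_roles = Member,admin
RESELLER_ADMIN_ROLE = "ResellerAdmin"           # assumed name of the cross-account role

_PATH_RE = re.compile(r"^/v1/([^/]+)(?:/([^/]*))?(?:/(.*))?$")


def split_path(path):
    """Return (account, container, obj) from /v1/<account>[/<container>[/<obj>]]."""
    m = _PATH_RE.match(path)
    if not m:
        raise ValueError("not an object-store path: %r" % path)
    return m.group(1), m.group(2) or None, m.group(3) or None


def authorize(path, identity):
    """Decide whether a validated identity may act on the account in the path.

    identity: {'tenant_id': ..., 'roles': [...]} from the validated token.
    Returns (allowed, reason).
    """
    try:
        account, _container, _obj = split_path(path)
    except ValueError as exc:
        return False, str(exc)
    roles = set(identity.get("roles", []))
    tenant_id = identity.get("tenant_id")

    # A reseller admin may touch any account under the prefix.
    if RESELLER_ADMIN_ROLE in roles:
        return True, "reseller admin"
    # The account must be the token's own tenant: AUTH_<tenant_id> and nothing else.
    if not account.startswith(RESELLER_PREFIX) or account[len(RESELLER_PREFIX):] != tenant_id:
        return False, "account %s does not belong to tenant %s" % (account, tenant_id)
    # ... and the user must hold an operator role in that tenant; sysadmin and
    # netadmin alone (as demo has on the demo tenant) are not enough.
    if not roles & OPERATOR_ROLES:
        return False, "no operator role (have %s)" % sorted(roles)
    return True, "operator on own account"


def identity_from_environ(environ):
    """Read what auth_token leaves in the WSGI environ; None if the token was not confirmed."""
    if environ.get("HTTP_X_IDENTITY_STATUS") != "Confirmed":
        return None
    roles = [r.strip() for r in environ.get("HTTP_X_ROLES", "").split(",") if r.strip()]
    return {"tenant_id": environ.get("HTTP_X_TENANT_ID"), "roles": roles}


def check_request(environ):
    """Full decision for one request as the filter would see it."""
    identity = identity_from_environ(environ)
    if identity is None:
        return False, "token not validated by auth_token"
    return authorize(environ.get("PATH_INFO", ""), identity)


if __name__ == "__main__":
    # Constructed sample environs: tenant ids are made up.
    demo_on_own = {"PATH_INFO": "/v1/AUTH_d1/container1/test.txt",
                   "HTTP_X_IDENTITY_STATUS": "Confirmed",
                   "HTTP_X_TENANT_ID": "d1", "HTTP_X_ROLES": "Member,sysadmin,netadmin"}
    demo_on_admin = dict(demo_on_own, PATH_INFO="/v1/AUTH_a1/container1")
    for env in (demo_on_own, demo_on_admin):
        print(env["PATH_INFO"], check_request(env))
```

The check that matters for isolation is the second one: the account is derived from the request path, not from the token, so a valid token for one tenant must not open another tenant's AUTH_ account. A bug there (or a misconfigured reseller prefix) turns every authenticated user into a cross-tenant reader.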

1.4.3.2.1. Restarting the proxy server

$ sudo swift-init proxy restart

1.4.3.3. Verifying the setup

Set the environment variables and check. Connecting worked on both port 5000 and port 35357. Note that 5000 is the public API and 35357 the admin API that accepts the admin token, so point clients at 5000 and keep 35357 reachable from the proxy only. If the swift client complains that no tenant was given, pass the user as tenant:user (admin:admin for the admin user created above).

$ export ST_AUTH=http://192.168.10.40:5000/v2.0
$ export ST_USER=admin
$ export ST_KEY=password
$ export ST_AUTH_VERSION=2

1.4.3.3.1. Uploading a file

Create a test text file and upload it.

$ cd /tmp
$ echo "SWIFT TEST" > test.txt
$ swift upload container1 test.txt

1.4.3.3.2. Listing the containers

$ swift list

1.4.3.3.3. Showing account statistics

$ swift stat

1.4.3.3.4. Creating a container

$ swift post container2

1.4.3.3.5. Downloading a file

$ cd /tmp
$ swift download container1 test.txt
$ ls -l test.txt

1.4.3.3.6. Deleting a container

$ swift delete container1

With that done, all that remains is the integration with Nova.