
7.2.3. Installing the Identity Service (Keystone)

The code name of the OpenStack Identity Service is Keystone.
Keystone is the component that centrally manages the authentication and authorization shared by every OpenStack component, covering users, tenants (projects) and so on.
Installing Keystone removes the need for each component to perform its own authentication and authorization.

7.2.3.1. Installing Keystone

When Keystone is installed from packages, all of its dependencies are resolved for you.
# yum install -y openstack-keystone

7.2.3.2. Configuring Keystone

Now configure Keystone.
Take a backup of the whole configuration directory first.
# cp -a /etc/keystone /etc/keystone_bak
Set the SQL connection target, user name and password to values appropriate for your environment.
Almost all of the work is simply uncommenting lines. The log file path setting (log_file in the listing below) is the exception: a full path is better there, so it has been changed to one.
# cat /etc/keystone/keystone.conf
[DEFAULT]
log_file = /var/log/keystone/keystone.log
# A "shared secret" between keystone and other openstack services
admin_token = ADMIN

# The IP address of the network interface to listen on
bind_host = 0.0.0.0

# The port number which the public service listens on
public_port = 5000

# The port number which the public admin listens on
admin_port = 35357

# The port number which the OpenStack Compute service listens on
compute_port = 8774

# === Logging Options ===
# Print debugging output
verbose = True

# Print more verbose output
# (includes plaintext request logging, potentially including passwords)
debug = True

# Name of log file to output to. If not set, logging will go to stdout.
# log_file = keystone.log

# The directory to keep log files in (will be prepended to --logfile)
log_dir = /var/log/keystone

# Use syslog for logging.
# use_syslog = False

# syslog facility to receive log lines
# syslog_log_facility = LOG_USER

# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
# log_config = logging.conf

# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

# Format string for %(asctime)s in log records.
# log_date_format = %Y-%m-%d %H:%M:%S

# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
# onready = keystone.common.systemd

[sql]
# The SQLAlchemy connection string used to connect to the database
# connection = sqlite:///keystone.db
# Host, user and password must match the database created in 7.2.3.3
connection = mysql://keystone:password@stack01/keystone?charset=utf8

# the timeout before idle sql connections are reaped
# idle_timeout = 200

[identity]
driver = keystone.identity.backends.sql.Identity
# driver = keystone.identity.backends.sql.Identity

[catalog]
template_file = /etc/keystone/default_catalog.templates
driver = keystone.catalog.backends.sql.Catalog
# dynamic, sql-based backend (supports API/CLI-based management commands)
# driver = keystone.catalog.backends.sql.Catalog

# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog

# template_file = default_catalog.templates

[token]
driver = keystone.token.backends.sql.Token
# driver = keystone.token.backends.kvs.Token

# Amount of time a token should remain valid (in seconds)
# expiration = 86400

[policy]
driver = keystone.policy.backends.rules.Policy

[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2
# driver = keystone.contrib.ec2.backends.kvs.Ec2

[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#cert_required = True

[signing]
#token_format = UUID
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None
#token_format = PKI

[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None
# suffix = cn=example,cn=com
# use_dumb_member = False

# user_tree_dn = ou=Users,dc=example,dc=com
# user_objectclass = inetOrgPerson
# user_id_attribute = cn
# user_name_attribute = sn

# tenant_tree_dn = ou=Groups,dc=example,dc=com
# tenant_objectclass = groupOfNames
# tenant_id_attribute = cn
# tenant_member_attribute = member
# tenant_name_attribute = ou

# role_tree_dn = ou=Roles,dc=example,dc=com
# role_objectclass = organizationalRole
# role_id_attribute = cn
# role_member_attribute = roleOccupant

[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory

[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory

[pipeline:public_version_api]
pipeline = stats_monitoring url_normalize xml_body public_version_service

[pipeline:admin_version_api]
pipeline = stats_monitoring url_normalize xml_body admin_version_service

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api

[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api

That completes the configuration.
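Before starting the service it is worth checking the file for settings that are fine on a test box but not elsewhere: the placeholder admin_token ADMIN, debug = True (which, as the file's own comment says, can log passwords), an unencrypted listener, and a stray duplicate key left behind by editing. The script below is an added example, not part of the original guide or of Keystone. The checks and their wording are this script's own, and the sample configuration inside it is a constructed, shortened copy of the [DEFAULT], [sql] and [ssl] sections shown above, with a duplicate connection = line of the kind a cut-and-paste edit leaves behind.

```python
"""Check a keystone.conf for risky settings before bringing the service up.

Added example, not part of the guide or of Keystone itself. The checks
are this script's own; the sample config is constructed from the guide's
[DEFAULT], [sql] and [ssl] sections and deliberately keeps a duplicate
"connection =" line so the duplicate-key check has something to find.
"""
import configparser
import re
from urllib.parse import urlsplit

# Constructed sample (trimmed copy of the guide's config plus a stray
# leftover "connection =" line with an old password).
SAMPLE_CONF = """\
[DEFAULT]
log_file = /var/log/keystone/keystone.log
admin_token = ADMIN
bind_host = 0.0.0.0
public_port = 5000
admin_port = 35357
verbose = True
debug = True

[sql]
connection = mysql://keystone:keystone@localhost/keystone
# The SQLAlchemy connection string used to connect to the database
connection = mysql://keystone:password@stack01/keystone?charset=utf8

[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
"""

KEY_RE = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=")


def duplicate_keys(text):
    """Return (section, key) pairs that are assigned more than once.

    configparser silently keeps only the last value, so a leftover line
    with an old password would otherwise go unnoticed.
    """
    seen, dups, section = set(), [], "DEFAULT"
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
            continue
        m = KEY_RE.match(line)
        if m and not stripped.startswith("#"):
            pair = (section, m.group(1))
            if pair in seen:
                dups.append(pair)
            seen.add(pair)
    return dups


def check_keystone_conf(text):
    """Return a list of findings (strings) for the given keystone.conf text."""
    findings = [f"duplicate option {s}.{k}" for s, k in duplicate_keys(text)]
    # strict=False tolerates the duplicates that were just reported.
    cfg = configparser.RawConfigParser(strict=False)
    cfg.read_string(text)
    default = cfg["DEFAULT"]
    if default.get("admin_token", "").upper() == "ADMIN":
        findings.append("DEFAULT.admin_token is the well-known placeholder 'ADMIN'")
    if default.getboolean("debug", fallback=False):
        findings.append("DEFAULT.debug=True logs request bodies, which can include passwords")
    if cfg.has_section("sql"):
        url = urlsplit(cfg["sql"].get("connection", ""))
        if url.password and url.password in ("keystone", "password"):
            findings.append("sql.connection uses a weak database password")
    if not cfg.getboolean("ssl", "enable", fallback=False):
        findings.append("ssl.enable is not set; tokens and passwords travel in clear text")
    return findings


if __name__ == "__main__":
    for finding in check_keystone_conf(SAMPLE_CONF):
        print("WARN:", finding)
```

Run it against the real file with check_keystone_conf(open("/etc/keystone/keystone.conf").read()); an empty list means none of these particular problems is present, not that the configuration is secure.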

7.2.3.3. Creating the database

Create the database that Keystone will use.
Note that the user and password used here to set up Keystone's database are the ones chosen when MySQL was installed.
The database name is keystone, the user name is keystone and the password is password; change these to suitable values.
Likewise the host name is stack01; change it if your environment requires.
# MYSQL_PASS_KEYSTONE=password
# NOVA_CONTROLLER_HOSTNAME=stack01
# mysql -uroot -pnova -e "drop database if exists keystone;"
# mysql -uroot -pnova -e "create database keystone character set utf8;"
# mysql -uroot -pnova -e "grant all privileges on keystone.* to 'keystone'@'%' identified by '$MYSQL_PASS_KEYSTONE';"
# mysql -uroot -pnova -e "grant all privileges on keystone.* to 'keystone'@'localhost' identified by '$MYSQL_PASS_KEYSTONE';"
# mysql -uroot -pnova -e "grant all privileges on keystone.* to 'keystone'@'$NOVA_CONTROLLER_HOSTNAME' identified by '$MYSQL_PASS_KEYSTONE';"
# keystone-manage db_sync

7.2.3.4. Starting the process

Start Keystone, and also configure it to start automatically at boot.
# service openstack-keystone restart
# chkconfig openstack-keystone on
# service openstack-keystone status
keystone (pid  2041) を実行中...

7.2.3.5. Creating the data

Register in Keystone the services that OpenStack will use, the users for those services, and the roles.
Here they are created with the sample shell script.
In practice you may need to write your own script with settings that match your environment.
For Swift, Quantum, Cinder and Heat, the steps to add them with commands are described where those components are covered, so refer to those.
The sample script is used as-is apart from the minimum settings it needs.
The environment variables required by the sample script are set first.

Copy the data-loading script

# cd /usr/local/src ; cp -a /usr/share/openstack-keystone/sample_data.sh .

Set the environment variables

# export CONTROLLER_HOST=stack01
# export SERVICE_ENDPOINT=http://$CONTROLLER_HOST:35357/v2.0/
# export ADMIN_PASSWORD=password
# sed -i "s/127.0.0.1/$CONTROLLER_HOST/" /usr/local/src/sample_data.sh
# sed -i "s/localhost/$CONTROLLER_HOST/" /usr/local/src/sample_data.sh
# export ENABLE_ENDPOINTS=yes
# /usr/local/src/sample_data.sh

7.2.3.6. Verifying the configuration

Let's confirm that the data has actually been created.
To operate Keystone, a user must supply some options:
the tenant name, the user name within that tenant, the password and the endpoint.
An endpoint is the URL you connect to in order to use an API.
Each OpenStack component has its own endpoint.
Here the Keystone endpoint is set in environment variables.
There are three kinds of endpoint: the public URL, the internal URL and the admin URL.

Endpoint type   Description
public URL      URL that end users access
internal URL    URL for users who can reach the service over the LAN
admin URL       URL that administrators access
Log out and log back in once before checking.
Load the environment variables, then verify.
# export OS_USERNAME=admin
# export OS_PASSWORD=password
# export OS_TENANT_NAME=admin
# export OS_AUTH_URL=http://stack01:35357/v2.0/
# keystone tenant-list
+----------------------------------+--------------------+---------+
|                id                |        name        | enabled |
+----------------------------------+--------------------+---------+
| 16f6901e35994b91a8e7c1cd0834df82 |       admin        |   True  |
| ac8bc19b6eb84a89826eff729c7768fa | invisible_to_admin |   True  |
| dc11dc7c81054668b7e3fbc6e68b19e5 |        demo        |   True  |
| f6918da2053742768a587be4603889d4 |      service       |   True  |
+----------------------------------+--------------------+---------+

# keystone user-list
+----------------------------------+--------+---------+--------------------+
|                id                |  name  | enabled |       email        |
+----------------------------------+--------+---------+--------------------+
| 8e5db0a1feed42a4894366b5ff2d4126 | admin  |   True  | admin@example.com  |
| 9007fac90aeb430592e954c24054567d | glance |   True  | glance@example.com |
| 9031614663bd4470b5961ade27ae10c8 |  demo  |   True  | admin@example.com  |
| d27701bacb0849b6957703dc661ca1e6 |  nova  |   True  |  nova@example.com  |
+----------------------------------+--------+---------+--------------------+

# keystone role-list
+----------------------------------+----------------------+
|                id                |         name         |
+----------------------------------+----------------------+
| 12c7840f2b484442b4c66d64845cf587 |    KeystoneAdmin     |
| 26616bd93dbb4e22bfafced66b07a3b5 |        Member        |
| 29ffed204d7743bcaf3adf3a8079373d |       netadmin       |
| 59c6067f259b4de0a49ec42eb545ae05 |       sysadmin       |
| a5550c20e78e4c8db179ae23dc93d409 |        admin         |
| c7de8e26730a42beb74794428ff296ab | KeystoneServiceAdmin |
+----------------------------------+----------------------+

# keystone service-list
+----------------------------------+-------------+-----------+---------------------------+
|                id                |     name    |    type   |        description        |
+----------------------------------+-------------+-----------+---------------------------+
| 817a5574779d4c16a5ec45a6c5421ce6 |   horizon   | dashboard |    OpenStack Dashboard    |
| 884912b44ce041b68bffddbabecc665f | nova-volume |   volume  |    Nova Volume Service    |
| 9d5e06cc84034f4abd16953c52dcea48 |     ec2     |    ec2    |  EC2 Compatibility Layer  |
| 9dc3f1fe62c44b33a5cc653fe4a9befc |    glance   |   image   |    Glance Image Service   |
| b1579cb3cc6144c6b3b0b7618bc0b765 |     nova    |  compute  |    Nova Compute Service   |
| bd6b4d918feb40a58d708ce8dfc22725 |   keystone  |  identity | Keystone Identity Service |
+----------------------------------+-------------+-----------+---------------------------+

# keystone endpoint-list
+----------------------------------+-----------+----------------------------------------------------+----------------------------------------------------+----------------------------------------------------+----------------------------------+
|                id                |   region  |                     publicurl                      |                    internalurl                     |                      adminurl                      |            service_id            |
+----------------------------------+-----------+----------------------------------------------------+----------------------------------------------------+----------------------------------------------------+----------------------------------+
| 8a79ad4225e348bdabd63314020cf1e7 | RegionOne |        http://stack01:$(public_port)s/v2.0         |        http://stack01:$(public_port)s/v2.0         |         http://stack01:$(admin_port)s/v2.0         | bd6b4d918feb40a58d708ce8dfc22725 |
| a6c122edc5c8484e889a574a250de113 | RegionOne |         http://stack01:8773/services/Cloud         |         http://stack01:8773/services/Cloud         |         http://stack01:8773/services/Admin         | 9d5e06cc84034f4abd16953c52dcea48 |
| b5a49ba9238343cca61c567db8a93835 | RegionOne |               http://stack01:9292/v1               |               http://stack01:9292/v1               |               http://stack01:9292/v1               | 9dc3f1fe62c44b33a5cc653fe4a9befc |
| e57407711a3b479f8af270c0ed2f0527 | RegionOne |        http://stack01:8776/v1/$(tenant_id)s        |        http://stack01:8776/v1/$(tenant_id)s        |        http://stack01:8776/v1/$(tenant_id)s        | 884912b44ce041b68bffddbabecc665f |
| edc91dfcf3a54c46bed0215d2bf1d10a | RegionOne | http://stack01:$(compute_port)s/v1.1/$(tenant_id)s | http://stack01:$(compute_port)s/v1.1/$(tenant_id)s | http://stack01:$(compute_port)s/v1.1/$(tenant_id)s | b1579cb3cc6144c6b3b0b7618bc0b765 |
+----------------------------------+-----------+----------------------------------------------------+----------------------------------------------------+----------------------------------------------------+----------------------------------+
# keystone catalog
Service: volume
+-------------+---------------------------------------------------------+
|   Property  |                          Value                          |
+-------------+---------------------------------------------------------+
|   adminURL  | http://stack01:8776/v1/e2a4fa1ab112443d9d877a503f34f57f |
|      id     |             a45d48185fab425f84265b5d685911ed            |
| internalURL | http://stack01:8776/v1/e2a4fa1ab112443d9d877a503f34f57f |
|  publicURL  | http://stack01:8776/v1/e2a4fa1ab112443d9d877a503f34f57f |
|    region   |                        RegionOne                        |
+-------------+---------------------------------------------------------+
Service: image
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminURL  |      http://stack01:9292/v1      |
|      id     | 07ba0915de4345edb947ab02746608d2 |
| internalURL |      http://stack01:9292/v1      |
|  publicURL  |      http://stack01:9292/v1      |
|    region   |            RegionOne             |
+-------------+----------------------------------+
Service: compute
+-------------+-----------------------------------------------------------+
|   Property  |                           Value                           |
+-------------+-----------------------------------------------------------+
|   adminURL  | http://stack01:8774/v1.1/e2a4fa1ab112443d9d877a503f34f57f |
|      id     |              4679bc61037c427c81ac394e31d20e21             |
| internalURL | http://stack01:8774/v1.1/e2a4fa1ab112443d9d877a503f34f57f |
|  publicURL  | http://stack01:8774/v1.1/e2a4fa1ab112443d9d877a503f34f57f |
|    region   |                         RegionOne                         |
+-------------+-----------------------------------------------------------+
Service: ec2
+-------------+------------------------------------+
|   Property  |               Value                |
+-------------+------------------------------------+
|   adminURL  | http://stack01:8773/services/Admin |
|      id     |  7bd3ef9495594df0a7beb34d47592a4d  |
| internalURL | http://stack01:8773/services/Cloud |
|  publicURL  | http://stack01:8773/services/Cloud |
|    region   |             RegionOne              |
+-------------+------------------------------------+
Service: identity
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminURL  |    http://stack01:35357/v2.0     |
|      id     | 18bf2f69e85d4bbba7f3fc3857df2393 |
| internalURL |     http://stack01:5000/v2.0     |
|  publicURL  |     http://stack01:5000/v2.0     |
|    region   |            RegionOne             |
+-------------+----------------------------------+
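The endpoint-list output above shows URLs with placeholders such as $(compute_port)s and $(tenant_id)s, while keystone catalog shows them filled in for the tenant that authenticated, and the three URL kinds from the endpoint table (public, internal, admin) appear side by side. The script below is an added example, not code from the guide or from Keystone, that reproduces that substitution and the choice of URL kind. It assumes (not stated on the page) that substitution is a plain $(name)s to value replacement, as the two listings suggest; the endpoint rows, port values and tenant id are copied from the guide's own output and configuration.

```python
"""Resolve Keystone endpoint templates into the per-tenant service catalog.

Added example, not from the guide or from Keystone. Assumption: a template
placeholder $(name)s is replaced by the value for name, which is what the
guide's endpoint-list versus catalog output shows.
"""
import re

TEMPLATE_RE = re.compile(r"\$\((\w+)\)s")

# Endpoint rows as shown by `keystone endpoint-list` in the guide:
# (service type, publicurl, internalurl, adminurl).
ENDPOINT_TEMPLATES = [
    ("identity", "http://stack01:$(public_port)s/v2.0",
                 "http://stack01:$(public_port)s/v2.0",
                 "http://stack01:$(admin_port)s/v2.0"),
    ("compute", "http://stack01:$(compute_port)s/v1.1/$(tenant_id)s",
                "http://stack01:$(compute_port)s/v1.1/$(tenant_id)s",
                "http://stack01:$(compute_port)s/v1.1/$(tenant_id)s"),
    ("volume", "http://stack01:8776/v1/$(tenant_id)s",
               "http://stack01:8776/v1/$(tenant_id)s",
               "http://stack01:8776/v1/$(tenant_id)s"),
]

# Port values from the guide's keystone.conf [DEFAULT] section.
CONF_PORTS = {"public_port": "5000", "admin_port": "35357", "compute_port": "8774"}


def render(template, values):
    """Replace every $(name)s with values[name].

    An unknown name raises KeyError rather than leaving the placeholder in
    place, so a typo in a template cannot silently ship a broken URL.
    """
    return TEMPLATE_RE.sub(lambda m: values[m.group(1)], template)


def build_catalog(tenant_id, region="RegionOne"):
    """Return {service_type: {publicURL, internalURL, adminURL, region}},
    i.e. what `keystone catalog` shows for the authenticated tenant."""
    values = dict(CONF_PORTS, tenant_id=tenant_id)
    catalog = {}
    for svc_type, public, internal, admin in ENDPOINT_TEMPLATES:
        catalog[svc_type] = {
            "publicURL": render(public, values),
            "internalURL": render(internal, values),
            "adminURL": render(admin, values),
            "region": region,
        }
    return catalog


def endpoint_for(catalog, service_type, interface="public"):
    """Pick the URL a client should use: 'public' for end users, 'internal'
    for callers on the management LAN, 'admin' for administrative calls."""
    key = {"public": "publicURL", "internal": "internalURL", "admin": "adminURL"}[interface]
    return catalog[service_type][key]


if __name__ == "__main__":
    # Tenant id taken from the guide's `keystone catalog` output.
    cat = build_catalog("e2a4fa1ab112443d9d877a503f34f57f")
    for svc, urls in cat.items():
        print(f"Service: {svc}")
        for k in ("adminURL", "internalURL", "publicURL"):
            print(f"  {k:12} {urls[k]}")
```

The identity service is the one case where the admin URL differs from the other two (port 35357 versus 5000), which is why the OS_AUTH_URL used for administration above points at 35357.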
This concludes the installation and configuration of Keystone.