# OpenStack-Mitaka中Identity服務如何安裝
## 目錄
1. [OpenStack Identity服務概述](#1-openstack-identity服務概述)
- 1.1 [Keystone簡介](#11-keystone簡介)
- 1.2 [Mitaka版本特性](#12-mitaka版本特性)
2. [安裝前準備](#2-安裝前準備)
- 2.1 [系統要求](#21-系統要求)
- 2.2 [環境配置](#22-環境配置)
3. [數據庫配置](#3-數據庫配置)
- 3.1 [MySQL安裝](#31-mysql安裝)
- 3.2 [創建Keystone數據庫](#32-創建keystone數據庫)
4. [Keystone安裝與配置](#4-keystone安裝與配置)
- 4.1 [軟件包安裝](#41-軟件包安裝)
- 4.2 [主配置文件詳解](#42-主配置文件詳解)
5. [初始化身份服務](#5-初始化身份服務)
- 5.1 [數據庫表結構初始化](#51-數據庫表結構初始化)
- 5.2 [服務實體和API端點](#52-服務實體和api端點)
6. [Apache HTTP服務配置](#6-apache-http服務配置)
- 6.1 [WSGI配置](#61-wsgi配置)
- 6.2 [虛擬主機設置](#62-虛擬主機設置)
7. [創建域/項目/用戶/角色](#7-創建域項目用戶角色)
- 7.1 [基本身份架構](#71-基本身份架構)
- 7.2 [CLI操作示例](#72-cli操作示例)
8. [驗證身份服務](#8-驗證身份服務)
- 8.1 [臨時認證令牌獲取](#81-臨時認證令牌獲取)
- 8.2 [服務目錄查詢](#82-服務目錄查詢)
9. [故障排除](#9-故障排除)
- 9.1 [常見錯誤](#91-常見錯誤)
- 9.2 [日志分析](#92-日志分析)
10. [附錄](#10-附錄)
- 10.1 [參考命令速查](#101-參考命令速查)
- 10.2 [配置文件模板](#102-配置文件模板)
---
## 1. OpenStack Identity服務概述
### 1.1 Keystone簡介
OpenStack Identity服務(代號Keystone)是OpenStack框架的核心組件,負責:
- 用戶身份認證(Authentication)
- 服務目錄管理(Service Catalog)
- 基于角色的訪問控制(RBAC)
- 多租戶隔離支持
在Mitaka版本中,Keystone實現了以下關鍵功能:
```python
class KeystoneCore:
def __init__(self):
self.token_provider = 'fernet' # 默認令牌格式
self.driver = 'sql' # 默認數據驅動
Mitaka版本(2016年4月發布)對Keystone的重要改進包括: - 增強的Fernet令牌支持 - 改進的策略引擎 - 更細粒度的權限控制 - 原生支持多因素認證(MFA)
版本依賴關系:
Mitaka Keystone requires:
- Python 2.7.x
- MySQL 5.6+/MariaDB 10.0+
- Apache 2.4.x with mod_wsgi
推薦硬件配置:
| 組件 | 最低要求 | 生產環境建議 |
|---|---|---|
| CPU | 1核 | 4核 |
| 內存 | 2GB | 8GB |
| 磁盤空間 | 10GB | 50GB |
操作系統選擇: - Ubuntu 16.04 LTS - CentOS 7/RHEL 7 - openSUSE Leap 42.1
hostnamectl set-hostname controller
echo "127.0.0.1 controller" >> /etc/hosts
setenforce 0
sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
yum install -y chrony # CentOS
apt install -y chrony # Ubuntu
systemctl enable chronyd
systemctl start chronyd
CentOS安裝示例:
yum install -y mariadb-server mariadb-client
systemctl enable mariadb
systemctl start mariadb
安全加固:
mysql_secure_installation
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
FLUSH PRIVILEGES;
Ubuntu系統:
apt install -y keystone apache2 libapache2-mod-wsgi
CentOS系統:
yum install -y openstack-keystone httpd mod_wsgi
編輯/etc/keystone/keystone.conf:
[DEFAULT]
admin_token = INITIAL_ADMIN_TOKEN # 僅用于初始化
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
su -s /bin/sh -c "keystone-manage db_sync" keystone
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
創建/etc/apache2/sites-available/wsgi-keystone.conf:
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
</VirtualHost>
啟用配置:
a2ensite wsgi-keystone
systemctl restart apache2
graph TD
A[Domain] --> B[Project]
B --> C[User]
C --> D[Role]
創建管理員:
openstack user create --domain default --password-prompt admin
openstack role create admin
openstack role add --project admin --user admin admin
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
openstack catalog list
Error: Unable to connect to database 檢查MySQL連接字符串和權限
403 Forbidden 驗證admin_token或用戶憑證
關鍵日志位置:
- /var/log/keystone/keystone.log
- /var/log/apache2/error.log
# 重置Fernet密鑰
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# 驗證數據庫連接
mysql -h controller -u keystone -p
完整keystone.conf示例:
[DEFAULT]
log_dir = /var/log/keystone
[identity]
driver = sql
[assignment]
driver = sql
