6. KeyStone Installation Procedure

This section describes the installation procedure for KeyStone, which provides the integrated authentication function.

6.1. Installing the KeyStone packages

KeyStone starts running as soon as it is installed, so stop it before configuring it.

$ sudo apt-get -y install keystone
$ sudo /etc/init.d/keystone stop

6.2. Editing /etc/keystone/keystone.conf

6.2.1. Default configuration file (2012/08/02)

[DEFAULT]
#bind_host = 0.0.0.0
public_port = 5000
admin_port = 35357
admin_token = ADMIN
compute_port = 8774
verbose = True
debug = True
log_config = /etc/keystone/logging.conf

# ================= Syslog Options ============================
# Send logs to syslog (/dev/log) instead of to file specified
# by `log-file`
use_syslog = False

# Facility to use. If unset defaults to LOG_USER.
# syslog_log_facility = LOG_LOCAL0

[sql]
connection = sqlite:////var/lib/keystone/keystone.db
idle_timeout = 200

[ldap]
#url = ldap://localhost
#tree_dn = dc=example,dc=com
#user_tree_dn = ou=Users,dc=example,dc=com
#role_tree_dn = ou=Roles,dc=example,dc=com
#tenant_tree_dn = ou=Groups,dc=example,dc=com
#user = dc=Manager,dc=example,dc=com
#password = freeipa4all
#suffix = cn=example,cn=com

[identity]
driver = keystone.identity.backends.sql.Identity

[catalog]
driver = keystone.catalog.backends.sql.Catalog

[token]
driver = keystone.token.backends.sql.Token

# Amount of time a token should remain valid (in seconds)
expiration = 86400

[policy]
driver = keystone.policy.backends.rules.Policy

[ec2]
driver = keystone.contrib.ec2.backends.sql.Ec2

[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension public_service

[pipeline:admin_api]
pipeline = token_auth admin_token_auth xml_body json_body debug ec2_extension crud_extension admin_service

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory

[pipeline:public_version_api]
pipeline = xml_body public_version_service

[pipeline:admin_version_api]
pipeline = xml_body admin_version_service

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/ = public_version_api

[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/ = admin_version_api

6.2.2. Changes and brief notes

Only the relevant parts are covered.

+--------------+-----------------------------------------+-----------------------------------------------+
| Parameter    | Description                             | Value set here                                |
+--------------+-----------------------------------------+-----------------------------------------------+
| verbose      | Log output setting                      | False                                         |
| debug        | Debug log output setting                | False                                         |
| log_config   | Logging configuration file              | /etc/keystone/logging.conf                    |
| bind_host    | Address the KeyStone service binds to   | 0.0.0.0                                       |
| public_port  | KeyStone service port                   | 5000                                          |
| admin_port   | KeyStone admin service port             | 35357                                         |
| compute_port | Port for the EC2-compatible API service | 8774                                          |
| admin_token  | Token for admin-function authentication | 999888777666 (change as appropriate)          |
| connection   | Database connection string              | mysql://keystone:y7u8i9YUI@localhost/keystone |
+--------------+-----------------------------------------+-----------------------------------------------+
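As an added example (not part of the original page), the following Python script audits a keystone.conf for the shipped defaults that the table above replaces (the literal admin_token "ADMIN", debug-level logging, the commented-out bind_host and the SQLite backend) and then writes the table's values back. The configuration excerpt embedded in it is constructed from the default file in 6.2.1; the function names, the finding texts and the "shorter than 12 characters" rule for the token are my own assumptions, not rules from the page.

```python
"""Audit a keystone.conf for the defaults the tutorial changes, then apply
the tutorial's values. Added example, not from the original page."""
import configparser
import io

# Constructed excerpt of the default /etc/keystone/keystone.conf (6.2.1).
DEFAULT_CONF = """\
[DEFAULT]
#bind_host = 0.0.0.0
public_port = 5000
admin_port = 35357
admin_token = ADMIN
compute_port = 8774
verbose = True
debug = True
log_config = /etc/keystone/logging.conf

[sql]
connection = sqlite:////var/lib/keystone/keystone.db
idle_timeout = 200
"""

# Values from the table in 6.2.2. The token and DB password are the
# tutorial's placeholders; substitute your own.
TUTORIAL_CHANGES = {
    ("DEFAULT", "verbose"): "False",
    ("DEFAULT", "debug"): "False",
    ("DEFAULT", "bind_host"): "0.0.0.0",
    ("DEFAULT", "admin_token"): "999888777666",
    ("sql", "connection"): "mysql://keystone:y7u8i9YUI@localhost/keystone",
}


def load_conf(text):
    # interpolation=None: endpoint templates and passwords may contain '%'/'$'
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser


def audit_keystone_conf(text):
    """Return a list of (section, option, reason) findings; empty means clean."""
    conf = load_conf(text)
    findings = []
    token = conf.get("DEFAULT", "admin_token", fallback="")
    # The shipped value is the literal string ADMIN; 12 chars is my own floor.
    if token.upper() == "ADMIN" or len(token) < 12:
        findings.append(("DEFAULT", "admin_token", "shipped or short admin_token"))
    for opt in ("verbose", "debug"):
        if conf.getboolean("DEFAULT", opt, fallback=False):
            findings.append(("DEFAULT", opt, "debug-level logging enabled"))
    if not conf.has_option("DEFAULT", "bind_host"):
        findings.append(("DEFAULT", "bind_host", "bind_host not set explicitly"))
    if conf.get("sql", "connection", fallback="").startswith("sqlite:"):
        findings.append(("sql", "connection", "SQLite backend still configured"))
    return findings


def apply_changes(text, changes):
    """Return the config text with each (section, option) set to its new value."""
    conf = load_conf(text)
    for (section, option), value in changes.items():
        if section != "DEFAULT" and not conf.has_section(section):
            conf.add_section(section)
        conf.set(section, option, value)
    out = io.StringIO()
    conf.write(out)
    return out.getvalue()


if __name__ == "__main__":
    for finding in audit_keystone_conf(DEFAULT_CONF):
        print("before:", finding)
    fixed = apply_changes(DEFAULT_CONF, TUTORIAL_CHANGES)
    print("after:", audit_keystone_conf(fixed) or "clean")
```

configparser drops comment lines when it writes, so treat the rewritten text as a check of the values rather than a drop-in replacement for the commented default file: edit the real file by hand as the table describes, then run the audit over it. Note that the MySQL connection string the tutorial sets embeds the database password in plain text, so the file's permissions matter as much as its contents.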

6.3. Starting the service

After removing the unneeded SQLite database, set up the new database and start the service.

$ sudo rm /var/lib/keystone/keystone.db
$ sudo keystone-manage db_sync
$ sudo /etc/init.d/keystone start

6.4. keystone-manage

Create the users and related objects with the KeyStone administration commands.

6.4.1. Configuration used here

  • Tenants (what Nova calls a Project)
    • admin - tenant for the admin user
    • demo - tenant for demos
  • Users
    • (admin user) admin - (password) y7u8i9YUI
    • (demo user) demo - (password) y7u8i9YUI
  • Membership
    • admin - (tenant) admin
    • admin - (tenant) demo
    • demo - (tenant) demo
  • Roles
    • Admin
    • KeystoneAdmin
    • KeystoneServiceAdmin
    • Member

6.4.2. Setup script

Run the following script. Adjust the IP addresses, passwords and so on as appropriate. (Excerpted from DevStack)

See the manual for detailed explanations of the commands.

#!/bin/bash
KEYSTONE_CONF=/etc/keystone/keystone.conf

# Service endpoint
export SERVICE_TOKEN=$(grep ^admin_token "$KEYSTONE_CONF" | awk '{ print $NF }')
export SERVICE_ENDPOINT=http://127.0.0.1:35357/v2.0

# User password
ADMIN_PASSWORD=y7u8i9YUI
SERVICE_PASSWORD=y7u8i9YUI

# Pull the id out of the "| id | <uuid> |" row of a create command's property table
function get_id () {
    echo $("$@" | grep ' id ' | awk '{ print $4 }')
}

# Tenants
ADMIN_TENANT=$(get_id keystone tenant-create --name=admin)
SERVICE_TENANT=$(get_id keystone tenant-create --name=service)
DEMO_TENANT=$(get_id keystone tenant-create --name=demo)

# Users
ADMIN_USER=$(get_id keystone user-create --name=admin --pass="$ADMIN_PASSWORD" --email=root@localhost.localdomain)
NOVA_USER=$(get_id keystone user-create --name=nova --pass="$SERVICE_PASSWORD" --tenant_id $SERVICE_TENANT --email=root@localhost.localdomain)
GLANCE_USER=$(get_id keystone user-create --name=glance --pass="$SERVICE_PASSWORD" --tenant_id $SERVICE_TENANT --email=root@localhost.localdomain)
DEMO_USER=$(get_id keystone user-create --name=demo --pass="$ADMIN_PASSWORD" --email=root@localhost.localdomain)

# Roles
ADMIN_ROLE=$(get_id keystone role-create --name=admin)
MEMBER_ROLE=$(get_id keystone role-create --name=Member)
KEYSTONEADMIN_ROLE=$(get_id keystone role-create --name=KeystoneAdmin)
KEYSTONESERVICE_ROLE=$(get_id keystone role-create --name=KeystoneServiceAdmin)
SYSADMIN_ROLE=$(get_id keystone role-create --name=sysadmin)
NETADMIN_ROLE=$(get_id keystone role-create --name=netadmin)

# Services
EC2_SERVICE=$(get_id keystone service-create --name=ec2 --type=ec2 --description="EC2 Compatibility Layer")
GLANCE_SERVICE=$(get_id keystone service-create --name=glance --type=image --description="Glance Image Service")
keystone service-create --name="horizon" --type=dashboard --description="OpenStack Dashboard"
KEYSTONE_SERVICE=$(get_id keystone service-create --name=keystone --type=identity --description="Keystone Identity Service")
NOVA_SERVICE=$(get_id keystone service-create --name=nova --type=compute --description="Nova Compute Service")
VOLUME_SERVICE=$(get_id keystone service-create --name="nova-volume" --type=volume --description="Nova Volume Service")

# Add Roles to Users in Tenants
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user $ADMIN_USER --role $KEYSTONEADMIN_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user $ADMIN_USER --role $KEYSTONESERVICE_ROLE --tenant_id $ADMIN_TENANT
keystone user-role-add --user $ADMIN_USER --role $ADMIN_ROLE --tenant_id $DEMO_TENANT

keystone user-role-add --user $DEMO_USER --role $MEMBER_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $DEMO_USER --role $SYSADMIN_ROLE --tenant_id $DEMO_TENANT
keystone user-role-add --user $DEMO_USER --role $NETADMIN_ROLE --tenant_id $DEMO_TENANT

keystone user-role-add --tenant_id $SERVICE_TENANT --user $NOVA_USER --role $ADMIN_ROLE
keystone user-role-add --tenant_id $SERVICE_TENANT --user $GLANCE_USER --role $ADMIN_ROLE

# Endpoint
keystone endpoint-create --region RegionOne --service_id $NOVA_SERVICE     --publicurl 'http://192.168.0.2:$(compute_port)s/v1.1/$(tenant_id)s' --adminurl 'http://192.168.0.2:$(compute_port)s/v1.1/$(tenant_id)s' --internalurl 'http://192.168.0.2:$(compute_port)s/v1.1/$(tenant_id)s'
keystone endpoint-create --region RegionOne --service_id $EC2_SERVICE      --publicurl 'http://192.168.0.2:8773/services/Cloud'                 --adminurl 'http://192.168.0.2:8773/services/Admin'                 --internalurl 'http://192.168.0.2:8773/services/Cloud'
keystone endpoint-create --region RegionOne --service_id $GLANCE_SERVICE   --publicurl 'http://192.168.0.2:9292/v1'                             --adminurl 'http://192.168.0.2:9292/v1'                             --internalurl 'http://192.168.0.2:9292/v1'
keystone endpoint-create --region RegionOne --service_id $KEYSTONE_SERVICE --publicurl 'http://192.168.0.2:$(public_port)s/v2.0'                --adminurl 'http://192.168.0.2:$(admin_port)s/v2.0'                 --internalurl 'http://192.168.0.2:$(public_port)s/v2.0'
keystone endpoint-create --region RegionOne --service_id $VOLUME_SERVICE   --publicurl 'http://192.168.0.2:8776/v1/$(tenant_id)s'               --adminurl 'http://192.168.0.2:8776/v1/$(tenant_id)s'               --internalurl 'http://192.168.0.2:8776/v1/$(tenant_id)s'

# EC2 Token
keystone ec2-credentials-create --tenant_id=$ADMIN_TENANT --user=$ADMIN_USER
keystone ec2-credentials-create --tenant_id=$DEMO_TENANT --user=$DEMO_USER

6.5. Verification

$ export SERVICE_TOKEN=999888777666
$ export SERVICE_ENDPOINT=http://localhost:35357/v2.0
$ keystone tenant-list
+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| 767ad4a065714f68b041ea775c8fb580 | service | True    |
| abc2b56b73e346e1b6ce2c58f8927fe5 | admin   | True    |
| d2de8f2a22d64b1983e3909899f7265c | demo    | True    |
+----------------------------------+---------+---------+
$ keystone user-list
+----------------------------------+---------+----------------------------+--------+
|                id                | enabled |           email            |  name  |
+----------------------------------+---------+----------------------------+--------+
| 0c2477d2da0c40b6b93649a0ab10847a | True    | root@localhost.localdomain | glance |
| 35eb88a368ca49beb853378b91d79314 | True    | root@localhost.localdomain | demo   |
| e2a09c3c95d94544b575421b4b070488 | True    | root@localhost.localdomain | admin  |
| e81361eb16b540b08670c7e41460d060 | True    | root@localhost.localdomain | nova   |
+----------------------------------+---------+----------------------------+--------+
$ keystone role-list
+----------------------------------+----------------------+
|                id                |         name         |
+----------------------------------+----------------------+
| 255a9db746cb49a78b649f8520296c8c | KeystoneAdmin        |
| 690e07240aae4dfc8b8ef7ebc0c783ab | sysadmin             |
| 7b487d8626184fd09b39bdb923207e25 | admin                |
| a46147c0b4f34ec080e155d3ca8f8720 | Member               |
| b58e55e870924ea08d4aea3d7e778903 | KeystoneServiceAdmin |
| e59a9e3d699748beaf754db82d52922c | netadmin             |
+----------------------------------+----------------------+
$ keystone service-list
+----------------------------------+-------------+-----------+---------------------------+
|                id                |     name    |    type   |        description        |
+----------------------------------+-------------+-----------+---------------------------+
| 46538db3bf1249348cf6a6f55810f0dc | nova-volume | volume    | Nova Volume Service       |
| 6da4d3a173554e939d72e43c65309f4f | nova        | compute   | Nova Compute Service      |
| a408330b6afd47b880d68cb75c698465 | keystone    | identity  | Keystone Identity Service |
| a496288ce6624b51ac715b6d8f1629e6 | glance      | image     | Glance Image Service      |
| b3fe27c4117541da92cb99b635b42a6d | horizon     | dashboard | OpenStack Dashboard       |
| d48fb1e33d094ef7a49690469ead99e1 | ec2         | ec2       | EC2 Compatibility Layer   |
+----------------------------------+-------------+-----------+---------------------------+
$ keystone endpoint-list
+----------------------------------+-----------+--------------------------------------------------------+--------------------------------------------------------+--------------------------------------------------------+
|                id                |   region  |                       publicurl                        |                       internalurl                      |                        adminurl                        |
+----------------------------------+-----------+--------------------------------------------------------+--------------------------------------------------------+--------------------------------------------------------+
| 17f5eb6590fd4b70a72cd0347e876a0c | RegionOne | http://192.168.0.2:$(public_port)s/v2.0                | http://192.168.0.2:$(admin_port)s/v2.0                 | http://192.168.0.2:$(admin_port)s/v2.0                 |
| 55e32b76346e44408385ca0599416c55 | RegionOne | http://192.168.0.2:$(compute_port)s/v1.1/$(tenant_id)s | http://192.168.0.2:$(compute_port)s/v1.1/$(tenant_id)s | http://192.168.0.2:$(compute_port)s/v1.1/$(tenant_id)s |
| b3128da52a384fc382f7d5f07cb99e81 | RegionOne | http://192.168.0.2:9292/v1                             | http://192.168.0.2:9292/v1                             | http://192.168.0.2:9292/v1                             |
| cd4bbdcc2b1a4f6ca69e0c8569cbea1d | RegionOne | http://192.168.0.2:8773/services/Cloud                 | http://192.168.0.2:8773/services/Cloud                 | http://192.168.0.2:8773/services/Admin                 |
| db486b3047c548899a26f61d2abd5492 | RegionOne | http://192.168.0.2:8776/v1/$(tenant_id)s               | http://192.168.0.2:8776/v1/$(tenant_id)s               | http://192.168.0.2:8776/v1/$(tenant_id)s               |
+----------------------------------+-----------+--------------------------------------------------------+--------------------------------------------------------+--------------------------------------------------------+
$ keystone ec2-credentials-list --user e2a09c3c95d94544b575421b4b070488
+--------+----------------------------------+----------------------------------+
| tenant |              access              |              secret              |
+--------+----------------------------------+----------------------------------+
| admin  | 0890d0b5e7274ea1a3180b31f200ca6f | 8fbcfee19d804ceba1b520f29f04685e |
+--------+----------------------------------+----------------------------------+
$ keystone ec2-credentials-list --user 35eb88a368ca49beb853378b91d79314
+--------+----------------------------------+----------------------------------+
| tenant |              access              |              secret              |
+--------+----------------------------------+----------------------------------+
| demo   | 70af2c3645e54cb4873b62bbade85862 | 91d81426a80c4fe28f7f5312fd5f0644 |
+--------+----------------------------------+----------------------------------+
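The get_id helper in the 6.4.2 script extracts the id from the CLI's property table with grep ' id ' and awk '{ print $4 }', which breaks as soon as a value contains a space or the columns shift. As an added example, not from the original page, the following Python parses the keystone CLI's bordered table format properly, offers a get_id built on that parser, and then checks the listings above against the objects the 6.4.2 script creates. The tenant-list, user-list and role-list text is copied from 6.5; the tenant-create output is a constructed sample (using the admin tenant id from the page), and the function names are my own.

```python
"""Parse keystone CLI tables and check the 6.5 listings against what the
6.4.2 script creates. Added example, not from the original page."""

# Constructed sample of `keystone tenant-create --name=admin` output: the
# two-column property table the script's get_id greps.
TENANT_CREATE_OUTPUT = """\
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description | None                             |
| enabled     | True                             |
| id          | abc2b56b73e346e1b6ce2c58f8927fe5 |
| name        | admin                            |
+-------------+----------------------------------+
"""

# Copied from the page's 6.5 listings.
TENANT_LIST = """\
|                id                |   name  | enabled |
| 767ad4a065714f68b041ea775c8fb580 | service | True    |
| abc2b56b73e346e1b6ce2c58f8927fe5 | admin   | True    |
| d2de8f2a22d64b1983e3909899f7265c | demo    | True    |
"""
USER_LIST = """\
|                id                | enabled |           email            |  name  |
| 0c2477d2da0c40b6b93649a0ab10847a | True    | root@localhost.localdomain | glance |
| 35eb88a368ca49beb853378b91d79314 | True    | root@localhost.localdomain | demo   |
| e2a09c3c95d94544b575421b4b070488 | True    | root@localhost.localdomain | admin  |
| e81361eb16b540b08670c7e41460d060 | True    | root@localhost.localdomain | nova   |
"""
ROLE_LIST = """\
|                id                |         name         |
| 255a9db746cb49a78b649f8520296c8c | KeystoneAdmin        |
| 690e07240aae4dfc8b8ef7ebc0c783ab | sysadmin             |
| 7b487d8626184fd09b39bdb923207e25 | admin                |
| a46147c0b4f34ec080e155d3ca8f8720 | Member               |
| b58e55e870924ea08d4aea3d7e778903 | KeystoneServiceAdmin |
| e59a9e3d699748beaf754db82d52922c | netadmin             |
"""

# Everything the 6.4.2 script creates (a superset of the 6.4.1 plan).
EXPECTED = {
    "tenants": {"admin", "service", "demo"},
    "users": {"admin", "nova", "glance", "demo"},
    "roles": {"admin", "Member", "KeystoneAdmin",
              "KeystoneServiceAdmin", "sysadmin", "netadmin"},
}


def parse_table(text):
    """Return the rows of a +---+ bordered table as dicts keyed by header."""
    def cells(line):
        return [c.strip() for c in line.strip()[1:-1].split("|")]
    lines = [l for l in text.splitlines() if l.strip().startswith("|")]
    if not lines:
        return []
    header = cells(lines[0])
    return [dict(zip(header, cells(l))) for l in lines[1:]]


def get_id(create_output):
    """Read the id from a create command's Property/Value table."""
    props = {r["Property"]: r["Value"] for r in parse_table(create_output)}
    return props["id"]


def check_listing(list_output, expected_names):
    """Compare the names in a *-list table with the set we expect (case-sensitive)."""
    rows = parse_table(list_output)
    names = {r["name"] for r in rows}
    return {
        "missing": sorted(expected_names - names),
        "unexpected": sorted(names - expected_names),
        "disabled": sorted(r["name"] for r in rows
                           if "enabled" in r and r["enabled"] != "True"),
    }


def verify_all():
    return {
        "tenants": check_listing(TENANT_LIST, EXPECTED["tenants"]),
        "users": check_listing(USER_LIST, EXPECTED["users"]),
        "roles": check_listing(ROLE_LIST, EXPECTED["roles"]),
    }


if __name__ == "__main__":
    print("admin tenant id:", get_id(TENANT_CREATE_OUTPUT))
    for kind, result in verify_all().items():
        print(kind, result)
```

Role names in KeyStone are case-sensitive, so running check_listing over the role-list with the four roles as written in 6.4.1 reports "Admin" missing and "admin", "sysadmin" and "netadmin" as unexpected: the script creates the admin role in lowercase and adds two roles the plan does not mention. The check is worth keeping around, because a role that exists with a different spelling than policy.json expects silently grants nothing.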

$ curl -d '{"auth": {"tenantName": "admin", "passwordCredentials":{"username": "admin", "password": "y7u8i9YUI"}}}' -H "Content-type:application/json" http://192.168.0.2:35357/v2.0/tokens | python -mjson.tool