OpenStack JUNO - Ubuntu 14.04 #02 Keystone (Authentication)
Author : 최고관리자   Date : 2015-02-23 (Mon) 14:37   Views : 4448
                                

Keystone (the authentication service)

  ==>> Keystone is the service that manages authentication centrally for the whole chain of operations: logging in to Horizon (the dashboard), fetching an image registered in Glance when an instance is created through Nova, and configuring the network through nova-networking or Neutron.

1) Create the keystone database and the user access credentials
root@controller:~# mysql -uroot -pXXXXXXXXXXXXXXX
mysql> CREATE database keystone;
Query OK, 1 row affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'XXXXXXXXXXXXXXX';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'XXXXXXXXXXXXXXX';
Query OK, 0 rows affected (0.00 sec)

mysql> exit
Bye


2) Generate the admin token
The token value needed for authentication between the Identity Service and the other OpenStack services (keystone) is a random string generated with the openssl rand command.
root@controller:~# openssl rand -hex 10
4c8b1d9877514460e813


3) Install keystone
root@controller:~# apt-get -y install keystone python-keystoneclient


4) Edit /etc/keystone/keystone.conf
[DEFAULT]
#admin_token=ADMIN
admin_token=4c8b1d9877514460e813

[database]
#connection=sqlite:////var/lib/keystone/keystone.db   ### commented out (default SQLite store)
connection = mysql://keystone:XXXXXXXXXXXXXXX@115.XXX.XXX.6/keystone


5) Create the keystone tables
root@controller:~# keystone-manage db_sync
If the command returns without printing anything (no error message), it has completed and the tables are created as shown below.

root@controller:~# ls -l /var/lib/mysql/keystone/
total 220
-rw-rw---- 1 mysql mysql 8764  2월 23 16:43 assignment.frm
-rw-rw---- 1 mysql mysql 8726  2월 23 16:43 credential.frm
-rw-rw---- 1 mysql mysql   61  2월 23 16:43 db.opt
-rw-rw---- 1 mysql mysql 8654  2월 23 16:43 domain.frm
-rw-rw---- 1 mysql mysql 8832  2월 23 16:43 endpoint.frm
-rw-rw---- 1 mysql mysql 8702  2월 23 16:43 group.frm
-rw-rw---- 1 mysql mysql 8705  2월 23 16:43 id_mapping.frm
-rw-rw---- 1 mysql mysql 8666  2월 23 16:43 migrate_version.frm
-rw-rw---- 1 mysql mysql 8648  2월 23 16:43 policy.frm
-rw-rw---- 1 mysql mysql 8738  2월 23 16:43 project.frm
-rw-rw---- 1 mysql mysql 8714  2월 23 16:43 region.frm
-rw-rw---- 1 mysql mysql 9064  2월 23 16:44 revocation_event.frm
-rw-rw---- 1 mysql mysql 8618  2월 23 16:43 role.frm
-rw-rw---- 1 mysql mysql 8654  2월 23 16:43 service.frm
-rw-rw---- 1 mysql mysql 8730  2월 23 16:43 token.frm
-rw-rw---- 1 mysql mysql 8916  2월 23 16:43 trust.frm
-rw-rw---- 1 mysql mysql 8604  2월 23 16:43 trust_role.frm
-rw-rw---- 1 mysql mysql 8790  2월 23 16:43 user.frm
-rw-rw---- 1 mysql mysql 8604  2월 23 16:43 user_group_membership.frm


6) Restart the keystone daemon so the modified conf file takes effect
root@controller:~# service keystone restart
keystone stop/waiting
keystone start/running, process 4067


7) Delete the now-unneeded keystone.db (SQLite file)
root@controller1:~# rm -f /var/lib/keystone/keystone.db


8) Declare the environment variables
Users cannot be created with the admin token alone, so pass the token value to the keystone command through the OS_SERVICE_TOKEN environment variable, and set the location of the Identity Service (the controller) in the OS_SERVICE_ENDPOINT variable.
root@controller:~# export OS_SERVICE_TOKEN=4c8b1d9877514460e813
root@controller:~# export OS_SERVICE_ENDPOINT=http://115.XXX.XXX.6:35357/v2.0


Create the keystone users, tenants, roles and endpoints
To create tenants, users, and roles
:: Create the admin tenant
Tenant: a group of users together with everything related to the resources assigned to them. In the dashboard it is called a Project.
root@controller:~# keystone tenant-create --name admin --description "Admin Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Admin Tenant           |
|   enabled   |               True               |
|      id     | 1cf650d0c8ea4b8b93ee38b1bb3cea76 |
|     name    |              admin               |
+-------------+----------------------------------+

:: Create the admin user
This is the account that administers everything across OpenStack.
root@controller:~# keystone user-create --name=admin --pass=XXXXXXXXXXXXXXX --email=newbd@smileserv.com
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |       newbd@smileserv.com        |
| enabled  |               True               |
|    id    | 60cbefc60c03447ca0ed720b627c85a3 |
|   name   |              admin               |
| username |              admin               |
+----------+----------------------------------+

:: Create the admin role
root@controller:~# keystone role-create --name=admin
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | e47bd1de2b1d4a83ac7296fa58e39751 |
|   name   |              admin               |
+----------+----------------------------------+

root@controller:~#  keystone role-create --name=_member_
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | f82a5ab12d6c4d7c963145606835f131 |
|   name   |             _member_             |
+----------+----------------------------------+
※ In ICEHOUSE (1.3) this role already exists; in JUNO (2.2) it has to be created...
root@controller:~# keystone role-create --name=_member_
Conflict occurred attempting to store role. (IntegrityError) (1062, "Duplicate entry '_member_' for key 'name'") 'INSERT INTO role (id, name, extra) VALUES (%s, %s, %s)' ('7949bc2113a647d6a30e28f3f975a0bb', '_member_', '{}') (HTTP 409)


Link the admin user, admin role and admin tenant just created to each other
root@controller:~# keystone user-role-add --tenant admin --user admin --role admin

※ By default, the Identity service creates a special _member_ role. The OpenStack dashboard automatically grants access to users with this role. You must give the admin user access to this role in addition to the admin role.
root@controller:~# keystone user-role-add --tenant admin --user admin --role _member_

Create a regular (demo) user
A regular user is used for non-administrative work.
root@controller:~# keystone tenant-create --name demo --description "Demo Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Demo Tenant            |
|   enabled   |               True               |
|      id     | 3bfcda4338fb4c5089660f90e8cfdb95 |
|     name    |               demo               |
+-------------+----------------------------------+

root@controller:~# keystone user-create --name=demo --pass=XXXXXXXXXXXXXXX --email=newbd@smileserv.com
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |       newbd@smileserv.com        |
| enabled  |               True               |
|    id    | 673544f2d937406e92527a9043824620 |
|   name   |               demo               |
| username |               demo               |
+----------+----------------------------------+

Link the regular user (demo), the _member_ role and the demo tenant
root@controller:~# keystone user-role-add --tenant demo --user demo --role _member_

Create the service tenant
These are the user, tenant and role used to access the other OpenStack services; by default they all share a single tenant named service.
root@controller:~# keystone tenant-create --name=service --description="Service Tenant"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |          Service Tenant          |
|   enabled   |               True               |
|      id     | 54a4a20b9e6243d9a08b57c950e9edd5 |
|     name    |             service              |
+-------------+----------------------------------+

Each server of the installed OpenStack services must be registered with the Identity Service so that it can track the services and know where they are located on the network.
root@controller:~# keystone service-create --name=keystone --type=identity --description="OpenStack Identity"
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |        OpenStack Identity        |
|   enabled   |               True               |
|      id     | f5ac6b794c324f81b027b271bbbd19ae |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+

Using the returned service ID, define the API endpoint for the Identity Service; when defining the endpoint, supply the URLs for the public API, internal API and admin API.
root@controller:~# keystone endpoint-create \
> --service-id=$(keystone service-list | awk '/ identity / {print $2}') \
> --publicurl=http://115.XXX.XXX.6:5000/v2.0 \
> --internalurl=http://115.XXX.XXX.6:5000/v2.0 \
> --adminurl=http://115.XXX.XXX.6:35357/v2.0
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  |  http://115.XXX.XXX.6:35357/v2.0  |
|      id     | a5b6eac651f74c4c8fcf336ae187d6c6 |
| internalurl |  http://115.XXX.XXX.6:5000/v2.0   |
|  publicurl  |  http://115.XXX.XXX.6:5000/v2.0   |
|    region   |            regionOne             |
|  service_id | f5ac6b794c324f81b027b271bbbd19ae |
+-------------+----------------------------------+

root@controller:~# (keystone service-list | awk '/ identity / {print $2}')
f5ac6b794c324f81b027b271bbbd19ae

Unset the environment variables in order to verify the Identity Service
root@controller:~# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT

Request authentication based on a username; below, an authentication token is requested with the admin user and password.
root@controller:~# keystone --os-tenant-name admin --os-username admin --os-password 'XXXXXXXXXXXXXXX' --os-auth-url http://115.XXX.XXX.6:35357/v2.0 token-get
+-----------+----------------------------------+
|  Property |              Value               |
+-----------+----------------------------------+
|  expires  |       2015-02-24T03:28:16Z       |
|     id    | (PKI token id, several KB of base64, omitted) |
| tenant_id | 1cf650d0c8ea4b8b93ee38b1bb3cea76 |
|  user_id  | 60cbefc60c03447ca0ed720b627c85a3 |
+-----------+----------------------------------+
※ The token length changed between Juno 2.x and 1.3...;;

Define the environment variable values in a script
root@controller:~# cat > /root/admin-openrc.sh 
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=XXXXXXXXXXXXXXX
export OS_AUTH_URL=http://115.XXX.XXX.6:35357/v2.0

root@controller:~# cat > /root/demo-openrc.sh 
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=XXXXXXXXXXXXXXX
export OS_AUTH_URL=http://115.XXX.XXX.6:35357/v2.0


Apply the environment variables
root@controller1:~# source admin-openrc.sh 

Match the id values from keystone user-list against the user_id values from keystone user-role-list
root@controller:~# keystone user-list
+----------------------------------+-------+---------+---------------------+
|                id                |  name | enabled |        email        |
+----------------------------------+-------+---------+---------------------+
| 60cbefc60c03447ca0ed720b627c85a3 | admin |   True  | newbd@smileserv.com |
| 673544f2d937406e92527a9043824620 |  demo |   True  | newbd@smileserv.com |
+----------------------------------+-------+---------+---------------------+

root@controller:~# keystone user-role-list
+----------------------------------+--------+----------------------------------+----------------------------------+
|                id                |  name  |             user_id              |            tenant_id             |
+----------------------------------+--------+----------------------------------+----------------------------------+
| e47bd1de2b1d4a83ac7296fa58e39751 | admin  | 60cbefc60c03447ca0ed720b627c85a3 | 1cf650d0c8ea4b8b93ee38b1bb3cea76 |
| f82a5ab12d6c4d7c963145606835f131 | _member_ | 60cbefc60c03447ca0ed720b627c85a3 | 1cf650d0c8ea4b8b93ee38b1bb3cea76 |
+----------------------------------+--------+----------------------------------+----------------------------------+



※ Err Message
root@controller:~# source demo-openrc.sh
root@controller:~# keystone user-list
You are not authorized to perform the requested action: admin_required (HTTP 403)
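What `keystone token-get` above does against the v2.0 API, with the two checks worth making before a token is reused: that it is scoped to a tenant and not yet expired, and that the user actually holds the admin role before attempting an admin-only call (the demo user's "403 admin_required" just above). This is an added example, not code from the post; AUTH_URL is a placeholder, the reply is a constructed sample using the ids shown on this page, and the token id is a placeholder.

```python
import json
import urllib.request
from datetime import datetime, timezone

AUTH_URL = "http://CONTROLLER_IP:35357/v2.0"  # placeholder for the controller's admin endpoint

def build_auth_request(tenant, username, password):
    """Body that `keystone token-get` POSTs to <AUTH_URL>/tokens (v2.0 password auth)."""
    return {"auth": {"tenantName": tenant,
                     "passwordCredentials": {"username": username, "password": password}}}

def _utc(ts):  # Keystone v2 timestamps look like 2015-02-24T03:28:16Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def parse_token_response(body, now=None):
    """Extract the fields the page's table shows (expires, id, tenant_id, user_id) plus the
    user's roles; refuse a token that is already expired or not scoped to a tenant."""
    access, token = body["access"], body["access"]["token"]
    now_dt = _utc(now) if now else datetime.now(timezone.utc)
    if _utc(token["expires"]) <= now_dt:
        raise ValueError("token already expired")
    if "tenant" not in token:
        raise ValueError("unscoped token (no tenant): service calls will be rejected")
    return {"expires": token["expires"], "id": token["id"], "tenant_id": token["tenant"]["id"],
            "user_id": access["user"]["id"],
            "roles": {r["name"] for r in access["user"].get("roles", [])}}

def has_admin_role(info):
    """The demo user above got '403 admin_required'; check the role before an admin-only call."""
    return "admin" in info["roles"]

def get_token(auth_url, tenant, username, password):
    """Live version: POST the auth body and parse the reply (needs a reachable controller)."""
    data = json.dumps(build_auth_request(tenant, username, password)).encode()
    req = urllib.request.Request(auth_url + "/tokens", data=data,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(json.load(resp))

# Constructed sample reply shaped like a Juno v2.0 response: ids are the ones on the page,
# the token id is a placeholder (a real PKI token is several KB of base64).
SAMPLE_ADMIN_REPLY = {"access": {
    "token": {"expires": "2015-02-24T03:28:16Z", "id": "PKI-TOKEN-PLACEHOLDER",
              "tenant": {"id": "1cf650d0c8ea4b8b93ee38b1bb3cea76", "name": "admin"}},
    "user": {"id": "60cbefc60c03447ca0ed720b627c85a3", "name": "admin",
             "roles": [{"name": "admin"}, {"name": "_member_"}]}}}
```

`parse_token_response(SAMPLE_ADMIN_REPLY, now="2015-02-23T14:37:00Z")` yields the same tenant_id and user_id as the token-get table above; the `now` argument exists only so the check can be exercised offline.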
