3.0.keystone认证服务

1)用户与认证:用户权限与用户行为跟踪

User 用户
Tenant 租户
Token 令牌
Role 角色
2)服务目录:提供一个服务目录,包括所有服务项与相关API的端点
Service 服务
Endpoint 端点
3.1.在控制节点创建keystone相关数据库
1)创建keystone数据库并授权

mysql -p123456
# 注意:-p 后面直接跟密码会把密码留在 shell 历史和进程列表中,建议只写 -p 然后交互式输入
--------------------------------
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
# 注意:这里的数据库密码 keystone 仅为示例,生产环境应使用强密码,并与后面 keystone.conf 中 connection 的密码保持一致
flush privileges;
show databases;
select user,host from mysql.user;
exit
--------------------------------
" Y" @% U/ w( _* x7 _: m h D( L6 g3.2.在控制节点安装keystone相关软件包, w" i5 Q ]8 x
" e7 c& r4 F% d3 `1 M, l0 |1)安装keystone相关软件包
9 I* g( _7 j% o" J) S( X
. ]: I) x8 U; p% }7 @. H9 A) N* X# 配置Apache服务,使用带有“mod_wsgi”的HTTP服务器来相应认证服务请求,端口为5000和35357, 默认情况下,Kestone服务仍然监听这些端口3 b8 S- k- M6 h* U# r; k
! z1 p7 G+ b6 a P' F. Byum install openstack-keystone httpd mod_wsgi -y- q' L+ i2 t6 \0 b
yum install openstack-keystone python-keystoneclient openstack-utils -y% @: M0 t, u. y! w) V+ t
2)快速修改keystone配置
# U. b$ `" V) N8 o- G' F
/ o) z; j1 u0 k3 x" ]# 下面使用的快速配置方法需要安装Openstack-utils才可以实现4 W6 g# }9 A3 T
. h$ \+ r& p& i, S
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
# 注意:keystone不需要连接rabbitmq
# 查看生效的配置

egrep -v "^#|^$" /etc/keystone/keystone.conf
# 其他方式查看生效配置

grep '^[a-z]' /etc/keystone/keystone.conf
# 实例演示:

[root@openstack01 tools]# grep '^[a-z]' /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@controller/keystone
provider = fernet
# keystone不需要启动,通过http服务进行调用

3.3.初始化同步keystone数据库

1)同步keystone数据库(44张)
su -s /bin/sh -c "keystone-manage db_sync" keystone
2)同步完成进行连接测试

# 保证所有需要的表已经建立,否则后面可能无法进行下去

mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"
实例演示:
[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+
[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"|wc -l
45
3.4.初始化Fernet令牌库
# Initialize Fernet key repositories:

# 关于Fernet令牌可以参考:https://blog.csdn.net/wllabs/article/details/79064094

# 以下命令无返回信息

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
3.5.配置启动Apache(httpd)

1)修改httpd主配置文件

vim /etc/httpd/conf/httpd.conf +95
------------------- 第95行,启用 ----------------------
ServerName controller
--------------------------------------------------------
# 或者

sed -i "s/#ServerName www.example.com:80/ServerName 192.168.1.81/" /etc/httpd/conf/httpd.conf
cat /etc/httpd/conf/httpd.conf |grep ServerName
2)配置虚拟主机

# 创建keystone虚拟主机配置文件的快捷方式,也可以复制过来

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# 或者可以手动编辑创建该文件

cat /usr/share/keystone/wsgi-keystone.conf
--------------------------------------------
[root@openstack01 ~]# cat /usr/share/keystone/wsgi-keystone.conf
Listen 5000

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
--------------------------------------------------
3)启动httpd并配置开机自启动

systemctl start httpd.service
systemctl status httpd.service
netstat -anptl|grep httpd

systemctl enable httpd.service
systemctl list-unit-files |grep httpd.service
# 如果httpd起不来,需要关闭 selinux 或者安装 yum install openstack-selinux
# 关闭 selinux 会降低整机的安全性,建议优先安装 openstack-selinux,而不是直接关闭

实例演示:
[root@openstack01 ~]# systemctl start httpd.service
[root@openstack01 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since 五 2018-10-26 18:06:20 CST; 98ms ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 1978 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─1978 /usr/sbin/httpd -DFOREGROUND
           ├─1981 (wsgi:keystone- -DFOREGROUND
           ├─1982 (wsgi:keystone- -DFOREGROUND
           ├─1983 (wsgi:keystone- -DFOREGROUND
           ├─1984 (wsgi:keystone- -DFOREGROUND
           ├─1985 (wsgi:keystone- -DFOREGROUND
           ├─1986 /usr/sbin/httpd -DFOREGROUND
           ├─1988 /usr/sbin/httpd -DFOREGROUND
           └─1989 /usr/sbin/httpd -DFOREGROUND

10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Starting The Apache HTTP Server...
10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Started The Apache HTTP Server.
[root@openstack01 ~]# netstat -anptl|grep httpd
tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 1978/httpd
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1978/httpd
[root@openstack01 ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@openstack01 ~]# systemctl list-unit-files |grep httpd.service
httpd.service enabled
# 至此,http服务配置完成
3.6.初始化keystone认证服务

1)创建 keystone 用户,初始化的服务实体和API端点
# 在之前的版本(queens之前),引导服务需要2个端口提供服务(用户5000和管理35357),本版本通过同一个端口提供服务

# 创建keystone服务实体和身份认证服务,以下三种类型分别为公共的、内部的、管理的。

# 需要创建一个密码ADMIN_PASS,作为登陆openstack的管理员用户,这里创建为123456(仅为实验环境示例,生产环境应使用强密码)

keystone-manage bootstrap --bootstrap-password ADMIN_PASS --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
# 以下为命令实例:

keystone-manage bootstrap --bootstrap-password 123456 --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
# 运行这条命令,会在keystone数据库中增加以下记录,之前的版本需要手动创建:

1)在endpoint表增加3个服务实体的API端点
2)在local_user表中创建admin用户
3)在project表中创建admin和Default项目(默认域)
4)在role表创建3种角色,admin,member和reader
5)在service表中创建identity服务
2)临时配置管理员账户的相关变量进行管理

# 这里的export OS_PASSWORD要使用上面配置的ADMIN_PASS

export OS_PROJECT_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
# 查看声明的变量

env |grep OS_
实例演示:

[root@openstack01 ~]# env|grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=123456
OS_AUTH_URL=http://controller:5000/v3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default
# 之前的版本采用admin_token来设置初始化的管理用户认证令牌,类似下面的
export OS_TOKEN=c0053993bb39ad3de84a
export OS_URL=http://192.168.1.81:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
附:常用的openstack管理命令,需要应用管理员的环境变量

# 查看keystone实例相关信息

openstack endpoint list
openstack project list
openstack user list
实例演示:

[root@openstack01 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| b8dabe6c548e435eb2b1f7efe3b23236 | RegionOne | keystone | identity | True | admin | http://controller:5000/v3/ |
| eb72eb6ea51842feb67ba5849beea48c | RegionOne | keystone | identity | True | internal | http://controller:5000/v3/ |
| f172f6159ad34fbd8e10e0d42828d8cd | RegionOne | keystone | identity | True | public | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@openstack01 ~]# openstack project list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 3706708374804e2eb4ed056f55d84666 | admin |
| 84cc7185f2c8461eb19a14968228b272 | myproject |
| b8e318b3c7a844708762169959c34ff8 | service |
+----------------------------------+-----------+
[root@openstack01 ~]# openstack user list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| cbb2b3830a8f44bc837230bca27ae563 | myuser |
| e5dbfc8b394c41679fd5ce229cdd6ed3 | admin |
+----------------------------------+--------+
# 删除endpoint

# 以前的版本单独创建endpoint可能会出错需要删除,新版本已经优化好,只要系统配置没问题,会自动生成一般也不会出错

openstack endpoint delete [ID]
" e1 u6 d2 t# J8 j+ F3.7.创建keystone的一般实例
' _/ _" v' \% d- I" T; e+ g# x+ j) P& S% w
# Create a domain, projects, users, and roles" C+ y ~) q: H* U$ M% N i
( t0 R: t) Z& }9 y, ^1 w4 Q1 dhttps://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html
+ r! ~) x1 { @( e7 i2 V
% s; Y0 s" F' i5 U D7 e1)创建一个名为example的keystone域
7 v% e8 K. j' j! W
0 D8 T5 P7 z- s4 V. A4 |& q# 以下命令会在project表中创建名为example的项目. \* d; M9 A9 u4 ~$ N2 i3 P
/ w3 |3 l: P# U# vopenstack domain create --description "An Example Domain" example
; r. F2 g( _) ^+ K2 u实例演示:
5 a) P1 ^* ?) R* o7 ~; `8 E: y$ s
[root@openstack01 ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 17254ea898de477ca4a1f6f3cbc6c5bc |
| name | example |
| tags | [] |
+-------------+----------------------------------+
2)为keystone系统环境创建名为service的项目提供服务
# 用于常规(非管理)任务,需要使用无特权用户

# 以下命令会在project表中创建名为service的项目

openstack project create --domain default --description "Service Project" service
实例演示:

[root@openstack01 ~]# openstack project create --domain default --description "Service Project" service8 a- t% M! u! l6 X7 P
+-------------+----------------------------------+
/ {) W3 s" B1 n8 G| Field | Value |& i: Q! h' P: W8 r" J
+-------------+----------------------------------+8 f c1 z( w# }3 U
| description | Service Project |
7 a* x: z. V9 k$ ~% l; M| domain_id | default |
1 ~% ^( Y0 n b% V| enabled | True |
; _; ]3 z( N( a& @: {4 ?% N| id | b8e318b3c7a844708762169959c34ff8 |) Y2 w- I" Z7 ~$ _1 n
| is_domain | False |
. g/ i& h- E7 [| name | service |
( x( R3 Z& X2 P R; d, z' B| parent_id | default |
& {) f& i5 {3 }6 }0 N W' O$ F: G| tags | [] |" e" V9 L h1 \2 ^" {
+-------------+----------------------------------+" e& u- @9 V/ O. j. Y
3)创建myproject项目和对应的用户及角色
2 |- K8 u( M' q9 j( R8 Z3 U" t+ S& }" V+ {, f# Z
# 作为一般用户(非管理员)的项目,为普通用户提供服务3 `3 K+ P$ z- U- @
% `$ Z F& U% D1 \! M ?# 以下命令会在project表中创建名为myproject项目
$ p( @- |4 X" Y b+ X* c
* H* J R I, O0 iopenstack project create --domain default --description "Demo Project" myproject* y0 J( @0 c+ j" t0 ]5 [1 |
实例演示:
" M6 s' I; O; ] x; f1 o$ O: l; H( v
[root@openstack01 ~]# openstack project create --domain default --description "Demo Project" myproject) u9 t( U u6 b: ]
+-------------+----------------------------------+, M1 {# Y; W4 J2 e2 A0 s
| Field | Value |9 P/ S; D% K# }( U( {. p
+-------------+----------------------------------+; n+ w! ^; g7 \' h: x" L
| description | Demo Project |& v* i3 n6 O8 N( _
| domain_id | default |
' X! z" _( Z2 p, H1 }| enabled | True |
6 U/ x6 f+ e a! o7 U| id | 84cc7185f2c8461eb19a14968228b272 |* p- s, B7 h5 }9 H: J' i4 O' d
| is_domain | False |
3 T( x8 A* @/ m" W| name | myproject |4 z9 I6 S, E) c2 K4 k7 q( G X
| parent_id | default |
1 E7 y7 F/ _5 w+ U5 B, k- N| tags | [] |
! o& L) g7 `- Q* O% ~+-------------+----------------------------------+! G! z; v# E8 y4 {! [
4)在默认域创建myuser用户
$ R" {% q- ]" X/ R
" V, x7 F: a% C2 M# 使用--password选项为直接配置明文密码,使用--password-prompt选项为交互式输入密码1 L0 ~% T" s- M2 }" N
# 以下命令会在local_user表增加myuser用户, A+ o' |& p8 ^- [: U2 F
* n2 x! |6 C" a# r n7 Q4 z4 k
openstack user create --domain default --password-prompt myuser # 交互式输入密码4 J1 D, s# b2 }0 V5 w
# openstack user create --domain default --password=myuser myuser # 直接创建用户和密码4 l/ X, ]4 u8 h* n1 c: M$ i! O
实例演示:
. c. m6 W4 L5 y1 t) ^- x2 C) [7 p
[root@openstack01 ~]# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | cbb2b3830a8f44bc837230bca27ae563 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
5)在role表创建myrole角色

openstack role create myrole
实例演示:

[root@openstack01 ~]# openstack role create myrole
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 75ac33f79cc945afa42a18a3dd0ba0ad |
| name | myrole |
+-----------+----------------------------------+
6)将myrole角色添加到myproject项目中的myuser用户上

# 以下命令无返回,数据表操作不太明显

openstack role add --project myproject --user myuser myrole
3.8.验证操作keystone是否安装成功

1)去除环境变量

# 关闭临时认证令牌机制,获取 token,验证keystone配置成功

unset OS_AUTH_URL OS_PASSWORD
env |grep OS_
2)作为管理员用户去请求一个认证的token

# 测试是否可以使用admin账户进行登陆认证,请求认证令牌

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
实例演示:

[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-10-26T11:48:40+0000 |
| id | gAAAAABb0vEIENgBaYEBJZSJX7RDelXdM2sHi_hbfT-FHTjd3z5j5Mt-sssJpW1EXeWVAbMdyBI2t9XNCxG5m1XNm_2k1xWP7WnbOYAp1rl2FZCwz4LL0F-mER_bOW-HnE0rjA6YvP0MzW4HVg0eEE_6zACr0R0NaaVytK_eRsvO_Lhco6vacYY |
| project_id | 3706708374804e2eb4ed056f55d84666 |
| user_id | e5dbfc8b394c41679fd5ce229cdd6ed3 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
3)使用普通用户获取认证token
# 以下命令使用“myuser”用户的密码和API端口5000,只允许对身份认证服务API的常规(非管理)访问。

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue
实例演示:
[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name myproject --os-username myuser token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-10-26T11:49:18+0000 |
| id | gAAAAABb0vEuxOrgkmLfcZJl8vB6dJyrHFtvxBT1m7qLYzuD-WkOVoQUzE9mTGcrKE6CrZbLU57Nc7mv-50-ggH9pf2qrW5uWQu7MRJcUb3rgpmoYn7EVdv8X0lGK3IiWEPSF48u1b2y7mEmvYb7TGOFO8l87of6L2aaJmdMxp9KgM87_3Mu2-g |
| project_id | 84cc7185f2c8461eb19a14968228b272 |
| user_id | cbb2b3830a8f44bc837230bca27ae563 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+


3.9.创建OpenStack客户端环境脚本

# Create OpenStack client environment scripts

# 上面使用环境变量和命令选项的组合通过“openstack”客户端与身份认证服务交互。
# 为了提升客户端操作的效率,OpenStack支持简单的客户端环境变量脚本即OpenRC 文件,我这里使用自定义的文件名

1)创建admin用户的环境管理脚本

# vim admin-openrc
cd /server/tools
vim keystone-admin-pass.sh
---------------------------------------------
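# keystone-admin-pass.sh: client environment for the admin user. Load it with
# `source keystone-admin-pass.sh` before running `openstack ...` commands.
# OS_PASSWORD is stored here in plaintext, so keep the file readable by its
# owner only (chmod 600) and outside any shared or version-controlled directory.
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
# Must be the ADMIN_PASS given to `keystone-manage bootstrap --bootstrap-password`.
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2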
----------------------------------------------
env |grep OS_
# 应用:
如果忘记了dashboard登陆密码,可以使用admin_token认证机制修改登陆密码

2)创建普通用户myuser的客户端环境变量脚本

vim keystone-myuser-pass.sh
---------------------------------------------
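# keystone-myuser-pass.sh: client environment for the unprivileged user myuser
# in project myproject. Load it with `source keystone-myuser-pass.sh`.
# OS_PASSWORD is stored here in plaintext, so keep the file readable by its
# owner only (chmod 600) and outside any shared or version-controlled directory.
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
# Must match the password entered at `openstack user create --password-prompt myuser`.
export OS_PASSWORD=myuser
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2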
----------------------------------------------
3)测试环境管理脚本
# 使用脚本加载相关客户端配置,以便快速使用特定租户和用户运行客户端

source keystone-admin-pass.sh
4)请求认证令牌

openstack token issue
实例演示:

[root@openstack01 tools]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-10-26T12:13:28+0000 |
| id | gAAAAABb0vbYr--LRd1NJ9ZXH68zSR4mIW4hDr6UqqiPmsA7vNEGDcMx8o-6Ihy8o47c5jo5GInOCe9KpKMfbXtdWPz6QkkWzZcFMqwXYS4tUI8DjjamEUBqFwlI10Oxbq7pEIGKVtFdMrOHy3EoLmE1rjY0p4DDm48pt3u8ON807nr0MUa1zIE |
| project_id | 3706708374804e2eb4ed056f55d84666 |
| user_id | e5dbfc8b394c41679fd5ce229cdd6ed3 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# 可以看到user_id和上面用命令获取到的是一样的,说明配置成功

# 至此,keystone安装完毕