3.0. The Keystone identity service

1) Users and authentication: user permissions and tracking of user behaviour

User
Tenant
Token
Role

2) Service catalog: provides a catalog of all services and the API endpoints associated with them

Service
Endpoint
3.1. Create the Keystone database on the controller node

1) Create the keystone database and grant privileges

mysql -p123456
--------------------------------
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
flush privileges;
show databases;
select user,host from mysql.user;
exit
--------------------------------
3.2. Install the Keystone packages on the controller node

1) Install the Keystone packages

# Configure the Apache service: an HTTP server with mod_wsgi answers identity service requests on ports 5000 and 35357. By default the Keystone service still listens on these ports.

yum install openstack-keystone httpd mod_wsgi -y
yum install openstack-keystone python-keystoneclient openstack-utils -y

2) Quick edit of the keystone configuration

# The quick configuration method below requires openstack-utils to be installed

openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet

# Note: keystone does not need to connect to rabbitmq

# View the effective configuration

egrep -v "^#|^$" /etc/keystone/keystone.conf

# Another way to view the effective configuration

grep '^[a-z]' /etc/keystone/keystone.conf

# Example run:

[root@openstack01 tools]# grep '^[a-z]' /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@controller/keystone
provider = fernet

# keystone does not need to be started as a service; it is invoked through the http service
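The grep above shows the effective settings but drops the [section] they belong to, so it cannot tell `[database] connection` from any other `connection`. The following is an added example (not from the original post) that prints each effective setting with its section and checks the two values this section sets plus the legacy `admin_token`; the function names and the constructed sample file are this example's own.

```shell
#!/bin/sh
# Added example: audit the effective settings of a keystone.conf-style ini file.
# Function names (effective_settings, setting_value, audit_keystone_conf, demo_conf)
# are this example's own conventions, not Keystone's.

# Print "section.key = value" for every non-comment, non-blank setting.
effective_settings() {
    awk '
        /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }            # comments and blank lines
        /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }      # [section] header
        index($0, "=") {
            eq  = index($0, "=")
            key = substr($0, 1, eq - 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
            val = substr($0, eq + 1);    gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
            print sec "." key " = " val
        }' "$1"
}

# setting_value FILE SECTION KEY: print the value, exit 1 if the key is not set.
setting_value() {
    effective_settings "$1" |
        awk -v want="$2.$3" '$1 == want { sub(/^[^=]*= ?/, ""); print; found = 1 }
                             END { exit !found }'
}

# audit_keystone_conf FILE: 0 when the settings this guide relies on are present, 1 otherwise.
audit_keystone_conf() {
    conf=$1; rc=0
    if ! setting_value "$conf" database connection >/dev/null; then
        echo "FAIL: [database] connection is not set; db_sync will fail"; rc=1
    fi
    provider=$(setting_value "$conf" token provider) || provider=""
    if [ "$provider" != "fernet" ]; then
        echo "FAIL: [token] provider is '${provider:-unset}', expected fernet"; rc=1
    fi
    # admin_token is the legacy bootstrap credential mentioned later in this guide;
    # it must not stay configured once keystone-manage bootstrap has been run.
    if setting_value "$conf" DEFAULT admin_token >/dev/null; then
        echo "FAIL: [DEFAULT] admin_token is set; remove it after bootstrapping"; rc=1
    fi
    return $rc
}

# Constructed sample file with the two settings from this section (the real file is far longer).
demo_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[DEFAULT]
#debug = false
[database]
connection = mysql+pymysql://keystone:keystone@controller/keystone
[token]
provider = fernet
EOF
    echo "$f"
}

# Usage on a real node: effective_settings /etc/keystone/keystone.conf; audit_keystone_conf /etc/keystone/keystone.conf
```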
3.3. Initialize and sync the Keystone database

1) Sync the keystone database (44 tables)

su -s /bin/sh -c "keystone-manage db_sync" keystone

2) After the sync, test the connection

# Make sure all the required tables have been created, otherwise the following steps may fail

mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"

Example run:

[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"
+-----------------------------+
| Tables_in_keystone          |
+-----------------------------+
| access_token                |
| application_credential      |
| application_credential_role |
| assignment                  |
| config_register             |
| consumer                    |
| credential                  |
| endpoint                    |
| endpoint_group              |
| federated_user              |
| federation_protocol         |
| group                       |
| id_mapping                  |
| identity_provider           |
| idp_remote_ids              |
| implied_role                |
| limit                       |
| local_user                  |
| mapping                     |
| migrate_version             |
| nonlocal_user               |
| password                    |
| policy                      |
| policy_association          |
| project                     |
| project_endpoint            |
| project_endpoint_group      |
| project_tag                 |
| region                      |
| registered_limit            |
| request_token               |
| revocation_event            |
| role                        |
| sensitive_config            |
| service                     |
| service_provider            |
| system_assignment           |
| token                       |
| trust                       |
| trust_role                  |
| user                        |
| user_group_membership       |
| user_option                 |
| whitelisted_config          |
+-----------------------------+
[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"|wc -l
45
3.4. Initialize the Fernet key repositories

# Initialize Fernet key repositories:

# For background on Fernet tokens see: https://blog.csdn.net/wllabs/article/details/79064094

# The following commands print nothing on success

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
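Because the two commands above are silent, it is worth checking what they produced: every token Keystone issues is encrypted with the primary key in the repository, so its ownership and mode decide who can mint or read tokens. The following is an added example (not from the original post) that checks a Fernet key repository; it assumes Keystone's layout of keys named 0, 1, 2... where 0 is the staged key and the highest number is the primary key, and the function name, the uid argument and the sample keys are this example's own.

```shell
#!/bin/sh
# Added example: sanity-check a Fernet key repository such as /etc/keystone/fernet-keys.
# check_fernet_repo DIR UID prints "primary=<n> keys=<count>" and returns 0 when the
# repository looks sane, otherwise prints one FAIL line per problem and returns 1.
# Uses GNU stat (-c %u) for the owner check.
check_fernet_repo() {
    repo=$1; want_uid=$2; rc=0; count=0; primary=-1; staged=0
    [ -d "$repo" ] || { echo "FAIL: $repo is not a directory"; return 1; }
    # The directory must be 0700: other local users must not be able to list or read keys.
    [ -n "$(find "$repo" -prune -perm 700)" ] || { echo "FAIL: $repo mode is not 0700"; rc=1; }
    [ "$(stat -c %u "$repo")" = "$want_uid" ] || { echo "FAIL: $repo not owned by uid $want_uid"; rc=1; }
    for f in "$repo"/*; do
        [ -e "$f" ] || break                       # empty repository: the glob did not expand
        name=${f##*/}
        case $name in
            *[!0-9]*) echo "FAIL: unexpected file '$name' in repository"; rc=1; continue ;;
        esac
        [ -n "$(find "$f" -prune -perm 600)" ] || { echo "FAIL: key $name mode is not 0600"; rc=1; }
        [ "$(stat -c %u "$f")" = "$want_uid" ] || { echo "FAIL: key $name not owned by uid $want_uid"; rc=1; }
        # A Fernet key is 32 random bytes, urlsafe-base64 encoded: 44 characters.
        [ "$(wc -c <"$f" | tr -d ' ')" -ge 44 ] || { echo "FAIL: key $name is too short"; rc=1; }
        count=$((count + 1))
        [ "$name" -eq 0 ] && staged=1
        [ "$name" -gt "$primary" ] && primary=$name
    done
    [ "$staged" -eq 1 ] || { echo "FAIL: no staged key 0; run fernet_setup or fernet_rotate"; rc=1; }
    [ "$count" -ge 2 ] || { echo "FAIL: expected a staged key and at least one primary key"; rc=1; }
    [ "$rc" -eq 0 ] && echo "primary=$primary keys=$count"
    return $rc
}

# Usage on a real node: check_fernet_repo /etc/keystone/fernet-keys "$(id -u keystone)"
```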
3.5. Configure and start Apache (httpd)

1) Edit the main httpd configuration file

vim /etc/httpd/conf/httpd.conf +95
------------------- line 95, enable ----------------------
ServerName controller
--------------------------------------------------------
# or:

sed -i "s/#ServerName www.example.com:80/ServerName 192.168.1.81/" /etc/httpd/conf/httpd.conf
cat /etc/httpd/conf/httpd.conf |grep ServerName

2) Configure the virtual host

# Create a symlink to the keystone virtual host configuration file; copying the file also works

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

# Alternatively the file can be created and edited by hand

cat /usr/share/keystone/wsgi-keystone.conf
--------------------------------------------
[root@openstack01 ~]# cat /usr/share/keystone/wsgi-keystone.conf
Listen 5000

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
--------------------------------------------------

3) Start httpd and enable it at boot

systemctl start httpd.service
systemctl status httpd.service
netstat -anptl|grep httpd

systemctl enable httpd.service
systemctl list-unit-files |grep httpd.service

# If httpd fails to start, disable selinux or install openstack-selinux: yum install openstack-selinux

Example run:

[root@openstack01 ~]# systemctl start httpd.service
[root@openstack01 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since 五 2018-10-26 18:06:20 CST; 98ms ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 1978 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─1978 /usr/sbin/httpd -DFOREGROUND
           ├─1981 (wsgi:keystone- -DFOREGROUND
           ├─1982 (wsgi:keystone- -DFOREGROUND
           ├─1983 (wsgi:keystone- -DFOREGROUND
           ├─1984 (wsgi:keystone- -DFOREGROUND
           ├─1985 (wsgi:keystone- -DFOREGROUND
           ├─1986 /usr/sbin/httpd -DFOREGROUND
           ├─1988 /usr/sbin/httpd -DFOREGROUND
           └─1989 /usr/sbin/httpd -DFOREGROUND

10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Starting The Apache HTTP Server...
10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Started The Apache HTTP Server.
[root@openstack01 ~]# netstat -anptl|grep httpd
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1978/httpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1978/httpd
[root@openstack01 ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@openstack01 ~]# systemctl list-unit-files |grep httpd.service
httpd.service                                 enabled

# The http service is now configured
3.6. Initialize the Keystone identity service

1) Create the keystone user, the initial service entity and the API endpoints

# In earlier releases (before Queens) the bootstrap service was served on two ports (5000 for users and 35357 for admin); in this release everything is served on a single port

# Create the keystone service entity and the identity service; the three endpoint types below are public, internal and admin.

# A password ADMIN_PASS must be chosen for the OpenStack admin user; here it is set to 123456

keystone-manage bootstrap --bootstrap-password ADMIN_PASS --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

# The actual command used here:

keystone-manage bootstrap --bootstrap-password 123456 --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

# Running this command adds the following entries to the keystone database; earlier releases required creating them by hand:

1) Adds the API endpoints of the 3 service entities to the endpoint table
2) Creates the admin user in the local_user table
3) Creates the admin project and the Default project (the default domain) in the project table
4) Creates 3 roles in the role table: admin, member and reader
5) Creates the identity service in the service table

2) Temporarily set the admin account's environment variables for management

# The export OS_PASSWORD here must use the ADMIN_PASS configured above

export OS_PROJECT_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

# View the declared variables

env |grep OS_

Example run:

[root@openstack01 ~]# env|grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=123456
OS_AUTH_URL=http://controller:5000/v3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default

# Earlier releases used an admin_token to set the initial admin authentication token, similar to the following

export OS_TOKEN=c0053993bb39ad3de84a
export OS_URL=http://192.168.1.81:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

Appendix: commonly used openstack management commands; the admin environment variables must be loaded first

# View keystone instance information

openstack endpoint list
openstack project list
openstack user list

Example run:

[root@openstack01 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| b8dabe6c548e435eb2b1f7efe3b23236 | RegionOne | keystone     | identity     | True    | admin     | http://controller:5000/v3/ |
| eb72eb6ea51842feb67ba5849beea48c | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3/ |
| f172f6159ad34fbd8e10e0d42828d8cd | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@openstack01 ~]# openstack project list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 3706708374804e2eb4ed056f55d84666 | admin     |
| 84cc7185f2c8461eb19a14968228b272 | myproject |
| b8e318b3c7a844708762169959c34ff8 | service   |
+----------------------------------+-----------+
[root@openstack01 ~]# openstack user list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| cbb2b3830a8f44bc837230bca27ae563 | myuser |
| e5dbfc8b394c41679fd5ce229cdd6ed3 | admin  |
+----------------------------------+--------+

# Delete an endpoint

# In earlier releases, creating endpoints one by one could go wrong and they had to be deleted; the new release has improved this and, as long as the system configuration is correct, endpoints are generated automatically and usually without error

openstack endpoint delete [ID]
3.7. Create the common Keystone entities

# Create a domain, projects, users, and roles

https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html

1) Create a keystone domain named example

# The following command creates an entry named example in the project table

openstack domain create --description "An Example Domain" example

Example run:

[root@openstack01 ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 17254ea898de477ca4a1f6f3cbc6c5bc |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+

2) Create a project named service for the keystone system environment

# Used for regular (non-admin) tasks, which require an unprivileged user

# The following command creates a project named service in the project table

openstack project create --domain default --description "Service Project" service

Example run:

[root@openstack01 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b8e318b3c7a844708762169959c34ff8 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

3) Create the myproject project and its user and role

# A project for ordinary (non-admin) users, providing services to regular users

# The following command creates a project named myproject in the project table

openstack project create --domain default --description "Demo Project" myproject

Example run:

[root@openstack01 ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 84cc7185f2c8461eb19a14968228b272 |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

4) Create the myuser user in the default domain

# The --password option sets a plaintext password directly; the --password-prompt option asks for the password interactively

# The following command adds the myuser user to the local_user table

openstack user create --domain default --password-prompt myuser   # interactive password entry
# openstack user create --domain default --password=myuser myuser   # create the user and password directly

Example run:

[root@openstack01 ~]# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | cbb2b3830a8f44bc837230bca27ae563 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

5) Create the myrole role in the role table

openstack role create myrole

Example run:

[root@openstack01 ~]# openstack role create myrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 75ac33f79cc945afa42a18a3dd0ba0ad |
| name      | myrole                           |
+-----------+----------------------------------+

6) Assign the myrole role to the myuser user on the myproject project

# The following command returns nothing, and the change to the tables is not obvious

openstack role add --project myproject --user myuser myrole
3.8. Verify that Keystone was installed successfully

1) Unset the environment variables

# Disable the temporary authentication token mechanism, then obtain a token to verify that keystone is configured correctly

unset OS_AUTH_URL OS_PASSWORD
env |grep OS_

2) Request an authentication token as the admin user

# Test whether the admin account can log in and request an authentication token

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue

Example run:

[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T11:48:40+0000                                                                                                                                                                |
| id         | gAAAAABb0vEIENgBaYEBJZSJX7RDelXdM2sHi_hbfT-FHTjd3z5j5Mt-sssJpW1EXeWVAbMdyBI2t9XNCxG5m1XNm_2k1xWP7WnbOYAp1rl2FZCwz4LL0F-mER_bOW-HnE0rjA6YvP0MzW4HVg0eEE_6zACr0R0NaaVytK_eRsvO_Lhco6vacYY |
| project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                        |
| user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

3) Obtain an authentication token as an ordinary user

# The following command uses the password of the "myuser" user and API port 5000, which only allows regular (non-admin) access to the identity service API.

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue

Example run:

[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name myproject --os-username myuser token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T11:49:18+0000                                                                                                                                                                |
| id         | gAAAAABb0vEuxOrgkmLfcZJl8vB6dJyrHFtvxBT1m7qLYzuD-WkOVoQUzE9mTGcrKE6CrZbLU57Nc7mv-50-ggH9pf2qrW5uWQu7MRJcUb3rgpmoYn7EVdv8X0lGK3IiWEPSF48u1b2y7mEmvYb7TGOFO8l87of6L2aaJmdMxp9KgM87_3Mu2-g |
| project_id | 84cc7185f2c8461eb19a14968228b272                                                                                                                                                        |
| user_id    | cbb2b3830a8f44bc837230bca27ae563                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
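The two `token issue` calls above hide the actual Identity v3 exchange: a POST to /v3/auth/tokens with a JSON body, answered with the token in the X-Subject-Token response header, and a GET to the same URL to validate a token. The following is an added example (not from the original post) that performs that exchange with curl using the OS_* variables from this guide; the function names and the constructed sample response headers are this example's own, and the token shown in them is made up.

```shell
#!/bin/sh
# Added example: the Identity v3 API calls behind `openstack token issue`, done with curl.
# Function names (auth_request_body, token_from_headers, issue_token, validate_token) are
# this example's own; the OS_* variables are the ones exported earlier in this guide.

# auth_request_body USER USER_DOMAIN PROJECT PROJECT_DOMAIN PASSWORD
# Builds the body of POST /v3/auth/tokens for a password-authenticated, project-scoped token.
# (Values are inserted verbatim; a password containing quotes would need JSON escaping.)
auth_request_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$1" "$2" "$5" "$3" "$4"
}

# token_from_headers: reads HTTP response headers on stdin and prints the X-Subject-Token
# value, which is what the CLI shows in the "id" field. Exits 1 if the header is absent
# (for example on a 401 reply).
token_from_headers() {
    awk 'tolower($1) == "x-subject-token:" { sub(/\r$/, "", $2); print $2; found = 1 }
         END { exit !found }'
}

# issue_token: POST the body to $OS_AUTH_URL/auth/tokens, discard the JSON body of the
# reply and print only the token taken from the headers.
issue_token() {
    auth_request_body "$OS_USERNAME" "$OS_USER_DOMAIN_NAME" "$OS_PROJECT_NAME" \
                      "$OS_PROJECT_DOMAIN_NAME" "$OS_PASSWORD" |
        curl -sS -D - -o /dev/null -H 'Content-Type: application/json' -d @- \
             "$OS_AUTH_URL/auth/tokens" |
        token_from_headers
}

# validate_token AUTH_TOKEN SUBJECT_TOKEN: GET /v3/auth/tokens prints 200 when Keystone
# still accepts SUBJECT_TOKEN, 404 once it has expired or been revoked.
validate_token() {
    curl -sS -o /dev/null -w '%{http_code}' -H "X-Auth-Token: $1" -H "X-Subject-Token: $2" \
         "$OS_AUTH_URL/auth/tokens"
}

# Constructed sample of the headers Keystone returns on success (token value is not real).
SAMPLE_HEADERS='HTTP/1.1 201 Created
Content-Type: application/json
X-Subject-Token: gAAAAABexampleTOKENvalueNOTreal
Vary: X-Auth-Token
Content-Length: 1234'

# Usage on a real node: . keystone-admin-pass.sh; tok=$(issue_token); validate_token "$tok" "$tok"
```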
3.9. Create OpenStack client environment scripts

# Create OpenStack client environment scripts

# Above, a combination of environment variables and command options was used to interact with the identity service through the "openstack" client.
# To make client operations more efficient, OpenStack supports simple client environment variable scripts, the OpenRC files; custom file names are used here

1) Create the environment management script for the admin user

# vim admin-openrc
cd /server/tools
vim keystone-admin-pass.sh
---------------------------------------------
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
----------------------------------------------
env |grep OS_

# Application:
If the dashboard login password has been changed and forgotten, the admin_token authentication mechanism can be used to change the login password

2) Create the client environment variable script for the ordinary user myuser

vim keystone-myuser-pass.sh
---------------------------------------------
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
----------------------------------------------

3) Test the environment management scripts

# Load the client configuration with the script so the client can quickly run as a specific tenant and user

source keystone-admin-pass.sh

4) Request an authentication token

openstack token issue

Example run:

[root@openstack01 tools]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T12:13:28+0000                                                                                                                                                                |
| id         | gAAAAABb0vbYr--LRd1NJ9ZXH68zSR4mIW4hDr6UqqiPmsA7vNEGDcMx8o-6Ihy8o47c5jo5GInOCe9KpKMfbXtdWPz6QkkWzZcFMqwXYS4tUI8DjjamEUBqFwlI10Oxbq7pEIGKVtFdMrOHy3EoLmE1rjY0p4DDm48pt3u8ON807nr0MUa1zIE |
| project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                        |
| user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

# The user_id is the same as the one obtained with the command above, which shows the configuration succeeded

# Keystone installation is now complete