3.0. The keystone identity service

1) Users and authentication: user permissions and tracking of user actions

User
Tenant
Token
Role

2) Service catalog: a catalog of all services and the endpoints of their APIs

Service
Endpoint
3.1. Create the keystone database on the controller node

1) Create the keystone database and grant privileges

mysql -p123456
--------------------------------
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
flush privileges;
show databases;
select user,host from mysql.user;
exit
--------------------------------
3.2. Install the keystone packages on the controller node

1) Install the keystone packages

# Configure the Apache service: an HTTP server with mod_wsgi answers identity service requests on ports 5000 and 35357; by default the keystone service still listens on these ports

yum install openstack-keystone httpd mod_wsgi -y
yum install openstack-keystone python-keystoneclient openstack-utils -y

2) Quick edit of the keystone configuration

# The quick configuration method used below requires openstack-utils to be installed

openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet

# Note: keystone does not need to connect to rabbitmq

# Show the active configuration

egrep -v "^#|^$" /etc/keystone/keystone.conf

# Another way to show the active configuration

grep '^[a-z]' /etc/keystone/keystone.conf

# Example:

[root@openstack01 tools]# grep '^[a-z]' /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@controller/keystone
provider = fernet

# keystone itself does not need to be started; it is invoked through the http service
3.3. Initialize and sync the keystone database

1) Sync the keystone database (44 tables)

su -s /bin/sh -c "keystone-manage db_sync" keystone

2) Test the connection once the sync has completed

# Make sure all the required tables have been created, otherwise later steps may not be able to continue

mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"

Example:

[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"
+-----------------------------+
| Tables_in_keystone          |
+-----------------------------+
| access_token                |
| application_credential      |
| application_credential_role |
| assignment                  |
| config_register             |
| consumer                    |
| credential                  |
| endpoint                    |
| endpoint_group              |
| federated_user              |
| federation_protocol         |
| group                       |
| id_mapping                  |
| identity_provider           |
| idp_remote_ids              |
| implied_role                |
| limit                       |
| local_user                  |
| mapping                     |
| migrate_version             |
| nonlocal_user               |
| password                    |
| policy                      |
| policy_association          |
| project                     |
| project_endpoint            |
| project_endpoint_group      |
| project_tag                 |
| region                      |
| registered_limit            |
| request_token               |
| revocation_event            |
| role                        |
| sensitive_config            |
| service                     |
| service_provider            |
| system_assignment           |
| token                       |
| trust                       |
| trust_role                  |
| user                        |
| user_group_membership       |
| user_option                 |
| whitelisted_config          |
+-----------------------------+
[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"|wc -l
45
3.4. Initialize the Fernet key repositories

# Initialize Fernet key repositories:

# For background on Fernet tokens see: https://blog.csdn.net/wllabs/article/details/79064094

# The following commands print nothing

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
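The checks below are an added example, not part of the original post: they verify the two keystone.conf settings from section 3.2 and the state of the key repositories that fernet_setup and credential_setup leave behind (the Fernet keys sign every token, so their ownership and modes are what a reviewer looks at first). The script assumes GNU stat and keystone's default repository paths /etc/keystone/fernet-keys and /etc/keystone/credential-keys.

```shell
#!/bin/sh
# Added example (not from the original post): post-install sanity checks for
# sections 3.2 and 3.4. Assumes GNU stat (-c) and keystone's default paths.

# conf_get FILE SECTION KEY  ->  prints the value of KEY inside [SECTION]
# (the post's grep '^[a-z]' shows active lines but not which section they are in)
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        $0 == sec { insec = 1; next }
        /^\[/     { insec = 0 }
        insec && match($0, "^" key "[ \t]*=[ \t]*") { print substr($0, RLENGTH + 1); exit }
    ' "$1"
}

# check_keystone_conf FILE
# The two openstack-config --set calls of section 3.2 must be in effect:
# [database] connection pointing at MariaDB and [token] provider = fernet.
check_keystone_conf() {
    conf=$1
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    conn=$(conf_get "$conf" database connection)
    prov=$(conf_get "$conf" token provider)
    case $conn in
        mysql+pymysql://*) ;;
        *) echo "[database] connection is not mysql+pymysql: '$conn'" >&2; return 1 ;;
    esac
    [ "$prov" = fernet ] || { echo "[token] provider is '$prov', expected fernet" >&2; return 1; }
}

# check_fernet_repo DIR USER GROUP
# fernet_setup leaves DIR owned by USER:GROUP, mode 700, holding key files
# named 0 (staged), 1 (primary), ... each mode 600. Anything else means the
# keys are readable by more than the keystone user or the setup did not run.
check_fernet_repo() {
    dir=$1 user=$2 group=$3
    [ -d "$dir" ] || { echo "no key repository at $dir" >&2; return 1; }
    set -- $(stat -c '%a %U %G' "$dir")
    [ "$1" = 700 ] && [ "$2" = "$user" ] && [ "$3" = "$group" ] || {
        echo "$dir is $1 $2:$3, expected 700 $user:$group" >&2; return 1; }
    nkeys=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case ${f##*/} in
            *[!0-9]*) echo "unexpected file in key repository: $f" >&2; return 1 ;;
        esac
        set -- $(stat -c '%a %U %G' "$f")
        [ "$1" = 600 ] && [ "$2" = "$user" ] && [ "$3" = "$group" ] || {
            echo "$f is $1 $2:$3, expected 600 $user:$group" >&2; return 1; }
        [ -s "$f" ] || { echo "$f is empty" >&2; return 1; }
        nkeys=$((nkeys + 1))
    done
    [ -f "$dir/0" ] && [ "$nkeys" -ge 2 ] || {
        echo "expected at least keys 0 and 1 in $dir, found $nkeys" >&2; return 1; }
}

# Run against the live installation with:  sh check-keystone.sh --live
if [ "${1-}" = --live ]; then
    check_keystone_conf /etc/keystone/keystone.conf &&
    check_fernet_repo /etc/keystone/fernet-keys keystone keystone &&
    check_fernet_repo /etc/keystone/credential-keys keystone keystone &&
    echo "keystone.conf and key repositories look good"
fi
```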
3.5. Configure and start Apache (httpd)

1) Edit the main httpd configuration file

vim /etc/httpd/conf/httpd.conf +95
------------------- line 95, enable ----------------------
ServerName controller
--------------------------------------------------------

# Or

sed -i "s/#ServerName www.example.com:80/ServerName 192.168.1.81/" /etc/httpd/conf/httpd.conf
cat /etc/httpd/conf/httpd.conf |grep ServerName

2) Configure the virtual host

# Create a symlink to the keystone virtual host configuration file; copying it works too

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

# Or the file can be created by hand

cat /usr/share/keystone/wsgi-keystone.conf
--------------------------------------------
[root@openstack01 ~]# cat /usr/share/keystone/wsgi-keystone.conf
Listen 5000

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
--------------------------------------------------

3) Start httpd and enable it at boot

systemctl start httpd.service
systemctl status httpd.service
netstat -anptl|grep httpd
systemctl enable httpd.service
systemctl list-unit-files |grep httpd.service

# If httpd does not start, disable selinux or install openstack-selinux: yum install openstack-selinux

Example:

[root@openstack01 ~]# systemctl start httpd.service
[root@openstack01 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since 五 2018-10-26 18:06:20 CST; 98ms ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 1978 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─1978 /usr/sbin/httpd -DFOREGROUND
           ├─1981 (wsgi:keystone- -DFOREGROUND
           ├─1982 (wsgi:keystone- -DFOREGROUND
           ├─1983 (wsgi:keystone- -DFOREGROUND
           ├─1984 (wsgi:keystone- -DFOREGROUND
           ├─1985 (wsgi:keystone- -DFOREGROUND
           ├─1986 /usr/sbin/httpd -DFOREGROUND
           ├─1988 /usr/sbin/httpd -DFOREGROUND
           └─1989 /usr/sbin/httpd -DFOREGROUND

10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Starting The Apache HTTP Server...
10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Started The Apache HTTP Server.
[root@openstack01 ~]# netstat -anptl|grep httpd
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1978/httpd
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1978/httpd
[root@openstack01 ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@openstack01 ~]# systemctl list-unit-files |grep httpd.service
httpd.service                                 enabled

# At this point the http service is configured
3.6. Initialize the keystone identity service

1) Create the keystone user, and the initial service entity and API endpoints

# In earlier releases (before queens) the bootstrapped service was exposed on two ports (5000 for users and 35357 for admin); this release serves it on a single port

# Create the keystone service entity and identity service endpoints; the three interface types below are public, internal and admin.

# A password ADMIN_PASS must be chosen for the administrator user used to log in to openstack; here it is set to 123456

keystone-manage bootstrap --bootstrap-password ADMIN_PASS --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

# The command as actually run:

keystone-manage bootstrap --bootstrap-password 123456 --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

# Running this command adds the following to the keystone database; earlier releases required creating these by hand:

1) three API endpoints for the service entity in the endpoint table
2) the admin user in the local_user table
3) the admin project and Default (the default domain) in the project table
4) three roles, admin, member and reader, in the role table
5) the identity service in the service table

2) Temporarily set the administrator account variables for management

# The export OS_PASSWORD here must use the ADMIN_PASS configured above

export OS_PROJECT_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

# Show the declared variables

env |grep OS_

Example:

[root@openstack01 ~]# env|grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=123456
OS_AUTH_URL=http://controller:5000/v3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default

# Earlier releases used admin_token to set up the initial administrator authentication token, along these lines:

export OS_TOKEN=c0053993bb39ad3de84a
export OS_URL=http://192.168.1.81:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

Appendix: commonly used openstack management commands; the administrator environment variables must be applied first

# Show keystone instance information

openstack endpoint list
openstack project list
openstack user list

Example:

[root@openstack01 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| b8dabe6c548e435eb2b1f7efe3b23236 | RegionOne | keystone     | identity     | True    | admin     | http://controller:5000/v3/ |
| eb72eb6ea51842feb67ba5849beea48c | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3/ |
| f172f6159ad34fbd8e10e0d42828d8cd | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@openstack01 ~]# openstack project list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 3706708374804e2eb4ed056f55d84666 | admin     |
| 84cc7185f2c8461eb19a14968228b272 | myproject |
| b8e318b3c7a844708762169959c34ff8 | service   |
+----------------------------------+-----------+
[root@openstack01 ~]# openstack user list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| cbb2b3830a8f44bc837230bca27ae563 | myuser |
| e5dbfc8b394c41679fd5ce229cdd6ed3 | admin  |
+----------------------------------+--------+

# Delete an endpoint

# In earlier releases endpoints were created one by one and could go wrong, requiring deletion; the new release has improved this, and as long as the system configuration is correct they are generated automatically and rarely go wrong

openstack endpoint delete [ID]
3.7. Create the regular keystone entities

# Create a domain, projects, users, and roles

https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html

1) Create a keystone domain named example

# The following command creates a project named example in the project table

openstack domain create --description "An Example Domain" example

Example:

[root@openstack01 ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 17254ea898de477ca4a1f6f3cbc6c5bc |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+

2) Create a project named service to provide services for the keystone system environment

# For regular (non-admin) tasks an unprivileged user must be used

# The following command creates a project named service in the project table

openstack project create --domain default --description "Service Project" service

Example:

[root@openstack01 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b8e318b3c7a844708762169959c34ff8 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

3) Create the myproject project and its user and role

# A project for regular (non-admin) users, providing services to ordinary users

# The following command creates a project named myproject in the project table

openstack project create --domain default --description "Demo Project" myproject

Example:

[root@openstack01 ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 84cc7185f2c8461eb19a14968228b272 |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

4) Create the myuser user in the default domain

# The --password option sets the password in clear text on the command line; --password-prompt asks for it interactively

# The following command adds the myuser user to the local_user table

openstack user create --domain default --password-prompt myuser   # password entered interactively
# openstack user create --domain default --password=myuser myuser   # create the user and password directly

Example:

[root@openstack01 ~]# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | cbb2b3830a8f44bc837230bca27ae563 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

5) Create the myrole role in the role table

openstack role create myrole

Example:

[root@openstack01 ~]# openstack role create myrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 75ac33f79cc945afa42a18a3dd0ba0ad |
| name      | myrole                           |
+-----------+----------------------------------+

6) Assign the myrole role to the myuser user on the myproject project

# The following command returns nothing; the change in the data tables is not very visible

openstack role add --project myproject --user myuser myrole
3.8. Verify that keystone is installed correctly

1) Remove the environment variables

# Turn off the temporary authentication token mechanism, request a token and verify that keystone is configured correctly

unset OS_AUTH_URL OS_PASSWORD
env |grep OS_

2) Request an authentication token as the admin user

# Test whether the admin account can authenticate and request an authentication token

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue

Example:

[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T11:48:40+0000 |
| id         | gAAAAABb0vEIENgBaYEBJZSJX7RDelXdM2sHi_hbfT-FHTjd3z5j5Mt-sssJpW1EXeWVAbMdyBI2t9XNCxG5m1XNm_2k1xWP7WnbOYAp1rl2FZCwz4LL0F-mER_bOW-HnE0rjA6YvP0MzW4HVg0eEE_6zACr0R0NaaVytK_eRsvO_Lhco6vacYY |
| project_id | 3706708374804e2eb4ed056f55d84666 |
| user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

3) Obtain an authentication token as a regular user

# The following command uses the password of the "myuser" user and API port 5000, which only allows regular (non-admin) access to the identity service API.

openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue

Example:

[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name myproject --os-username myuser token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T11:49:18+0000 |
| id         | gAAAAABb0vEuxOrgkmLfcZJl8vB6dJyrHFtvxBT1m7qLYzuD-WkOVoQUzE9mTGcrKE6CrZbLU57Nc7mv-50-ggH9pf2qrW5uWQu7MRJcUb3rgpmoYn7EVdv8X0lGK3IiWEPSF48u1b2y7mEmvYb7TGOFO8l87of6L2aaJmdMxp9KgM87_3Mu2-g |
| project_id | 84cc7185f2c8461eb19a14968228b272 |
| user_id    | cbb2b3830a8f44bc837230bca27ae563 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

3.9. Create OpenStack client environment scripts

# Create OpenStack client environment scripts

# Above, the "openstack" client interacted with the identity service through a combination of environment variables and command options.
# To make client operations more efficient, OpenStack supports simple client environment variable scripts, the OpenRC files; custom file names are used here

1) Create the environment management script for the admin user

# vim admin-openrc
cd /server/tools
vim keystone-admin-pass.sh
---------------------------------------------
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
----------------------------------------------
env |grep OS_

# Application:
If the dashboard login password has been changed and forgotten, the admin_token authentication mechanism can be used to change the login password

2) Create the client environment variable script for the regular user myuser

vim keystone-myuser-pass.sh
---------------------------------------------
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
----------------------------------------------
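An added example, not part of the original post: it writes the same OpenRC variables as the two scripts above, but has the password asked for when the file is sourced instead of being stored in it, and it adds a check that flags rc files which do store OS_PASSWORD in clear text. It assumes bash for read -s; the file names and the sample rc contents used in the test are constructed.

```shell
#!/bin/bash
# Added example (not from the original post): OpenRC files without a stored
# password, plus a checker for files that keep one. Assumes bash (read -s).

# write_openrc FILE PROJECT USER
# Same variables as keystone-admin-pass.sh in section 3.9, except OS_PASSWORD,
# which the generated file prompts for at "source" time and never writes out.
write_openrc() {
    cat > "$1" <<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=$2
export OS_USERNAME=$3
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# asked for when the file is sourced; -s keeps the input off the terminal
read -rsp "OpenStack password for \$OS_USERNAME: " OS_PASSWORD; echo
export OS_PASSWORD
EOF
    # the file still names the account and endpoint, so keep it private
    chmod 600 "$1"
}

# openrc_has_plain_password FILE  ->  0 if FILE assigns a literal OS_PASSWORD
# ("export OS_PASSWORD" alone, as in the generated file, does not count)
openrc_has_plain_password() {
    grep -Eq '^[[:space:]]*(export[[:space:]]+)?OS_PASSWORD=.+' "$1"
}

# count_plain_openrc DIR  ->  lists offending *.sh files on stderr, prints the count
count_plain_openrc() {
    n=0
    for f in "$1"/*.sh; do
        [ -f "$f" ] || continue
        if openrc_has_plain_password "$f"; then
            echo "$f stores OS_PASSWORD in clear text" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}
```

Use it as `write_openrc keystone-admin-pass.sh admin admin` and then `source keystone-admin-pass.sh`; `count_plain_openrc /server/tools` reports how many rc files in that directory still embed a password.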
3) Test the environment management script

# Load the client settings from the script so that the client can quickly run as a specific tenant and user

source keystone-admin-pass.sh

4) Request an authentication token

openstack token issue

Example:

[root@openstack01 tools]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T12:13:28+0000 |
| id         | gAAAAABb0vbYr--LRd1NJ9ZXH68zSR4mIW4hDr6UqqiPmsA7vNEGDcMx8o-6Ihy8o47c5jo5GInOCe9KpKMfbXtdWPz6QkkWzZcFMqwXYS4tUI8DjjamEUBqFwlI10Oxbq7pEIGKVtFdMrOHy3EoLmE1rjY0p4DDm48pt3u8ON807nr0MUa1zIE |
| project_id | 3706708374804e2eb4ed056f55d84666 |
| user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

# The user_id is the same as the one obtained with the command above, so the configuration works

# This completes the keystone installation