|
|
3.0.keystone认证服务
: ^2 d$ Y4 i- ]6 ^: C7 W
- F# l9 V6 q1 ?2 ]$ V$ K1)用户与认证:用户权限与用户行为跟踪( X7 r7 Q F, h3 c
( Y: d8 t5 n" s8 n& Q
User 用户1 i4 G6 q* D- u7 E& P* g- x
Tenant 租户3 p& b1 x1 f- O# M& o: v! Q k
Token 令牌
& n5 Y; L T H/ Z+ ^* CRole 角色% D0 z: l; t3 k( M4 v
2)服务目录:提供一个服务目录,包括所有服务项与相关API的端点
0 M# P5 X1 a5 q& K
/ w, Y! x" r3 M5 B) hService 服务/ W; X! E) q( z i+ N a- V
Endpoint 端点( I) |) A0 z1 e
3.1.在控制节点创建keystone相关数据库1 a& U/ T+ I( o$ F, [4 J
# R" J- V0 {9 U2 U: b1)创建keystone数据库并授权
+ J g a- n! z& j1 `# I
! c' Q1 f, h, d) b3 H, h8 mmysql -p123456
4 ^* Q" I3 H1 e5 l; x* Y+ s--------------------------------
4 ?# o5 f" {/ ?* X8 X6 s, PCREATE DATABASE keystone;
. w7 W6 D2 P6 [3 p! O( F- F+ CGRANT ALL PRIVILEGES ON keystone.* TO ‘keystone‘@‘localhost‘ IDENTIFIED BY ‘keystone‘;6 N# L9 F2 M8 Z3 {8 ]
GRANT ALL PRIVILEGES ON keystone.* TO ‘keystone‘@‘%‘ IDENTIFIED BY ‘keystone‘;
4 n$ A0 {; H/ A% f' j8 rflush privileges;+ B4 E0 U4 ]% d' _8 D3 V
show databases;. Q; t9 T0 Y+ [ r
select user,host from mysql.user;
C$ p; X) R4 o9 j5 M* Qexit$ Q' P/ B$ Y+ z
--------------------------------9 U6 d$ t1 B- a( k) K) O( T. V0 E
3.2.在控制节点安装keystone相关软件包
! G! Q2 D7 _) }0 y0 j# j) r' I& }$ L# u# I, L. {6 N
1)安装keystone相关软件包
* v( P% \" b( E, q3 H0 V
+ q$ i4 @+ n8 a& t( a# 配置Apache服务,使用带有“mod_wsgi”的HTTP服务器来相应认证服务请求,端口为5000和35357, 默认情况下,Kestone服务仍然监听这些端口; w5 b0 {0 u+ p. y; F
$ `( o* I% N4 Z
yum install openstack-keystone httpd mod_wsgi -y
G a, k P1 ` o5 {+ iyum install openstack-keystone python-keystoneclient openstack-utils -y
' y9 W) g: ^! ^7 F/ L2)快速修改keystone配置
' Y/ K Y# {* e- g8 r- x+ X8 B2 _
1 {, K$ R, A- ^9 q9 r# 下面使用的快速配置方法需要安装Openstack-utils才可以实现$ r3 r t5 b9 {, k- t' j3 F
5 N( x- j' o5 ]& z
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
* a- s6 M1 Q, X Wopenstack-config --set /etc/keystone/keystone.conf token provider fernet
, R+ w# G+ K/ E4 {# 注意:keystone不需要连接rabbitmq
8 j8 i' n! S/ @% V7 d
0 z/ d! c- i- P2 E# 查看生效的配置
) y4 [2 ]( _. y- U: O2 K9 b) L, B0 A! T2 u& f
egrep -v "^#|^$" /etc/keystone/keystone.conf
! i% c# r! B1 B! G9 Z! d7 q. j# 其他方式查看生效配置+ L" e' d' ^" r
$ D: P! w D+ V& U
grep ‘^[a-z]‘ /etc/keystone/keystone.conf
1 Z! k; D3 C' y2 ]# 实例演示:: `/ ]# W, k P; X, y# n& e I
3 h% L& \3 H9 P% W3 i
[root@openstack01 tools]# grep ‘^[a-z]‘ /etc/keystone/keystone.conf
0 q. J Z9 x/ F& |" H3 zconnection = mysql+pymysql://keystone:keystone@controller/keystone
# G& r0 m; |: s% G+ a4 @0 y& lprovider = fernet0 L* z3 O. s- l& B* @' _$ f% |/ b. {4 ^
# keystone不需要启动,通过http服务进行调用* j1 a% b8 _$ g) b) J$ I
5 |3 L# q: z- p. J& M
3.3.初始化同步keystone数据库- j/ K8 s: ]% W( V" z2 I$ L/ U% t
' k% |" B; y( U: L" s9 i$ A, n1)同步keystone数据库(44张)( p& D# e3 H. }" m
( ?1 n1 F; U$ i) S; C4 csu -s /bin/sh -c "keystone-manage db_sync" keystone2 N5 @# ]; U8 s6 w3 k7 P
2)同步完成进行连接测试
6 q" [6 b% R& E4 i: X7 B$ L0 ?7 z3 d; e
# 保证所有需要的表已经建立,否则后面可能无法进行下去
5 W8 j9 ]4 j7 f+ C: U3 f& u* Z/ `( u1 f1 ]
mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"- R, n8 f' K l! r* g; @5 L) a
实例演示:8 Z- x" \. n, X
* s& o! A" d/ q
[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"* K. l# e6 X/ N6 c; S# E
+-----------------------------+& ^" J n5 P" W
| Tables_in_keystone |# R5 K2 S2 v" \' o. ^( F4 b8 ?+ \, C
+-----------------------------+, d; x N1 n3 j) A4 t
| access_token |
# o; Q* ~" G9 g0 Y" t| application_credential |
4 ^$ X6 t8 o! k3 _| application_credential_role |
9 n! W( S' q1 e2 A/ [5 g| assignment |
- u/ q/ v4 X; Z7 f: u" || config_register | t+ `/ g7 s3 f( U8 T5 p1 G
| consumer |6 g$ F9 m$ K2 v, F, _3 |8 e" S
| credential |
' Y. y1 w( e, H; @) n: Y. l| endpoint |
& r# a+ [ L5 h" h5 S: h5 E2 d| endpoint_group |/ @- X9 U- G; e- |% N9 s$ u% C
| federated_user |
T8 R2 @& j/ |; y2 _) p7 j5 ]/ R2 || federation_protocol |
- f$ c" q' D! C) c6 y! d v" w, l| group |8 T( T8 t' R* E# |
| id_mapping |
" H1 B* Q$ P7 I9 A9 O! k! e| identity_provider |1 l. u& E- Z1 i
| idp_remote_ids |% q! p5 ~% Z" L8 \; S
implied_role |
a0 t% Y( b; |! @▽ limit |
" j- P6 @* ?0 S; F- {| local_user |
7 d H) N* n, Q( f| mapping |
' h7 W; }+ z5 c1 f# F/ G$ c2 T8 [| migrate_version |& y% s) y7 s! J- i, ?
| nonlocal_user |( b0 }' r/ i' p2 T$ B6 d
| password |
+ w: E* T4 t4 d8 d2 y| policy |
8 y* ? y7 v' g* `# c5 o8 W| policy_association |* ^, K4 g3 q; m$ f! u! H! H8 Q
| project |7 `% p5 I1 c) b# z2 S+ ?- L
| project_endpoint |2 ?8 o' j% _9 U+ h
| project_endpoint_group |
J6 T& f' e/ o+ Q# v| project_tag |2 L+ i+ {# _0 i/ {* N0 F
| region |
7 n5 C7 W" Z# w0 q/ C: a" \| registered_limit |; p7 r+ t) w' r, I
| request_token |; B+ A+ X( v4 k+ l% ^$ @
| revocation_event |
# f9 h5 V3 A* c* j| role |. [& q' W+ C* z' Q' P( g0 k
| sensitive_config |
# z7 C3 @- `5 X- t! l- s| service |
/ L' ~: ^. y+ I) k# B| service_provider |# C f. `/ F N
| system_assignment |
" F, o+ P6 [1 L9 a. u3 a| token |* ^4 c; c1 {6 v* s
| trust |
* c+ K7 E/ J- }0 o| trust_role |* Y, }: {6 g* L0 m
| user |7 v. _) k: F0 \6 \, v
| user_group_membership |
, \2 |& ]2 {6 J- ]! s" }| user_option |
; T5 t& ~) J, q* I! X1 @: f9 r| whitelisted_config |
$ R h* [. q* F5 h+-----------------------------+
# B5 y& W$ M. H/ O" Y[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"|wc -l& n& y4 U- ?. r$ J) n
45
% \7 }( ]9 \) {9 k% z( |3.4.初始化Fernet令牌库
) g$ l1 h! m' u0 l0 ~
( I' ?# ?! `' H) `9 x6 Y: I( _2 H# Initialize Fernet key repositories:1 |* q4 J/ ^9 V2 {% C0 ]3 P
$ o) E) R6 ~+ F0 s# 关于Fernet令牌可以参考:https://blog.csdn.net/wllabs/article/details/79064094
i0 K6 d( [' o( ?
' M# z; d. F+ ]! _9 @% \: U# 以下命令无返回信息4 J w+ j: U, c& k
1 a4 b) |+ _- E* Ikeystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
$ u2 [; }' o9 J: ?( rkeystone-manage credential_setup --keystone-user keystone --keystone-group keystone+ O( e3 p7 l* F& R+ [$ D3 e
3.5.配置启动Apache(httpd)
: d* Y% h( T9 I! A; `: @7 \2 `. I
, i) r3 M4 ?! G v7 g1)修改httpd主配置文件
# r2 r" |: S" T9 y: Y) F$ J6 R# \
" w; ]' @# e0 A/ a8 y& ^ @- mvim /etc/httpd/conf/httpd.conf +95
0 N9 m4 d. Y1 f4 G# I. X( k/ P9 d& H Y------------------- 第95行,启用 ----------------------3 T1 [ `' P' u5 ?2 ]' y! v N
ServerName controller
$ S7 k' y {0 C& c, I7 j3 Q0 n6 U--------------------------------------------------------
# Y) Y0 E" }. u( q9 D1 t+ a# 或者; i% o. p8 D5 |% s* O
8 R/ }1 `' D `3 C2 _sed -i "s/#ServerName www.example.com:80/ServerName 192.168.1.81/" /etc/httpd/conf/httpd.conf
+ w( o9 y; y' Ucat /etc/httpd/conf/httpd.conf |grep ServerName' B0 P. l; [$ B1 B. c' O/ M
2)配置虚拟主机
" F" s6 v8 g& z2 V% Q& j+ E. W5 N( a& C* ?0 O/ L
# 创建keystone虚拟主机配置文件的快捷方式,也可以复制过来
! ^9 F/ l7 S: M G5 `: m
2 Q# L9 R0 J) ]) B+ k2 z0 _- fln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/2 _5 ^$ H6 }9 n2 }) k+ ?
# 或者可以手动编辑创建该文件! D0 {; x4 g1 [- Z+ U: o
/ L7 \' ]" R# H9 Icat /usr/share/keystone/wsgi-keystone.conf
( d8 B5 R6 `" o [* l--------------------------------------------9 ]% m2 d, i2 e: N6 L
[root@openstack01 ~]# cat /usr/share/keystone/wsgi-keystone.conf* P6 r$ s/ l1 K4 n0 f
Listen 5000
- G6 D# X& a/ U, I; [9 h/ j
3 ]! P! O* l9 U. F" `& o$ M/ j<VirtualHost *:5000>. V7 }* U( k# `" B! b3 T
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
+ c; z9 p; E, A6 J- D; u* z3 ?7 ? WSGIProcessGroup keystone-public' K" x' g' `* d+ @
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
' H! \- {5 m+ ] WSGIApplicationGroup %{GLOBAL}7 {" ]; n+ P- _9 |' u2 B+ D
WSGIPassAuthorization On! W8 y! r( `/ y, G2 T
LimitRequestBody 114688
1 T: y$ P% Q# Y: j <IfVersion >= 2.4>
5 T; C2 o/ j, |& s ErrorLogFormat "%{cu}t %M"
8 e) H: n8 r8 f9 O1 H* ]7 H9 W </IfVersion>
' m' w( g4 l) |6 Y ErrorLog /var/log/httpd/keystone.log
& G1 X& E s9 E: c% S2 g/ @3 k CustomLog /var/log/httpd/keystone_access.log combined
7 u2 ^. N# z6 u/ r
. z) s8 f: Y) @* L) q3 G% T <Directory /usr/bin>
& m6 n( O; S" D9 b, u: K <IfVersion >= 2.4>
7 u% h3 i- y0 H& Q Require all granted, i% k$ c/ f H3 \: _
</IfVersion>
) Z1 U/ @% _' K: p" I <IfVersion < 2.4>
/ ^6 V8 R% F$ K3 }+ ]8 W/ u Order allow,deny
6 P- [! f! ^' U9 g Allow from all8 j8 K/ z" x' O5 D" A8 I5 H
</IfVersion>
' G5 h6 w3 x J6 T' n3 m$ g7 ?) y </Directory>5 k. t! \: a; e) A) x Q# r/ j
</VirtualHost>
# z! ]4 K+ v: k& ]/ b- A* x4 t& W1 [- [& H
Alias /identity /usr/bin/keystone-wsgi-public
- S% c, w2 H$ w+ _* h' g<Location /identity>
& U1 L* o. ~: P/ Q) G+ U; Y SetHandler wsgi-script$ x2 q1 t) k1 a0 T$ Z
Options +ExecCGI# A; T0 n; G. }, _% W) }
8 [ l, u# I0 A3 ^# Q6 @4 H WSGIProcessGroup keystone-public U8 T4 a# G5 |4 J+ q5 ]
WSGIApplicationGroup %{GLOBAL}& Y' s8 f5 k7 d& k f) z9 H
WSGIPassAuthorization On
- ~/ R; s9 T; g1 Q8 r _</Location>
" X' T+ u4 N! G6 v- O) ]. V--------------------------------------------------
# s- X5 X) l+ k4 x8 `1 P3 v3)启动httpd并配置开机自启动$ j+ E* v" K8 q) B! R
$ b' B7 i) [. v& m7 L, {systemctl start httpd.service
9 n1 I! x$ n. e' O2 P: t, Msystemctl status httpd.service
& c* q, i9 l7 x7 Knetstat -anptl|grep httpd
0 W# N( `2 J, ?+ {
/ @! M4 F0 l" s* Lsystemctl enable httpd.service
6 C- g* |% I; G& Gsystemctl list-unit-files |grep httpd.service
/ R5 r6 {' N/ j9 [# 如果http起不来,需要关闭 selinux 或者安装 yum install openstack-selinux
* T1 _ L2 O/ u# K7 O4 i4 e* {" o. t: E* a3 ^$ R( u" e1 E
实例演示:2 A; e" f; W2 U/ Z0 r1 k
+ _! C+ Z+ V. H[root@openstack01 ~]# systemctl start httpd.service
1 a+ e* n" H5 D[root@openstack01 ~]# systemctl status httpd.service
0 v: j1 w" \& @; m. j: T● httpd.service - The Apache HTTP Server
3 f4 _4 |6 j8 a( t B+ Z Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
0 c7 X- m! {, M1 p, L Active: active (running) since 五 2018-10-26 18:06:20 CST; 98ms ago
, Z* E6 m3 x) C: ]% B Docs: man:httpd(8)
7 ^- g( H/ E" n/ G3 [ man:apachectl(8)/ w8 e. j* k! o6 V9 F& D; |6 ?
Main PID: 1978 (httpd)
; c4 Q5 |6 D9 w7 D$ K& d% f- E Status: "Processing requests..."
) ^0 n2 }& b) A, f6 F8 L CGroup: /system.slice/httpd.service8 H u5 I7 \3 y
├─1978 /usr/sbin/httpd -DFOREGROUND
" Z H% U/ f; e, |" n/ @ ├─1981 (wsgi:keystone- -DFOREGROUND, I) _! Q$ p0 \; }+ c
├─1982 (wsgi:keystone- -DFOREGROUND, k$ m0 q7 \9 M5 L' W( K# L1 u
├─1983 (wsgi:keystone- -DFOREGROUND
4 `! @% B+ B( C ├─1984 (wsgi:keystone- -DFOREGROUND( \3 `9 R% a7 K
├─1985 (wsgi:keystone- -DFOREGROUND6 i* O9 K5 [! Q* _0 |
├─1986 /usr/sbin/httpd -DFOREGROUND; @ m- `) |& B l# n* o0 P
├─1988 /usr/sbin/httpd -DFOREGROUND
2 D# O) X7 g6 _; A+ N └─1989 /usr/sbin/httpd -DFOREGROUND) x" c: b5 p& z: }9 h) S4 B0 z
: C+ r1 p9 i% ~10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Starting The Apache HTTP Server...2 o1 d8 i- p5 Z- ?# x- ^2 ?" C n: }- V F
10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Started The Apache HTTP Server.
. S p* H7 y. m: f/ O" T2 M[root@openstack01 ~]# netstat -anptl|grep httpd
/ n0 c- m( b4 o0 ~" J. [tcp 0 0 0.0.0.0:5000 0.0.0.0:* LISTEN 1978/httpd
, u# ?' f8 o z$ s+ ]tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1978/httpd 9 l3 n9 i7 S+ l7 i1 V M
[root@openstack01 ~]# systemctl enable httpd.service, c/ ?' e% K4 [2 \5 I+ M6 x
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
9 q4 L' Q z: F[root@openstack01 ~]# systemctl list-unit-files |grep httpd.service
5 I9 B% t/ L2 phttpd.service enabled
# g F/ C5 s% F, A) l$ K2 Q9 l( g# 至此,http服务配置完成8 v7 H% @; H/ A9 a4 w# b' p/ K+ s# T
4 h7 W2 ], \! B0 h5 m f
3.6.初始化keystone认证服务
( a$ n' L t, r* x/ r' g! g" w- D5 ?
+ A6 J W3 V5 I3 w1)创建 keystone 用户,初始化的服务实体和API端点* M2 ?. z+ I2 }% D
~3 a1 {$ x; C) C7 A* t9 v
# 在之前的版本(queens之前),引导服务需要2个端口提供服务(用户5000和管理35357),本版本通过同一个端口提供服务
% A8 L4 D5 n1 o1 Q
* m5 E4 o( K/ E! O/ v* c, `2 K8 H7 {# 创建keystone服务实体和身份认证服务,以下三种类型分别为公共的、内部的、管理的。2 A! o- ?1 `0 s' c; O
$ @7 J8 S6 H3 T6 f# J3 y7 O8 F2 z# 需要创建一个密码ADMIN_PASS,作为登陆openstack的管理员用户,这里创建为123456, J6 T( \) K2 ]* p1 p; `
8 [" e' q5 q7 x/ [
keystone-manage bootstrap --bootstrap-password ADMIN_PASS --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne3 G. r9 w' `/ e. u7 E! Y. ?' j$ _
# 以下为命令实例:
, t6 F# e. o' R. j! d8 ^6 D3 {: }" W
keystone-manage bootstrap --bootstrap-password 123456 --bootstrap-admin-url http://controller:5000/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne% U" ^) g2 b7 D
# 运行这条命令,会在keystone数据库执增加以下任务,之前的版本需要手动创建:' W$ Y e! _) B5 u0 L
6 I4 C; v( f+ Z. h& `* y1)在endpoint表增加3个服务实体的API端点
& t7 S; O/ X1 w/ B" M2)在local_user表中创建admin用户
* G8 l8 l( m2 g4 T; z7 }# \3)在project表中创建admin和Default项目(默认域)
- K6 X1 s& ^/ E7 N2 q0 j `! k4)在role表创建3种角色,admin,member和reader
/ B, T. b, ^# c) I; }" R0 g% V& X5)在service表中创建identity服务# O, A' I- }) a) V$ ]. g
2)临时配置管理员账户的相关变量进行管理) o, @' t4 n0 V8 `- `) b
$ [: K( Q$ s& M3 {
# 这里的export OS_PASSWORD要使用上面配置的ADMIN_PASS
1 i# @- i7 T% l+ S& x/ @; S5 x/ ~9 }( G4 W
export OS_PROJECT_DOMAIN_NAME=Default% o+ Z& \ B/ E& Z( {
export OS_PROJECT_NAME=admin. r( ?7 j( ]% \0 H$ I
export OS_USER_DOMAIN_NAME=Default1 q0 n6 ?9 a a! W: B* G8 z
export OS_USERNAME=admin0 k9 |8 q' K9 ]7 B% q" E
export OS_PASSWORD=1234565 Y% S* e0 n' P4 a9 M! }6 _$ m3 R
export OS_AUTH_URL=http://controller:5000/v35 A3 p3 N$ k0 \" h
export OS_IDENTITY_API_VERSION=3' D v N/ y5 p% U. h
# 查看声明的变量
4 k& E% r8 }1 H9 H! b9 e/ { r
' f% {4 H$ @9 ]# t; f8 j* I- `env |grep OS_
7 K4 y$ G, x" b2 y实例演示:! U+ C- G: Y! B' G
8 D. L- _. ]8 j/ [
[root@openstack01 ~]# env|grep OS_
, \0 F' g' e! x" H" POS_USER_DOMAIN_NAME=Default
Y% B/ ]' U5 K& K! l' O" ~OS_PROJECT_NAME=admin6 O& ^$ c" }5 ~
OS_IDENTITY_API_VERSION=37 v9 ~- O1 `" l/ D
OS_PASSWORD=123456! v) S9 B3 G2 O' r- }$ C
OS_AUTH_URL=http://controller:5000/v3 K5 L, b0 a3 s
OS_USERNAME=admin
( _. v* ~( w. ]1 `9 c2 [OS_PROJECT_DOMAIN_NAME=Default
5 G1 O; G# i1 b6 [! Q, E* l# 之前的版本采用admin_token来设置初始化的管理用户认证令牌,类似下面的
o5 x3 }# Q9 V, B
0 I* D3 j S' }: B7 yexport OS_TOKEN=c0053993bb39ad3de84a
; n4 a3 g5 N+ |9 Eexport OS_URL=http://192.168.1.81:35357/v3' n$ C: T7 M( _! J
export OS_IDENTITY_API_VERSION=3
6 A3 L0 \* `8 U1 n' Jexport OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
$ K2 m) r3 G6 x5 ]. K# `附:常用的openstack管理命令,需要应用管理员的环境变量
& A- l( c! `0 e! v$ h* T$ E7 L _0 K- _
# 查看keystone实例相关信息! b9 ?( j, l6 @7 _' a( a, A( N
/ l `& e! T% A% S! b3 Z
openstack endpoint list' c: D# P5 B1 R% `# F/ B
openstack project list
& l8 V7 j$ B e9 R& Q' hopenstack user list
! U7 ~4 L6 p' u9 a3 |0 `3 A实例演示:
4 g2 D* H9 v( n# U6 ]. Q
' h! d$ u( m2 N% d7 I% \[root@openstack01 ~]# openstack endpoint list
6 l8 b; ^7 ^1 E7 Z% R2 e* y$ `/ e& Q) u+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+) Z6 O/ y: e4 y
| ID | Region | Service Name | Service Type | Enabled | Interface | URL | F0 J: _1 D7 h; @6 ~% A
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
* g- N& A9 c9 k% U; r+ A| b8dabe6c548e435eb2b1f7efe3b23236 | RegionOne | keystone | identity | True | admin | http://controller:5000/v3/ |
! z. U% Z) [' i$ \2 a# k- l/ {| eb72eb6ea51842feb67ba5849beea48c | RegionOne | keystone | identity | True | internal | http://controller:5000/v3/ |
; |, x: P; W5 I+ I| f172f6159ad34fbd8e10e0d42828d8cd | RegionOne | keystone | identity | True | public | http://controller:5000/v3/ |
- X9 y! f7 m1 I- |3 G; @+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
0 J% N6 ^0 ?7 _& {: m4 k) p4 ^[root@openstack01 ~]# openstack project list0 H6 x2 m# E& Q. g1 r! [5 A$ q. ]
+----------------------------------+-----------+. w+ r ~# i/ D/ i I3 C }- I
| ID | Name |$ e/ m h3 z ?$ A: J
+----------------------------------+-----------+2 |& N( Y- ?. M& X, _
| 3706708374804e2eb4ed056f55d84666 | admin |( Y5 A0 A8 h- O1 C
| 84cc7185f2c8461eb19a14968228b272 | myproject |! g ]6 {, `; w3 b) ?1 n+ H
| b8e318b3c7a844708762169959c34ff8 | service |
' @3 \( e9 T( C% x4 Y% ~+----------------------------------+-----------+
4 Z- I3 i4 w) s: @: b- E; I[root@openstack01 ~]# openstack user list; ^. K5 H: c( W2 e) |9 r) I
+----------------------------------+--------+
; ^: ~" Q- `2 ~; I3 l/ f| ID | Name |, q9 ]0 y- w+ K
+----------------------------------+--------+4 E( t3 r4 K% C
| cbb2b3830a8f44bc837230bca27ae563 | myuser |
0 f+ ~- R; y0 F2 D8 M$ P| e5dbfc8b394c41679fd5ce229cdd6ed3 | admin |
4 o4 ?6 Y( |" P% |3 Q, T. y+----------------------------------+--------+# S8 b9 X7 i {$ ]0 D
# 删除endpoint
: f/ H5 Z U( n' Y
) X- \+ b! j" S5 H) R& F D% W# 以前的版本单独创建endpoint可能会出错需要删除,新版本已经优化好,只要系统配置没问题,会自动生成一般也不会出错
7 G3 p! X+ |' G# j5 ?- j
. l( I- a" L9 {' eopenstack endpoint delete [ID]
* [! f3 X0 m4 J3.7.创建keystone的一般实例
7 w5 b }5 d) k5 R" x% U( V' ?* f3 O: _: x- c
# Create a domain, projects, users, and roles+ S G ^7 k: g6 v
8 I' W4 ~/ x- {& x: y% ~' O7 ihttps://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html
! N: H! m9 e6 g' l7 j! p* _8 [ `
7 L$ ~0 I/ `0 X! S$ w" T; K8 S1)创建一个名为example的keystone域: _: C' }/ B, {
5 ]+ d! i9 w- X' M
# 以下命令会在project表中创建名为example的项目
6 R0 n3 S7 b7 A3 b0 Q( k! f3 |* c# z1 I
openstack domain create --description "An Example Domain" example
0 P% Z+ B$ l" e3 ~7 S, D6 ~实例演示:
6 ?: l. r* j: S, R* R! h& Y. Z1 z1 b
/ n& A1 Y/ b5 N# W& r3 v+ O% e[root@openstack01 ~]# openstack domain create --description "An Example Domain" example4 O( b: Z6 I! z( M& B& N A/ W
+-------------+----------------------------------+# F) u' d7 K) o! R# @; z; v2 U
| Field | Value |
7 @4 t) {8 O' ^0 F; W+-------------+----------------------------------+! ?( P6 U+ O% j9 ~& G3 M0 u w
| description | An Example Domain |
) h/ [: ]5 R- x; l; {4 q| enabled | True |% x4 z. r, i4 u8 c! F! G
| id | 17254ea898de477ca4a1f6f3cbc6c5bc |1 B0 u' Q3 a7 N$ P9 G: b
| name | example |( E* H8 m- d4 {4 v/ G3 M- Q
| tags | [] |3 B3 g7 [ B5 G4 _6 t
+-------------+----------------------------------+
, f0 U# v. x* n3 n) F2)为keystone系统环境创建名为service的项目提供服务5 g. I# [7 z9 b( X+ u6 n
8 w& g9 K9 v+ h2 R- k. U- A, X# 用于常规(非管理)任务,需要使用无特权用户
1 M3 F% P+ i9 f! i& L( P/ @4 ], K0 z m
# 以下命令会在project表中创建名为service的项目
, \2 ~( s4 y; u& Q3 k/ p5 d7 l6 m$ a, Q. L, l7 J/ m) ^0 z, m
openstack project create --domain default --description "Service Project" service6 U3 E- C" t' g2 r. |) o0 f
实例演示:, O6 Z; b# f+ y; X* U% t
/ h, X8 w2 d7 t! n: X
[root@openstack01 ~]# openstack project create --domain default --description "Service Project" service; z. g, x/ e/ b: }3 x) x0 V! L# l7 E
+-------------+----------------------------------+
& }% E/ `3 G6 W| Field | Value |
6 P- h( Z2 R8 s+-------------+----------------------------------+9 T+ _. E* W+ p$ x' q% }
| description | Service Project |. k" f1 r0 R# f0 K. d
| domain_id | default |
+ h9 ~9 M1 S0 g& j| enabled | True |
( a: n" P8 T* U E, E| id | b8e318b3c7a844708762169959c34ff8 |
" _& u* t; w% A| is_domain | False |4 _/ y* h8 G" D) K ^& o
| name | service |9 m1 ?% d h* P5 h) s; _! k
| parent_id | default |# Z; B3 A3 [8 I, l
| tags | [] |
/ c2 j2 H6 v% P$ X% t, k4 U+-------------+----------------------------------+
* K& P* a- J. d' j: a3)创建myproject项目和对应的用户及角色
V. [) W4 V( O! D' {
2 A5 ~' ?4 n. r8 A% n9 b: b# 作为一般用户(非管理员)的项目,为普通用户提供服务
( [6 x+ p% t( K T
# p1 @/ Y( P. v9 n# 以下命令会在project表中创建名为myproject项目
. ]/ S0 \2 U' z$ A$ S" c/ F1 Y6 H3 D/ \
openstack project create --domain default --description "Demo Project" myproject$ Q. _& K2 E/ ^+ O; o4 [' L
实例演示:5 A' y# Q) |! s) |$ a
4 r- i1 ~; L8 c% S; U
[root@openstack01 ~]# openstack project create --domain default --description "Demo Project" myproject
+ D( D/ s% e5 Z+-------------+----------------------------------+
5 i% p& s% H& ~7 S" |; ~" ^1 W+ a| Field | Value |
$ ]( R, }* t5 c; s" {# w( e3 ?+-------------+----------------------------------+
) X1 o6 ^ c8 } B3 W. m' X/ l. j| description | Demo Project |
" o; N; ]6 L: M/ e| domain_id | default |
2 p0 A( X( I0 P) s1 r| enabled | True |
7 d& R8 j- }# c/ p2 ~! Y| id | 84cc7185f2c8461eb19a14968228b272 |
& [8 m H( p! J5 S- S8 W2 Q& L| is_domain | False |
, K1 F# g4 j- R9 k1 U7 k" h7 C4 ]| name | myproject |. ?5 O8 I2 B/ z9 s! N
| parent_id | default |0 L1 a) U% e" k! e6 w4 B
| tags | [] |7 ~/ i, r5 O2 o3 Q2 _$ }8 A
+-------------+----------------------------------+
. l2 S( Z! T+ _. n4)在默认域创建myuser用户
5 W4 ~& \7 Y$ J- K1 U5 z5 c9 T0 `8 \( n
# 使用--password选项为直接配置明文密码,使用--password-prompt选项为交互式输入密码
& w0 r" K/ @# L$ ]/ A# 以下命令会在local_user表增加myuser用户& y1 `* }- z4 {. i: ~; V' I! r
5 g5 _0 T' i6 m, g; M1 [2 T
openstack user create --domain default --password-prompt myuser # 交互式输入密码) s! b" @& l. V% N9 l; B, z* r
# openstack user create --domain default --password=myuser myuser # 直接创建用户和密码
% m0 b' X* G- ]实例演示:# {7 M$ S# {& V% s% t2 {& ]
5 T { D+ U) ]3 B+ i7 K: A. ?9 R[root@openstack01 ~]# openstack user create --domain default --password-prompt myuser
! {% f. z; ^& z- f! A* tUser Password:6 r3 h( c! A2 ?/ K, W
Repeat User Password:
2 Y# O% Q* m3 @1 G* s" k+---------------------+----------------------------------+
" Y8 q" B1 V( O; B: N3 M| Field | Value |
% N, S, v3 ]: e p% X; u, x. ^+---------------------+----------------------------------+
& {3 u7 A3 A0 Q6 H5 r9 K9 _| domain_id | default |
3 d- K* v4 j) l1 ?| enabled | True |
" v, U: z( W# k8 f| id | cbb2b3830a8f44bc837230bca27ae563 |' k6 B: z6 F0 ~
| name | myuser |
2 T: ?" P$ Y0 M# m- r1 D0 G| options | {} |
% V$ ?; g1 Q6 T| password_expires_at | None |. u8 ?8 T+ H% g( ~3 b
+---------------------+----------------------------------+8 j; d# m7 V5 a1 w# s. H1 ?: Q7 k
5)在role表创建myrole角色+ c' H! z! F) z' O! R8 r
$ H0 Z1 h1 m# Y" Bopenstack role create myrole
) w: p5 T3 b% Y; L" C实例演示:* }8 t, g4 N' Q1 n; y
8 O2 ^4 v" {4 e+ m
[root@openstack01 ~]# openstack role create myrole& S3 b# |! s, x! X! c
+-----------+----------------------------------+6 J9 ?+ v/ M) b7 Q' \! R
| Field | Value |
# V7 N& C7 ~6 T+-----------+----------------------------------+* p, A, G! i7 c( `: y# r% b
| domain_id | None |
4 V8 S9 z8 u9 c0 N! Y) w# [| id | 75ac33f79cc945afa42a18a3dd0ba0ad |
* s! W5 _$ Q2 g0 G3 t+ f% Q0 U U0 ~| name | myrole |, ~( v4 ?5 i( J8 `7 h! D
+-----------+----------------------------------+
1 f% x' z$ n) u" _% a6 i. [6)将myrole角色添加到myproject项目中和myuser用户组中5 M$ v; a+ @* o! [6 K. e, D6 V
" H, [3 W6 q1 @( |- r# 以下命令无返回,数据表操作不太明显
" w+ s0 x" A; T. o
; g* q& B! h B3 p/ O1 l0 D4 A- Wopenstack role add --project myproject --user myuser myrole
+ }* r" `% y' p: E3.8.验证操作keystone是否安装成功
N; |# ~8 W2 d2 t+ \; ^: @2 o7 x9 \; G1 ~
1)去除环境变量: r: D4 {. I" |# m! k
4 b& X/ n7 a. f5 Y, e p7 A
# 关闭临时认证令牌机制,获取 token,验证keystone配置成功
! b+ e, c! y: p9 m$ G2 w9 w( c; c3 X
unset OS_AUTH_URL OS_PASSWORD/ p! p x3 K6 \ f7 d4 B
env |grep OS_
8 z, t3 r- G$ Y) \. z2)作为管理员用户去请求一个认证的token4 F8 M; i& N7 R
& r$ F# X9 n& ?5 b1 ?# 测试是否可以使用admin账户进行登陆认证,请求认证令牌1 D) N; u$ V z4 C2 {0 U% E
& T3 ~; Y$ ?; c. [5 S3 } b" iopenstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue4 ~ }, x" @! a% B) R& ]
实例演示:
, w. Y2 H" `7 y9 H( a0 i# \) E2 P" h0 k+ @' a/ E, n% O8 V& w
[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
4 G/ h" H4 g! ?> --os-project-domain-name Default --os-user-domain-name Default > --os-project-name admin --os-username admin token issue, \' K" U; `4 r& W* G) L) w
Password: 4 z9 G4 b7 t) }9 I) J) B3 B
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
+ t8 ?+ l! v5 y1 F d/ N+ f! F| Field | Value |
9 N8 w- j+ J" T# h6 B P4 ~8 Z2 ]+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+! \+ [, i9 Z2 L% J* e9 n
| expires | 2018-10-26T11:48:40+0000 |3 F9 y+ ~8 L! h4 f8 N! b1 S
| id | gAAAAABb0vEIENgBaYEBJZSJX7RDelXdM2sHi_hbfT-FHTjd3z5j5Mt-sssJpW1EXeWVAbMdyBI2t9XNCxG5m1XNm_2k1xWP7WnbOYAp1rl2FZCwz4LL0F-mER_bOW-HnE0rjA6YvP0MzW4HVg0eEE_6zACr0R0NaaVytK_eRsvO_Lhco6vacYY |- ~9 ^5 E3 N6 u8 A( K
| project_id | 3706708374804e2eb4ed056f55d84666 |
- u- r. d1 |) s5 G| user_id | e5dbfc8b394c41679fd5ce229cdd6ed3 |6 Z( B+ D" Y5 @' F( L
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+' M# A' E: h6 G; W* M" {
3)使用普通用户获取认证token. W6 W. i$ ^+ u
$ { i# e9 `9 Q
# 以下命令使用”myuser“用户的密码和API端口5000,只允许对身份认证服务API的常规(非管理)访问。
( c% d( S# n$ N- p
- x6 A( ]' V# Q d8 A$ {openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue2 j; J: I! M- O
实例演示: \1 r8 \0 G3 p4 D
! H# }2 X1 A% n[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
6 @4 i. F& j& D i- I# a9 F) O> --os-project-domain-name Default --os-user-domain-name Default > --os-project-name myproject --os-username myuser token issue$ H: _5 r- ^) \2 n1 t! _$ t
Password:
9 x* N' @5 y# X+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
3 b" D7 Y3 v s+ H, || Field | Value |
& X! o$ W- u; F. N- m, A+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+: m8 B g- L5 v
| expires | 2018-10-26T11:49:18+0000 |
4 R N( C- g5 F| id | gAAAAABb0vEuxOrgkmLfcZJl8vB6dJyrHFtvxBT1m7qLYzuD-WkOVoQUzE9mTGcrKE6CrZbLU57Nc7mv-50-ggH9pf2qrW5uWQu7MRJcUb3rgpmoYn7EVdv8X0lGK3IiWEPSF48u1b2y7mEmvYb7TGOFO8l87of6L2aaJmdMxp9KgM87_3Mu2-g |$ G# n, i. g! L; f
| project_id | 84cc7185f2c8461eb19a14968228b272 |) A+ h2 M$ W, p* n( `& I
| user_id | cbb2b3830a8f44bc837230bca27ae563 |
. V6 q& j4 j8 s+ k4 `! u+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
' _/ L. G2 U) ^1 T8 A5 Z
6 G" m8 i- T9 w' W, `0 {3 z/ K
% x6 t6 W' f( w' Q2 J3.9.创建OpenStack客户端环境脚本6 M; g; G5 Q0 U0 m6 P' @# _
4 o2 d2 c% {1 e9 I4 i* O1 h# Create OpenStack client environment scripts
; K( W( y6 Z; Q5 R% ^
6 A" d: L4 Z' D5 ]& Y9 ~% a# 上面使用环境变量和命令选项的组合通过“openstack”客户端与身份认证服务交互。
+ }( r3 y4 s3 M# ?' Z3 B4 v# 为了提升客户端操作的效率,OpenStack支持简单的客户端环境变量脚本即OpenRC 文件,我这里使用自定义的文件名 V- ^7 g$ ~, E3 J
0 i$ S7 h% `$ ~- M( S9 L$ o1)创建admin用户的环境管理脚本. `, `. c7 ^0 {) K, B5 Z. L3 R
; ~& s! e3 a+ K$ F$ g
# vim admin-openrc
* ~& H& u4 i5 Z2 {: z# o$ gcd /server/tools3 g1 w$ R& E% p
vim keystone-admin-pass.sh
' W& {' t @+ e7 w---------------------------------------------5 v; D9 r7 G' x! H( g9 F
export OS_PROJECT_DOMAIN_NAME=Default7 I3 o# ?2 d: D9 O
export OS_USER_DOMAIN_NAME=Default0 R' o+ }, j4 X' f
export OS_PROJECT_NAME=admin
. _' h6 {) v4 p) I* {/ t9 X: Kexport OS_USERNAME=admin
7 K6 X1 @! m: y9 X% A/ V: |3 eexport OS_PASSWORD=123456
6 X4 Z: k' f$ |5 O4 }; g. k5 Rexport OS_AUTH_URL=http://controller:5000/v3
v# I0 W; W1 X! K1 @9 M9 M Dexport OS_IDENTITY_API_VERSION=3% E1 \; b3 F* T- {; R7 U. Q
export OS_IMAGE_API_VERSION=2: h# Y. g$ v+ u& |. g
----------------------------------------------
' R7 |# h3 E- l2 Lenv |grep OS_
; a) U' r x2 H; q6 _; T# 应用:/ @1 t; d; {. i
如果修改dashboard登陆密码忘记了,可以使用admin_token认证机制修改登陆密码
* o* f7 n- ]8 ]7 C# o3 x! p L
7 _8 q- C; P' a" q1 G7 f2)创建普通用户myuser的客户端环境变量脚本
0 |& D |' w6 d5 e8 D1 _8 ~1 Q
3 j& S; l; J' e* v" Jvim keystone-myuser-pass.sh
( l1 ^0 K2 z. j---------------------------------------------
% X- \; v9 ?6 n- I4 v Kexport OS_PROJECT_DOMAIN_NAME=Default
" b1 ~3 W% a/ Q2 y; bexport OS_USER_DOMAIN_NAME=Default- o, l) ?6 x0 K" L' e) E9 J/ Y
export OS_PROJECT_NAME=myproject
7 @! |& U. h+ ~8 o y* o) Sexport OS_USERNAME=myuser
- n0 ~3 \: R, \export OS_PASSWORD=myuser
* j$ G9 o2 H9 J" p7 Oexport OS_AUTH_URL=http://controller:5000/v3# f1 K% n+ @4 ~2 O9 w/ I
export OS_IDENTITY_API_VERSION=37 k6 F) `3 m, i) J _' [
export OS_IMAGE_API_VERSION=2
) q" [, U9 X8 ~4 W0 d) ?- U3 R----------------------------------------------: w& ~! H7 H9 H& f. ]- g- K
3)测试环境管理脚本( H+ V$ }' D( U# K J$ d( B0 H
. r7 c5 g* G2 B: G' _
# 使用脚本加载相关客户端配置,以便快速使用特定租户和用户运行客户端# i4 s. r1 i4 t, w' @: K) J
8 h' T3 G) l: \% `. p( f5 C
source keystone-admin-pass.sh
' C1 ]$ u( v; r( ]6 i* H, K1 ]4)请求认证令牌
$ j0 X% N4 O5 e0 j2 ]. D% v3 Y* U1 `* E" F% O+ k0 |7 l2 v t, D
openstack token issue: Y, d: A3 J$ Y4 T* t. B5 w
实例演示:
; C5 w3 h, K+ ?3 U& w
4 Y/ a2 q; u# @: x' \[root@openstack01 tools]# openstack token issue
R c% s3 I+ } F# Y0 H$ ~- o+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
^# q9 z7 e5 g/ O9 z| Field | Value |2 y5 k8 u& @3 ?8 ^
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+% Y9 D9 W3 M2 O6 K
| expires | 2018-10-26T12:13:28+0000 |5 X5 a: ]% w4 ^( A5 u) n$ `! J
| id | gAAAAABb0vbYr--LRd1NJ9ZXH68zSR4mIW4hDr6UqqiPmsA7vNEGDcMx8o-6Ihy8o47c5jo5GInOCe9KpKMfbXtdWPz6QkkWzZcFMqwXYS4tUI8DjjamEUBqFwlI10Oxbq7pEIGKVtFdMrOHy3EoLmE1rjY0p4DDm48pt3u8ON807nr0MUa1zIE |8 S8 E( c2 f& E b; ]
| project_id | 3706708374804e2eb4ed056f55d84666 |% u8 @1 G7 a' `) Q. p
| user_id | e5dbfc8b394c41679fd5ce229cdd6ed3 |
1 t# i+ {( _0 \" q) K+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+. K7 w* Z8 O, d2 U
# 可以看到user_id和上面用命令获取到的是一样的,说明配置成功7 w" @; l+ W- y; w" x
+ K: c" q6 L5 B- g/ Q) ]4 o
# 至此,keystone安装完毕 |
|
发表于 2019-1-7 21:30:46