openstack安装(liberty)--安装认证服务(Identity service)
二、安装认证服务(Identity service)
1.1建立数据库
# mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE keystone;
1.2授权数据库访问
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
2.1生成临时随机数(token)
# openssl rand -hex 10
4904808b108b787d950f
3.1安装包
# yum install openstack-keystone httpd mod_wsgi memcached python-memcached
3.2启动memcached服务
# systemctl enable memcached.service
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
# systemctl start memcached.service
3.3编辑配置文件
# vi /etc/keystone/keystone.conf
# NOTE(review): the section headers are omitted in this excerpt. In keystone.conf
# these keys belong to different sections: admin_token and verbose under [DEFAULT],
# connection under [database], servers under [memcache], provider and the memcache
# driver under [token], the sql driver under [revoke].
# Bootstrap credential (the value produced by `openssl rand -hex 10` above). It is
# only needed until real users and roles exist; step 9.2 removes admin_token_auth
# from the paste pipelines so it can no longer be used.
admin_token = 4904808b108b787d950f
# Database credentials are stored in cleartext here; keep this file readable by
# the keystone service user only.
connection = mysql://keystone:keystone@controller1/keystone
# memcached server list (port 11211 on the local host), used by the memcache token driver below.
servers = localhost:11211
# Token format: opaque UUID tokens.
provider = uuid
# Token persistence backend.
driver = memcache
# Revocation-event backend.
driver = sql
# optional, for troubleshooting
verbose = True
3.4初始化数据库
# su -s /bin/sh -c "keystone-manage db_sync" keystone    # 没有消息输出
4.1配置HTTP服务
# vi /etc/httpd/conf/httpd.conf
ServerName controller1
4.2创建配置文件
# vi /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
# Public Identity API on port 5000. '*' binds every address on the host.
<VirtualHost *:5000>
# keystone runs in its own daemon process group as the unprivileged keystone user/group.
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
# Every request path under / is handled by the public WSGI entry point.
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
# Forward the HTTP Authorization header to the WSGI application instead of letting Apache consume it.
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
# NOTE: both virtual hosts in this file write to the same error and access log files.
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
# Access rules for the directory that holds the WSGI entry point (2.4 and pre-2.4 syntax).
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
# Admin Identity API on port 35357, also bound on every address. If this port must not be
# reachable from outside the management network, restrict it at the host firewall or bind
# it to the management address instead of '*'.
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
# Same layout as the public vhost, but served by the admin WSGI entry point.
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
4.3启动服务并开机自动启动
# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
# systemctl start httpd.service
5.1配置TOKEN
# export OS_TOKEN=4904808b108b787d950f
# export OS_URL=http://controller1:35357/v3
# export OS_IDENTITY_API_VERSION=3
5.2创建业务实体 ## 如出错，查看LOG（vi /etc/keystone/keystone.conf）
# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | f41a28a082fc408c8648d385822103e6 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
5.3创建API端点
# openstack endpoint create --region RegionOne identity public http://controller1:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | bbf5d984ed76415ba2ce2821bc8ed250 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f41a28a082fc408c8648d385822103e6 |
| service_name | keystone |
| service_type | identity |
| url | http://controller1:5000/v2.0 |
+--------------+----------------------------------+
# openstack endpoint create --region RegionOne identity internal http://controller1:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | b5fb1bde51974e89835840a695042c29 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f41a28a082fc408c8648d385822103e6 |
| service_name | keystone |
| service_type | identity |
| url | http://controller1:5000/v2.0 |
+--------------+----------------------------------+
# openstack endpoint create --region RegionOne identity admin http://controller1:35357/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | d5d821b16b02482f9c66027da27be217 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | f41a28a082fc408c8648d385822103e6 |
| service_name | keystone |
| service_type | identity |
| url | http://controller1:35357/v2.0 |
+--------------+----------------------------------+
6.1创建域(默认domains)
6.2创建项目(project/tenants)
# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | default |
| enabled | True |
| id | c4d6ba1cb9424cbcaa32e6b9daeb4a19 |
| is_domain | False |
| name | admin |
| parent_id | None |
+-------------+----------------------------------+
6.3创建管理员用户
# openstack user create --domain default --password-prompt admin
User Password:admin
Repeat User Password:admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | f04f9a6391ce4bb3840bc1dfa1181583 |
| name | admin |
+-----------+----------------------------------+
6.4创建管理员角色
# openstack role create admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | c778dd4b4c864c3685db4d4feb0acd52 |
| name| admin |
+-------+----------------------------------+
6.5添加角色到项目和管理员用户
# openstack role add --project admin --user admin admin
7.1创建服务项目
# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 78b459d13b3041a6b06fd0b961bc26f1 |
| is_domain | False |
| name | service |
| parent_id | None |
+-------------+----------------------------------+
8.1创建非管理员项目(demo)
# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 77bbdcc40d8e4cd5abc08fb15585cb4e |
| is_domain | False |
| name | demo |
| parent_id | None |
+-------------+----------------------------------+
8.2创建非管理员用户
# openstack user create --domain default --password-prompt demo
User Password:demo
Repeat User Password:demo
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | de2f5efaee794b51b50c602cc9914742 |
| name | demo |
+-----------+----------------------------------+
8.3创建非管理员角色
# openstack role create user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | e9e4bbf1608c4cd3b4fcde2575a5ded3 |
| name| user |
+-------+----------------------------------+
8.4添加角色到项目和非管理员用户
# openstack role add --project demo --user demo user
9.1验证,取消环境变量
# unset OS_TOKEN OS_URL
9.2安全配置,从以下每个pipeline中移除admin_token_auth
# vi /usr/share/keystone/keystone-dist-paste.ini
# NOTE(review): as printed, all three pipelines still contain admin_token_auth.
# Delete that token from each of the three pipeline lines to complete this step;
# until it is removed, the bootstrap admin_token from keystone.conf remains usable.
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension user_crud_extension public_service
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension crud_extension admin_service
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension simple_cert_extension revoke_extension federation_extension oauth1_extension endpoint_filter_extension service_v3
9.3使用管理员用户请求一个令牌
# openstack --os-auth-url http://controller1:35357/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name admin --os-username admin --os-auth-type password \
token issue
Password: admin
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-07-11T06:46:59.482835Z |
| id | 0139a994069a44b28030f0e1ad877eab |
| project_id | c4d6ba1cb9424cbcaa32e6b9daeb4a19 |
| user_id | f04f9a6391ce4bb3840bc1dfa1181583 |
+------------+----------------------------------+
9.4使用一般用户请求一个令牌
# openstack --os-auth-url http://controller1:5000/v3 \
--os-project-domain-id default --os-user-domain-id default \
--os-project-name demo --os-username demo --os-auth-type password \
token issue
Password: demo
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-07-11T06:49:35.051544Z |
| id | b265f81e99674727ab5d3ef270f105bc |
| project_id | 77bbdcc40d8e4cd5abc08fb15585cb4e |
| user_id | de2f5efaee794b51b50c602cc9914742 |
+------------+----------------------------------+
10.1配置客户端环境脚本
# vi ~/admin-openrc.sh
# admin-openrc.sh: source this file to use the OpenStack CLI as the admin user
# against the Keystone v3 admin endpoint.
# OS_PASSWORD is stored in cleartext here, so restrict the file (chmod 600) and keep it
# out of shared directories and version control.
export OS_PROJECT_DOMAIN_ID='default' OS_USER_DOMAIN_ID='default'
export OS_PROJECT_NAME='admin' OS_TENANT_NAME='admin'
export OS_USERNAME='admin' OS_PASSWORD='admin'
export OS_AUTH_URL='http://controller1:35357/v3'
export OS_IDENTITY_API_VERSION='3'
# vi ~/demo-openrc.sh
# demo-openrc.sh: source this file to use the OpenStack CLI as the non-admin demo user
# against the Keystone v3 public endpoint.
# OS_PASSWORD is stored in cleartext here, so restrict the file (chmod 600) and keep it
# out of shared directories and version control.
export OS_PROJECT_DOMAIN_ID='default' OS_USER_DOMAIN_ID='default'
export OS_PROJECT_NAME='demo' OS_TENANT_NAME='demo'
export OS_USERNAME='demo' OS_PASSWORD='demo'
export OS_AUTH_URL='http://controller1:5000/v3'
export OS_IDENTITY_API_VERSION='3'
10.2使用脚本并验证
# source admin-openrc.sh
# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-07-11T07:35:18.783300Z |
| id | e44e5283e4a94280b73094e7d520031e |
| project_id | c4d6ba1cb9424cbcaa32e6b9daeb4a19 |
| user_id | f04f9a6391ce4bb3840bc1dfa1181583 |
+------------+----------------------------------+