Installing multi-node OpenStack on CentOS 6.6 (part 2 of 6)

III. Configure the Identity Service

0. The OpenStack Identity service provides the following functions:
   User management: manages users and their permissions and tracks user activity.
   Service catalog: provides a catalog of OpenStack services, including service entries and API endpoints.
OpenStack uses Keystone as its Identity service. It only needs to be configured on the controller node; the OpenStack services on the other nodes simply register with the Identity service on the controller.

1. Install the Identity Service

(1) Install keystone and python-keystoneclient:
# yum install openstack-keystone python-keystoneclient

(2) Configure the database connection. The Identity service stores its data in a database, and the location of that database must be set in the keystone configuration file. Here we use the MySQL database on the controller node, with database user keystone and password 123456.
# openstack-config --set /etc/keystone/keystone.conf database connection mysql://keystone:123456@controller/keystone

(3) Create the database user keystone with password 123456.
# mysql -u root -p
Enter password:    # enter the MySQL root password, 123456
mysql> CREATE DATABASE keystone;
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
mysql> exit

(4) Create the database tables for the Identity service:
# su -s /bin/sh -c "keystone-manage db_sync" keystone

(5) Define an authorization token to serve as the shared secret used between the Identity service and the other OpenStack services. Generate a random token with openssl and store it in the configuration file.
# ADMIN_TOKEN=$(openssl rand -hex 10)
# echo $ADMIN_TOKEN
1d15ab04f8e9d1c74fab    # the random token produced by openssl; it is needed again later!
In my run it was 65a909e47b3b8a9275c6.
# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token $ADMIN_TOKEN

(6) Keystone uses PKI tokens by default, so the signing key and certificate must be created and their permissions restricted.
# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
Generating RSA private key, 2048 bit long modulus
.....................................+++
..................................................+++
e is 65537 (0x10001)
Generating RSA private key, 2048 bit long modulus
..................+++
..................................................................+++
e is 65537 (0x10001)
Using configuration from /etc/keystone/ssl/certs/openssl.conf
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName           :PRINTABLE:'US'
stateOrProvinceName   :ASN.1 12:'Unset'
localityName          :ASN.1 12:'Unset'
organizationName      :ASN.1 12:'Unset'
commonName            :ASN.1 12:'www.example.com'
Certificate is to be certified until Mar 29 01:34:56 2025 GMT (3650 days)

Write out database with 1 new entries
Data Base Updated
# chown -R keystone:keystone /etc/keystone/ssl
# chmod -R o-rwx /etc/keystone/ssl

(7) Start the Identity service and configure it to start at boot.
# service openstack-keystone start
Starting keystone:
# chkconfig openstack-keystone on

(8) (Optional) Create a cron job that periodically purges expired tokens.
# (crontab -l -u keystone 2>&1 | grep -q token_flush) || echo '@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1' >> /var/spool/cron/keystone
Check the cron entry:
# crontab -l -u keystone
@hourly /usr/bin/keystone-manage token_flush >/var/log/keystone/keystone-tokenflush.log 2>&1

2. Create the admin user

(1) Set the environment variables.
# export OS_SERVICE_TOKEN=1d15ab04f8e9d1c74fab
1d15ab04f8e9d1c74fab is the random token generated earlier with openssl rand -hex 10.
# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

(2) Create the admin user with password 123456 and e-mail address admin@localhost.
# keystone user-create --name=admin --pass=123456 --email=admin@localhost

(3) Create the admin role:
# keystone role-create --name=admin

(4) Create the admin tenant:
# keystone tenant-create --name=admin --description="Admin Tenant"

(5) Link the admin user, the admin role and the admin tenant:
# keystone user-role-add --user=admin --tenant=admin --role=admin

(6) Link the admin user, the _member_ role and the admin tenant:
# keystone user-role-add --user=admin --role=_member_ --tenant=admin

3. Create the regular user demo

(1) Create the regular user demo with password 123456 and e-mail address demo@localhost.
# keystone user-create --name=demo --pass=123456 --email=demo@localhost

(2) Create the demo tenant:
# keystone tenant-create --name=demo --description="Demo Tenant"

(3) Link the demo user, the _member_ role and the demo tenant:
# keystone user-role-add --user=demo --role=_member_ --tenant=demo

4. Create the service tenant

# keystone tenant-create --name=service --description="Service Tenant"
This tenant is used when installing and configuring the other OpenStack services.

5. Define the service and its API endpoints

(1) Create the service entry for the Identity service:
# keystone service-create --name=keystone --type=identity --description="OpenStack Identity"

(2) Specify the API endpoint for the Identity service:
# keystone endpoint-create --service-id=$(keystone service-list | awk '/ identity / {print $2}') --publicurl=http://controller:5000/v2.0 --internalurl=http://controller:5000/v2.0 --adminurl=http://controller:35357/v2.0

6. Verify the Identity service installation

(1) Unset the environment variables OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT:
# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT

(2) Request an authentication token as the admin user (password 123456):
# keystone --os-username=admin --os-password=123456 --os-auth-url=http://controller:35357/v2.0 token-get
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| expires  | 2015-04-01T03:46:32Z             |
| id       | (PKI token omitted)              |
| user_id  | f21d650d4abd466eba10cd2660cea402 |
+----------+----------------------------------+

(3) Request a token scoped to a tenant to verify that authorization works (admin password 123456):
# keystone --os-username=admin --os-password=123456 --os-tenant-name=admin --os-auth-url=http://controller:35357/v2.0 token-get
+-----------+----------------------------------+
| Property  | Value                            |
+-----------+----------------------------------+
| expires   | 2015-04-01T03:50:14Z             |
| id        | (PKI token omitted)              |
| tenant_id | 01d4a787cfb34df2be5ff29ab0b181e3 |
| user_id   | f21d650d4abd466eba10cd2660cea402 |
+-----------+----------------------------------+

(4) Create an OpenStack RC file that sets the environment variables (admin password 123456):
# vi admin-openrc.sh
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_TENANT_NAME=admin
export OS_AUTH_URL=http://controller:35357/v2.0

(5) Load the environment variables:
# source admin-openrc.sh

(6) Verify the environment variables:
# keystone token-get
+-----------+----------------------------------+
| Property  | Value                            |
+-----------+----------------------------------+
| expires   | 2015-04-01T03:56:13Z             |
| id        | (PKI token omitted)              |
| tenant_id | 01d4a787cfb34df2be5ff29ab0b181e3 |
| user_id   | f21d650d4abd466eba10cd2660cea402 |
+-----------+----------------------------------+

(7) Verify that the admin user is allowed to run administrative commands:
# keystone user-list
# keystone user-role-list --user admin --tenant admin
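The id returned by token-get in section 6 is a PKI token: a CMS SignedData structure, base64-encoded with '/' replaced by '-', whose signed content is the JSON access blob (issued_at, expires, user, roles, service catalog). Only the signature needs the certificate written by pki_setup; the payload itself is readable by anyone who holds the token, which is why tokens are bearer credentials and why the token_flush job matters. The following Python example, added here and not part of the original post or of Keystone, walks the DER structure to extract that payload; the sample token it parses is constructed in the code (labelled as such) to mirror the first token-get output above, with an empty signerInfos in place of a real RSA signature.

```python
"""Read the claims inside a Keystone v2 PKI token (CMS SignedData, base64 with
'/' replaced by '-'). Added example, not code from the post or from Keystone;
the sample token is constructed here with an empty signerInfos SET."""
import base64
import json

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1
SHA1 = bytes.fromhex("2b0e03021a")                     # 1.3.14.3.2.26

def der(tag, body):
    """Encode one DER TLV; long length form once body exceeds 127 bytes."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + body

def tlv(buf, pos, want):
    """Return (value_start, value_end) of the TLV at pos after checking its tag."""
    if buf[pos] != want:
        raise ValueError("expected tag 0x%02x at offset %d" % (want, pos))
    first, hdr = buf[pos + 1], 2
    if first >= 0x80:                      # long form: next (first & 0x7f) bytes hold the length
        hdr += first & 0x7F
        first = int.from_bytes(buf[pos + 2:pos + hdr], "big")
    return pos + hdr, pos + hdr + first

def pki_token_payload(token):
    """Walk ContentInfo -> SignedData -> encapContentInfo -> eContent and return
    the JSON. No signature check: anyone holding the token can read this part."""
    blob = base64.b64decode(token.replace("-", "/"))
    p, _ = tlv(blob, 0, 0x30)                        # ContentInfo SEQUENCE
    s, p = tlv(blob, p, 0x06)                        # contentType OID
    if blob[s:p] != OID_SIGNED_DATA:
        raise ValueError("not a CMS SignedData token")
    p, _ = tlv(blob, p, 0xA0)                        # [0] EXPLICIT
    p, _ = tlv(blob, p, 0x30)                        # SignedData SEQUENCE
    _, p = tlv(blob, p, 0x02)                        # skip version INTEGER
    _, p = tlv(blob, p, 0x31)                        # skip digestAlgorithms SET
    p, _ = tlv(blob, p, 0x30)                        # encapContentInfo SEQUENCE
    s, p = tlv(blob, p, 0x06)                        # eContentType OID
    if blob[s:p] != OID_DATA:
        raise ValueError("unexpected eContentType")
    p, _ = tlv(blob, p, 0xA0)                        # [0] EXPLICIT
    s, e = tlv(blob, p, 0x04)                        # eContent OCTET STRING
    return json.loads(blob[s:e])

def build_sample_token(payload):
    """Constructed sample with Keystone's CMS layout; the empty signerInfos SET
    stands in for the RSA-SHA1 signature so this runs without the signing key."""
    econtent = der(0x30, der(0x06, OID_DATA) + der(0xA0, der(0x04, json.dumps(payload).encode())))
    signed = der(0x30, der(0x02, b"\x01") + der(0x31, der(0x30, der(0x06, SHA1))) + econtent + der(0x31, b""))
    cms = der(0x30, der(0x06, OID_SIGNED_DATA) + der(0xA0, signed))
    return base64.b64encode(cms).decode().replace("/", "-")

# Constructed to mirror the first token-get output in the post (same user_id and expiry).
SAMPLE_PAYLOAD = {"access": {
    "token": {"issued_at": "2015-04-01T02:46:32.705921", "expires": "2015-04-01T03:46:32Z", "id": "placeholder"},
    "serviceCatalog": [], "metadata": {"is_admin": 0, "roles": []},
    "user": {"username": "admin", "id": "f21d650d4abd466eba10cd2660cea402", "roles": [], "name": "admin"}}}
```

Verifying the signature is a separate step (keystoneclient shells out to openssl cms -verify with the signing certificate and CA produced by pki_setup); this parser deliberately stops at the payload to show what a token leaks to whoever holds it.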