|
|
【N版】openstack——认证服务keystone
一.keystone介绍
1.1keystone
Keystone(OpenStack Identity Service)是 OpenStack 框架中负责管理身份验证、服务规则和服务令牌功能的模块。用户访问资源需要验证用户的身份与权限,服务执行操作也需要进行权限检测,这些都需要通过 Keystone 来处理。
用户认证:用户权限与用户行为跟踪
服务目录:提供一个服务目录,包括所有服务项与相关API的端点
主要涉及如下概念:
User: 用户
Project:项目(老版本中tenant:租户)
Token: 令牌
Role: 角色
1.2keystone配置
1.2.1创建库及用户
注:在这里为了方便,提前把之后要创建的库,以及用户和授权,都做好
[iyunv@linux-node1 ~]# mysql -uroot –p <- 登陆数据库 ->
MariaDB [(none)]> create database keystone; <- 创建keystone库 ->
MariaDB [(none)]> grant all privileges on keystone.*to keystone@'localhost' identified by 'keystone'; <- 创建keystone用户 ->
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on keystone.*to keystone@'%' identified by 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database glance; <- 创建glance库 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on glance.* toglance@'localhost' identified by 'glance';
Query OK, 0 rows affected (0.00 sec) <- 创建glance用户 ->
MariaDB [(none)]> grant all privileges on glance.* toglance@'%' identified by 'glance';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database nova; <- 创建nova库 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova.* tonova@'%' identified by 'nova';
Query OK, 0 rows affected (0.00 sec) <- 创建nova用户 ->
MariaDB [(none)]> grant all privileges on nova.* tonova@'localhost' identified by 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database nova_api; <- 创建nova_api库 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova_api.*to 'nova'@'localhost' identified by 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova_api.*to 'nova'@'%' identified by 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database neutron; <- 创建neutron库 ->
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> grant all privileges on neutron.*to 'neutron'@'%' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec) <- 创建neutron用户 ->
MariaDB [(none)]> grant all privileges on neutron.*to 'neutron'@'localhost' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database cinder; <- 创建cinder库 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on cinder.* to'cinder'@'localhost' identified by 'cinder'; <- 创建cinder用户 ->
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on cinder.* to'cinder'@'%' identified by 'cinder';
Query OK, 0 rows affected (0.00 sec)
1.2.2keystone配置文件
[iyunv@linux-node1 ~]# vim/etc/keystone/keystone.conf <- 编辑配置文件 ->
613 [database] <- 数据库设置->
640 connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
1458 [memcache] <- memcache设置 ->
1472 servers = 192.168.56.11:11211 <- memcache服务地址 ->
2655 provider = fernet <- 配置令牌 ->
2665 driver = memcache <- 选择driver为memcache默认是sql ->
[iyunv@linux-node1 ~]# grep '^[a-z]'/etc/keystone/keystone.conf <- 检查 ->
connection =mysql+pymysql://keystone:keystone@192.168.56.11/keystone
servers = 192.168.56.11:11211
provider = fernet
driver = memcache
1.2.3数据库,memcache配置
[iyunv@linux-node1 ~]# su -s /bin/sh -c"keystone-manage db_sync" keystone
<- 初始化数据库 ->
[iyunv@linux-node1 ~]# mysql -h 192.168.56.11-ukeystone -pkeystone -e "use keystone;show tables;" <- 检查表是否导入成功 ->
[iyunv@linux-node1 ~]# vim/etc/sysconfig/memcached <- 修改memcache配置文件 ->
OPTIONS="-l 192.168.56.11,::1"
[iyunv@linux-node1 ~]# systemctl restartmemcached <- 重启memcache ->
[iyunv@linux-node1 ~]# cd /etc/keystone/
[iyunv@linux-node1 keystone]# keystone-managefernet_setup --keystone-user keystone --keystone-group keystone <- 初始化fernet key ->
[iyunv@linux-node1 keystone]# keystone-managecredential_setup --keystone-user keystone --keystone-group keystone <- 初始化fernet key ->
[iyunv@linux-node1 keystone]# keystone-manage bootstrap--bootstrap-password admin \ <- 引导身份服务 ->
--bootstrap-admin-urlhttp://192.168.56.11:35357/v3/ \
--bootstrap-internal-urlhttp://192.168.56.11:35357/v3/ \
--bootstrap-public-urlhttp://192.168.56.11:5000/v3/ \
--bootstrap-region-id RegionOne
1.2.4配置apache服务
[iyunv@linux-node1 keystone]# vim/etc/httpd/conf/httpd.conf <- 编辑配置文件 ->
95 ServerName 192.168.56.11:80
[iyunv@linux-node1 ~]# ln -s/usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ <- 软连接配置文件 ->
[iyunv@linux-node1 ~]# systemctl enablehttpd.service <- 启动apache ->
[iyunv@linux-node1 ~]# systemctl start httpd.service
[iyunv@linux-node1 ~]# exportOS_USERNAME=admin <- 配置环境变量 ->
[iyunv@linux-node1 ~]# exportOS_PASSWORD=admin
[iyunv@linux-node1 ~]# exportOS_PROJECT_NAME=admin
[iyunv@linux-node1 ~]# exportOS_USER_DOMAIN_NAME=Default
[iyunv@linux-node1 ~]# exportOS_PROJECT_DOMAIN_NAME=Default
[iyunv@linux-node1 ~]# exportOS_AUTH_URL=http://192.168.56.11:35357/v3
[iyunv@linux-node1 ~]# exportOS_IDENTITY_API_VERSION=3
[iyunv@linux-node1 ~]# openstack user list <- 查看用户列表 ->
[iyunv@linux-node1 ~]# openstack role list <- 查看角色列表 ->
[iyunv@linux-node1 ~]# openstack project list <- 查看项目列表 ->
[iyunv@linux-node1 ~]# openstack endpointlist <- 查看端点列表 ->
1.2.5创建项目
[iyunv@linux-node1 ~]# openstack project create --domaindefault --description "Service Project" service <- 创建服务项目 ->
[iyunv@linux-node1 ~]# openstack project list <- 查看是否创建成功 ->
[iyunv@linux-node1 ~]# openstack project create --domaindefault --description "Demo Project" demo <- 创建demo项目 ->
[iyunv@linux-node1 ~]# openstack project list <- 查看是否创建成功 ->
[iyunv@linux-node1 ~]# openstack user create --domaindefault --password-prompt demo
User Password:demo
Repeat User Password:demo <- 创建demo用户,密码:demo ->
[iyunv@linux-node1 ~]# openstack user list <- 查看是否创建成功 ->
[iyunv@linux-node1 ~]# openstack role create user <- 创建user角色 ->
[iyunv@linux-node1 ~]# openstack role list <- 查看是否创建成功 ->
[iyunv@linux-node1 ~]# openstack role add --project demo--user demo user
<- 将demo用户加入到demo项目并且赋予user角色->
注:为了方便,以下操作将之后要用到的所有用户都创建好
[iyunv@linux-node1 ~]# openstack user create --domaindefault --password-prompt glance <- 创建glance用户,密码:glance ->
User Password:glance
[iyunv@linux-node1 ~]# openstack role add --projectservice --user glance admin
<- 将glance用户加入到service项目并且赋予admin角色->
[iyunv@linux-node1 ~]# openstack user create --domaindefault --password-prompt nova <- 创建nova用户,密码:nova ->
User Password:nova
[iyunv@linux-node1 ~]# openstack role add --projectservice --user nova admin
<- 将glance用户加入到service项目并且赋予admin角色->
[iyunv@linux-node1 ~]# openstack user create --domaindefault --password-prompt neutron <- 创建neutron用户,密码:neutron ->
User Password: neutron
[iyunv@linux-node1 ~]# openstack role add --projectservice --user neutron admin
<- 将glance用户加入到service项目并且赋予admin角色->
[iyunv@linux-node1 ~]# openstack user create --domaindefault --password-prompt cinder <- 创建cinder用户,密码:cinder ->
User Password:cinder
[iyunv@linux-node1 ~]# openstack role add --projectservice --user cinder admin
<- 将glance用户加入到service项目并且赋予admin角色->
1.3验证keystone
1.3.1验证用户
[iyunv@linux-node1 ~]# unset OS_AUTH_URL OS_PASSWORD <- 取消之前的环境变量 ->
[iyunv@linux-node1~]# openstack \
--os-auth-urlhttp://192.168.56.11:35357/v3 \
--os-project-domain-namedefault \
--os-user-domain-namedefault \
--os-project-nameadmin \
--os-usernameadmin token issue
<-验证admin用户,提示密码时输入admin出来如下界面证明admin用户没问题 ->
[iyunv@linux-node1keystone]# openstack \
--os-auth-urlhttp://192.168.56.11:35357/v3 \
--os-project-domain-namedefault \
--os-user-domain-namedefault \
--os-project-namedemo \
--os-usernamedemo token issue
<-验证demo用户,提示密码时输入demo出来如下界面证明demo用户没问题 ->
1.3.2创建环境变量脚本
[iyunv@linux-node1 ~]# vim admin-openstack <- admin环境变量 ->
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[iyunv@linux-node1 ~]# vim demo-openstack <- demo环境变量 ->
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[iyunv@linux-node1 ~]# source admin-openstack <- source环境变量 ->
[iyunv@linux-node1 ~]# source demo-openstack
1.4Keystone常见错误
401 #验证失败,keystone相关用户账户密码设置错误,时间不同步,或者输入的项目名称不对
403 #可能未初始化OS_token变量,需要使用source命令使其生效,也可能是配置的配置文件未生效,需要重启相关服务
409 #keystone创建用户,用户已存在
500 #服务器内部错误,服务配置有问题,看日志,检查配置
503 #keystone相关账户密码设置有问题,请将相关的glance账户删除,重新创建即可
服务故障 #相关服务没有起来
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2016-12-30 09:59:43
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡