|
|
keystone在openstack中充当认证作用
用户与认证:用户权限和用户行为跟踪
服务目录:提供一个服务目录,包括所有服务项和API端点
1、安装keystone
yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached -y
[root@controller ~]# systemctl enable memcached.service
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@controller ~]# systemctl start memcached.service
2、配置keystone配置文件
[root@controller keystone]# grep -n "^[a-Z]" /etc/keystone/keystone.conf
12:admin_token = ADMIN
107:verbose = true
495:connection = mysql://keystone:keystone@172.16.80.130/keystone
1313:servers = 172.16.80.130:11211
1718:driver = sql
1911:provider = uuid
1916:driver = memcache
3、导入数据库
[root@controller keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone
4、检查导入结果
[root@controller keystone]# mysql -e 'use keystone;show tables;'
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| mapping |
| migrate_version |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+ 5、配置keystone的http服务
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller
[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl start httpd.service 6、注册keystone api服务,创建project.user,role
[root@controller ~]# export OS_TOKEN=ADMIN
[root@controller ~]# export OS_URL=http://172.16.80.130:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | a5c2ef28a5d5402195e761761f438b15 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
分别创建三种类型的endpoint,分别为public:对外可见,internal内部使用,admin管理使用
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://172.16.80.130:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 0c199cc25852452d8b4a428edd4af515 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone |
| service_type | identity |
| url | http://172.16.80.130:5000/v2.0 |
+--------------+----------------------------------+
[root@controller ~]#
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://172.16.80.130:5000/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 09a1cd321fd64049980096e7a940f6f8 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone |
| service_type | identity |
| url | http://172.16.80.130:5000/v2.0 |
+--------------+----------------------------------+
[root@controller ~]#
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://172.16.80.130:35357/v2.0
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1b875e33729a4ea4aa9f1e3f5d28bfd1 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone |
| service_type | identity |
| url | http://172.16.80.130:35357/v2.0 |
+--------------+----------------------------------+
7、创建admin项目
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | default |
| enabled | True |
| id | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| is_domain | False |
| name | admin |
| parent_id | None |
+-------------+----------------------------------+
[root@controller ~]#
[root@controller ~]# openstack user create --domain default --password-prompt admin
User Password: 密码设定为123456
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | d1ea9577f35247a794f92598fbb6cd00 |
| name | admin |
+-----------+----------------------------------+
[root@controller ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 0e98eecac3e94b22a51404a79848bdb7 |
| name | admin |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project admin --user admin admin 8、创建一个普通用户demo,demo项目,角色为普通用户(uesr)
[root@controller ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 3653ec22551f472b94e9438bcd9097bf |
| is_domain | False |
| name | demo |
| parent_id | None |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password=demo demo
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | da1ed7fb5f494091a633afd6da29f900 |
| name | demo |
+-----------+----------------------------------+
[root@controller ~]# openstack role create user
+-------+----------------------------------+
| Field | Value |
+-------+----------------------------------+
| id | 770c40490791437d97481465f8dd7251 |
| name | user |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project demo --user demo user
创建项目service
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 38e8f9eb1cb44d428f589703e663d995 |
| is_domain | False |
| name | service |
| parent_id | None |
+-------------+----------------------------------+
9、验证相关
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| d1ea9577f35247a794f92598fbb6cd00 | admin |
| da1ed7fb5f494091a633afd6da29f900 | demo |
+----------------------------------+-------+
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 3653ec22551f472b94e9438bcd9097bf | demo |
| 38e8f9eb1cb44d428f589703e663d995 | service |
| 8a3b7f9f1b2c4f7eaf7780d268e672d1 | admin |
+----------------------------------+---------+
[root@controller ~]# openstack role list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 0e98eecac3e94b22a51404a79848bdb7 | admin |
| 770c40490791437d97481465f8dd7251 | user |
+----------------------------------+-------+
[root@controller ~]#
[root@controller ~]#
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| 09a1cd321fd64049980096e7a940f6f8 | RegionOne | keystone | identity | True | internal | http://172.16.80.130:5000/v2.0 |
| 0c199cc25852452d8b4a428edd4af515 | RegionOne | keystone | identity | True | public | http://172.16.80.130:5000/v2.0 |
| 1b875e33729a4ea4aa9f1e3f5d28bfd1 | RegionOne | keystone | identity | True | admin | http://172.16.80.130:35357/v2.0 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
[root@controller ~]#
[root@controller ~]#
[root@controller ~]# unset OS_TOKEN
[root@controller ~]# unset OS_URL
[root@controller ~]# openstack --os-auth-url http://172.16.80.130:35357/v3 \
> --os-project-domain-id default --os-user-domain-id default \
> --os-project-name admin --os-username admin --os-auth-type password \
> token issue
Password:
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-10-29T17:53:21.237891Z |
| id | 1d3fc859a41848a7a4af688e3f9efcd0 |
| project_id | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| user_id | d1ea9577f35247a794f92598fbb6cd00 |
+------------+----------------------------------+
10、创建环境变量
[root@controller ~]# cat admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://172.16.80.130:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]#
[root@controller ~]# cat demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://172.16.80.130:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]#
[root@controller ~]# source admin-openrc.sh
[root@controller ~]#
[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-10-29T18:00:54.127266Z |
| id | 2e9bfe2f30b941e391a987784ad31daf |
| project_id | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| user_id | d1ea9577f35247a794f92598fbb6cd00 |
+------------+----------------------------------+
[root@controller ~]#
[root@controller ~]#
[root@controller ~]# source demo-openrc.sh
[root@controller ~]#
[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field | Value |
+------------+----------------------------------+
| expires | 2016-10-29T18:01:05.293502Z |
| id | f2b7f727e4d74aa88a315012f6f7d1f0 |
| project_id | 3653ec22551f472b94e9438bcd9097bf |
| user_id | da1ed7fb5f494091a633afd6da29f900 |
+------------+----------------------------------+ |
|
|
QQ群⑧:
窥视卡
雷达卡
发表于 2018-5-31 13:15:59
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
显身卡