1. 前言
在生产环境中,使用openstack已经有1年多的时间了,苦于一直没有时间,加上工作带来的懒惰,一直迟迟没有对openstack方面的知识做个总结,趁着年底,把过去一年多在生产环境中所遇到的一些常见运维操作做个总结。需要说明的是,相关的操作,基本都建立在openstack的官方文档和帮助,所以最好的方式莫过于看官方文档,此处只作为抛砖引玉之用,望须知。
2. 关于keystone
keystone是openstack中负责认证授权的服务,主要负责两方面的工作:1. 用户认证授权,2.目录catalog服务。总体而言,keystone承担着openstack中的注册表服务,即所有的用户都需要到keystone中注册其信息,所有openstack的服务,都需要将其catalog信息注册到keystone,以方便组件之间相互调用。
3. keystone开放用户
openstack中最小的资源单位集合是租户,即tenant,tenant是一系列资源的集合,包括计算资源,网络资源和存储资源,tenant一般来说是指公司,部门,或者个人,比如某个公司去申请阿里云,某个部门申请使用内部的openstack私有云资源等等,作为openstack云管理员,为用户开放访问权限,是一项基本的工作。此外tenant会得到一个默认计算的quota,存储的quota以及网络的quota,关于quota的调整,参考后续的博客。如下为创建user的过程,主要分为三个阶段:1.用户创建,2. 租户创建,3. 将用户加入到租户和角色
3.1 创建用户
[root@controller ~]# keystone user-create --name user1 --pass password --email user1@example.com --enabled true
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | user1@example.com |
| enabled | True |
| id | ce398fc13d224c63b9d90b3cc2b6d464 | #用户的id号
| name | user1 |
| username | user1 |
+----------+----------------------------------+
查看用户列表:
[root@controller ~]# keystone user-list
+----------------------------------+---------+---------+---------------------+
| id | name | enabled | email |
+----------------------------------+---------+---------+---------------------+
| bc5e46fc4204497185ae3ca6f8b7affb | admin | True | admin@example.com |
| ac86694e3053492f921e19aca9c9d646 | cinder | True | cinder@example.com |
| 0ed4f1c5af2a496a8d56e256d966ef9d | demo | True | demo@example.com |
| 0922aae9b7bf4f80a7811fd0c7db49c6 | glance | True | glance@example.com |
| 053262aa44ce430d91465417f045cead | neutron | True | neutron@example.com |
| b709f56c61114ce78768b34d76d5af90 | nova | True | nova@example.com |
| ce398fc13d224c63b9d90b3cc2b6d464 | user1 | True | user1@example.com | #刚创建的user,id号,后续需要使用
+----------------------------------+---------+---------+---------------------+
查看用户具体信息:
[root@controller ~]# keystone user-get ce398fc13d224c63b9d90b3cc2b6d464
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | user1@example.com |
| enabled | True |
| id | ce398fc13d224c63b9d90b3cc2b6d464 |
| name | user1 |
| username | user1 |
+----------+----------------------------------+ 小结: 用户管理相关操作包括:user-create,user-delete,user-update,user-list,user-get即增删改查,以及user-password-update修改用户密码等操作,其他的操作如tenant,role,service和endpoint相类似,举一反三。
3.2 创建租户
[root@controller ~]# keystone tenant-create --name companyA --description "Project For ComputeA" --enabled true
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Project For ComputeA |
| enabled | True |
| id | 7ff1dfb5a6f349958c3a949248e56236 | #tenant的id号,后续使用使用
| name | companyA |
+-------------+----------------------------------+
查看tenant列表:
[root@controller ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id | name | enabled |
+----------------------------------+----------+---------+
| 842ab3268a2c47e6a4b0d8774de805ae | admin | True |
| 7ff1dfb5a6f349958c3a949248e56236 | companyA | True | #刚所创建的tenant
| 10d1465c00d049fab88dec1af0f56b1b | demo | True |
| 3b57a14f7c354a979c9f62b60f31a331 | service | True |
+----------------------------------+----------+---------+
查看tenant的详细信息:
[root@controller ~]# keystone tenant-get 7ff1dfb5a6f349958c3a949248e56236
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | Project For ComputeA |
| enabled | True |
| id | 7ff1dfb5a6f349958c3a949248e56236 |
| name | companyA |
+-------------+----------------------------------+ 3.3 用户与租户角色关联
查看租户的id号
[root@controller ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id | name | enabled |
+----------------------------------+----------+---------+
| 842ab3268a2c47e6a4b0d8774de805ae | admin | True |
| 7ff1dfb5a6f349958c3a949248e56236 | companyA | True | #tenant的id号
| 10d1465c00d049fab88dec1af0f56b1b | demo | True |
| 3b57a14f7c354a979c9f62b60f31a331 | service | True |
+----------------------------------+----------+---------+
查看角色的id号:
[root@controller ~]# keystone role-list
+----------------------------------+----------+
| id | name |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | #_member_角色的id号
| 7b0ceee10fb64960acb2b6f0b9247b4f | admin |
+----------------------------------+----------+
查看用户的id号:
[root@controller ~]# keystone user-role-add --user ce398fc13d224c63b9d90b3cc2b6d464 --role 9fe2ff9ee4384b1894a90878d3e92bab --tenant 7ff1dfb5a6f349958c3a949248e56236
查看用户的关联信息:
[root@controller ~]# keystone user-role-list --user user1 --tenant companyA
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ce398fc13d224c63b9d90b3cc2b6d464 | 7ff1dfb5a6f349958c3a949248e56236 |
+----------------------------------+----------+----------------------------------+----------------------------------+
4. 总结
以上是keystone开放用户的过程,keystone的操作涉及到:user,tenant,role,service和endpoint,每个对象都有相应的增删改查的方法实现,查看keystone的命令即可,如keystone help user-create可以查看到user-create的具体用法。
5. keystone用法附录
[root@controller ~]# keystone -h
usage: keystone [--version] [--timeout <seconds>]
[--os-username <auth-user-name>]
[--os-password <auth-password>]
[--os-tenant-name <auth-tenant-name>]
[--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
[--os-region-name <region-name>]
[--os-identity-api-version <identity-api-version>]
[--os-token <service-token>]
[--os-endpoint <service-endpoint>]
[--os-cacert <ca-certificate>] [--insecure]
[--os-cert <certificate>] [--os-key <key>] [--os-cache]
[--force-new-token] [--stale-duration <seconds>]
<subcommand> ...
Pending deprecation: Command-line interface to the OpenStack Identity API.
This CLI is pending deprecation in favor of python-openstackclient. For a
Python library, continue using python-keystoneclient.
Positional arguments:
<subcommand>
catalog List service catalog, possibly filtered by service.
ec2-credentials-create #兼容于亚马逊的EC2
Create EC2-compatible credentials for user per tenant.
ec2-credentials-delete
Delete EC2-compatible credentials.
ec2-credentials-get
Display EC2-compatible credentials.
ec2-credentials-list
List EC2-compatible credentials for a user. #访问端点endpoint管理
endpoint-create Create a new endpoint associated with a service.
endpoint-delete Delete a service endpoint.
endpoint-get Find endpoint filtered by a specific attribute or
service type.
endpoint-list List configured service endpoints.
password-update Update own password.
role-create Create new role. #角色role的管理
role-delete Delete role.
role-get Display role details.
role-list List all roles.
service-create Add service to Service Catalog. #服务service的管理
service-delete Delete service from Service Catalog.
service-get Display service from Service Catalog.
service-list List all services in Service Catalog.
tenant-create Create new tenant. #租户tenant的管理
tenant-delete Delete tenant.
tenant-get Display tenant details.
tenant-list List all tenants.
tenant-update Update tenant name, description, enabled status.
token-get Display the current user token.
user-create Create new user #用户user的管理
user-delete Delete user.
user-get Display user details.
user-list List users.
user-password-update
Update user password.
user-role-add Add role to user. #用户角色和tenant的管理
user-role-list List roles granted to a user.
user-role-remove Remove role from user.
user-update Update user's name, email, and enabled status.
discover Discover Keystone servers, supported API versions and
extensions.
bootstrap Grants a new role to a new user on a new tenant, after
creating each.
bash-completion Prints all of the commands and options to stdout.
help Display help about this program or one of its
subcommands.
|
QQ群⑧:
YunVN网友
发表于 2018-6-1 11:04:09
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
千斤顶
悔悟卡
匿名卡
显身卡