OpenStack Keystone Installation and Deployment Process


The previous posts covered installing and deploying OpenStack Swift, all of them using the tempauth authentication mode. Today we introduce a new component: Keystone.

 

1. Introduction

  This document describes the Keystone installation and deployment process in detail and gives a few simple usage examples.

  Keystone is an important component of the OpenStack framework. It is responsible for identity authentication, service management, service policies and service tokens, and it implements the OpenStack Identity API. Keystone works like a service bus, or rather like the registry of the whole OpenStack framework: other services register themselves with Keystone, and any call between services must pass Keystone's identity verification before it reaches the target service. Keystone consists of two main parts: authentication and the service catalog.

  The authentication part provides a token-based authentication service built on the following concepts:

  1. Tenant: an organization that uses the services (a tenant can represent a customer, an account, a company, an organization or a project). A tenant must be specified before OpenStack services can be requested. In Swift, a tenant owns a certain amount of storage space and can own several containers; think of it as a company owning one large block of storage.
  2. User: an individual with account information such as a user name, password and e-mail address. A user can request and obtain authorization to access resources. A user holds credentials and can be associated with one or more tenants; after authentication, a separate token is issued for each associated tenant. A user can be assigned different roles in different tenants. Using Swift as the example: the tenant is a company owning a large block of storage, and the user is an employee of that company who, depending on their role, can access part or all of the company's storage; the same employee can also work part-time at other companies and have access to their storage. If a company has only one employee, that employee owns all of the company's storage, and the user then looks much like a user of Kingsoft Kuaipan (a personal cloud-storage service).
  3. Credentials: to issue a token to a user, credentials such as a password or other information are needed to identify that user uniquely.
  4. Token: a token is an arbitrary bit string used to share information with other OpenStack services; with it Keystone provides a central location for verifying users who access OpenStack services. A token can be scoped or unscoped: a scoped token represents a user authenticated for a specific tenant, while an unscoped token represents only a user. Tokens have a limited validity period and can be revoked at any time.
  5. Role: represents a user's operational permissions within a specific tenant. A role is a set of permissions applied to a tenant that allows a given user to access or perform specific operations. Roles are logical groupings of permissions, so that common permissions can be grouped easily and bound to the users associated with a given tenant.

  The Service Catalog part provides a list of REST API service endpoints that clients use to decide where to send requests, built on the following concepts:

  1. Service: an OpenStack service such as Nova, Swift, Glance or Keystone. A service can have one or more endpoints through which users interact with OpenStack services or resources.
  2. Endpoint: a network-accessible address (for example a URL) representing the API entry point of an OpenStack service. Endpoints can also be grouped into templates, each representing a set of available OpenStack services that are available across regions, for example several Swift proxy servers each configured as a different region (regionOne, regionTwo and so on).
  3. Template: a collection of endpoints representing a set of available OpenStack service endpoints.
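The concepts above can be made concrete with a small model. The following Python is an added illustration, not code from the original post or from Keystone itself: an in-memory identity store (the class name IdentityModel and its method names are hypothetical) in which roles are assigned per (user, tenant) pair, authenticating with only a user name and password yields an unscoped token that carries no tenant and no roles, authenticating against a tenant yields a scoped token carrying exactly the roles held in that tenant (and is refused where the user holds none), and tokens expire after the configured lifetime and can be revoked at any time.

```python
# Added illustration (not from the original post): an in-memory model of the Keystone
# concepts (tenant, user, credentials, role, scoped/unscoped token). All names are
# hypothetical; the real Keystone backends are not used.
import hashlib
import hmac
import os
import uuid
from datetime import datetime, timedelta, timezone

PBKDF2_ROUNDS = 100_000  # constructed choice for the demo


class IdentityModel:
    """Stand-in for the identity and token backends (hypothetical)."""

    def __init__(self, token_lifetime_seconds=86400):  # 86400 is keystone.conf's default
        self.tenants = {}      # tenant_id -> tenant name
        self.users = {}        # user_id -> {"name", "salt", "pw_hash"}
        self.roles = {}        # role_id -> role name
        self.assignments = {}  # (user_id, tenant_id) -> set of role_id
        self.tokens = {}       # token_id -> token record
        self.lifetime = timedelta(seconds=token_lifetime_seconds)

    def create_tenant(self, name):
        tenant_id = uuid.uuid4().hex
        self.tenants[tenant_id] = name
        return tenant_id

    def create_user(self, name, password):
        user_id = uuid.uuid4().hex
        salt = os.urandom(16)  # credentials are stored salted and hashed, never in clear
        pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
        self.users[user_id] = {"name": name, "salt": salt, "pw_hash": pw_hash}
        return user_id

    def create_role(self, name):
        role_id = uuid.uuid4().hex
        self.roles[role_id] = name
        return role_id

    def user_role_add(self, user_id, tenant_id, role_id):
        # A role binds a user *within* a tenant, as "keystone user-role-add" does.
        self.assignments.setdefault((user_id, tenant_id), set()).add(role_id)

    def _check_credentials(self, username, password):
        for user_id, rec in self.users.items():
            if rec["name"] != username:
                continue
            candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
            if hmac.compare_digest(candidate, rec["pw_hash"]):
                return user_id
        return None

    def authenticate(self, username, password, tenant_name=None, now=None):
        """Return a token id: unscoped if tenant_name is None, else scoped to that tenant."""
        now = now or datetime.now(timezone.utc)
        user_id = self._check_credentials(username, password)
        if user_id is None:
            raise PermissionError("401 Not Authorized")
        tenant_id, role_names = None, []
        if tenant_name is not None:
            matches = [t for t, n in self.tenants.items() if n == tenant_name]
            role_ids = self.assignments.get((user_id, matches[0]), set()) if matches else set()
            if not role_ids:
                # Unknown tenant, or the user holds no role in it: no scoped token is issued.
                raise PermissionError("401 Not Authorized")
            tenant_id = matches[0]
            role_names = sorted(self.roles[r] for r in role_ids)
        token_id = uuid.uuid4().hex  # UUID token format, as chosen under [signing] below
        self.tokens[token_id] = {"user_id": user_id, "tenant_id": tenant_id, "roles": role_names,
                                 "expires": now + self.lifetime, "revoked": False}
        return token_id

    def validate(self, token_id, now=None):
        """Return the token record if it exists, is unexpired and not revoked; else None."""
        now = now or datetime.now(timezone.utc)
        rec = self.tokens.get(token_id)
        if rec is None or rec["revoked"] or now >= rec["expires"]:
            return None
        return rec

    def revoke(self, token_id):
        if token_id in self.tokens:
            self.tokens[token_id]["revoked"] = True


def demo():
    """Reproduce the post's setup: adminTenant, user admin, role adminRole, bound together."""
    m = IdentityModel()
    t_admin = m.create_tenant("adminTenant")
    t_other = m.create_tenant("otherTenant")  # constructed: a tenant where admin holds no role
    u = m.create_user("admin", "openstack")
    r = m.create_role("adminRole")
    m.user_role_add(u, t_admin, r)
    unscoped = m.authenticate("admin", "openstack")
    scoped = m.authenticate("admin", "openstack", tenant_name="adminTenant")
    return m, unscoped, scoped, t_admin, t_other


if __name__ == "__main__":
    model, unscoped_tok, scoped_tok, _, _ = demo()
    print("unscoped:", model.validate(unscoped_tok))
    print("scoped:  ", model.validate(scoped_tok))
```

A scoped token for adminTenant therefore carries adminRole, while a request scoped to otherTenant, where admin has no assignment, is refused exactly like a wrong password; that is the per-tenant role binding the list above describes, and it is why a service checking a token looks at the roles in the token, not at the user alone.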

2. Installation and Deployment

2.1 Preparing the Environment

Item                 Details
Machine type:        physical PC
Operating system:    Ubuntu-11.10-desktop-64
User type:           root
Database:            sqlite3
IP address:          192.168.3.67

2.2 Version Notes

  If you are on Ubuntu you can also install Keystone directly with apt-get, but this document installs from the latest code on the master branch fetched from git (https://github.com/openstack/keystone). Make sure that the versions of Keystone and python-keystoneclient installed everywhere are consistent; this matters especially when Keystone is integrated with other services such as Swift. The follow-up document "Keystone and Swift (Cluster) Integration Guide" will show why.

2.3 Installing the Software Environment

  First, install the software Keystone needs (make sure the machine can reach the Internet), for example git to fetch the Keystone code and sqlite3 as the local database.

# apt-get install git python-dev sqlite3 libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev

2.4 Installing Keystone

  Fetch the latest Keystone service code from git.

# cd ~

# git clone https://github.com/openstack/keystone.git

  Install Keystone's dependencies and the main program (Keystone is installed into Python's dist-packages).

# cd ~/keystone

# pip install -r tools/pip-requires

# pip install -r tools/test-requires    (this command can be skipped)

# python setup.py install

  The file ~/keystone/tools/pip-requires (contents shown below) lists the dependencies needed to run Keystone; setup.py uses this file to check the dependencies and download and install them automatically. It names python-keystoneclient as a dependency; python-keystoneclient is the local client component used to access Keystone. The versions of python-keystoneclient and Keystone must match, otherwise version compatibility problems can arise; installing python-keystoneclient as a dependency ensures that no such problems occur.

# keystone dependencies

pam>=0.1.4

WebOb==1.2.3

eventlet

greenlet

PasteDeploy

paste

routes

sqlalchemy>=0.7.8,<=0.7.9

sqlalchemy-migrate>=0.7.2

passlib

lxml

iso8601>=0.1.4

python-keystoneclient>=0.2.1,<0.3

oslo.config>=1.1.0

  The file ~/keystone/tools/test-requires (contents shown below) lists the dependencies needed for Keystone development and testing. They are not required to run Keystone, so they can be left uninstalled (that is, skip the command above: pip install -r tools/test-requires).

# Optional backend: SQL

pysqlite

 

# Optional backend: Memcache

python-memcached

 

# Optional backend: LDAP

python-ldap==2.3.13 # authenticate against an existing LDAP server

 

# Testing

coverage # computes code coverage percentages

mox # mock object framework

nose # for test discovery and console feedback

nosexcover

openstack.nose_plugin

nosehtmloutput

pylint # static code analysis

pep8==1.3.3 # checks for PEP8 code style compliance

Sphinx>=1.1.2 # required to build documentation

unittest2 # backport of unittest lib in python 2.7

webtest # test wsgi apps without starting an http server

distribute>=0.6.24

 

# for python-keystoneclient

httplib2 # keystoneclient <0.2.1

requests>=1.0.0 # replaces httplib2 in keystoneclient >=0.2.1

keyring

 

# swift_auth test dependencies

http://tarballs.openstack.org/swift/swift-master.tar.gz#egg=swift

netifaces

 

# For translations processing

Babel

  Note in particular that installing the tools/test-requires dependencies automatically downloads the swift-master.tar.gz package and reinstalls Swift. So if Swift is already installed on the machine, do not run "pip install -r tools/test-requires" (it would overwrite the existing Swift installation).

  If you did accidentally overwrite your Swift installation, don't worry: run the following commands to reinstall it. (This assumes the Swift source is in ~/swift/swift_1.7.6 and the python-swiftclient source in ~/swift/python-swiftclient_1.2.0.)

# cd ~/swift/swift_1.7.6

# python setup.py develop

# cd ~/swift/python-swiftclient_1.2.0

# python setup.py develop

2.5 Configuring Keystone

  Because the code was fetched from git, we have to copy the configuration files from the source tree into the correct system directory ourselves. The configuration files live in ~/keystone/etc; there are four of them: default_catalog.templates, keystone.conf.sample, logging.conf.sample and policy.json. Copy these four files to /etc/keystone and rename them (drop the ".sample" suffix). Pay attention to the annotated comment lines in the configuration below (marked in red in the original post).

# mkdir -p /etc/keystone

# cp ~/keystone/etc/* /etc/keystone/

# mv /etc/keystone/keystone.conf.sample /etc/keystone/keystone.conf

# mv /etc/keystone/logging.conf.sample /etc/keystone/logging.conf

  keystone.conf is the core configuration file, logging.conf is the logging configuration, default_catalog.templates is the catalog template file and policy.json defines the access policy of the Identity service. We need to edit the core configuration file /etc/keystone/keystone.conf.

[DEFAULT]

# A "shared secret" between keystone and other openstack services

# admin_token = ADMIN

# Note this setting: the admin_token parameter is used to access the Keystone service, i.e. it is the Keystone service's own token. The default is ADMIN, but it can be changed to something else. A client can use this token to access Keystone, view information, create other services, and so on.

 

# The IP address of the network interface to listen on

# bind_host = 0.0.0.0

 

# The port number which the public service listens on

# public_port = 5000

# The port on which Keystone's authentication and authorization service listens, usually on the public (external) network, although it can also be internal.

 

# The port number which the public admin listens on

# admin_port = 35357

# The port on which Keystone's authentication/authorization and administration service listens, usually on the internal network. Besides authentication and authorization, users access this port for administrator operations such as creating and deleting Tenants, Users, Roles, Services and Endpoints.

 

# The port number which the OpenStack Compute service listens on

# compute_port = 8774

 

# Path to your policy definition containing identity actions

# TODO(dolph): This config method will probably be deprecated during grizzly

# policy_file = policy.json

 

# Rule to check if no matching policy definition is found

# FIXME(dolph): This should really be defined as [policy] default_rule

# policy_default_rule = admin_required

 

# === Logging Options ===

# Print debugging output

# verbose = False

 

# Print more verbose output

# (includes plaintext request logging, potentially including passwords)

# debug = False

 

# Name of log file to output to. If not set, logging will go to stdout.

# log_file = keystone.log

 

# The directory to keep log files in (will be prepended to --logfile)

# log_dir = /var/log/keystone

 

# Use syslog for logging.

# use_syslog = False

 

# syslog facility to receive log lines

# syslog_log_facility = LOG_USER

 

# If this option is specified, the logging configuration file specified is

# used and overrides any other logging options specified. Please see the

# Python logging module documentation for details on logging configuration

# files.

# log_config = logging.conf

 

# A logging.Formatter log message format string which may use any of the

# available logging.LogRecord attributes.

# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

 

# Format string for %(asctime)s in log records.

# log_date_format = %Y-%m-%d %H:%M:%S

 

# onready allows you to send a notification when the process is ready to serve

# For example, to have it notify using systemd, one could set shell command:

# onready = systemd-notify --ready

# or a module with notify() method:

# onready = keystone.common.systemd

 

[sql]

# The SQLAlchemy connection string used to connect to the database

# connection = sqlite:///keystone.db

# This is the database setting. By default sqlite is used, and the location of the database file is given here: keystone.db means a keystone.db file is created in the home directory to hold the data. Another location can be given instead, for example sqlite:////var/lib/keystone/keystone.db.

# MySQL can also be used, e.g. mysql://root:123456@192.168.3.67/keystone, where 192.168.3.67 is the database address, keystone the database name, root the user name and 123456 the password. MySQL must be installed beforehand, with a database named keystone created and the user name and password set.

 

# the timeout before idle sql connections are reaped

# idle_timeout = 200

 

[identity]

# driver = keystone.identity.backends.sql.Identity

 

[catalog]

# dynamic, sql-based backend (supports API/CLI-based management commands)

# driver = keystone.catalog.backends.sql.Catalog

 

# static, file-based backend (does *NOT* support any management commands)

# driver = keystone.catalog.backends.templated.TemplatedCatalog

 

# template_file = default_catalog.templates

 

[token]

# driver = keystone.token.backends.kvs.Token

 

# Amount of time a token should remain valid (in seconds)

# expiration = 86400

 

[policy]

# driver = keystone.policy.backends.sql.Policy

 

[ec2]

# driver = keystone.contrib.ec2.backends.kvs.Ec2

 

[ssl]

#enable = True

#certfile = /etc/keystone/ssl/certs/keystone.pem

#keyfile = /etc/keystone/ssl/private/keystonekey.pem

#ca_certs = /etc/keystone/ssl/certs/ca.pem

#cert_required = True

 

[signing]

# token_format = PKI

# Pay special attention here: in newer versions the default token format is PKI, which requires setting up PKI signing and is rather cumbersome; it can be changed to UUID for convenience. A UUID is a random string of a few dozen characters.

 

token_format = UUID

#certfile = /etc/keystone/ssl/certs/signing_cert.pem

#keyfile = /etc/keystone/ssl/private/signing_key.pem

#ca_certs = /etc/keystone/ssl/certs/ca.pem

#key_size = 1024

#valid_days = 3650

#ca_password = None

 

[ldap]

# url = ldap://localhost

# user = dc=Manager,dc=example,dc=com

# password = None

# suffix = cn=example,cn=com

# use_dumb_member = False

# allow_subtree_delete = False

# dumb_member = cn=dumb,dc=example,dc=com

 

# user_tree_dn = ou=Users,dc=example,dc=com

# user_filter =

# user_objectclass = inetOrgPerson

# user_id_attribute = cn

# user_name_attribute = sn

# user_mail_attribute = email

# user_pass_attribute = userPassword

# user_enabled_attribute = enabled

# user_enabled_mask = 0

# user_enabled_default = True

# user_attribute_ignore = tenant_id,tenants

# user_allow_create = True

# user_allow_update = True

# user_allow_delete = True

 

# tenant_tree_dn = ou=Groups,dc=example,dc=com

# tenant_filter =

# tenant_objectclass = groupOfNames

# tenant_id_attribute = cn

# tenant_member_attribute = member

# tenant_name_attribute = ou

# tenant_desc_attribute = desc

# tenant_enabled_attribute = enabled

# tenant_attribute_ignore =

# tenant_allow_create = True

# tenant_allow_update = True

# tenant_allow_delete = True

 

# role_tree_dn = ou=Roles,dc=example,dc=com

# role_filter =

# role_objectclass = organizationalRole

# role_id_attribute = cn

# role_name_attribute = ou

# role_member_attribute = roleOccupant

# role_attribute_ignore =

# role_allow_create = True

# role_allow_update = True

# role_allow_delete = True

 

[filter:debug]

paste.filter_factory = keystone.common.wsgi:Debug.factory

 

[filter:token_auth]

paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

 

[filter:admin_token_auth]

paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

 

[filter:xml_body]

paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

 

[filter:json_body]

paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

 

[filter:user_crud_extension]

paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

 

[filter:crud_extension]

paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

 

[filter:ec2_extension]

paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

 

[filter:s3_extension]

paste.filter_factory = keystone.contrib.s3:S3Extension.factory

 

[filter:url_normalize]

paste.filter_factory = keystone.middleware:NormalizingFilter.factory

 

[filter:stats_monitoring]

paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

 

[filter:stats_reporting]

paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

 

[app:public_service]

paste.app_factory = keystone.service:public_app_factory

 

[app:service_v3]

paste.app_factory = keystone.service:v3_app_factory

 

[app:admin_service]

paste.app_factory = keystone.service:admin_app_factory

 

[pipeline:public_api]

pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

 

[pipeline:admin_api]

pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

 

[pipeline:api_v3]

pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3

 

[app:public_version_service]

paste.app_factory = keystone.service:public_version_app_factory

 

[app:admin_version_service]

paste.app_factory = keystone.service:admin_version_app_factory

 

[pipeline:public_version_api]

pipeline = stats_monitoring url_normalize xml_body public_version_service

 

[pipeline:admin_version_api]

pipeline = stats_monitoring url_normalize xml_body admin_version_service

 

[composite:main]

use = egg:Paste#urlmap

/v2.0 = public_api

/v3 = api_v3

/ = public_version_api

 

[composite:admin]

use = egg:Paste#urlmap

/v2.0 = admin_api

/v3 = api_v3

/ = admin_version_api
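As an added example, not from the original post or from the Keystone project, the following Python audits a keystone.conf for the settings discussed in the annotations above: an admin_token left at the sample's default ADMIN, debug = True (which, per the file's own comment, logs plaintext requests including passwords), database credentials embedded in the [sql] connection string, TLS left disabled under [ssl], and a token expiration above the file's default. SAMPLE_CONF is a constructed fragment of the file above with two settings uncommented so that the checks fire, and audit_keystone_conf is a hypothetical helper name; to audit a real deployment, pass it the contents of /etc/keystone/keystone.conf.

```python
# Added example (not from the original post or from Keystone): audit a keystone.conf
# for the weak settings discussed in the annotations. Standard library only.
import configparser
import re

# Constructed sample: defaults from the file above, with debug and the MySQL
# connection string uncommented so that the checks have something to report.
SAMPLE_CONF = """\
[DEFAULT]
# admin_token = ADMIN
# bind_host = 0.0.0.0
# public_port = 5000
# admin_port = 35357
debug = True

[sql]
connection = mysql://root:123456@192.168.3.67/keystone

[token]
# expiration = 86400

[ssl]
#enable = True

[signing]
token_format = UUID
"""

# Matches scheme://user:password@host, i.e. a password embedded in the DSN.
EMBEDDED_PASSWORD = re.compile(r"^[\w+]+://[^/:@]+:[^@]+@")


def audit_keystone_conf(text):
    """Return a list of findings (empty means none of the checked settings is weak)."""
    cp = configparser.ConfigParser(interpolation=None)  # log_format contains %(...)s
    cp.read_string(text)

    def get(section, key, default):
        # Commented-out settings are absent, so the sample's documented default applies.
        return cp.get(section, key, fallback=default)

    findings = []

    # 1. admin_token is a shared secret for every service; unset means the sample default.
    admin_token = get("DEFAULT", "admin_token", "ADMIN")
    if admin_token == "ADMIN" or len(admin_token) < 16:
        findings.append("DEFAULT/admin_token: default or short value; set a long random secret")

    # 2. debug = True logs plaintext requests, including passwords (file's own comment).
    if get("DEFAULT", "debug", "False").strip().lower() == "true":
        findings.append("DEFAULT/debug: True logs plaintext requests including passwords")

    # 3. Database password inside the connection string: the file must be root-only.
    connection = get("sql", "connection", "sqlite:///keystone.db")
    if EMBEDDED_PASSWORD.match(connection):
        findings.append("sql/connection: password embedded in connection string; restrict file permissions")

    # 4. Without TLS, tokens and passwords cross the network in the clear.
    if get("ssl", "enable", "False").strip().lower() != "true":
        findings.append("ssl/enable: TLS disabled on the public and admin ports")

    # 5. Token lifetime longer than the 86400-second default widens the replay window.
    if int(get("token", "expiration", "86400")) > 86400:
        findings.append("token/expiration: longer than the default 86400 seconds")

    return findings


if __name__ == "__main__":
    for finding in audit_keystone_conf(SAMPLE_CONF):
        print(finding)
```

The checks deliberately treat a commented-out setting as the sample's documented default, because that is how Keystone reads the file: leaving "# admin_token = ADMIN" untouched means the service really does accept ADMIN.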

2.6 Viewing the Keystone Help Information

  Run keystone-all --help, keystone-manage --help and keystone --help in a terminal to view Keystone's help output.

  Run keystone-all --help to view the help for the Keystone server program.

# keystone-all --help

usage: keystone-all [-h] [--version] [--debug] [--nodebug] [--verbose]

                    [--noverbose] [--use-syslog] [--nouse-syslog]

                    [--standard-threads] [--nostandard-threads]

                    [--pydev-debug-port PYDEV_DEBUG_PORT] [--config-file PATH]

                    [--log-config PATH] [--log-format FORMAT]

                    [--log-date-format DATE_FORMAT] [--log-file PATH]

                    [--log-dir LOG_DIR]

                    [--syslog-log-facility SYSLOG_LOG_FACILITY]

                    [--pydev-debug-host PYDEV_DEBUG_HOST] [--config-dir DIR]

 

optional arguments:

  -h, --help            show this help message and exit

  --version             show program's version number and exit

  --debug, -d           Print debugging output (set logging level to DEBUG

                        instead of default WARNING level).

  --nodebug             The inverse of --debug

  --verbose, -v         Print more verbose output (set logging level to INFO

                        instead of default WARNING level).

  --noverbose           The inverse of --verbose

  --use-syslog          Use syslog for logging.

  --nouse-syslog        The inverse of --use-syslog

  --standard-threads

  --nostandard-threads  The inverse of --standard-threads

  --pydev-debug-port PYDEV_DEBUG_PORT

  --config-file PATH    Path to a config file to use. Multiple config files

                        can be specified, with values in later files taking

                        precedence. The default files used are:

                        ['/etc/keystone/keystone.conf']

  --log-config PATH     If this option is specified, the logging configuration

                        file specified is used and overrides any other logging

                        options specified. Please see the Python logging

                        module documentation for details on logging

                        configuration files.

  --log-format FORMAT   A logging.Formatter log message format string which

                        may use any of the available logging.LogRecord

                        attributes.

  --log-date-format DATE_FORMAT

                        Format string for %(asctime)s in log records.

  --log-file PATH       Name of log file to output. If not set, logging will

                        go to stdout.

  --log-dir LOG_DIR     The directory in which to store log files. (will be

                        prepended to --log-file)

  --syslog-log-facility SYSLOG_LOG_FACILITY

                        syslog facility to receive log lines.

  --pydev-debug-host PYDEV_DEBUG_HOST

  --config-dir DIR      Path to a config directory to pull *.conf files from.

                        This file set is sorted, so as to provide a

                        predictable parse order if individual options are

                        over-ridden. The set is parsed after the file(s), if

                        any, specified via --config-file, hence over-ridden

                        options in the directory take precedence.

  Run keystone-manage --help to view the help for the Keystone management program.

# keystone-manage --help

usage: keystone-manage [db_sync|export_legacy_catalog|import_legacy|import_nova_auth|pki_setup]

 

optional arguments:

  -h, --help            show this help message and exit

  --version             show program's version number and exit

  --debug, -d           Print debugging output (set logging level to DEBUG

                        instead of default WARNING level).

  --nodebug             The inverse of --debug

  --verbose, -v         Print more verbose output (set logging level to INFO

                        instead of default WARNING level).

  --noverbose           The inverse of --verbose

  --use-syslog          Use syslog for logging.

  --nouse-syslog        The inverse of --use-syslog

  --standard-threads

  --nostandard-threads  The inverse of --standard-threads

  --pydev-debug-port PYDEV_DEBUG_PORT

  --config-file PATH    Path to a config file to use. Multiple config files

                        can be specified, with values in later files taking

                        precedence. The default files used are:

                        ['/etc/keystone/keystone.conf']

  --log-config PATH     If this option is specified, the logging configuration

                        file specified is used and overrides any other logging

                        options specified. Please see the Python logging

                        module documentation for details on logging

                        configuration files.

  --log-format FORMAT   A logging.Formatter log message format string which

                        may use any of the available logging.LogRecord

                        attributes.

  --log-date-format DATE_FORMAT

                        Format string for %(asctime)s in log records.

  --log-file PATH       Name of log file to output. If not set, logging will

                        go to stdout.

  --log-dir LOG_DIR     The directory in which to store log files. (will be

                        prepended to --log-file)

  --syslog-log-facility SYSLOG_LOG_FACILITY

                        syslog facility to receive log lines.

  --pydev-debug-host PYDEV_DEBUG_HOST

  --config-dir DIR      Path to a config directory to pull *.conf files from.

                        This file set is sorted, so as to provide a

                        predictable parse order if individual options are

                        over-ridden. The set is parsed after the file(s), if

                        any, specified via --config-file, hence over-ridden

                        options in the directory take precedence.

 

Commands:

  {db_sync,export_legacy_catalog,import_legacy,import_nova_auth,pki_setup}

                        Available commands

    db_sync             Sync the database.

    export_legacy_catalog

                        Export the service catalog from a legacy database.

    import_legacy       Import a legacy database.

    import_nova_auth    Import a dump of nova auth data into keystone.

    pki_setup           Set up Key pairs and certificates for token signing

                        and verification.

  Run keystone --help to view the help for the Keystone client program.

# keystone --help

usage: keystone [--version] [--timeout <seconds>]

                [--os-username <auth-user-name>]

                [--os-password <auth-password>]

                [--os-tenant-name <auth-tenant-name>]

                [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]

                [--os-region-name <region-name>]

                [--os-identity-api-version <identity-api-version>]

                [--os-token <service-token>]

                [--os-endpoint <service-endpoint>]

                [--os-cacert <ca-certificate>] [--insecure]

                [--os-cert <certificate>] [--os-key <key>] [--os-cache]

                [--force-new-token] [--stale-duration <seconds>]

                <subcommand> ...

 

Command-line interface to the OpenStack Identity API.

 

Positional arguments:

  <subcommand>

    catalog

    ec2-credentials-create

                        Create EC2-compatible credentials for user per tenant

    ec2-credentials-delete

                        Delete EC2-compatible credentials

    ec2-credentials-get

                        Display EC2-compatible credentials

    ec2-credentials-list

                        List EC2-compatible credentials for a user

    endpoint-create     Create a new endpoint associated with a service

    endpoint-delete     Delete a service endpoint

    endpoint-get

    endpoint-list       List configured service endpoints

    password-update     Update own password

    role-create         Create new role

    role-delete         Delete role

    role-get            Display role details

    role-list           List all roles

    service-create      Add service to Service Catalog

    service-delete      Delete service from Service Catalog

    service-get         Display service from Service Catalog

    service-list        List all services in Service Catalog

    tenant-create       Create new tenant

    tenant-delete       Delete tenant

    tenant-get          Display tenant details

    tenant-list         List all tenants

    tenant-update       Update tenant name, description, enabled status

    token-get

    user-create         Create new user

    user-delete         Delete user

    user-get            Display user details.

    user-list           List users

    user-password-update

                        Update user password

    user-role-add       Add role to user

    user-role-list      List roles granted to a user

    user-role-remove    Remove role from user

    user-update         Update user's name, email, and enabled status

    discover            Discover Keystone servers, supported API versions and

                        extensions.

    bootstrap           Grants a new role to a new user on a new tenant, after

                        creating each.

    bash-completion     Prints all of the commands and options to stdout.

    help                Display help about this program or one of its

                        subcommands.

 

Optional arguments:

  --version             Shows the client version and exits

  --timeout <seconds>   Set request timeout (in seconds)

  --os-username <auth-user-name>

                        Name used for authentication with the OpenStack

                        Identity service. Defaults to env[OS_USERNAME]

  --os-password <auth-password>

                        Password used for authentication with the OpenStack

                        Identity service. Defaults to env[OS_PASSWORD]

  --os-tenant-name <auth-tenant-name>

                        Tenant to request authorization on. Defaults to

                        env[OS_TENANT_NAME]

  --os-tenant-id <tenant-id>

                        Tenant to request authorization on. Defaults to

                        env[OS_TENANT_ID]

  --os-auth-url <auth-url>

                        Specify the Identity endpoint to use for

                        authentication. Defaults to env[OS_AUTH_URL]

  --os-region-name <region-name>

                        Defaults to env[OS_REGION_NAME]

  --os-identity-api-version <identity-api-version>

                        Defaults to env[OS_IDENTITY_API_VERSION] or 2.0

  --os-token <service-token>

                        Specify an existing token to use instead of retrieving

                        one via authentication (e.g. with username &

                        password). Defaults to env[OS_SERVICE_TOKEN]

  --os-endpoint <service-endpoint>

                        Specify an endpoint to use instead of retrieving one

                        from the service catalog (via authentication).

                        Defaults to env[OS_SERVICE_ENDPOINT]

  --os-cacert <ca-certificate>

                        Specify a CA bundle file to use in verifying a TLS

                        (https) server certificate. Defaults to env[OS_CACERT]

  --insecure            Explicitly allow keystoneclient to perform "insecure"

                        TLS (https) requests. The server's certificate will

                        not be verified against any certificate authorities.

                        This option should be used with caution.

  --os-cert <certificate>

                        Defaults to env[OS_CERT]

  --os-key <key>        Defaults to env[OS_KEY]

  --os-cache            Use the auth token cache. Defaults to env[OS_CACHE]

  --force-new-token     If the keyring is available and in use, token will

                        always be stored and fetched from the keyring until

                        the token has expired. Use this option to request a

                        new token and replace the existing one in the keyring.

  --stale-duration <seconds>

                        Stale duration (in seconds) used to determine whether

                        a token has expired when retrieving it from keyring.

                        This is useful in mitigating process or network

                        delays. Default is 30 seconds.

 

See "keystone help COMMAND" for help on a specific command.

2.7 Syncing the Database and Running Keystone

  Sync the database schema; Keystone connects to the database automatically and creates the tables.

# keystone-manage db_sync

  sqlite3 then creates the file ~/keystone.db (depending on the configuration above), and we can inspect the tables in the database. First open the database with sqlite3 ~/keystone.db, then use the .table command to list all tables, including tenant, user, role, service, endpoint and so on.

# sqlite3 ~/keystone.db

SQLite version 3.7.7 2011-06-23 19:49:22

Enter ".help" for instructions

Enter SQL statements terminated with a ";"

sqlite> .table

credential              migrate_version         token                

domain                  policy                  user                 

ec2_credential          role                    user_domain_metadata 

endpoint                service                 user_tenant_membership

metadata                tenant               

sqlite> .exit

#

  At this point the Keystone service has been installed and configured successfully; everything is in place, and the Keystone service can be started.

# keystone-all

2.8 Exporting the Environment Variables

  To access the Keystone service, the client needs the environment variables exported; alternatively the corresponding parameters can be passed on each command that accesses Keystone. In the deployment described in this document, the Keystone client and server are on the same PC. There are two ways to export the environment variables:

  1. Use the export command in the terminal; the variables are then valid only in that terminal.

# export SERVICE_TOKEN=ADMIN

# export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0

      A short explanation:

  • "SERVICE_ENDPOINT" is Keystone's endpoint, i.e. the API entry point. "192.168.3.67" is the IP of the machine running the Keystone service and "35357" is the port on which Keystone's authentication/authorization and administration service listens (usually internal); users access this port for administrator operations such as creating and deleting Tenants, Users, Roles, Services and Endpoints, as explained in the "Configuring Keystone" section.
  • "SERVICE_TOKEN" is the Keystone service's token, also explained in the "Configuring Keystone" section.

  2. Edit the ~/.bashrc file and append the following lines. (This file holds the environment variables of the current user's Bash shell.)

export SERVICE_TOKEN=ADMIN

export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0

  Then run the following command to apply the change. Once applied, it stays in effect for good!

# . ~/.bashrc

      Notes on the above environment variables:

  • SERVICE_TOKEN is the token used when accessing the Keystone service; it corresponds to the setting in keystone.conf and defaults to ADMIN.
  • SERVICE_ENDPOINT is the entry point of the Keystone service; the IP address gives where Keystone is installed and 35357 is the default access port.

  The client can now access the Keystone service at the given address http://192.168.3.67:35357/v2.0 using the token named ADMIN.

3. Usage Examples

3.1 A First Look at the Information in Keystone

  First, run the following commands to inspect, through the Keystone service, the contents of several important database tables: Tenant, User, Role, Service and Endpoint. The results are of course empty, since we have not yet added any tenants, users, roles, services or endpoints, but they already show that Keystone is working properly.

# keystone tenant-list

 

 

# keystone user-list

 

 

# keystone role-list

 

 

# keystone service-list

 

 

# keystone endpoint-list

 

3.2 Adding Custom Information Manually

  Next we add Tenant, User, Role, Service and Endpoint information manually, according to our own requirements.

  We will create a Tenant named adminTenant, a User named admin and a Role named adminRole, and associate the three. The end result is a user named admin who holds the role adminRole and can use the tenant adminTenant.

  1. Create the Tenant, named adminTenant with the description "Admin Tenant". Note the Tenant id generated by this command; it is needed when adding the User below.

# keystone tenant-create --name adminTenant --description "Admin Tenant" --enabled true

+-------------+----------------------------------+

|   Property  |              Value               |

+-------------+----------------------------------+

| description |           Admin Tenant           |

|   enabled   |               True               |

|      id     | 4803098ff0b44f13bb33e7c9665e59d4 |

|     name    |           adminTenant            |

+-------------+----------------------------------+

  2. Create the User, named admin with the password openstack. Note the User id generated by this command; it is needed for the association command below.

# keystone user-create --tenant_id 4803098ff0b44f13bb33e7c9665e59d4 --name admin --pass openstack --enabled true

+----------+----------------------------------+

| Property |              Value               |

+----------+----------------------------------+

|  email   |                                  |

| enabled  |               True               |

|    id    | c2c40638681041aca9625869c260ba51 |

|   name   |              admin               |

| tenantId | 4803098ff0b44f13bb33e7c9665e59d4 |

+----------+----------------------------------+

  3. Create the Role, named adminRole. Note the Role id generated by this command; it is needed for the association command below.

# keystone role-create --name adminRole

+----------+----------------------------------+

| Property |              Value               |

+----------+----------------------------------+

|    id    | 675c497fdf314e74a3f4bd6e1710d45d |

|   name   |            adminRole             |

+----------+----------------------------------+

 

  We have now created one Tenant, one User and one Role, with the following ids:

tenant_id:4803098ff0b44f13bb33e7c9665e59d4

user_id:c2c40638681041aca9625869c260ba51

role_id:675c497fdf314e74a3f4bd6e1710d45d

 

  4. Finally, use the three ids above with the following command to associate them.

# keystone user-role-add --user-id c2c40638681041aca9625869c260ba51 --tenant-id 4803098ff0b44f13bb33e7c9665e59d4 --role-id 675c497fdf314e74a3f4bd6e1710d45d

  Now let's use the list commands again to view the Tenant, User, Role, Service and Endpoint information.

# keystone tenant-list

+----------------------------------+-------------+---------+

|                id                |     name    | enabled |

+----------------------------------+-------------+---------+

| 4803098ff0b44f13bb33e7c9665e59d4 | adminTenant |   True  |

+----------------------------------+-------------+---------+

 

# keystone user-list

+----------------------------------+-------+---------+-------+

|                id                |  name | enabled | email |

+----------------------------------+-------+---------+-------+

| c2c40638681041aca9625869c260ba51 | admin |   True  |       |

+----------------------------------+-------+---------+-------+

 

# keystone role-list

+----------------------------------+-----------+

|                id                |    name   |

+----------------------------------+-----------+

| 675c497fdf314e74a3f4bd6e1710d45d | adminRole |

+----------------------------------+-----------+

 

# keystone service-list

 

 

# keystone endpoint-list

 

3.3 Accessing Keystone to Obtain a Token

  With the Tenant, User and Role created and associated, we can now access Keystone with the user's name and password to obtain a token for accessing the tenant. We use curl to request authorization from Keystone; the command needs four parameters: tenantName, username, password and the authentication URL (either http://192.168.3.67:35357/v2.0/tokens or http://192.168.3.67:5000/v2.0/tokens works). The response is returned in JSON format.

  First try with a wrong password; authorization fails, and the response carries the corresponding error message.

# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "xxx"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   219  100   116  100   103   2547   2262 --:--:-- --:--:-- --:--:--  2577

{

    "error": {

        "code": 401,

        "message": "The request you have made requires authentication.",

        "title": "Not Authorized"

    }

}

  然后使用正確的密碼訪問(http://192.168.3.67:35357/v2.0/tokens),結果成功獲取授權。返回信息中包含了我們所需的Token,同時也顯示了與本次請求相關的Tenant、User以及Role的信息。我們可以看到,Token的id為55e9889a646e467693f2e11b58ccf78d,其授權通過的時間為2013-03-15T12:42:00.096694,其授權過期的時間為2013-03-16T12:42:00Z。

# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   618  100   509  100   109   8811   1886 --:--:-- --:--:-- --:--:--  8929

{

    "access": {

        "metadata": {

            "is_admin": 0,

            "roles": [

                "675c497fdf314e74a3f4bd6e1710d45d"

            ]

        },

        "serviceCatalog": [],

        "token": {

            "expires": "2013-03-16T12:42:00Z",

            "id": "55e9889a646e467693f2e11b58ccf78d",

            "issued_at": "2013-03-15T12:42:00.096694",

            "tenant": {

                "description": "Admin Tenant",

                "enabled": true,

                "id": "4803098ff0b44f13bb33e7c9665e59d4",

                "name": "adminTenant"

            }

        },

        "user": {

            "id": "c2c40638681041aca9625869c260ba51",

            "name": "admin",

            "roles": [

                {

                    "name": "adminRole"

                }

            ],

            "roles_links": [],

            "username": "admin"

        }

    }

}

  The same request against the public API address http://192.168.3.67:5000/v2.0/tokens also succeeds. This run was made on a later date, which is why the token id and timestamps differ; the tenant, user and role bindings are the same.

# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:5000/v2.0/tokens | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   618  100   509  100   109   9030   1933 --:--:-- --:--:-- --:--:--  9254
{
    "access": {
        "metadata": {
            "is_admin": 0,
            "roles": [
                "675c497fdf314e74a3f4bd6e1710d45d"
            ]
        },
        "serviceCatalog": [],
        "token": {
            "expires": "2013-04-05T07:36:56Z",
            "id": "bfe30305790c46e2a4b5bfc80060246b",
            "issued_at": "2013-04-04T07:36:56.283627",
            "tenant": {
                "description": "Admin Tenant",
                "enabled": true,
                "id": "4803098ff0b44f13bb33e7c9665e59d4",
                "name": "adminTenant"
            }
        },
        "user": {
            "id": "c2c40638681041aca9625869c260ba51",
            "name": "admin",
            "roles": [
                {
                    "name": "adminRole"
                }
            ],
            "roles_links": [],
            "username": "admin"
        }
    }
}
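  The exchange above, as an added client-side example (this is not code from the original post or from the Keystone project): it builds the v2.0 passwordCredentials request, parses both the 401 error document and the token document, refuses a token that is scoped to a tenant other than the one requested or that has already expired, and reports the token's lifetime and the roles it carries. The URLs and credentials are the ones used in the post and the two sample bodies are copied from the curl output above; fetch_token is the only function that needs a live Keystone, everything else runs offline against those copies.

```python
"""Client-side handling of a Keystone v2.0 token exchange.
Added example, not code from the original post or from Keystone itself."""
import json
import urllib.error
import urllib.request
from datetime import datetime, timedelta, timezone

PUBLIC_AUTH_URL = "http://192.168.3.67:5000/v2.0/tokens"   # public API port
ADMIN_AUTH_URL = "http://192.168.3.67:35357/v2.0/tokens"   # admin API port

# Response to the wrong-password request (copied from the curl output above).
ERROR_BODY = json.dumps({"error": {
    "code": 401,
    "message": "The request you have made requires authentication.",
    "title": "Not Authorized"}})

# Response to the correct-password request on port 35357 (copied from above).
TOKEN_BODY = json.dumps({"access": {
    "metadata": {"is_admin": 0, "roles": ["675c497fdf314e74a3f4bd6e1710d45d"]},
    "serviceCatalog": [],
    "token": {
        "expires": "2013-03-16T12:42:00Z",
        "id": "55e9889a646e467693f2e11b58ccf78d",
        "issued_at": "2013-03-15T12:42:00.096694",
        "tenant": {"description": "Admin Tenant", "enabled": True,
                   "id": "4803098ff0b44f13bb33e7c9665e59d4", "name": "adminTenant"}},
    "user": {"id": "c2c40638681041aca9625869c260ba51", "name": "admin",
             "roles": [{"name": "adminRole"}], "roles_links": [],
             "username": "admin"}}})

# A constructed clock value shortly after the sample token was issued.
SAMPLE_NOW = datetime(2013, 3, 15, 13, 0, 0, tzinfo=timezone.utc)


class KeystoneAuthError(Exception):
    """Keystone answered with an error document, or the token is unusable."""


def build_auth_request(tenant_name, username, password):
    """JSON body for POST /v2.0/tokens: passwordCredentials scoped to a tenant."""
    return json.dumps({"auth": {
        "tenantName": tenant_name,
        "passwordCredentials": {"username": username, "password": password}}})


def _parse_utc(value):
    """Keystone v2 writes 'expires' as ...Z and 'issued_at' with microseconds
    and no zone suffix; both are UTC."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def parse_token_response(body, expected_tenant, now):
    """Summarise a v2.0 token document after checking that it is usable.
    Raises KeystoneAuthError for an error document (such as the 401 above), for a
    token scoped to another tenant, and for a token already expired at `now`."""
    doc = json.loads(body)
    if "error" in doc:
        err = doc["error"]
        raise KeystoneAuthError("%s %s: %s" % (err["code"], err["title"], err["message"]))
    access = doc["access"]
    token = access["token"]
    tenant = token.get("tenant")          # absent on an unscoped token
    if tenant is None or tenant["name"] != expected_tenant:
        raise KeystoneAuthError("token is not scoped to tenant %r" % expected_tenant)
    expires = _parse_utc(token["expires"])
    if expires <= now:
        raise KeystoneAuthError("token expired at %s" % token["expires"])
    issued = _parse_utc(token["issued_at"])
    return {
        "token_id": token["id"],
        "tenant_id": tenant["id"],
        "user_id": access["user"]["id"],
        "role_ids": list(access["metadata"]["roles"]),
        "role_names": [r["name"] for r in access["user"]["roles"]],
        # 'expires' is truncated to whole seconds, so round the lifetime.
        "lifetime": timedelta(seconds=round((expires - issued).total_seconds())),
        "remaining": expires - now,
        "catalog_empty": not access["serviceCatalog"],
    }


def fetch_token(auth_url, tenant_name, username, password, now=None):
    """POST the credentials to a live Keystone and return the summary.
    Keystone puts the error document in the body of a 4xx response, so the
    HTTPError body is parsed the same way as a successful one."""
    req = urllib.request.Request(
        auth_url,
        data=build_auth_request(tenant_name, username, password).encode(),
        headers={"Content-Type": "application/json"},
        method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = resp.read().decode()
    except urllib.error.HTTPError as exc:
        body = exc.read().decode()
    return parse_token_response(body, tenant_name, now or datetime.now(timezone.utc))


if __name__ == "__main__":
    s = parse_token_response(TOKEN_BODY, "adminTenant", SAMPLE_NOW)
    print("token %s for tenant %s, roles %s, lifetime %s, %s left" % (
        s["token_id"], s["tenant_id"], s["role_names"], s["lifetime"], s["remaining"]))
```

  Against a live host the call is fetch_token(PUBLIC_AUTH_URL, "adminTenant", "admin", "openstack"). The tenant check matters because a client that asks for a scoped token but accepts whatever comes back would happily use a token bound to a different tenant; the expiry check uses the caller's clock, so hosts talking to Keystone need to be time-synchronised.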

  These examples cover Keystone's basic operations and show that it authenticates the user and issues a token scoped to the expected tenant with the expected role bindings. A follow-up post continues the topic with the joint deployment of Keystone and Swift, in which Keystone provides authentication and authorization for Swift.


