3. OpenStack Mitaka: setting up the Keystone identity service


Deploying the Keystone identity service

Part 1: Install and configure the service

1. Create the database and database user

mysql -u root -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '密碼';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '密碼';
flush privileges;

2. Install Keystone and the httpd web server

yum install openstack-keystone httpd mod_wsgi -y

3. Edit /etc/keystone/keystone.conf

Generate an admin token (the recommended way is `openssl rand -hex 10`):
# openssl rand -hex 10
ada2c9751d94be18d74a
# vim /etc/keystone/keystone.conf
[DEFAULT]
# value produced by: openssl rand -hex 10 (keystone.conf does not support comments after a value, so keep the note on its own line)
admin_token = ada2c9751d94be18d74a

[database]
connection = mysql+pymysql://keystone:liuyao@controller/keystone

[token]
provider = fernet
# Reference blog on token providers (UUID, PKI, PKIZ, or Fernet):
# http://blog.csdn.net/miss_yang_cloud/article/details/49633719

4. Populate the database (sync the schema)

# su -s /bin/sh -c "keystone-manage db_sync" keystone

5. Initialize the Fernet keys

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

6. Configure the Apache service

Edit /etc/httpd/conf/httpd.conf:
ServerName controller

Edit /etc/httpd/conf.d/wsgi-keystone.conf and add the following configuration:
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

7. Start the service:

systemctl enable httpd.service
systemctl start httpd.service

Part 2: Create the service entity and API endpoints

1. Set the admin environment variables; they provide the permissions needed for the creation steps that follow

export OS_TOKEN=ada2c9751d94be18d74a # the token generated above
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3

2. Using the permissions from the previous step, create the identity service entity (the catalog service)

openstack service create \
--name keystone --description "OpenStack Identity" identity

3. For the service entity created in the previous step, create the three API endpoints through which it is accessed

openstack endpoint create --region RegionOne \
  identity public http://controller:5000/v3
  
openstack endpoint create --region RegionOne \
  identity internal http://controller:5000/v3
  
openstack endpoint create --region RegionOne \
  identity admin http://controller:35357/v3

Part 3: Create a domain, project (tenant), user and role, and associate the four

Create a common domain:
openstack domain create --description "Default Domain" default

Administrator: admin
openstack project create --domain default \
  --description "Admin Project" admin
  
openstack user create --domain default \
  --password-prompt admin
 
openstack role create admin

openstack role add --project admin --user admin admin

Regular user: demo
openstack project create --domain default \
  --description "Demo Project" demo
  
openstack user create --domain default \
  --password-prompt demo
 
openstack role create user

openstack role add --project demo --user demo user

Create a shared project, service, for the services installed later.
Explanation: every additional service needs four operations in Keystone: 1. create a project, 2. create a user, 3. create a role, 4. associate them.
All later services share the single project service and all use the admin role, so when installing subsequent services only steps 2 and 4 remain on the Keystone side.

openstack project create --domain default \
  --description "Service Project" service

Part 4: Verify the setup

Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from all three pipelines:
[pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3]
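The admin_token_auth filter lets anyone who knows the bootstrap token from keystone.conf act as an administrator, so it must be gone from every pipeline before the cloud goes into use. The following added script (not part of the original article or of Keystone itself) audits a keystone-paste.ini for the filter and produces a cleaned copy; the sample file content is a constructed, shortened excerpt of the Mitaka layout, and the default path is an assumption.

```python
import configparser

# Constructed, shortened excerpt of /etc/keystone/keystone-paste.ini as it looks on a
# fresh Mitaka install (not the real file): admin_token_auth is still in every pipeline.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
"""

# The three pipelines the article tells you to edit.
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
FILTER = "admin_token_auth"


def pipelines_with_admin_token(ini_text):
    """Return the pipeline sections whose filter chain still contains admin_token_auth."""
    cp = configparser.ConfigParser(interpolation=None)  # paste ini files may contain '%'
    cp.read_string(ini_text)
    found = []
    for section in PIPELINES:
        chain = cp.get(section, "pipeline", fallback="").split()
        if FILTER in chain:
            found.append(section)
    return found


def strip_admin_token_auth(ini_text):
    """Return a copy of the file text with admin_token_auth removed from every pipeline line.

    Only 'pipeline = ...' lines are rewritten; the [filter:admin_token_auth] section is
    left in place, which is harmless because nothing references it any more.
    """
    out = []
    for line in ini_text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "pipeline":
            chain = [f for f in value.split() if f != FILTER]
            line = "pipeline = " + " ".join(chain)
        out.append(line)
    return "\n".join(out) + "\n"


def audit_file(path="/etc/keystone/keystone-paste.ini"):
    """Audit a real file on disk (path is an assumption matching the article's layout)."""
    with open(path) as fh:
        return pipelines_with_admin_token(fh.read())


if __name__ == "__main__":
    print("before:", pipelines_with_admin_token(SAMPLE_PASTE_INI))
    print("after: ", pipelines_with_admin_token(strip_admin_token_auth(SAMPLE_PASTE_INI)))
```

Run `audit_file()` on the controller after the edit; an empty list means the bootstrap token can no longer be used against the API, and at that point the admin_token line in keystone.conf itself should also be removed.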

unset OS_TOKEN OS_URL

openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2016-08-17T08:29:18.528637Z                                                                                                                                                             |
| id         | gAAAAABXtBJO-mItMcPR15TSELJVB2iwelryjAGGpaCaWTW3YuEnPpUeg799klo0DaTfhFBq69AiFB2CbFF4CE6qgIKnTauOXhkUkoQBL6iwJkpmwneMo5csTBRLAieomo4z2vvvoXfuxg2FhPUTDEbw-DPgponQO-9FY1IAEJv_QV1qRaCRAY0 |
| project_id | 9783750c34914c04900b606ddaa62920                                                                                                                                                        |
| user_id    | 8bc9b323a3b948758697cb17da304035                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
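Because keystone.conf selects `provider = fernet`, the token id in the table above is a Fernet token: a version byte, a cleartext creation timestamp, an IV, the AES-CBC-encrypted payload and an HMAC-SHA256, base64url-encoded with the padding stripped. The following added example (not from the article or from Keystone) decodes those fields from that token id without the Fernet keys, so it neither verifies nor decrypts it; the one-hour lifetime it applies is the Keystone default and is assumed here.

```python
import base64
import datetime

# Token id copied from the `openstack token issue` output above.
TOKEN_ID = ("gAAAAABXtBJO-mItMcPR15TSELJVB2iwelryjAGGpaCaWTW3YuEnPpUeg799klo0DaTfhFBq69AiFB2CbFF4"
            "CE6qgIKnTauOXhkUkoQBL6iwJkpmwneMo5csTBRLAieomo4z2vvvoXfuxg2FhPUTDEbw-DPgponQO-9FY1IAEJv_QV1qRaCRAY0")

FERNET_VERSION = 0x80
# Assumed: keystone.conf [token] expiration default of 3600 seconds.
DEFAULT_TOKEN_LIFETIME = datetime.timedelta(seconds=3600)


def decode_fernet_token(token):
    """Split a Fernet token into its fields without verifying the HMAC or decrypting.

    Layout per the Fernet spec:
        version(1) | timestamp(8, big-endian seconds) | IV(16) | ciphertext(16*n) | HMAC(32)
    Keystone strips the base64 '=' padding from token ids, so it is restored first.
    """
    padded = token + "=" * (-len(token) % 4)
    raw = base64.urlsafe_b64decode(padded)
    if len(raw) < 57 or raw[0] != FERNET_VERSION:
        raise ValueError("not a Fernet token")
    created = datetime.datetime.fromtimestamp(int.from_bytes(raw[1:9], "big"),
                                              datetime.timezone.utc)
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "version": raw[0],
        "created_at": created,
        "expires_at": created + DEFAULT_TOKEN_LIFETIME,
        "iv": raw[9:25],
        "ciphertext": ciphertext,
        "hmac": raw[-32:],
    }


if __name__ == "__main__":
    fields = decode_fernet_token(TOKEN_ID)
    print("created :", fields["created_at"].isoformat())
    print("expires :", fields["expires_at"].isoformat())
    print("payload :", len(fields["ciphertext"]), "encrypted bytes")
```

The creation time it recovers (2016-08-17T07:29:18Z) is exactly one hour before the `expires` value the server reported, which confirms the default lifetime. Everything else in the token is opaque without the keys in /etc/keystone/fernet-keys, but whoever holds the id can use it until that expiry, so treat token ids as secrets and rotate the Fernet keys with `keystone-manage fernet_rotate` rather than leaving the initial key in place indefinitely.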

Part 5: Create client environment script files

Administrator: admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=liuyao
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Regular user demo: demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=liuyao
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Result:
source admin-openrc 
[root@controller01 ~]# openstack token issue

