Introduction to Keystone
What Keystone does
Users and authentication: user permissions and tracking of user activity.
Service catalog: provides a catalog of all services and the endpoints of their APIs; it is the registry that the other services are looked up in.
Service catalog terminology
Service
A Service is a component such as Nova, Glance or Swift. Using the three concepts User, Tenant and Role (defined below), a service can determine whether the current user is allowed to access its resources.
When a user tries to access a service within their tenant, however, they must know whether that service exists and how to reach it; different names are therefore used to identify the different services.
Endpoint
An Endpoint is an access point that a service exposes; to access a service you must know its endpoint.
Keystone therefore contains an endpoint template that holds the endpoint information for every existing service.
An endpoint template contains a list of URLs; each URL is the access address of one service instance and carries one of three access levels: public, private and admin.
The public URL can be reached from anywhere; the private URL can be reached only from the local network; the admin URL is kept separate from regular access.
Authentication terminology
Token
A Token is the key to accessing resources. It is the value Keystone returns after successful authentication; in later interactions with the other services only the token needs to be sent along.
Every token has a validity period and is valid only within it.
Role
A Role represents a set of resource permissions a user may exercise, for example on virtual machines in Nova or images in Glance.
Users can be added to any global role or tenant role. In a global role the user's permissions apply to every tenant, i.e. the user can perform the actions the role grants against all tenants;
in a tenant role the user can perform those actions only within the current tenant.
Tenant
A Tenant, now renamed Project, is a collection of accessible resources across the services. In Nova a tenant can be a set of machines,
in Swift and Glance it can be image storage, and in Neutron it can be network resources. Users are by default always bound to some tenant.
User
A User represents a person or program that accesses the cloud through Keystone. Users are verified with credentials such as passwords or API keys.
A project can have many users.
A user can belong to one or more projects.
A user's permissions on a project are determined by the role the user holds in that project.
Installing and configuring Keystone
1. Install the Keystone packages
httpd runs the Keystone service; mod_wsgi is an Apache module that lets Keystone run under Apache. Why is memcached needed now?
In earlier versions tokens were stored in the database. Keystone's token table kept growing to tens of millions of rows and responses became very slow; you can truncate the table, but never while virtual machines are being created.
Tokens can now be kept in memcache instead, which is faster to read, and memcached can also expire entries after a set time.
python-memcached is the Python client library for memcached; Keystone connects through it and stores the tokens it returns there.
[root@linux-node1 ~]# yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * epel: mirror01.idc.hinet.net
 * extras: mirrors.163.com
 * updates: mirrors.163.com
Package 1:openstack-keystone-9.2.0-1.el7.noarch already installed and latest version
Package httpd-2.4.6-45.el7.centos.x86_64 already installed and latest version
Package mod_wsgi-3.4-12.el7_0.x86_64 already installed and latest version
Package memcached-1.4.33-2.el7.x86_64 already installed and latest version
Package python-memcached-1.54-3.el7.noarch already installed and latest version
Nothing to do
[root@linux-node1 ~]#
2. Edit the Keystone configuration file
Keystone manages authentication, and I want to create users in it. If, like RabbitMQ, it came with a default user that would do,
but right now there are no users at all, so how do we connect and create one? This is what admin_token is for.
With admin_token you can connect to Keystone without any user, so configure admin_token first.
Replace the default value with a random one; generate a random string by hand:
[root@linux-node1 ~]# openssl rand -hex 10
d6f70f7738e69f57a839
[root@linux-node1 ~]#
Edit the Keystone configuration file /etc/keystone/keystone.conf.
Under the [database] section, change the database connection as shown in the grep output below.
Configure the memcached connection.
The role of memcache in Keystone:
after the username and password have been verified, the generated token is placed in memcache to improve performance.
Memcache can in fact run on any machine, which decouples it from Keystone.
Under the [token] section, configure the token provider: fernet is more secure than uuid. Set driver to memcache so that token data is kept in memcache rather than in the database.
Check the configuration, with line numbers:
[root@linux-node1 ~]# grep -n '^[a-Z]' /etc/keystone/keystone.conf
13:admin_token = d6f70f7738e69f57a839
549:connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
1252:servers = 192.168.56.11:11211
2005:provider = fernet
2010:driver = memcache
[root@linux-node1 ~]#
3. Sync the database (create the tables)
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@linux-node1 ~]#
Why switch to the keystone user to run this command?
If you run it without switching to the keystone user it still succeeds, but the log file ends up owned by root.
When the Keystone service starts later it needs to write this log file; it cannot write a root-owned file, so it fails to start.
After the command above, the log file is owned by the keystone user:
[root@linux-node1 ~]# cd /var/log/keystone/
[root@linux-node1 keystone]# ll
total 8
-rw-r--r-- 1 keystone keystone 6964 Feb 16 21:32 keystone.log
[root@linux-node1 keystone]# tail -10 keystone.log
2017-02-16 21:32:31.820 6028 INFO migrate.versioning.api [-] 2 -> 3...
2017-02-16 21:32:31.835 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.835 6028 INFO migrate.versioning.api [-] 3 -> 4...
2017-02-16 21:32:31.879 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.879 6028 INFO migrate.versioning.api [-] 4 -> 5...
2017-02-16 21:32:31.902 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.927 6028 INFO migrate.versioning.api [-] 0 -> 1...
2017-02-16 21:32:31.947 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.947 6028 INFO migrate.versioning.api [-] 1 -> 2...
2017-02-16 21:32:31.975 6028 INFO migrate.versioning.api [-] done
Of course you can also run it as root and then chown the log file to keystone.
[root@linux-node1 ~]# mysql -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
[root@linux-node1 ~]#
Below is the default log file path of the Keystone service; note its owner and group:
[root@linux-node1 ~]# cd /var/log/keystone/
[root@linux-node1 keystone]# ll
total 8
-rw-r--r-- 1 keystone keystone 4340 Feb 17 17:22 keystone.log
[root@linux-node1 keystone]#
[root@linux-node1 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@linux-node1 keystone]#
[root@linux-node1 keystone]# cd /etc/keystone/
[root@linux-node1 keystone]# ls -l
total 100
-rw-r----- 1 root     keystone  2303 Sep 22 20:06 default_catalog.templates
drwx------ 2 keystone keystone    22 Feb 17 17:28 fernet-keys
-rw-r----- 1 root     keystone 73171 Feb 17 17:22 keystone.conf
-rw-r----- 1 root     keystone  2400 Sep 22 20:06 keystone-paste.ini
-rw-r----- 1 root     keystone  1046 Sep 22 20:06 logging.conf
-rw-r----- 1 keystone keystone  9699 Sep 22 20:06 policy.json
-rw-r----- 1 keystone keystone   665 Sep 22 20:06 sso_callback_template.html
[root@linux-node1 keystone]#
The same directory viewed with tree:
[root@linux-node1 keystone]# tree
.
├── default_catalog.templates
├── fernet-keys
│   ├── 0
│   └── 1
├── keystone.conf
├── keystone-paste.ini
├── logging.conf
├── policy.json
└── sso_callback_template.html

1 directory, 8 files
[root@linux-node1 keystone]#
[root@linux-node1 ~]# systemctl start memcached.service
[root@linux-node1 ~]# systemctl enable memcached
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@linux-node1 keystone]# netstat -antp | grep 11211
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      12264/memcached
tcp6       0      0 ::1:11211               :::*                    LISTEN      12264/memcached
[root@linux-node1 keystone]# ps aux | grep memcached
memcach+ 12264  0.0  0.0 333840  1212 ?        Ssl  20:43   0:00 /usr/bin/memcached -p 11211 -u memcached -m 64 -c 1024 -l 127.0.0.1,::1
root     12345  0.0  0.0 112644   964 pts/0    S+   20:45   0:00 grep --colour=auto memcached
[root@linux-node1 keystone]#
[root@linux-node1 keystone]# rpm -ql memcached
/etc/sysconfig/memcached
/usr/bin/memcached
/usr/bin/memcached-tool
/usr/lib/systemd/system/memcached.service
/usr/share/doc/memcached-1.4.33
/usr/share/doc/memcached-1.4.33/AUTHORS
/usr/share/doc/memcached-1.4.33/CONTRIBUTORS
/usr/share/doc/memcached-1.4.33/COPYING
/usr/share/doc/memcached-1.4.33/ChangeLog
/usr/share/doc/memcached-1.4.33/NEWS
/usr/share/doc/memcached-1.4.33/README.md
/usr/share/doc/memcached-1.4.33/new_lru.txt
/usr/share/doc/memcached-1.4.33/protocol.txt
/usr/share/doc/memcached-1.4.33/readme.txt
/usr/share/doc/memcached-1.4.33/threads.txt
/usr/share/man/man1/memcached-tool.1.gz
/usr/share/man/man1/memcached.1.gz
[root@linux-node1 keystone]#
[root@linux-node1 keystone]# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1"
[root@linux-node1 keystone]#
[root@linux-node1 keystone]# telnet 192.168.56.11 11211
Trying 192.168.56.11...
telnet: connect to address 192.168.56.11: Connection refused
With the default OPTIONS memcached listens only on the loopback addresses, which is why the connection to the host's own IPv4 address is refused (and why the servers = 192.168.56.11:11211 setting in keystone.conf would not work). Change OPTIONS so that it listens on all IPv4 addresses and restart memcached:
[root@linux-node1 ~]# cat /etc/sysconfig/memcached
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 0.0.0.0"
[root@linux-node1 ~]#
[root@linux-node1 ~]# netstat -antp
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      4916/beam.smp
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1181/httpd
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1615/mysqld
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      2006/memcached
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1181/httpd
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1745/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1160/sshd
tcp        0      0 0.0.0.0:15672           0.0.0.0:*               LISTEN      4916/beam.smp
tcp        0      0 0.0.0.0:35357           0.0.0.0:*               LISTEN      1181/httpd
tcp        0      0 127.0.0.1:4369          127.0.0.1:33788         ESTABLISHED 1653/epmd
tcp        0     52 192.168.56.11:22        192.168.56.1:50037      ESTABLISHED 1910/sshd: root@pts
tcp        0      0 192.168.56.11:4369      192.168.56.11:60206     TIME_WAIT   -
tcp        0      0 127.0.0.1:54935         127.0.0.1:4369          TIME_WAIT   -
tcp        0      0 127.0.0.1:33788         127.0.0.1:4369          ESTABLISHED 4916/beam.smp
tcp        0      0 192.168.56.11:4369      192.168.56.11:47835     TIME_WAIT   -
tcp        0      0 192.168.56.11:4369      192.168.56.11:33010     TIME_WAIT   -
tcp        0     57 192.168.56.11:15672     192.168.56.1:51799      ESTABLISHED 4916/beam.smp
tcp6       0      0 :::5672                 :::*                    LISTEN      4916/beam.smp
tcp6       0      0 :::22                   :::*                    LISTEN      1160/sshd
[root@linux-node1 ~]#
memcached is now reachable on the IPv4 address. Keep in mind that memcached has no authentication of its own: a listener on 0.0.0.0 has to be restricted to the management network (for example with a host firewall) rather than exposed to tenant networks or the Internet.
[root@linux-node1 keystone]# telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@linux-node1 keystone]#
To avoid trouble later from services listening on IPv6, the system's default IPv6 can be disabled:
[root@linux-node1 ~]# vim /etc/sysctl.conf
[root@linux-node1 ~]# cat /etc/sysctl.conf
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[root@linux-node1 ~]# sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[root@linux-node1 ~]#
Early on Keystone could be started as a stand-alone service, but its performance was poor; Apache is now used to run the Keystone service.
With Apache fronting Keystone there are two virtual host configurations:
port 5000 for normal API access and port 35357 for admin (management) access.
[root@linux-node1 keystone]# touch /etc/httpd/conf.d/wsgi-keystone.conf
[root@linux-node1 keystone]# vim /etc/httpd/conf.d/wsgi-keystone.conf
[root@linux-node1 keystone]# cat /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
[root@linux-node1 keystone]#
Edit the main httpd configuration file and change line 95 to the content below.
httpd's ServerName must be set; without it Apache starts, but the Keystone service does not come up.
[root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf
[root@linux-node1 keystone]# grep -n "^ServerName" /etc/httpd/conf/httpd.conf
95:ServerName 192.168.56.11:80
[root@linux-node1 keystone]#
[root@linux-node1 keystone]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@linux-node1 keystone]# systemctl start httpd.service
[root@linux-node1 keystone]#
Check the listeners: ports 5000 and 35357 are now up.
[root@linux-node1 keystone]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      3455/beam.smp
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1965/mysqld
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      12264/memcached
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1/systemd
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1337/dnsmasq
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1153/sshd
tcp        0      0 0.0.0.0:15672           0.0.0.0:*               LISTEN      3455/beam.smp
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1277/master
tcp6       0      0 :::5000                 :::*                    LISTEN      12556/httpd
tcp6       0      0 :::5672                 :::*                    LISTEN      3455/beam.smp
tcp6       0      0 ::1:11211               :::*                    LISTEN      12264/memcached
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd
tcp6       0      0 :::80                   :::*                    LISTEN      12556/httpd
tcp6       0      0 :::22                   :::*                    LISTEN      1153/sshd
tcp6       0      0 ::1:25                  :::*                    LISTEN      1277/master
tcp6       0      0 :::35357                :::*                    LISTEN      12556/httpd
[root@linux-node1 keystone]#
[root@linux-node1 ~]# tail -f /var/log/keystone/keystone.log
2017-02-17 17:22:11.743 7983 INFO migrate.versioning.api [-] done
2017-02-17 17:22:11.743 7983 INFO migrate.versioning.api [-] 96 -> 97...
2017-02-17 17:22:11.754 7983 INFO migrate.versioning.api [-] done
2017-02-17 17:28:10.672 8128 INFO keystone.token.providers.fernet.utils [-] [fernet_tokens] key_repository does not appear to exist; attempting to create it
2017-02-17 17:28:10.673 8128 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0
2017-02-17 17:28:10.674 8128 INFO keystone.token.providers.fernet.utils [-] Starting key rotation with 1 key files: ['/etc/keystone/fernet-keys/0']
2017-02-17 17:28:10.675 8128 INFO keystone.token.providers.fernet.utils [-] Current primary key is: 0
2017-02-17 17:28:10.675 8128 INFO keystone.token.providers.fernet.utils [-] Next primary key will be: 1
2017-02-17 17:28:10.675 8128 INFO keystone.token.providers.fernet.utils [-] Promoted key 0 to be the primary: 1
2017-02-17 17:28:10.676 8128 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0
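The rotation recorded in the log above (staged key 0 promoted to primary 1, a fresh staged key 0 created) is what lets fernet tokens stay valid across key changes without the token table that uuid tokens needed. The following added example, not keystone's own code, simulates that key repository and the behaviour of keystone-manage fernet_setup / fernet_rotate with keystone's default of three active keys; it signs tokens with HMAC-SHA256 as a stand-in for Fernet encryption so that it runs with the standard library alone.

```python
import base64
import hashlib
import hmac
import os
import tempfile
import time


def _write_key(repo, name):
    """Create one key file; keystone keeps one base64 key per numbered file."""
    with open(os.path.join(repo, str(name)), "wb") as fh:
        fh.write(base64.urlsafe_b64encode(os.urandom(32)))


def key_ids(repo):
    """Numeric key ids in the repository, ascending: 0 is the staged key,
    the highest id is the primary key, everything else is a secondary key."""
    return sorted(int(n) for n in os.listdir(repo) if n.isdigit())


def rotate(repo, max_active_keys=3):
    """Mimic 'keystone-manage fernet_rotate'.

    The staged key 0 becomes the new primary (highest id + 1), a fresh staged
    key 0 is written, then the oldest secondary keys are purged until only
    max_active_keys files remain (keystone's default max_active_keys is 3).
    """
    new_primary = max(key_ids(repo)) + 1
    os.rename(os.path.join(repo, "0"), os.path.join(repo, str(new_primary)))
    _write_key(repo, 0)
    ids = key_ids(repo)
    while len(ids) > max_active_keys:
        os.remove(os.path.join(repo, str(ids[1])))  # ids[0] is staged key 0
        ids = key_ids(repo)
    return new_primary


def setup_repo(repo=None):
    """Mimic 'keystone-manage fernet_setup': create key 0, then rotate once.

    Leaves staged key 0 and primary key 1, the two files the tree listing of
    /etc/keystone/fernet-keys shows; the directory is mode 0700 as there.
    """
    repo = repo or tempfile.mkdtemp(prefix="fernet-keys-")
    os.makedirs(repo, mode=0o700, exist_ok=True)
    _write_key(repo, 0)
    rotate(repo)
    return repo


def _keys(repo):
    out = {}
    for i in key_ids(repo):
        with open(os.path.join(repo, str(i)), "rb") as fh:
            out[i] = fh.read()
    return out


def issue_token(repo, payload, ttl=3600, now=None):
    """Sign payload and expiry with the primary key (HMAC stands in for Fernet)."""
    keys = _keys(repo)
    expires = int(now or time.time()) + ttl
    body = f"{payload}|{expires}".encode()
    mac = hmac.new(keys[max(keys)], body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + mac).decode()


def validate_token(repo, token, now=None):
    """Return the payload if any key in the repository (staged, primary or
    secondary) verifies the token and it has not expired, else None. No
    database or memcache lookup is involved: the token carries everything."""
    raw = base64.urlsafe_b64decode(token)
    body, mac = raw[:-32], raw[-32:]
    for key in _keys(repo).values():
        if hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), mac):
            payload, _, expires = body.decode().rpartition("|")
            return payload if (now or time.time()) < int(expires) else None
    return None
```

A token issued under primary key 1 still validates after one rotation (key 1 is then a secondary key) and is rejected after a second rotation purges key 1, which is why fernet_rotate must run no more often than the token lifetime allows.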
[root@linux-node1 ~]# vim /etc/keystone/keystone.conf
[root@linux-node1 ~]# grep -n "#debug" /etc/keystone/keystone.conf
118:#debug = false
403:#debug_cache_backend = false
1008:#debug_level = <None>
[root@linux-node1 ~]#
Creating the domain, projects, users and roles in Keystone
First look up the admin_token set in the configuration file earlier:
[root@linux-node1 ~]# grep -n "^admin_token" /etc/keystone/keystone.conf
13:admin_token = d6f70f7738e69f57a839
[root@linux-node1 ~]#
1. Set the environment variables
Environment variables set in the current shell window apply only there, so do all of the following work in that same window.
Port 5000 is the endpoint consumers call; 35357 is the management endpoint used by administrators.
v3 is the API version, and spelling it out in the URL is very deliberate: it makes problems easy to trace after an upgrade and is friendly to services that depend on a particular version.
The path selects the v3 resources. If you upgrade, a new v4 tree can be added alongside it, so v3 is preserved while v4 becomes available;
that makes problems easy to locate and is an advantage of this architectural design.
[root@linux-node1 ~]# export OS_TOKEN=d6f70f7738e69f57a839
[root@linux-node1 ~]# export OS_URL=http://192.168.56.11:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]#
2. Create the default domain
[root@linux-node1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| name        | default                          |
+-------------+----------------------------------+
[root@linux-node1 ~]#
3. Create the admin project
This admin project can manage all cloud hosts.
[root@linux-node1 ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled     | True                             |
| id          | e88437b3330145e1a713469130b4c3cd |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
+-------------+----------------------------------+
[root@linux-node1 ~]#
4. Create the admin user
In production the password must be complex.
[root@linux-node1 ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | bf3591b757704f8c8166e3294a62efb7 |
| name      | admin                            |
+-----------+----------------------------------+
[root@linux-node1 ~]#
5. Create the admin role
[root@linux-node1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 62a941ebad834b398e9eef009c2b6eaa |
| name      | admin                            |
+-----------+----------------------------------+
[root@linux-node1 ~]#
6. Add the admin role to the admin project and user
[root@linux-node1 ~]# openstack role add --project admin --user admin admin
[root@linux-node1 ~]#
The roles created above are ones OpenStack already defines, not names we chose at random; they are referenced in policy.json (only the first rules of the file are shown here):
[root@linux-node1 ~]# cd /etc/keystone/
[root@linux-node1 keystone]# ls
default_catalog.templates  keystone.conf       logging.conf  sso_callback_template.html
fernet-keys                keystone-paste.ini  policy.json
[root@linux-node1 keystone]# cat policy.json
{
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
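To show how these rules are applied when a request arrives, here is an added example (not keystone's own code, which uses the oslo.policy library) that evaluates the policy.json fragment above against constructed request contexts for the admin and demo users created on this page. It handles only the constructs that fragment uses: role:, rule:, a credential comparison such as is_admin:1, the %(user_id)s target substitution, and and/or.

```python
import json

# Constructed copy of the policy.json fragment shown above; the real file
# continues with many more rules.
POLICY_JSON = """{
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner"
}"""
RULES = json.loads(POLICY_JSON)


def _check(atom, rules, creds, target):
    """Evaluate one 'kind:match' check against the caller's credentials."""
    kind, _, match = atom.partition(":")
    if kind == "rule":                      # reference to another named rule
        return evaluate(match, rules, creds, target)
    if kind == "role":                      # roles granted with 'openstack role add'
        return match in creds.get("roles", ())
    if match.startswith("%(") and match.endswith(")s"):
        # Generic check: take the attribute of the target object being
        # accessed and compare it with the same-named credential attribute
        # (this is how "owner" ties a request to the caller's own user_id).
        match = str(target.get(match[2:-2]))
    return str(creds.get(kind)) == match


def evaluate(rule_name, rules, creds, target=None):
    """Evaluate a named rule; 'and' binds tighter than 'or', as in oslo.policy.
    Parentheses and 'not' are not needed for the rules on this page."""
    target = target or {}
    for disjunct in rules[rule_name].split(" or "):
        if all(_check(a.strip(), rules, creds, target) for a in disjunct.split(" and ")):
            return True
    return False


def is_allowed(rule_name, creds, target=None):
    """Decide rule_name for a request with credentials creds against target."""
    return evaluate(rule_name, RULES, creds, target)


# Constructed request contexts modelled on the users created on this page.
ADMIN_CREDS = {"user_id": "bf3591b757704f8c8166e3294a62efb7", "roles": ["admin"]}
DEMO_CREDS = {"user_id": "7a01e2bd239844f183abbb4b0b960647", "roles": ["user"]}
# A request authenticated with admin_token has no user at all; keystone marks
# such a request is_admin, which is what the 'is_admin:1' branch admits.
BOOTSTRAP_CREDS = {"is_admin": 1, "roles": []}
```

The demo user passes admin_or_owner only for a target whose user_id is its own, which is the whole reason an unprivileged project and user are recommended below for day-to-day work.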
Next create an ordinary user; later on virtual machines will be created as this user.
Normally an unprivileged project and user should be used.
As an example, this guide creates the demo project and user.
7. Create the demo project
[root@linux-node1 keystone]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled     | True                             |
| id          | ef1575c568a4416c81f4855ae5cfd8eb |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
+-------------+----------------------------------+
[root@linux-node1 keystone]#
8. Create the demo user
[root@linux-node1 keystone]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | 7a01e2bd239844f183abbb4b0b960647 |
| name      | demo                             |
+-----------+----------------------------------+
[root@linux-node1 keystone]#
9. Create the user role
[root@linux-node1 keystone]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 5fdf92e7547b4f9aa346f88942ce36b0 |
| name      | user                             |
+-----------+----------------------------------+
[root@linux-node1 keystone]#
10. Add the user role to the demo project and user
[root@linux-node1 keystone]# openstack role add --project demo --user demo user
[root@linux-node1 keystone]#
Creating the service catalog in Keystone
Besides authentication, Keystone also acts as the service catalog,
and Keystone itself has to be registered in it.
1. Create the service project, which will hold the service accounts
[root@linux-node1 keystone]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled     | True                             |
| id          | fc29ee0a1c7145de99885bb4a3bef9c1 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
+-------------+----------------------------------+
[root@linux-node1 keystone]#
Create a user for each service in advance. In this lab each password is identical to the service's username; in production give every service account its own strong password.
2. Create the glance user
[root@linux-node1 ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | fc2b7770e8394568922b0ef18672b45c |
| name      | glance                           |
+-----------+----------------------------------+
[root@linux-node1 ~]#
3. Grant the glance user the admin role in the service project
[root@linux-node1 ~]# openstack role add --project service --user glance admin
[root@linux-node1 ~]#
4. Create the nova user and grant it the admin role in the service project
[root@linux-node1 ~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | b14137c43aa9474d86331593db43fe1f |
| name      | nova                             |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user nova admin
[root@linux-node1 ~]#
5. Create the neutron user and grant it the admin role in the service project
[root@linux-node1 ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | ff1bea210abb4d89b27ab96fd6d6b2d9 |
| name      | neutron                          |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user neutron admin
[root@linux-node1 ~]#
Create the service entity and API endpoints
In your OpenStack environment the Identity service manages the service catalog. Services use this catalog to find out which services are available in the environment.
Create the service entity for the Identity service:
6. Create the keystone service, of type identity
[root@linux-node1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 4c0cdee367d14a66aa3921fe68e4b63e |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
[root@linux-node1 ~]#
7. Create the Identity service API endpoints: public, internal and admin
Only Keystone is special in this respect; for every other service all three endpoints use the same port.
The public URL can be reached from anywhere:
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1d91a71ed4254789ad3c6fed96ec6375 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4c0cdee367d14a66aa3921fe68e4b63e |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+
[root@linux-node1 ~]#
The internal (private) URL can be reached only from the local network:
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 525ca6f2b5bc426d82410f551d3568ff |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4c0cdee367d14a66aa3921fe68e4b63e |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+
[root@linux-node1 ~]#
The admin URL is used by administrators:
[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 7b561693fd7947a0b6c05e6f8f42d964 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4c0cdee367d14a66aa3921fe68e4b63e |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:35357/v3    |
+--------------+----------------------------------+
[root@linux-node1 ~]#
The subcommands available for users and endpoints:
[root@linux-node1 ~]# openstack user --help
Command "user" matches:
  user create
  user delete
  user list
  user password set
  user set
  user show
[root@linux-node1 ~]# openstack endpoint --help
Command "endpoint" matches:
  endpoint create
  endpoint delete
  endpoint list
  endpoint set
  endpoint show
[root@linux-node1 ~]#
8. Check the results of the steps above
[root@linux-node1 ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| 4c0cdee367d14a66aa3921fe68e4b63e | keystone | identity |
+----------------------------------+----------+----------+
[root@linux-node1 ~]# openstack endpoint list
+--------------------+-----------+--------------+--------------+---------+-----------+--------------------+
| ID                 | Region    | Service Name | Service Type | Enabled | Interface | URL                |
+--------------------+-----------+--------------+--------------+---------+-----------+--------------------+
| 1d91a71ed4254789ad | RegionOne | keystone     | identity     | True    | public    | http://192.168.56. |
| 3c6fed96ec6375     |           |              |              |         |           | 11:5000/v3         |
| 525ca6f2b5bc426d82 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.56. |
| 410f551d3568ff     |           |              |              |         |           | 11:5000/v3         |
| 7b561693fd7947a0b6 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56. |
| c05e6f8f42d964     |           |              |              |         |           | 11:35357/v3        |
+--------------------+-----------+--------------+--------------+---------+-----------+--------------------+
[root@linux-node1 ~]#
[root@linux-node1 ~]# mysql -ukeystone -pkeystone
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 5.5.52-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select * from keystone.endpoint;
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------+-------+---------+-----------+
| id                               | legacy_endpoint_id | interface | service_id                       | url                           | extra | enabled | region_id |
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------+-------+---------+-----------+
| 1d91a71ed4254789ad3c6fed96ec6375 | NULL               | public    | 4c0cdee367d14a66aa3921fe68e4b63e | http://192.168.56.11:5000/v3  | {}    |       1 | RegionOne |
| 525ca6f2b5bc426d82410f551d3568ff | NULL               | internal  | 4c0cdee367d14a66aa3921fe68e4b63e | http://192.168.56.11:5000/v3  | {}    |       1 | RegionOne |
| 7b561693fd7947a0b6c05e6f8f42d964 | NULL               | admin     | 4c0cdee367d14a66aa3921fe68e4b63e | http://192.168.56.11:35357/v3 | {}    |       1 | RegionOne |
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------+-------+---------+-----------+
3 rows in set (0.00 sec)

MariaDB [(none)]>
MariaDB [(none)]> select * from keystone.user;
+----------------------------------+-------+---------+--------------------+
| id                               | extra | enabled | default_project_id |
+----------------------------------+-------+---------+--------------------+
| 7a01e2bd239844f183abbb4b0b960647 | {}    |       1 | NULL               |
| b14137c43aa9474d86331593db43fe1f | {}    |       1 | NULL               |
| bf3591b757704f8c8166e3294a62efb7 | {}    |       1 | NULL               |
| fc2b7770e8394568922b0ef18672b45c | {}    |       1 | NULL               |
| ff1bea210abb4d89b27ab96fd6d6b2d9 | {}    |       1 | NULL               |
+----------------------------------+-------+---------+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> select * from keystone.service;
+----------------------------------+----------+---------+-----------------------------------------------------------+
| id                               | type     | enabled | extra                                                     |
+----------------------------------+----------+---------+-----------------------------------------------------------+
| 4c0cdee367d14a66aa3921fe68e4b63e | identity |       1 | {"description": "OpenStack Identity", "name": "keystone"} |
+----------------------------------+----------+---------+-----------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]>
9. Verify by authenticating to Keystone as a user
[root@linux-node1 ~]# unset OS_TOKEN
[root@linux-node1 ~]# unset OS_URL
[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+--------------------------------------------------------------------------------------------+
| Field      | Value                                                                                      |
+------------+--------------------------------------------------------------------------------------------+
| expires    | 2017-02-17T15:30:40.804805Z                                                                |
| id         | gAAAAABYpwkRR5dn3jc8jhGy24mhmkYnQD6pgQoi9pTkP-mSOdbB3G5CELvuoSE4p_8wvAl4-TZunia45moMdCP0iB |
|            | RfWDOoov7ong5KtXa4OdWupiajXm3n49tZvqVFJ760R7LbGZ1I1oGST8cUHsoeVlqze9iIDoTCt9dw6D0-lix-     |
|            | 5wMHwc0                                                                                    |
| project_id | e88437b3330145e1a713469130b4c3cd                                                           |
| user_id    | bf3591b757704f8c8166e3294a62efb7                                                           |
+------------+--------------------------------------------------------------------------------------------+
[root@linux-node1 ~]#
Test the demo user by requesting an authentication token; this succeeds too.
[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:
+------------+--------------------------------------------------------------------------------------------+
| Field      | Value                                                                                      |
+------------+--------------------------------------------------------------------------------------------+
| expires    | 2017-02-17T15:34:15.267032Z                                                                |
| id         | gAAAAABYpwnnB8SFrZCQMa_d_4vHcKMQoAmt34F1rnIAz4fMsIG1Hr1c1wbGE3TAKBbQW4T-YHZt61P5EKAoopPJK- |
|            | bhXZZHZO6huiVIPvytzN3rd0N-zSf-xdKDWZ0SiGAciDCbyjfzm0i4DFhEnkA9buxAaFL8eTpWvPoknCBg-        |
|            | klLB35Pw1A                                                                                 |
| project_id | ef1575c568a4416c81f4855ae5cfd8eb                                                           |
| user_id    | 7a01e2bd239844f183abbb4b0b960647                                                           |
+------------+--------------------------------------------------------------------------------------------+
[root@linux-node1 ~]#
10. Create the OpenStack client environment scripts
Set up two environment scripts; from now on just source one of them, and getting a token no longer means typing the long command above.
[root@linux-node1 ~]# cat admin-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]# cat demo-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Load the environment variables via the script and get a token:
[root@linux-node1 ~]# source admin-openstack.sh
[root@linux-node1 ~]# openstack token issue
+------------+--------------------------------------------------------------------------------------------+
| Field      | Value                                                                                      |
+------------+--------------------------------------------------------------------------------------------+
| expires    | 2017-02-17T15:47:48.365307Z                                                                |
| id         | gAAAAABYpw0Ua2MqIA4X7zouPtRHzKmd9TSKG5tcX76c1rv40CDYJX1nZZUjDvMl0884721zaFlFOARPm2jDGkrqir |
|            | b5X6qNnVCQGUSiasm853HZge2m1ZBGw6GOMbFiG0SAABIUvl7E3Or8kzHWnLBJ8Ls6AfP350tlR8zH7kUVwV8-2CKp |
|            | NQY                                                                                        |
| project_id | e88437b3330145e1a713469130b4c3cd                                                           |
| user_id    | bf3591b757704f8c8166e3294a62efb7                                                           |
+------------+--------------------------------------------------------------------------------------------+
[root@linux-node1 ~]#
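What the openstack client does with those OS_* variables, and how the public/internal/admin endpoints registered in steps 6 to 8 are consumed, as an added example that is not part of the original post or of python-openstackclient: it reads the variables from a script like admin-openstack.sh, builds the v3 password-authentication body the client POSTs to OS_AUTH_URL/auth/tokens, and selects an endpoint URL out of a constructed token response (the catalog below is built from the identity endpoints shown above; a real response carries the token itself in the X-Subject-Token header).

```python
from datetime import datetime

# Constructed copy of the admin-openstack.sh script from this page.
ADMIN_SCRIPT = """
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
"""


def env_from_script(text):
    """Collect the 'export KEY=value' assignments of a client script."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("export ") and "=" in line:
            key, _, value = line[len("export "):].partition("=")
            env[key] = value
    return env


def auth_tokens_url(env):
    """The identity URL the client posts the authentication request to."""
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"


def auth_request_body(env):
    """JSON body of a v3 password authentication scoped to a project. Both the
    user and the project are named together with their domain, which is why
    the 'default' domain had to be created before anything else."""
    return {"auth": {
        "identity": {
            "methods": ["password"],
            "password": {"user": {
                "name": env["OS_USERNAME"],
                "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                "password": env["OS_PASSWORD"]}}},
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}


# Constructed token response body built from the endpoints registered above:
# the expiry and the service catalog the client navigates by.
TOKEN_RESPONSE = {"token": {
    "expires_at": "2017-02-17T15:30:40.804805Z",
    "project": {"id": "e88437b3330145e1a713469130b4c3cd", "name": "admin"},
    "user": {"id": "bf3591b757704f8c8166e3294a62efb7", "name": "admin"},
    "catalog": [{
        "type": "identity", "name": "keystone",
        "id": "4c0cdee367d14a66aa3921fe68e4b63e",
        "endpoints": [
            {"id": "1d91a71ed4254789ad3c6fed96ec6375", "interface": "public",
             "region_id": "RegionOne", "url": "http://192.168.56.11:5000/v3"},
            {"id": "525ca6f2b5bc426d82410f551d3568ff", "interface": "internal",
             "region_id": "RegionOne", "url": "http://192.168.56.11:5000/v3"},
            {"id": "7b561693fd7947a0b6c05e6f8f42d964", "interface": "admin",
             "region_id": "RegionOne", "url": "http://192.168.56.11:35357/v3"},
        ]}]}}


def find_endpoint(token_body, service_type, interface="public", region=None):
    """URL of the first catalog endpoint matching type/interface[/region], or
    None when the service is not registered or has no such interface."""
    for service in token_body["token"].get("catalog", []):
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and region in (None, ep["region_id"]):
                return ep["url"]
    return None


def token_valid_at(token_body, when_iso):
    """True while expires_at (UTC, ISO 8601 with microseconds) is after when_iso."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ"
    expires = datetime.strptime(token_body["token"]["expires_at"], fmt)
    return datetime.strptime(when_iso, fmt) < expires
```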