openstack -- 3 -- installing and configuring keystone on the control node


Keystone introduction


 

What Keystone does

Users and authentication: user permissions, and tracking of what users do.

Service catalog: a catalog of every service and the API endpoints belonging to it; Keystone is the registry the other services look up.

 

 

Authentication concepts: User, Tenant, Token, Role
Service catalog concepts: Service, Endpoint

 

Service catalog terms

Service
A Service is a component such as Nova, Glance or Swift. Using the three concepts above (User, Tenant and Role) a service can decide whether the current user is allowed to access its resources.
But when a user tries to reach a service inside their tenant, they must first know whether that service exists and how to reach it; this is why each service is registered under a distinct name and type.

Endpoint

An Endpoint is the access point a service exposes; to use a service you must know its endpoint.
Keystone therefore keeps an endpoint catalog listing the endpoints of every registered service (the package still ships a legacy template file, default_catalog.templates, but this guide stores the catalog in the database).
Each endpoint entry carries one URL for one service instance, and every service has up to three interfaces: public, internal and admin.
The public URL is reachable from anywhere; the internal URL (older documentation calls it the private URL) is meant for service-to-service traffic on the management network; the admin URL is kept separate from regular access. For keystone the admin interface carries the privileged management API, which is why it gets its own port (35357) below.

 

Authentication terms

Token
A Token is the key to accessing resources. Keystone returns it once the credentials have been verified; from then on every request to another service only needs to carry the token.
Each token has an expiry and is only valid within that window. A token is a bearer credential: whoever holds it can act as the user until it expires or is revoked, so it must travel only over TLS and must never end up in logs.

Role
A Role names a set of permissions over resources the user may access, for example virtual machines in Nova or images in Glance.
A role can be assigned to a user globally or within a tenant. With a global role the user's permissions apply to every tenant, i.e. the user can perform the role's operations in all tenants;
with a tenant role the user can only perform the role's operations inside that tenant. In the v3 API used in this guide a role assignment is always scoped to a project or a domain; there is no unscoped global role.

Tenant
  Tenant即租戶,現在改成了項目。它是各個服務中的一些可以訪問的資源集合。例如,在Nova中一個tenant可以是一些機器,
在Swift和Glance中一個tenant可以是一些鏡像存儲,在Neutron中一個tenant可以是一些網絡資源。Users默認的總是綁定到某些tenant上。

User
A User represents a person or program that can authenticate through keystone. Users are verified with credentials (a password, API keys, and so on).

A project can have several users
A user can belong to one or more projects
What a user may do in a project is decided by the role the user holds in that project

 

 

 

 

Keystone installation and configuration


 

1. Install the keystone packages

Why is memcached involved now? In earlier releases tokens were persisted in the database, and keystone's token table kept growing into tens of millions of rows until responses became very slow. You could truncate that table, but never while instances are being created.
Tokens can now be kept in memcached instead, which is faster to read and lets an expiry be set on every entry. (With the Fernet provider configured below tokens are not stored server-side at all; memcached then only serves as keystone's cache.)
python-memcached is the Python client keystone uses to talk to memcached.
httpd runs the keystone service, and mod_wsgi is the Apache module that lets the Python application run inside Apache.

[root@linux-node1 ~]# yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirrors.163.com
 * epel: mirror01.idc.hinet.net
 * extras: mirrors.163.com
 * updates: mirrors.163.com
Package 1:openstack-keystone-9.2.0-1.el7.noarch already installed and latest version
Package httpd-2.4.6-45.el7.centos.x86_64 already installed and latest version
Package mod_wsgi-3.4-12.el7_0.x86_64 already installed and latest version
Package memcached-1.4.33-2.el7.x86_64 already installed and latest version
Package python-memcached-1.54-3.el7.noarch already installed and latest version
Nothing to do
[root@linux-node1 ~]# 

  

 

2. Edit the keystone configuration file

Keystone manages authentication, and we want to create users in it. If it shipped with a default user, as rabbitmq does, that would do,
but there are no users yet, so how do we connect in order to create one? That is what admin_token is for.
With admin_token you can talk to keystone without any user at all, so configure admin_token first. Treat it like a root password: it bypasses authentication completely, so once the admin user exists, disable it by removing admin_token_auth from the pipelines in /etc/keystone/keystone-paste.ini.
Replace the default value with a random one; generate a random string:

[root@linux-node1 ~]# openssl rand -hex 10
d6f70f7738e69f57a839
[root@linux-node1 ~]# 

 

Edit the keystone configuration file /etc/keystone/keystone.conf

Set admin_token on line 13 to the random value generated above (or a value of your own, as long as it is not trivial).
The option must start in column 0: no whitespace in front of admin_token.

 

Under [database], change the connection string as shown below.

 

Configure the memcached connection

What memcache is for in keystone:
after the user name and password have been verified, the generated token is kept in memcache to improve performance.
memcache can in fact run on any machine, which decouples it from keystone.

 

 

Under [token], set the token provider (fernet is safer than uuid: Fernet tokens are signed and encrypted and are never persisted, so they cannot pile up in the database) and set driver to memcache, which keeps token persistence data in memcache instead of the database. Because the Fernet provider does not persist tokens, the driver setting only matters if you ever switch back to uuid tokens.

 

Check the configuration, with line numbers. Note that the database URL embeds the password; keystone:keystone is a lab value, so in production use a strong one and keep keystone.conf readable only by root and the keystone group (as the listing in step 4 shows it is).

[root@linux-node1 ~]# grep -n  '^[a-Z]'  /etc/keystone/keystone.conf
13:admin_token = d6f70f7738e69f57a839
549:connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
1252:servers = 192.168.56.11:11211
2005:provider = fernet
2010:driver = memcache
[root@linux-node1 ~]# 

  

 

3. Sync the database (create the tables)

Initialise the identity service database:
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@linux-node1 ~]# 
 

Why run this command as the keystone user?
If you run it as root it still succeeds, but the log file it creates is then owned by root.
When the keystone service starts later it has to write to that log file; it cannot write to a root-owned file, so it fails to start.
After the command above the log is owned by the keystone user.

[root@linux-node1 ~]# cd /var/log/keystone/
[root@linux-node1 keystone]# ll
total 8
-rw-r--r-- 1 keystone keystone 6964 Feb 16 21:32 keystone.log
[root@linux-node1 keystone]# tail -10 keystone.log 
2017-02-16 21:32:31.820 6028 INFO migrate.versioning.api [-] 2 -> 3... 
2017-02-16 21:32:31.835 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.835 6028 INFO migrate.versioning.api [-] 3 -> 4... 
2017-02-16 21:32:31.879 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.879 6028 INFO migrate.versioning.api [-] 4 -> 5... 
2017-02-16 21:32:31.902 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.927 6028 INFO migrate.versioning.api [-] 0 -> 1... 
2017-02-16 21:32:31.947 6028 INFO migrate.versioning.api [-] done
2017-02-16 21:32:31.947 6028 INFO migrate.versioning.api [-] 1 -> 2... 
2017-02-16 21:32:31.975 6028 INFO migrate.versioning.api [-] done

You can of course run it as root and then chown the log file to keystone.

 
 
Verify that the tables were created, connecting as the keystone user; this also checks that the database credentials work. (Passing -p<password> on the command line puts the password into the shell history and the process list; outside a lab, let mysql prompt for it.)
[root@linux-node1 ~]# mysql -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
[root@linux-node1 ~]# 

Below is the default location of the keystone log file; note its owner and group permissions. It is world-readable here; in production restrict it to the keystone user, since the log records user names and request details.

[root@linux-node1 ~]# cd /var/log/keystone/
[root@linux-node1 keystone]# ll
total 8
-rw-r--r-- 1 keystone keystone 4340 Feb 17 17:22 keystone.log
[root@linux-node1 keystone]# 
 
 
 
4. Initialise the Fernet keys (the symmetric keys that sign and encrypt tokens; these are keys, not certificates)
[root@linux-node1 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@linux-node1 keystone]# 
When the command finishes it has created the fernet-keys directory shown below. The directory is mode 0700 and owned by keystone, and it must stay that way: anyone who can read these keys can forge a valid token for any user. Also note the permissions on keystone.conf, which holds admin_token and the database password.
[root@linux-node1 keystone]# cd /etc/keystone/
[root@linux-node1 keystone]# ls -l
total 100
-rw-r----- 1 root     keystone  2303 Sep 22 20:06 default_catalog.templates
drwx------ 2 keystone keystone    22 Feb 17 17:28 fernet-keys
-rw-r----- 1 root     keystone 73171 Feb 17 17:22 keystone.conf
-rw-r----- 1 root     keystone  2400 Sep 22 20:06 keystone-paste.ini
-rw-r----- 1 root     keystone  1046 Sep 22 20:06 logging.conf
-rw-r----- 1 keystone keystone  9699 Sep 22 20:06 policy.json
-rw-r----- 1 keystone keystone   665 Sep 22 20:06 sso_callback_template.html
[root@linux-node1 keystone]# 

The same directory viewed with tree:

[root@linux-node1 keystone]# tree
.
├── default_catalog.templates
├── fernet-keys
│   ├── 0
│   └── 1
├── keystone.conf
├── keystone-paste.ini
├── logging.conf
├── policy.json
└── sso_callback_template.html

1 directory, 8 files
[root@linux-node1 keystone]# 
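What fernet_setup and fernet_rotate do to this directory, and the permission check worth running afterwards, as an added example in Python. This is not keystone's own code (that lives in keystone.token.providers.fernet.utils); it reproduces the repository layout (0 is the staged key, the highest index is the primary, the rest are secondaries), the rotation rule that shows up in the keystone log later in this guide (0 is promoted, a fresh 0 is written, the oldest secondary is purged once max_active_keys is exceeded), and flags any key file or directory that is readable by group or others. It works in a temporary directory; the path and max_active_keys=3 are assumptions of the example, not values from this page.

```python
"""Model of keystone's Fernet key repository and of key rotation.

Added example (not keystone's own code): standard library only, runs in a
temporary directory. Layout and rotation rules follow keystone-manage:
  - key 0 is the staged key, the highest index is the primary key,
    every other index is a secondary key;
  - rotation promotes 0 to primary (index = old primary + 1), writes a
    fresh staged key 0, and removes the oldest secondaries once more than
    max_active_keys files exist.
"""
from __future__ import annotations

import base64
import os
import stat
import tempfile


def new_key() -> bytes:
    """A Fernet key: 32 random bytes, URL-safe base64 encoded (44 chars)."""
    return base64.urlsafe_b64encode(os.urandom(32))


def key_indexes(repo: str) -> list[int]:
    return sorted(int(name) for name in os.listdir(repo) if name.isdigit())


def write_key(repo: str, index: int) -> None:
    # Create with mode 0600 from the start rather than chmod-ing afterwards,
    # so the key is never group- or world-readable even for an instant.
    fd = os.open(os.path.join(repo, str(index)),
                 os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(new_key())


def fernet_setup(repo: str) -> None:
    """First run of fernet_setup: 0700 directory, staged key 0, primary key 1."""
    os.makedirs(repo, mode=0o700, exist_ok=False)
    write_key(repo, 0)
    write_key(repo, 1)


def primary_key_index(repo: str) -> int:
    return max(key_indexes(repo))


def fernet_rotate(repo: str, max_active_keys: int = 3) -> int:
    """Staged key 0 becomes the primary, a new 0 is staged, the oldest
    secondaries are purged. Returns the new primary index."""
    new_primary = primary_key_index(repo) + 1
    os.rename(os.path.join(repo, "0"), os.path.join(repo, str(new_primary)))
    write_key(repo, 0)
    # Secondaries in ascending order, i.e. oldest first; 0 and the primary stay.
    secondaries = [i for i in key_indexes(repo) if i not in (0, new_primary)]
    excess = len(key_indexes(repo)) - max_active_keys
    for idx in secondaries[:max(excess, 0)]:
        os.remove(os.path.join(repo, str(idx)))
    return new_primary


def repository_problems(repo: str) -> list[str]:
    """Permission and format problems; an empty list means the repo is sane."""
    problems = []
    mode = stat.S_IMODE(os.stat(repo).st_mode)
    if mode & 0o077:
        problems.append(f"{repo} is mode {mode:04o}, expected 0700")
    for idx in key_indexes(repo):
        path = os.path.join(repo, str(idx))
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & 0o077:
            problems.append(f"{path} is mode {mode:04o}, expected 0600")
        with open(path, "rb") as f:
            if len(f.read()) != 44:
                problems.append(f"{path} is not a 44-byte Fernet key")
    return problems


def demo() -> dict:
    """Set up a repository, rotate it twice, audit it, then break a mode."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = os.path.join(tmp, "fernet-keys")
        fernet_setup(repo)
        after_setup = key_indexes(repo)            # [0, 1]
        fernet_rotate(repo)                        # 0 -> 2, new 0
        fernet_rotate(repo)                        # 0 -> 3, new 0, key 1 purged
        after_rotation = key_indexes(repo)         # [0, 2, 3]
        clean = repository_problems(repo)
        os.chmod(os.path.join(repo, "0"), 0o644)   # what a careless chmod -R does
        leaky = repository_problems(repo)
        return {"after_setup": after_setup, "after_rotation": after_rotation,
                "primary": primary_key_index(repo), "clean": clean, "leaky": leaky}


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rotation is what keeps a leaked key from being useful forever: a token encrypted under a purged key can no longer be validated, so schedule keystone-manage fernet_rotate (and copy the repository to every keystone node) rather than leaving keys 0 and 1 in place indefinitely.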

  

 
5. Start memcached and adjust its configuration
[root@linux-node1 ~]# systemctl start memcached.service
[root@linux-node1 ~]# systemctl enable memcached
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@linux-node1 keystone]# netstat -antp | grep 11211
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      12264/memcached     
tcp6       0      0 ::1:11211               :::*                    LISTEN      12264/memcached   

[root@linux-node1 keystone]# ps aux | grep memcached
memcach+  12264  0.0  0.0 333840  1212 ?        Ssl  20:43   0:00 /usr/bin/memcached -p 11211 -u memcached -m 64 -c 1024 -l 127.0.0.1,::1
root      12345  0.0  0.0 112644   964 pts/0    S+   20:45   0:00 grep --colour=auto memcached
[root@linux-node1 keystone]# 
 
Find its configuration file:
[root@linux-node1 keystone]# rpm -ql memcached
/etc/sysconfig/memcached
/usr/bin/memcached
/usr/bin/memcached-tool
/usr/lib/systemd/system/memcached.service
/usr/share/doc/memcached-1.4.33
/usr/share/doc/memcached-1.4.33/AUTHORS
/usr/share/doc/memcached-1.4.33/CONTRIBUTORS
/usr/share/doc/memcached-1.4.33/COPYING
/usr/share/doc/memcached-1.4.33/ChangeLog
/usr/share/doc/memcached-1.4.33/NEWS
/usr/share/doc/memcached-1.4.33/README.md
/usr/share/doc/memcached-1.4.33/new_lru.txt
/usr/share/doc/memcached-1.4.33/protocol.txt
/usr/share/doc/memcached-1.4.33/readme.txt
/usr/share/doc/memcached-1.4.33/threads.txt
/usr/share/man/man1/memcached-tool.1.gz
/usr/share/man/man1/memcached.1.gz
[root@linux-node1 keystone]# 
 
Below is its default configuration, which you can change:
[root@linux-node1 keystone]# cat /etc/sysconfig/memcached 
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1"
[root@linux-node1 keystone]# 
memcached is listening on loopback only, not on 192.168.56.11, the address keystone.conf points at, so keystone cannot reach it. This has to be fixed, otherwise password authentication later fails with a 500 error:
[root@linux-node1 keystone]# telnet 192.168.56.11 11211
Trying 192.168.56.11...
telnet: connect to address 192.168.56.11: Connection refused
 
Change the memcached listen address. This guide binds it to all interfaces; bear in mind that memcached has no authentication of its own, so 0.0.0.0 exposes the cache (and any tokens kept in it) to every network the host is attached to. Binding only to the management address (OPTIONS="-l 192.168.56.11,127.0.0.1") and restricting port 11211 with the firewall is the safer choice:
[root@linux-node1 ~]# cat /etc/sysconfig/memcached 
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 0.0.0.0"
[root@linux-node1 ~]# 
 
Restart memcached (systemctl restart memcached.service); port 11211 is now listening on IPv4 on all addresses:
[root@linux-node1 ~]# netstat -antp 
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      4916/beam.smp       
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1181/httpd          
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1615/mysqld         
tcp        0      0 0.0.0.0:11211           0.0.0.0:*               LISTEN      2006/memcached      
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1181/httpd          
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1745/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1160/sshd           
tcp        0      0 0.0.0.0:15672           0.0.0.0:*               LISTEN      4916/beam.smp       
tcp        0      0 0.0.0.0:35357           0.0.0.0:*               LISTEN      1181/httpd          
tcp        0      0 127.0.0.1:4369          127.0.0.1:33788         ESTABLISHED 1653/epmd           
tcp        0     52 192.168.56.11:22        192.168.56.1:50037      ESTABLISHED 1910/sshd: root@pts 
tcp        0      0 192.168.56.11:4369      192.168.56.11:60206     TIME_WAIT   -                   
tcp        0      0 127.0.0.1:54935         127.0.0.1:4369          TIME_WAIT   -                   
tcp        0      0 127.0.0.1:33788         127.0.0.1:4369          ESTABLISHED 4916/beam.smp       
tcp        0      0 192.168.56.11:4369      192.168.56.11:47835     TIME_WAIT   -                   
tcp        0      0 192.168.56.11:4369      192.168.56.11:33010     TIME_WAIT   -                   
tcp        0     57 192.168.56.11:15672     192.168.56.1:51799      ESTABLISHED 4916/beam.smp       
tcp6       0      0 :::5672                 :::*                    LISTEN      4916/beam.smp       
tcp6       0      0 :::22                   :::*                    LISTEN      1160/sshd           
[root@linux-node1 ~]# 

It can now be reached over IPv4. Note that the check below connects to 127.0.0.1, which memcached accepted even before the change; to confirm the fix, telnet to 192.168.56.11 11211, the address keystone.conf uses.

[root@linux-node1 keystone]# telnet 127.0.0.1 11211
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
^]
telnet> quit
Connection closed.
[root@linux-node1 keystone]# 

To avoid interference later from services that listen on IPv6, you can disable IPv6 system-wide (optional; skip it if anything in your environment needs IPv6):

[root@linux-node1 ~]# vim /etc/sysctl.conf 
[root@linux-node1 ~]# cat /etc/sysctl.conf 
# sysctl settings are defined through files in
# /usr/lib/sysctl.d/, /run/sysctl.d/, and /etc/sysctl.d/.
#
# Vendors settings live in /usr/lib/sysctl.d/.
# To override a whole file, create a new file with the same in
# /etc/sysctl.d/ and put new settings there. To override
# only specific settings, add a file with a lexically later
# name in /etc/sysctl.d/ and put new settings there.
#
# For more information, see sysctl.conf(5) and sysctl.d(5).
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[root@linux-node1 ~]# sysctl -p
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
[root@linux-node1 ~]# 
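A check for the two files edited in step 2 and step 5, as an added example that is not from this page or from OpenStack. It parses a keystone.conf and an /etc/sysconfig/memcached, both constructed inline to match the values shown above, and reports what a reviewer would flag: admin_token still enabled, a database password equal to the user name, a token provider other than fernet, memcached bound to every interface, and keystone pointing at a memcached address memcached does not listen on. The third memcached sample, bound to the management address only, is the corrected configuration; the file paths and option names are the real ones, the contents are samples.

```python
"""Audit of the two files edited in steps 2 and 5: keystone.conf and
/etc/sysconfig/memcached.

Added example, not from the page or from OpenStack. Both files are
constructed inline to mirror the values shown on this page; pass real file
contents to audit() to check a live host.
"""
from __future__ import annotations

import configparser
import shlex
from urllib.parse import urlparse

# Constructed sample: the relevant lines of the page's keystone.conf.
KEYSTONE_CONF = """
[DEFAULT]
admin_token = d6f70f7738e69f57a839
[database]
connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
[memcache]
servers = 192.168.56.11:11211
[token]
provider = fernet
driver = memcache
"""

# Constructed samples: the package default (loopback only), the page's
# change (every interface) and the safer alternative (management address).
MEMCACHED_DEFAULT = """
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="64"
OPTIONS="-l 127.0.0.1,::1"
"""
MEMCACHED_ALL_IFACES = MEMCACHED_DEFAULT.replace("-l 127.0.0.1,::1", "-l 0.0.0.0")
MEMCACHED_MGMT_ONLY = MEMCACHED_DEFAULT.replace("-l 127.0.0.1,::1", "-l 192.168.56.11,127.0.0.1")


def parse_sysconfig(text: str) -> dict[str, str]:
    """KEY="value" lines as the shell sees them (quotes stripped)."""
    out = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        out[key.strip()] = " ".join(shlex.split(value))
    return out


def memcached_listen_addrs(sysconfig: dict[str, str]) -> list[str]:
    """Addresses from OPTIONS="-l a,b". Without -l memcached binds every
    interface, which is represented here as ["0.0.0.0"]."""
    opts = shlex.split(sysconfig.get("OPTIONS", ""))
    for i, opt in enumerate(opts):
        if opt == "-l" and i + 1 < len(opts):
            return opts[i + 1].split(",")
        if opt.startswith("-l") and len(opt) > 2:          # -l127.0.0.1 form
            return opt[2:].split(",")
    return ["0.0.0.0"]


def audit(keystone_conf: str, memcached_sysconfig: str) -> list[str]:
    findings = []
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(keystone_conf)

    if cfg.get("DEFAULT", "admin_token", fallback=""):
        findings.append("admin_token is set: it bypasses authentication entirely; "
                        "drop admin_token_auth from keystone-paste.ini once bootstrap is done")

    db = urlparse(cfg.get("database", "connection", fallback=""))
    if db.password and db.password == db.username:
        findings.append("database password equals the database user name")

    provider = cfg.get("token", "provider", fallback="uuid")   # uuid was the Mitaka default
    if provider != "fernet":
        findings.append(f"token provider is {provider}; use fernet")

    listen = memcached_listen_addrs(parse_sysconfig(memcached_sysconfig))
    wide_open = "0.0.0.0" in listen or "::" in listen
    if wide_open:
        findings.append("memcached listens on all interfaces and has no authentication; "
                        "bind it to the management address and firewall port 11211")

    for server in cfg.get("memcache", "servers", fallback="").split(","):
        host = server.strip().rsplit(":", 1)[0]
        if host and not wide_open and host not in listen:
            findings.append(f"keystone expects memcached at {host} but it listens only on "
                            f"{','.join(listen)}; expect 500 errors at authentication time")
    return findings


if __name__ == "__main__":
    for name, sysconf in (("package default", MEMCACHED_DEFAULT),
                          ("page's change", MEMCACHED_ALL_IFACES),
                          ("management address only", MEMCACHED_MGMT_ONLY)):
        print(f"--- memcached: {name} ---")
        for finding in audit(KEYSTONE_CONF, sysconf):
            print(" *", finding)
```

Run against the real files with open("/etc/keystone/keystone.conf").read() and open("/etc/sysconfig/memcached").read(); on this page's host the two findings that remain even with the corrected memcached binding (admin_token and the keystone:keystone password) are the ones to clean up before the control node sees anything but lab traffic.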

 

 
6. Configure apache

Early on keystone could be started on its own (keystone-all), but performance was poor; since then keystone runs under apache.

Apache fronts keystone with two virtual hosts:

5000 is the normal API port, 35357 the admin port used for management. Both speak plain HTTP here; in production terminate TLS on these virtual hosts (or on a proxy in front of them), because every password and every token crosses them.

Create the file below with the following content:
[root@linux-node1 keystone]# touch /etc/httpd/conf.d/wsgi-keystone.conf
[root@linux-node1 keystone]# vim /etc/httpd/conf.d/wsgi-keystone.conf
[root@linux-node1 keystone]# cat /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
[root@linux-node1 keystone]# 

 

Edit the main httpd configuration; line 95 should read as follows.

httpd's ServerName must be set: without it apache starts, but the keystone service does not come up.

[root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf 
[root@linux-node1 keystone]# grep -n "^ServerName" /etc/httpd/conf/httpd.conf
95:ServerName 192.168.56.11:80
[root@linux-node1 keystone]# 

  

7. Start the keystone service
Starting apache starts keystone:
[root@linux-node1 keystone]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@linux-node1 keystone]# systemctl start httpd.service
[root@linux-node1 keystone]# 

Check the listeners: ports 5000 and 35357 are up.

[root@linux-node1 keystone]# netstat -lntp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:25672           0.0.0.0:*               LISTEN      3455/beam.smp       
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      1965/mysqld         
tcp        0      0 127.0.0.1:11211         0.0.0.0:*               LISTEN      12264/memcached     
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 0.0.0.0:4369            0.0.0.0:*               LISTEN      1/systemd           
tcp        0      0 192.168.122.1:53        0.0.0.0:*               LISTEN      1337/dnsmasq        
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1153/sshd           
tcp        0      0 0.0.0.0:15672           0.0.0.0:*               LISTEN      3455/beam.smp       
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1277/master         
tcp6       0      0 :::5000                 :::*                    LISTEN      12556/httpd         
tcp6       0      0 :::5672                 :::*                    LISTEN      3455/beam.smp       
tcp6       0      0 ::1:11211               :::*                    LISTEN      12264/memcached     
tcp6       0      0 :::111                  :::*                    LISTEN      1/systemd           
tcp6       0      0 :::80                   :::*                    LISTEN      12556/httpd         
tcp6       0      0 :::22                   :::*                    LISTEN      1153/sshd           
tcp6       0      0 ::1:25                  :::*                    LISTEN      1277/master         
tcp6       0      0 :::35357                :::*                    LISTEN      12556/httpd         
[root@linux-node1 keystone]# 
 
Check the log; it is fine as long as there are no errors:
[root@linux-node1 ~]# tail -f /var/log/keystone/keystone.log 
2017-02-17 17:22:11.743 7983 INFO migrate.versioning.api [-] done
2017-02-17 17:22:11.743 7983 INFO migrate.versioning.api [-] 96 -> 97... 
2017-02-17 17:22:11.754 7983 INFO migrate.versioning.api [-] done
2017-02-17 17:28:10.672 8128 INFO keystone.token.providers.fernet.utils [-] [fernet_tokens] key_repository does not appear to exist; attempting to create it
2017-02-17 17:28:10.673 8128 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0
2017-02-17 17:28:10.674 8128 INFO keystone.token.providers.fernet.utils [-] Starting key rotation with 1 key files: ['/etc/keystone/fernet-keys/0']
2017-02-17 17:28:10.675 8128 INFO keystone.token.providers.fernet.utils [-] Current primary key is: 0
2017-02-17 17:28:10.675 8128 INFO keystone.token.providers.fernet.utils [-] Next primary key will be: 1
2017-02-17 17:28:10.675 8128 INFO keystone.token.providers.fernet.utils [-] Promoted key 0 to be the primary: 1
2017-02-17 17:28:10.676 8128 INFO keystone.token.providers.fernet.utils [-] Created a new key: /etc/keystone/fernet-keys/0
 
If startup fails, enable debug in keystone.conf (debug = true on line 118; turn it off again afterwards, debug logging is verbose and can include request details):
[root@linux-node1 ~]# vim /etc/keystone/keystone.conf 
[root@linux-node1 ~]# grep -n "#debug" /etc/keystone/keystone.conf
118:#debug = false
403:#debug_cache_backend = false
1008:#debug_level = <None>
[root@linux-node1 ~]# 

  

 

 

Creating the domain, projects, users and roles in keystone


 

 

First look at the admin_token configured earlier:

[root@linux-node1 ~]# grep -n "^admin_token" /etc/keystone/keystone.conf
13:admin_token = d6f70f7738e69f57a839
[root@linux-node1 ~]# 

 

1. Set the environment variables

The variables only exist in the current shell, so run the following commands in the same window.
Port 5000 is for consumers, 35357 is the admin link for administrators.
v3 is the API version. Putting the version in the URL is deliberate: it makes problems after an upgrade easier to trace and is friendly to services that depend on a particular version.
Resources of the v3 API live under /v3; after an upgrade a new /v4 tree can exist alongside it, so the old version is preserved while the new one is added,
which helps isolate problems and is a strength of the design.
OS_TOKEN is the bootstrap admin token: do not put these exports in a file that is sourced at login, and unset OS_TOKEN and OS_URL as soon as the admin user and the endpoints exist.

[root@linux-node1 ~]# export OS_TOKEN=d6f70f7738e69f57a839
[root@linux-node1 ~]# export OS_URL=http://192.168.56.11:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# 

 

2. Create the default domain

[root@linux-node1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| name        | default                          |
+-------------+----------------------------------+
[root@linux-node1 ~]# 

 


3. Create the admin project

The admin project is the one from which all instances are administered.

[root@linux-node1 ~]# openstack project create --domain default   --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled     | True                             |
| id          | e88437b3330145e1a713469130b4c3cd |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
+-------------+----------------------------------+
[root@linux-node1 ~]# 

  

4. Create the admin user

In production the password must be complex.

[root@linux-node1 ~]# openstack user create --domain default  --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | bf3591b757704f8c8166e3294a62efb7 |
| name      | admin                            |
+-----------+----------------------------------+
[root@linux-node1 ~]# 

  

5. Create the admin role
[root@linux-node1 ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 62a941ebad834b398e9eef009c2b6eaa |
| name      | admin                            |
+-----------+----------------------------------+
[root@linux-node1 ~]# 

  

6. Add the admin role to the admin project and user

[root@linux-node1 ~]# openstack role add --project admin --user admin admin
[root@linux-node1 ~]# 

The role names used here are not arbitrary: the policy files of the services refer to them (role:admin, role:service), as keystone's own policy.json shows:

[root@linux-node1 ~]# cd /etc/keystone/
[root@linux-node1 keystone]# ls
default_catalog.templates  keystone.conf       logging.conf  sso_callback_template.html
fernet-keys                keystone-paste.ini  policy.json
[root@linux-node1 keystone]# cat policy.json 
{
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner" : "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
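How those rule strings are evaluated, as an added example. This is not oslo.policy (the library keystone actually uses); it reimplements only the syntax visible in the excerpt above: role:, is_admin:, rule:, the %(user_id)s lookup against the target, and "or"/"and" chains without parentheses. The credentials are constructed from the users created in this guide, with the glance service user that is created later under the service project included to show that the admin role on any project satisfies admin_required.

```python
"""Minimal evaluator for the rule syntax shown in keystone's policy.json.

Added example, not oslo.policy itself. Handles only the forms visible on the
page: "role:<name>", "is_admin:1", "rule:<other rule>", "user_id:%(user_id)s"
and "or" / "and" chains without parentheses.
"""
from __future__ import annotations

# The rules quoted from policy.json above.
RULES = {
    "admin_required": "role:admin or is_admin:1",
    "service_role": "role:service",
    "service_or_admin": "rule:admin_required or rule:service_role",
    "owner": "user_id:%(user_id)s",
    "admin_or_owner": "rule:admin_required or rule:owner",
}


def check_atom(atom: str, creds: dict, target: dict, rules: dict) -> bool:
    """Evaluate one 'kind:value' atom the way oslo.policy's built-in checks do."""
    kind, _, value = atom.partition(":")
    if kind == "rule":
        return evaluate(rules[value], creds, target, rules)
    if kind == "role":
        return value in creds.get("roles", [])
    # Generic check: the left side is looked up in the credentials; the right
    # side is a literal, or %(key)s taken from the target of the request.
    if value.startswith("%(") and value.endswith(")s"):
        expected = target.get(value[2:-2])
    else:
        expected = value
    return str(creds.get(kind)) == str(expected)


def evaluate(rule: str, creds: dict, target: dict, rules: dict = RULES) -> bool:
    """'and' binds tighter than 'or', as in oslo.policy; no parentheses."""
    return any(
        all(check_atom(a.strip(), creds, target, rules) for a in clause.split(" and "))
        for clause in rule.split(" or ")
    )


# Constructed credentials: what a project-scoped token of each user carries.
# User ids are the ones shown on this page; project ids are placeholders.
ADMIN = {"user_id": "bf3591b757704f8c8166e3294a62efb7", "project_id": "admin-proj", "roles": ["admin"]}
DEMO = {"user_id": "7a01e2bd239844f183abbb4b0b960647", "project_id": "demo-proj", "roles": ["user"]}
GLANCE = {"user_id": "fc2b7770e8394568922b0ef18672b45c", "project_id": "service-proj", "roles": ["admin"]}
USERS = (("admin", ADMIN), ("demo", DEMO), ("glance", GLANCE))


def who_may(rule: str, target: dict) -> list[str]:
    """Names of the users for whom `rule` passes against `target`."""
    return [name for name, creds in USERS if evaluate(rule, creds, target)]


if __name__ == "__main__":
    demo_self = {"user_id": DEMO["user_id"]}     # a request on demo's own credential
    print("admin_required :", who_may("rule:admin_required", {}))
    print("owner (demo)   :", who_may("rule:owner", demo_self))
    print("admin_or_owner :", who_may("rule:admin_or_owner", demo_self))
```

The first line of output is the point to remember: the glance service account passes admin_required exactly like the real admin does, because "role:admin" says nothing about which project the role was granted in. That is why the service-user passwords created later must be treated as cloud-admin credentials.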

  

Next, create an ordinary user; instances will later be created as this user.

Normally you should work with unprivileged projects and users.
As an example, this guide creates the demo project and user.

 

7. Create the demo project

[root@linux-node1 keystone]# openstack project create --domain default  --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled     | True                             |
| id          | ef1575c568a4416c81f4855ae5cfd8eb |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
+-------------+----------------------------------+
[root@linux-node1 keystone]# 

 

8. Create the demo user

[root@linux-node1 keystone]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | 7a01e2bd239844f183abbb4b0b960647 |
| name      | demo                             |
+-----------+----------------------------------+
[root@linux-node1 keystone]# 

  

 

9. Create the user role
[root@linux-node1 keystone]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 5fdf92e7547b4f9aa346f88942ce36b0 |
| name      | user                             |
+-----------+----------------------------------+
[root@linux-node1 keystone]# 

 

10. Add the user role to the demo project and user

[root@linux-node1 keystone]# openstack role add --project demo --user demo user
[root@linux-node1 keystone]# 

 

 

Registering the service catalog in keystone


 

Besides authentication, keystone also provides the service catalog,
and keystone itself has to be registered in it.

1. Create the service project, which holds the service accounts

[root@linux-node1 keystone]# openstack project create --domain default  --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled     | True                             |
| id          | fc29ee0a1c7145de99885bb4a3bef9c1 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 1b7cf039119d4f8a8e82baaa6f4c2469 |
+-------------+----------------------------------+
[root@linux-node1 keystone]# 

 

 

Create a user for each service in advance. In this lab each password equals the user name. Do not do that in production: every service user is given the admin role below, and because admin_required in policy.json only checks for the admin role and not for the project it is scoped to, these are effectively cloud-admin credentials and must be strong and unique.

2. Create the glance user

[root@linux-node1 ~]# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | fc2b7770e8394568922b0ef18672b45c |
| name      | glance                           |
+-----------+----------------------------------+
[root@linux-node1 ~]# 

  

3. Add the glance user to the service project with the admin role
[root@linux-node1 ~]# openstack role add --project service --user glance admin
[root@linux-node1 ~]# 

  

nova service
4. Create the nova user, add it to the service project and give it the admin role
[root@linux-node1 ~]# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | b14137c43aa9474d86331593db43fe1f |
| name      | nova                             |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user nova admin
[root@linux-node1 ~]# 

  

5. Create the neutron user, add it to the service project and give it the admin role
[root@linux-node1 ~]# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 1b7cf039119d4f8a8e82baaa6f4c2469 |
| enabled   | True                             |
| id        | ff1bea210abb4d89b27ab96fd6d6b2d9 |
| name      | neutron                          |
+-----------+----------------------------------+
[root@linux-node1 ~]# openstack role add --project service --user neutron admin
[root@linux-node1 ~]# 

  

 

Create the service entity and API endpoints

In your OpenStack environment the identity service maintains the service catalog. Services use this catalog to discover which services are available in the environment.
Create the service entity for the identity service:

6. Create the keystone service, of type identity

[root@linux-node1 ~]# openstack service create  --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 4c0cdee367d14a66aa3921fe68e4b63e |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
[root@linux-node1 ~]# 

  

 

7. Create the identity service API endpoints: public, internal and admin

Only keystone is special in this respect; for the other services all three endpoints use the same port.

The public URL can be reached from anywhere:

[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1d91a71ed4254789ad3c6fed96ec6375 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4c0cdee367d14a66aa3921fe68e4b63e |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+
[root@linux-node1 ~]# 

 

The internal URL is for the management network (older docs call it the private URL):

[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 525ca6f2b5bc426d82410f551d3568ff |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4c0cdee367d14a66aa3921fe68e4b63e |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+
[root@linux-node1 ~]# 

The admin URL, used by administrators:

[root@linux-node1 ~]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 7b561693fd7947a0b6c05e6f8f42d964 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 4c0cdee367d14a66aa3921fe68e4b63e |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:35357/v3    |
+--------------+----------------------------------+
[root@linux-node1 ~]# 

  

Create, delete, update and list operations on the objects you created take an id, so anything created by mistake can be deleted by its id:
[root@linux-node1 ~]# openstack user --help
Command "user" matches:
  user create
  user delete
  user list
  user password set
  user set
  user show
[root@linux-node1 ~]# openstack endpoint --help
Command "endpoint" matches:
  endpoint create
  endpoint delete
  endpoint list
  endpoint set
  endpoint show
[root@linux-node1 ~]# 

  

8. Check the results

[root@linux-node1 ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| 4c0cdee367d14a66aa3921fe68e4b63e | keystone | identity |
+----------------------------------+----------+----------+
[root@linux-node1 ~]# openstack endpoint list
+--------------------+-----------+--------------+--------------+---------+-----------+--------------------+
| ID                 | Region    | Service Name | Service Type | Enabled | Interface | URL                |
+--------------------+-----------+--------------+--------------+---------+-----------+--------------------+
| 1d91a71ed4254789ad | RegionOne | keystone     | identity     | True    | public    | http://192.168.56. |
| 3c6fed96ec6375     |           |              |              |         |           | 11:5000/v3         |
| 525ca6f2b5bc426d82 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.56. |
| 410f551d3568ff     |           |              |              |         |           | 11:5000/v3         |
| 7b561693fd7947a0b6 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56. |
| c05e6f8f42d964     |           |              |              |         |           | 11:35357/v3        |
+--------------------+-----------+--------------+--------------+---------+-----------+--------------------+
[root@linux-node1 ~]# 
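The token exchange described in the Token and Endpoint sections at the top of this page, against the catalog just created, as an added example in Python (not from the page or from the OpenStack clients). It builds the body of a password authentication request to POST /v3/auth/tokens scoped to a project, resolves an endpoint URL from the catalog in the response by service type, interface and region, and checks the token expiry. No request is sent: the response is a constructed sample whose catalog reproduces the three endpoints listed above; the user, project, role and endpoint ids are the ones on this page, the timestamps are made up. In a real run the token itself arrives in the X-Subject-Token response header, not in the JSON body.

```python
"""Keystone v3 password authentication request and service-catalog lookup.

Added example, not code from the page or from the OpenStack clients. No
network call is made: the request body is what a client POSTs to
/v3/auth/tokens, and the response is a constructed sample whose catalog
reproduces the three identity endpoints created on this page. The token
itself is returned in the X-Subject-Token response header, not in the JSON.
"""
from __future__ import annotations

import json
from datetime import datetime


def password_auth_body(user: str, password: str, project: str,
                       domain: str = "default") -> dict:
    """Body for POST /v3/auth/tokens, scoped to `project`. Scope matters:
    an unscoped token carries neither roles nor a catalog."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {"name": user, "domain": {"name": domain},
                             "password": password},
                },
            },
            "scope": {"project": {"name": project, "domain": {"name": domain}}},
        }
    }


def endpoint_url(token_body: dict, service_type: str, interface: str = "public",
                 region: str | None = None) -> str | None:
    """Resolve a URL from the catalog the way a client does: by service type,
    interface and, optionally, region. None if nothing matches."""
    for service in token_body["token"].get("catalog", []):
        if service["type"] != service_type:
            continue
        for ep in service["endpoints"]:
            if ep["interface"] == interface and (region is None or ep["region"] == region):
                return ep["url"]
    return None


def _parse_ts(ts: str) -> datetime:
    # Keystone emits e.g. 2017-02-17T18:00:00.000000Z; fromisoformat needs an offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def token_is_valid(token_body: dict, now_iso: str) -> bool:
    """Expiry check a client should make before reusing a cached token."""
    return _parse_ts(now_iso) < _parse_ts(token_body["token"]["expires_at"])


# Constructed sample response. Ids are those shown on this page; the
# timestamps are made up.
SAMPLE_RESPONSE = {
    "token": {
        "methods": ["password"],
        "issued_at": "2017-02-17T18:00:00.000000Z",
        "expires_at": "2017-02-17T19:00:00.000000Z",
        "user": {"id": "bf3591b757704f8c8166e3294a62efb7", "name": "admin",
                 "domain": {"id": "1b7cf039119d4f8a8e82baaa6f4c2469", "name": "default"}},
        "project": {"id": "e88437b3330145e1a713469130b4c3cd", "name": "admin",
                    "domain": {"id": "1b7cf039119d4f8a8e82baaa6f4c2469", "name": "default"}},
        "roles": [{"id": "62a941ebad834b398e9eef009c2b6eaa", "name": "admin"}],
        "catalog": [{
            "type": "identity", "name": "keystone", "id": "4c0cdee367d14a66aa3921fe68e4b63e",
            "endpoints": [
                {"id": "1d91a71ed4254789ad3c6fed96ec6375", "interface": "public",
                 "region": "RegionOne", "region_id": "RegionOne",
                 "url": "http://192.168.56.11:5000/v3"},
                {"id": "525ca6f2b5bc426d82410f551d3568ff", "interface": "internal",
                 "region": "RegionOne", "region_id": "RegionOne",
                 "url": "http://192.168.56.11:5000/v3"},
                {"id": "7b561693fd7947a0b6c05e6f8f42d964", "interface": "admin",
                 "region": "RegionOne", "region_id": "RegionOne",
                 "url": "http://192.168.56.11:35357/v3"},
            ],
        }],
    }
}


if __name__ == "__main__":
    print(json.dumps(password_auth_body("admin", "<password>", "admin"), indent=2))
    print("admin endpoint :", endpoint_url(SAMPLE_RESPONSE, "identity", "admin"))
    print("valid at 18:30 :", token_is_valid(SAMPLE_RESPONSE, "2017-02-17T18:30:00Z"))
```

This is also why the catalog matters for security: a client trusts whatever URL keystone hands back for a service type, so an attacker who can write endpoint rows (the keystone database, or the admin API) can redirect every client in the cloud to a host of their choosing.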
All the create operations above write to the database, and the list commands read from it:
[root@linux-node1 ~]# mysql -ukeystone -pkeystone
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 5.5.52-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> select * from keystone.endpoint;
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------+-------+---------+-----------+
| id                               | legacy_endpoint_id | interface | service_id                       | url                           | extra | enabled | region_id |
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------+-------+---------+-----------+
| 1d91a71ed4254789ad3c6fed96ec6375 | NULL               | public    | 4c0cdee367d14a66aa3921fe68e4b63e | http://192.168.56.11:5000/v3  | {}    |       1 | RegionOne |
| 525ca6f2b5bc426d82410f551d3568ff | NULL               | internal  | 4c0cdee367d14a66aa3921fe68e4b63e | http://192.168.56.11:5000/v3  | {}    |       1 | RegionOne |
| 7b561693fd7947a0b6c05e6f8f42d964 | NULL               | admin     | 4c0cdee367d14a66aa3921fe68e4b63e | http://192.168.56.11:35357/v3 | {}    |       1 | RegionOne |
+----------------------------------+--------------------+-----------+----------------------------------+-------------------------------+-------+---------+-----------+
3 rows in set (0.00 sec)

MariaDB [(none)]> 
Everything is stored in the database
MariaDB [(none)]> select * from keystone.user;
+----------------------------------+-------+---------+--------------------+
| id                               | extra | enabled | default_project_id |
+----------------------------------+-------+---------+--------------------+
| 7a01e2bd239844f183abbb4b0b960647 | {}    |       1 | NULL               |
| b14137c43aa9474d86331593db43fe1f | {}    |       1 | NULL               |
| bf3591b757704f8c8166e3294a62efb7 | {}    |       1 | NULL               |
| fc2b7770e8394568922b0ef18672b45c | {}    |       1 | NULL               |
| ff1bea210abb4d89b27ab96fd6d6b2d9 | {}    |       1 | NULL               |
+----------------------------------+-------+---------+--------------------+
5 rows in set (0.00 sec)

MariaDB [(none)]> select * from keystone.service;
+----------------------------------+----------+---------+-----------------------------------------------------------+
| id                               | type     | enabled | extra                                                     |
+----------------------------------+----------+---------+-----------------------------------------------------------+
| 4c0cdee367d14a66aa3921fe68e4b63e | identity |       1 | {"description": "OpenStack Identity", "name": "keystone"} |
+----------------------------------+----------+---------+-----------------------------------------------------------+
1 row in set (0.00 sec)

MariaDB [(none)]> 

9、Verify by connecting to keystone as a user

Since admin_token is no longer used, the corresponding settings in the environment variables must be unset.
Below, the token information is obtained successfully, which shows that the connection as the admin user worked
[root@linux-node1 ~]# unset OS_TOKEN
[root@linux-node1 ~]# unset OS_URL
[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:35357/v3 \
>   --os-project-domain-name default --os-user-domain-name default \
>   --os-project-name admin --os-username admin token issue
Password: 
+------------+--------------------------------------------------------------------------------------------+
| Field      | Value                                                                                      |
+------------+--------------------------------------------------------------------------------------------+
| expires    | 2017-02-17T15:30:40.804805Z                                                                |
| id         | gAAAAABYpwkRR5dn3jc8jhGy24mhmkYnQD6pgQoi9pTkP-mSOdbB3G5CELvuoSE4p_8wvAl4-TZunia45moMdCP0iB |
|            | RfWDOoov7ong5KtXa4OdWupiajXm3n49tZvqVFJ760R7LbGZ1I1oGST8cUHsoeVlqze9iIDoTCt9dw6D0-lix-     |
|            | 5wMHwc0                                                                                    |
| project_id | e88437b3330145e1a713469130b4c3cd                                                           |
| user_id    | bf3591b757704f8c8166e3294a62efb7                                                           |
+------------+--------------------------------------------------------------------------------------------+
[root@linux-node1 ~]# 

Testing the demo user: requesting an authentication token also succeeds

[root@linux-node1 ~]# openstack --os-auth-url http://192.168.56.11:5000/v3 \
>   --os-project-domain-name default --os-user-domain-name default \
>   --os-project-name demo --os-username demo token issue
Password: 
+------------+--------------------------------------------------------------------------------------------+
| Field      | Value                                                                                      |
+------------+--------------------------------------------------------------------------------------------+
| expires    | 2017-02-17T15:34:15.267032Z                                                                |
| id         | gAAAAABYpwnnB8SFrZCQMa_d_4vHcKMQoAmt34F1rnIAz4fMsIG1Hr1c1wbGE3TAKBbQW4T-YHZt61P5EKAoopPJK- |
|            | bhXZZHZO6huiVIPvytzN3rd0N-zSf-xdKDWZ0SiGAciDCbyjfzm0i4DFhEnkA9buxAaFL8eTpWvPoknCBg-        |
|            | klLB35Pw1A                                                                                 |
| project_id | ef1575c568a4416c81f4855ae5cfd8eb                                                           |
| user_id    | 7a01e2bd239844f183abbb4b0b960647                                                           |
+------------+--------------------------------------------------------------------------------------------+
[root@linux-node1 ~]# 

10、Create the OpenStack client environment scripts

Set up two environment-variable scripts; later, just source one of them when needed. Obtaining a token again then no longer requires typing the long command line as before

[root@linux-node1 ~]# cat admin-openstack.sh 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]# cat demo-openstack.sh 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Load the environment variables through the script and obtain a token

[root@linux-node1 ~]# source admin-openstack.sh 
[root@linux-node1 ~]# openstack token issue
+------------+--------------------------------------------------------------------------------------------+
| Field      | Value                                                                                      |
+------------+--------------------------------------------------------------------------------------------+
| expires    | 2017-02-17T15:47:48.365307Z                                                                |
| id         | gAAAAABYpw0Ua2MqIA4X7zouPtRHzKmd9TSKG5tcX76c1rv40CDYJX1nZZUjDvMl0884721zaFlFOARPm2jDGkrqir |
|            | b5X6qNnVCQGUSiasm853HZge2m1ZBGw6GOMbFiG0SAABIUvl7E3Or8kzHWnLBJ8Ls6AfP350tlR8zH7kUVwV8-2CKp |
|            | NQY                                                                                        |
| project_id | e88437b3330145e1a713469130b4c3cd                                                           |
| user_id    | bf3591b757704f8c8166e3294a62efb7                                                           |
+------------+--------------------------------------------------------------------------------------------+
[root@linux-node1 ~]# 
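As an added illustration (it is not part of the original post, nor code from the keystone project), the following Python script does over the raw v3 API what the `openstack token issue` calls in sections 9 and 10 do: it parses an rc file in the same `export KEY=VALUE` form as admin-openstack.sh, builds the v3 password-auth request body, and extracts from the reply the four fields the CLI prints. The controller address 192.168.56.11, the 35357 port and the admin project/user ids are taken from the page; the token string and the HTTP reply in `SAMPLE_HEADERS` / `SAMPLE_BODY` are constructed placeholders, and `token_issue` is the only function that needs the network.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Constructed sample input: the same export lines as admin-openstack.sh on the page.
SAMPLE_RC = """\
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
"""

# Constructed stand-in for a keystone reply (the token string is a placeholder;
# the project/user ids are the admin ones shown on the page).
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABYpw0U-constructed-placeholder-token"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2017-02-17T15:47:48.365307Z",
    "project": {"id": "e88437b3330145e1a713469130b4c3cd"},
    "user": {"id": "bf3591b757704f8c8166e3294a62efb7"},
}})


def parse_openrc(text):
    """Parse `export KEY=VALUE` lines (the admin-openstack.sh / demo-openstack.sh form)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")   # split at the first '=' only
        if sep and key.strip().isidentifier():
            env[key.strip()] = value.strip().strip("'\"")
    return env


def build_password_auth(env):
    """Body of POST /v3/auth/tokens for password auth scoped to a project."""
    missing = [k for k in ("OS_USERNAME", "OS_PASSWORD", "OS_PROJECT_NAME") if k not in env]
    if missing:
        raise KeyError("rc file lacks: " + ", ".join(missing))
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"],
            "domain": {"name": env.get("OS_USER_DOMAIN_NAME", "default")},
            "password": env["OS_PASSWORD"]}}},
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env.get("OS_PROJECT_DOMAIN_NAME", "default")}}},
    }}


def parse_token_response(headers, body):
    """Return the four fields `openstack token issue` prints; the token itself
    travels in the X-Subject-Token header, the rest in the JSON body."""
    token = headers.get("X-Subject-Token")
    if not token:
        raise ValueError("reply carries no X-Subject-Token header")
    tok = json.loads(body)["token"]
    expires = datetime.strptime(tok["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"id": token,
            "expires": expires.replace(tzinfo=timezone.utc),
            "project_id": tok["project"]["id"],
            "user_id": tok["user"]["id"]}


def token_is_valid(info, now=None):
    """Every token has an expiry; stop reusing it client-side once that has passed."""
    now = now or datetime.now(timezone.utc)
    return now < info["expires"]


def token_issue(env, opener=urllib.request.urlopen):
    """Do what `openstack token issue` does, against OS_AUTH_URL from the rc file."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    req = urllib.request.Request(url, data=json.dumps(build_password_auth(env)).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with opener(req) as resp:  # resp.headers is case-insensitive, like a real HTTPMessage
        return parse_token_response(resp.headers, resp.read())


if __name__ == "__main__":
    # Offline demonstration: parse the rc text, build the request, parse the sample reply.
    env = parse_openrc(SAMPLE_RC)
    print(json.dumps(build_password_auth(env), indent=1))
    info = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(info["project_id"], info["user_id"], "valid:", token_is_valid(info))
    # Against the real controller: info = token_issue(env)
```

The token comes back in the X-Subject-Token response header rather than in the JSON body, which is why a client that only reads the body never sees it. Since the rc files keep OS_PASSWORD in clear text, restricting them to the owner (chmod 600 admin-openstack.sh) is the minimal precaution; the script itself never writes the password anywhere.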

From now on, source the environment variables once before running any openstack command!!!