OpenStack Deployment: Adding the Identity Service
This chapter describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For performance, this configuration serves Keystone through the Apache HTTP server with mod_wsgi and uses the Fernet token provider, so tokens are not persisted in the SQL database.
Prerequisites
Before you configure the OpenStack Identity service, you must create a database and decide on an administrator password (this page bootstraps the admin account with keystone-manage bootstrap rather than a shared admin token).
Log in to MySQL, create the keystone database and grant the keystone user the appropriate privileges on it:
[root@Controller-Node ~]# mysql -uroot -p123456 -e "Create database keystone;"
[root@Controller-Node ~]# mysql -uroot -p123456 -e "grant all privileges on keystone.* to 'keystone'@'%' identified by 'keystone'"
[root@Controller-Node ~]# mysql -uroot -p123456 -e "grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'keystone'"
Two things to change outside a lab: a password passed as -p123456 is recorded in the shell history and is visible to every local user in the process list while the command runs (run mysql -uroot -p and type it at the prompt instead), and the 'keystone'@'%' grant accepts the keystone account from any host. Use a strong database password and, where possible, limit the host part of the grant to the controller's address.
I. Install and configure the components
1. Install the packages:
[root@Controller-Node ~]# yum install openstack-keystone httpd mod_wsgi -y
2. Edit /etc/keystone/keystone.conf and complete the following actions:
[root@Controller-Node ~]# vim /etc/keystone/keystone.conf
[database]
connection = mysql://keystone:keystone@10.20.9.13/keystone
[token]
provider = fernet
The connection string embeds the database password, so keystone.conf must stay readable only by root and the keystone group, as the package installs it.
3. Populate the Identity service database:
[root@Controller-Node ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@Controller-Node ~]# mysql -uroot -p
Enter password:
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
Note that show databases only confirms that the database created above exists. To confirm that db_sync actually built the schema, run use keystone; show tables; and check that tables such as user, project and role are present.
4. Initialize the Fernet key repositories:
[root@Controller-Node ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@Controller-Node ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
These commands create /etc/keystone/fernet-keys and /etc/keystone/credential-keys, owned by the keystone user and readable by nobody else. Anyone who can read the Fernet keys can mint valid tokens for any user, so back them up and rotate them with the same care as a CA key.
5. Bootstrap the Identity service (the admin password, 123456, is set here):
[root@Controller-Node ~]# keystone-manage bootstrap --bootstrap-password 123456 \
> --bootstrap-admin-url http://10.20.9.13:35357/v3/ \
> --bootstrap-internal-url http://10.20.9.13:5000/v3/ \
> --bootstrap-public-url http://10.20.9.13:5000/v3/ \
> --bootstrap-region-id RegionOne
[root@Controller-Node ~]#
This creates the admin user, project and role and the identity service endpoints for RegionOne in one step, and produces no output on success. 123456 is a placeholder: the whole command line, password included, is recorded in the shell history, so choose a strong password and keep the entry out of the history.
II. Configure the Apache HTTP server
1. Edit /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node:
[root@Controller-Node ~]# vim /etc/httpd/conf/httpd.conf
ServerName 10.20.9.13:80
2. Link /usr/share/keystone/wsgi-keystone.conf into the Apache configuration directory:
[root@Controller-Node ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
3. Finish the installation: enable the Apache service at boot and start it:
[root@Controller-Node ~]# systemctl enable httpd.service
[root@Controller-Node ~]# systemctl start httpd.service
Both listeners defined in wsgi-keystone.conf (5000 and 35357) are plain HTTP, so passwords and tokens cross the network in cleartext; put TLS in front of them before exposing the API beyond the management network.
4. Configure the administrative account by exporting the following variables:
$ export OS_USERNAME=admin
$ export OS_PASSWORD=123456
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://10.20.9.13:35357/v3
$ export OS_IDENTITY_API_VERSION=3
III. Create projects, users and roles
1. Create the service project:
[root@Controller-Node ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 13a653102f284955b0851ad277c99691 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
[root@Controller-Node ~]#
2. Create the demo project
Regular tasks should not use the privileged project and user. As an example, this guide creates a demo project and user.
[root@Controller-Node ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 681e7fe667e74326b781c9d2107b04e6 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
[root@Controller-Node ~]#
3. Create the demo user (the password entered at the prompt is demo)
[root@Controller-Node ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | f32cf3d3347d4c0ea805311397bc44d0 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@Controller-Node ~]#
4. Create the user role
[root@Controller-Node ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 579b5a803cde48b19c3e531d6a97fadb |
| name      | user                             |
+-----------+----------------------------------+
[root@Controller-Node ~]#
5. Add the user role to the demo project and user
[root@Controller-Node ~]# openstack role add --project demo --user demo user
This command produces no output. The demo user now holds only the user role on the demo project: with the default policy only the admin role grants administrative calls, so demo can authenticate and work within its own project but cannot administer the Identity service.
IV. Verify operation
For security reasons, disable the temporary authentication token mechanism:
1. Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections (if your keystone version still ships that filter). This page bootstrapped the service with keystone-manage bootstrap rather than a shared admin_token, so the filter currently has no token to accept; leaving it in the pipelines, however, means that any future admin_token setting in keystone.conf would grant full administrative access with no password.
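As an added example (my code, not from the page or the Keystone project), the following Python applies step 1 by editing only the pipeline lines and then reports which pipelines still reference the filter, so the change can be checked rather than eyeballed. The keystone-paste.ini content is a constructed sample that mimics the three pipelines named above, not the real file; the real one lives at /etc/keystone/keystone-paste.ini, and disable_admin_token_auth is a hypothetical helper that applies the same edit to it in place.

```python
"""Remove admin_token_auth from the paste pipelines and verify it is gone.

Added example; not part of the original page or of Keystone. The pipeline
lines are edited by text substitution so comments and the other sections
(including [filter:admin_token_auth] itself) are preserved verbatim.
"""
import re

# Constructed sample resembling the three pipelines the text names.
# The real file is /etc/keystone/keystone-paste.ini.
SAMPLE_PASTE_INI = """\
[pipeline:public_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = sizelimit url_normalize request_id build_auth_context token_auth admin_token_auth json_body ec2_extension_v3 s3_extension service_v3

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory
"""

# A pipeline definition line: "pipeline = filter1 filter2 ... app"
PIPELINE_LINE = re.compile(r"^(\s*pipeline\s*=\s*)(.*)$")


def pipelines_using(text, name="admin_token_auth"):
    """Return the [section] names whose pipeline line still lists `name`.

    Matching is on whole filter names, so token_auth does not count as a
    hit for admin_token_auth.
    """
    found = []
    section = None
    for line in text.splitlines():
        if line.startswith("[") and line.rstrip().endswith("]"):
            section = line.strip()[1:-1]
        m = PIPELINE_LINE.match(line)
        if m and name in m.group(2).split():
            found.append(section)
    return found


def strip_filter(text, name="admin_token_auth"):
    """Drop `name` from every pipeline line; every other line is unchanged."""
    out = []
    for line in text.splitlines(keepends=True):
        newline = "\n" if line.endswith("\n") else ""
        m = PIPELINE_LINE.match(line.rstrip("\n"))
        if m:
            filters = [f for f in m.group(2).split() if f != name]
            line = m.group(1) + " ".join(filters) + newline
        out.append(line)
    return "".join(out)


def disable_admin_token_auth(path):
    """Hypothetical in-place editor: rewrite `path`, keep a .bak copy,
    and return the pipelines that were changed (empty if already clean)."""
    with open(path) as fh:
        before = fh.read()
    changed = pipelines_using(before)
    if changed:
        with open(path + ".bak", "w") as fh:
            fh.write(before)
        with open(path, "w") as fh:
            fh.write(strip_filter(before))
    return changed


if __name__ == "__main__":
    print("before:", pipelines_using(SAMPLE_PASTE_INI))
    print("after: ", pipelines_using(strip_filter(SAMPLE_PASTE_INI)))
```

Running it on the sample lists the three pipelines before and none after; the [filter:admin_token_auth] section is left in place, which is harmless because nothing references it any more.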
2. Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:
[root@Controller-Node ~]# unset OS_AUTH_URL OS_PASSWORD
3. As the admin user, request an authentication token (password 123456):
[root@Controller-Node ~]# openstack --os-auth-url http://10.20.9.13:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-09T07:19:44+0000                                                                                                                                                                |
| id         | gAAAAABbvEiA4RjUdYMbpajULcMQLCGQ8ooP4hGEXkiTyxVXwOL3DFJzZTQKld8IAsgqB-SyFgZqPqedr2vTku8WvwKOl1dB1Tf6eViNmZsdgFQcwJS6ywVkXTDi5fA7Cg6oLAdF-AQiX25iaGdA1YUO2RWXPQjZu9F4c4HS9Oy2qogGDFQVt2M |
| project_id | 6effb77cf0ba48a7a65a2c2235bbb726                                                                                                                                                        |
| user_id    | 4483b19e82e94d9888962f09b05ef178                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@Controller-Node ~]#
4. As the demo user, request an authentication token (the password is demo, as set above):
[root@Controller-Node ~]# openstack --os-auth-url http://10.20.9.13:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-09T07:21:40+0000                                                                                                                                                                |
| id         | gAAAAABbvEj0ymfdS3cGYifJj9SCQEsDWkK7gexsdfu9wPWq7ilBiT6UWPoDv3AIF65IVtQG5X8XQT3wJ1wNq6sNmGGf7_kWNmVq7YmdxlsjMxetq1IY-_lla9Pho-3KlsYkRS1sTiSTwihlKVJKl_5_7c3INV-EbHCXlHGRLVUrr35R8ok71Vc |
| project_id | 681e7fe667e74326b781c9d2107b04e6                                                                                                                                                        |
| user_id    | f32cf3d3347d4c0ea805311397bc44d0                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@Controller-Node ~]#
The demo token is requested on the public endpoint (5000), the admin token on the admin endpoint (35357). Either token is a bearer credential: whoever holds the id string can act as that user on that project until expires, so treat the output with the same care as the password.
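The token ids printed above are Fernet tokens, and their first nine bytes (a version byte and the issue timestamp) are not encrypted. The following added example (my code, not part of the page or of Keystone) decodes that header from the three tokens issued in this chapter, checks that issue time plus Keystone's default [token] expiration of 3600 seconds reproduces the expires column, and confirms each token has the fixed Fernet layout. The token strings are copied from the output as printed, joined where the CLI wrapped a value across two table rows; the 3600-second lifetime is an assumption (the page never changes the default). It does not verify the HMAC or decrypt the payload, because that needs the keys in /etc/keystone/fernet-keys.

```python
"""Inspect the Fernet tokens issued in this chapter without the signing key.

Added example; not part of the original page or of Keystone. A Fernet token
is urlsafe-base64 of:
    version (1 byte, 0x80) | timestamp (8 bytes, big-endian seconds)
    | IV (16) | ciphertext (n * 16, AES-CBC) | HMAC-SHA256 (32)
Keystone strips the '=' padding from the base64 it hands out. The header is
cleartext, so anyone holding a token learns when it was issued; the user and
project ids are inside the ciphertext, so reading them needs the key.
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

FERNET_VERSION = 0x80
HEADER_LEN = 1 + 8
IV_LEN = 16
HMAC_LEN = 32
DEFAULT_TOKEN_TTL = 3600  # keystone.conf [token] expiration default (assumed unchanged)

# Token ids and expiry values exactly as printed by `openstack token issue`
# above (admin, demo, then admin again via admin-openrc.sh). Each id is the
# two table rows the CLI wrapped it into, joined back together.
PAGE_TOKENS = {
    "gAAAAABbvEiA4RjUdYMbpajULcMQLCGQ8ooP4hGEXkiTyxVXwOL3DFJzZTQKld8IAsgqB-SyFgZqPqedr2vTku8WvwKOl1dB1Tf6eViNmZsdgFQcwJS6ywVkXTDi5fA7Cg6oLAdF-"
    "AQiX25iaGdA1YUO2RWXPQjZu9F4c4HS9Oy2qogGDFQVt2M": "2018-10-09T07:19:44+0000",
    "gAAAAABbvEj0ymfdS3cGYifJj9SCQEsDWkK7gexsdfu9wPWq7ilBiT6UWPoDv3AIF65IVtQG5X8XQT3wJ1wNq6sNmGGf7_kWNmVq7YmdxlsjMxetq1IY-_lla9Pho-"
    "3KlsYkRS1sTiSTwihlKVJKl_5_7c3INV-EbHCXlHGRLVUrr35R8ok71Vc": "2018-10-09T07:21:40+0000",
    "gAAAAABbvEsWBtoHWT5Ww8OyZ-DriQuSL6GlWhkL4LqCk_LfYVWxChafe5dHjEu9ZsrY9jdym8UtidF9SlfZGDrDrC1E_nRBitxFWkKZRVoXYFgAtCMgt8rC_zoH3Yy_suAeIpgS4u_oJFSurRiHM-"
    "rWf9IVPPJD-F2lRUUBSf37ft87xp6jWxE": "2018-10-09T07:30:46+0000",
}


def _b64decode(token):
    """Restore the '=' padding Keystone strips, then decode urlsafe base64."""
    return base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))


def parse_header(token):
    """Return (version, issued_at) from the cleartext header.

    Only the first 12 base64 characters (9 bytes) are needed, so this also
    works on a truncated token id.
    """
    if len(token) < 12:
        raise ValueError("need at least the first 12 base64 characters")
    version, seconds = struct.unpack(">BQ", _b64decode(token[:12]))
    if version != FERNET_VERSION:
        raise ValueError("not a Fernet token: version byte %#x" % version)
    return version, datetime.fromtimestamp(seconds, tz=timezone.utc)


def layout(token):
    """Field lengths of a full token; nothing is verified or decrypted."""
    raw = _b64decode(token)
    body = len(raw) - HEADER_LEN - IV_LEN - HMAC_LEN
    if body < 16 or body % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {"total": len(raw), "ciphertext": body, "blocks": body // 16}


def expected_expiry(token, ttl=DEFAULT_TOKEN_TTL):
    """Issue time from the header plus the token lifetime, in Keystone's format."""
    _, issued = parse_header(token)
    return (issued + timedelta(seconds=ttl)).strftime("%Y-%m-%dT%H:%M:%S+0000")


def check_page_tokens():
    """For each token above: does header time + default TTL equal the printed expiry?"""
    return {t[:12]: expected_expiry(t) == exp for t, exp in PAGE_TOKENS.items()}


if __name__ == "__main__":
    for token, printed in PAGE_TOKENS.items():
        _, issued = parse_header(token)
        print(token[:12], "issued", issued.isoformat(), "printed expiry", printed,
              "computed", expected_expiry(token), layout(token))
```

All three tokens decode to an issue time exactly one hour before the printed expires value, which is the default lifetime; the project_id and user_id the CLI prints come from the API response, not from the token, since they sit in the encrypted part.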
V. Create OpenStack client environment scripts
In the previous sections we used a mix of environment variables and command options to interact with the Identity service. To make this more efficient and convenient, create client environment scripts that set the variables for later operations. The scripts cover the common settings and can be extended with your own.
Creating the scripts
1. Create and edit the admin-openrc.sh file and add the following content:
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://10.20.9.13:35357/v3
export OS_IDENTITY_API_VERSION=3
2. Create and edit the demo-openrc.sh file and add the following content:
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://10.20.9.13:5000/v3
export OS_IDENTITY_API_VERSION=3
These files hold plaintext passwords, so restrict them to their owner (chmod 600 admin-openrc.sh demo-openrc.sh) and keep them out of shared directories and version control. OS_TENANT_NAME is the legacy v2 name for the project, kept only for older clients; OS_PROJECT_NAME is what the v3 API uses.
3. Using the scripts
Load the script to update the environment variables:
[root@Controller-Node ~]# . admin-openrc.sh
4. Request an authentication token:
[root@Controller-Node ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-09T07:30:46+0000                                                                                                                                                                |
| id         | gAAAAABbvEsWBtoHWT5Ww8OyZ-DriQuSL6GlWhkL4LqCk_LfYVWxChafe5dHjEu9ZsrY9jdym8UtidF9SlfZGDrDrC1E_nRBitxFWkKZRVoXYFgAtCMgt8rC_zoH3Yy_suAeIpgS4u_oJFSurRiHM-rWf9IVPPJD-F2lRUUBSf37ft87xp6jWxE |
| project_id | 6effb77cf0ba48a7a65a2c2235bbb726                                                                                                                                                        |
| user_id    | 4483b19e82e94d9888962f09b05ef178                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@Controller-Node ~]#
With this, the OpenStack Identity service deployment is complete.
Reference: https://docs.openstack.org/liberty/zh_CN/install-guide-rdo/keystone.html (the Liberty guide bootstraps Keystone with a shared admin_token; the keystone-manage bootstrap and credential_setup commands used on this page come from the install guides of later releases.)