https://docs.openstack.org/keystone/latest/ official documentation
A domain is the authentication boundary: projects and users belong to a domain, and roles are what link a user to a project.
openstack role add --project demo(project name) --user demo(user name) user(role name)
domain
An Identity API v3 entity. Represents a collection of projects, groups and users that defines administrative boundaries for managing OpenStack Identity entities.
The Identity service works with a combination of domains, projects, users, and roles.
Keystone's three token-generation methods and how Fernet authentication works
source /opt/stack/devstack/openrc. To act as the demo tenant (i.e. project) and the demo user: # source /home/devstack/openrc demo demo
if [[ -n "$1" ]]; then    # first positional argument overrides the user name
    OS_USERNAME=$1
fi
if [[ -n "$2" ]]; then    # second positional argument overrides the project name
    OS_PROJECT_NAME=$2
fi
From this you can see that the first argument after openrc is the user name and the second is the project name: source /opt/stack/devstack/openrc admin admin
/bin/systemctl restart apache2
openstack service create --name SERVICE_NAME --description SERVICE_DESCRIPTION SERVICE_TYPE //create the service (a catalog entry); openstack catalog list
A region is closer to a geographic concept: each region has its own independent endpoints and regions are completely isolated from each other, but multiple regions share one keystone and one dashboard.
2. Create the service entity and API endpoints
openstack service create --name keystone --description "OpenStack Identity" identity
openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
III. Create a domain, projects, users and roles. Creating a project or a user requires specifying a domain; creating a role does not.
1. Create the domain default
openstack domain create --description "Default Domain" default
2. Create the admin project
openstack project create --domain default --description "Admin Project" admin
3. Create the admin user
openstack user create --domain default --password-prompt admin # prompts for the admin password
4. Create the admin role
openstack role create admin
5. Add the admin role to the admin project and user
openstack role add --project admin --user admin admin
6. Create the service project
openstack project create --domain default --description "Service Project" service
7. Create the demo project
openstack project create --domain default --description "Demo Project" demo
8. Create the demo user
openstack user create --domain default --password-prompt demo # prompts for the demo user's password
9. Create the user role
openstack role create user
10. Add the user role to the demo project and user
openstack role add --project demo --user demo user
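The domain/project/user/role model explained at the top of the page and the ten bootstrap steps above, as an added Python example (not the page's code or Keystone's implementation; the Identity class, its method names and the bootstrap helper are hypothetical): it enforces that projects and users must name an existing domain while roles need none, replays the steps, and answers the two questions an operator checks afterwards, whether a given user holds a role on a project and who holds admin anywhere.

```python
# Added example (not the page's or Keystone's code): in-memory model of the page's
# entities: domains bound projects and users, roles are global, assignments link them.


class Identity:
    def __init__(self):
        self.domains, self.roles = set(), set()  # roles are global: no --domain
        self.projects, self.users = set(), set()  # keyed by (domain, name)
        self.assignments = set()  # (user key, project key, role name)

    def domain_create(self, name):
        self.domains.add(name)

    def create(self, kind, domain, name):  # kind: "project" or "user"
        # like 'openstack project/user create --domain <domain> <name>'
        if domain not in self.domains:
            raise ValueError(f"unknown domain {domain}")
        getattr(self, kind + "s").add((domain, name))

    def role_create(self, name):  # 'openstack role create <name>'
        self.roles.add(name)

    def role_add(self, project, user, role, domain="default"):
        # 'openstack role add --project <project> --user <user> <role>'
        if (domain, project) not in self.projects or (domain, user) not in self.users:
            raise ValueError("project and user must exist before assignment")
        if role not in self.roles:
            raise ValueError(f"unknown role {role}")
        self.assignments.add(((domain, user), (domain, project), role))

    def has_role(self, user, project, role, domain="default"):
        return ((domain, user), (domain, project), role) in self.assignments

    def admin_holders(self):
        # least-privilege review: every (user, project) pair holding 'admin'
        return sorted((u[1], p[1]) for u, p, r in self.assignments if r == "admin")


def bootstrap():  # replays the page's steps 1-10 (grouped by entity type)
    ks = Identity()
    ks.domain_create("default")
    for name in ("admin", "service", "demo"):
        ks.create("project", "default", name)
    for name in ("admin", "demo"):
        ks.create("user", "default", name)
    for name in ("admin", "user"):
        ks.role_create(name)
    ks.role_add("admin", "admin", "admin")
    ks.role_add("demo", "demo", "user")
    return ks
```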
User
List users
openstack user list
Create a user
openstack user create [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--print-empty] [--noindent] [--prefix PREFIX]
[--domain <domain>] [--project <project>]
[--project-domain <project-domain>]
[--password <password>] [--password-prompt]
[--email <email-address>]
[--description <description>]
[--enable | --disable] [--or-show]
<name>
!!!!! In everyday use you only need to supply the parameters you actually need
Delete a user
openstack user delete <user name or user id; either works, and the same applies below; for simplicity only user-id is used from here on>
Show user details
openstack user show <user-id>
Update user information
openstack user set [-h] [--name <name>] [--domain <domain>]
[--project <project>]
[--project-domain <project-domain>]
[--password <password>] [--password-prompt]
[--email <email-address>]
[--description <description>] [--enable | --disable]
<user>
Grant a user a role
openstack role add --project demo(project name) --user demo(user name) user(role name)
View the mapping between users and roles --- the table shows ids
openstack role assignment list
Remove a role from a user (legacy keystone client syntax; there is no openstack user-role-remove subcommand)
keystone user-role-remove --user-id <user-id> --role-id <role-id>
[--tenant-id <tenant-id>]
Remove a role from a user with the openstack CLI (usage of openstack role remove)
openstack role remove [-h] [--domain <domain> | --project <project>]
[--user <user> | --group <group>]
[--group-domain <group-domain>]
[--project-domain <project-domain>]
[--user-domain <user-domain>] [--inherited]
[--role-domain <role-domain>]
<role>
Project
List projects
openstack project list
Create a project
openstack project create name
Delete a project
openstack project delete <project-id>
Update project information
openstack project set [--name <project_name>] [--domain <domain>]
[--description <project-description>]
[--enable | --disable]
<project-id>
Show project details
openstack project show <project-id>
Role
List roles
openstack role list
Create a role
openstack role create name
Delete a role
openstack role delete <role-id>
Show role details
openstack role show <role-id>
Service
List services
openstack service list
Create a service
openstack service create [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--print-empty] [--noindent] [--prefix PREFIX]
[--name <name>] [--description <description>]
[--enable | --disable]
<type>
Delete a service
openstack service delete <service-id>
Show service details
openstack service show <service-id>
Endpoint (URL)
List endpoints
openstack endpoint list
Create an endpoint
openstack endpoint create [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--print-empty] [--noindent]
[--prefix PREFIX] [--region <region-id>]
[--enable | --disable]
<service> <interface> <url>
Delete an endpoint
openstack endpoint delete <endpoint-id>
Show endpoint details
openstack endpoint show <endpoint-id>
Catalog
List the catalog
openstack catalog list
root@devstack2019:/usr/local/lib/python2.7/dist-packages/openstack# openstack region list
+-----------+---------------+-------------+
| Region | Parent Region | Description |
+-----------+---------------+-------------+
| RegionOne | None | |
+-----------+---------------+-------------+
root@devstack2019:/usr/local/lib/python2.7/dist-packages/openstack# openstack region create --name RegionTwo
usage: openstack region create [-h] [-f {json,shell,table,value,yaml}]
[-c COLUMN] [--max-width <integer>]
[--fit-width] [--print-empty] [--noindent]
[--prefix PREFIX] [--parent-region <region-id>]
[--description <description>]
<region-id>
openstack region create: error: unrecognized arguments: --name
root@devstack2019:/usr/local/lib/python2.7/dist-packages/openstack# openstack region create RegionTwo
+---------------+-----------+
| Field | Value |
+---------------+-----------+
| description | |
| enabled | True |
| parent_region | None |
| region | RegionTwo |
+---------------+-----------+
root@devstack2019:/usr/local/lib/python2.7/dist-packages/openstack#