Installing the Keystone identity service for OpenStack
一, General steps for installing an OpenStack service
1, Create the database and grant privileges
2, Create the service user in Keystone and associate a role with it
3, Create the service in Keystone and register its API endpoints
4, Install the packages for the service
5, Edit the configuration:
- the database connection
- the Keystone authentication and authorization settings
- the RabbitMQ connection settings
- the connection settings for the other services
6, Sync the database to create the tables
7, Start the service
二, A brief introduction to Keystone
1, Keystone is OpenStack's identity service; it can be understood simply as the component that deals with "everything permission-related"
2, Functions integrated into Keystone:
- managing authentication: verifying a user's identity
- authorization: role-based authorization management
- catalog of services: simply put, a directory that records the addresses of the backend services, much like a phone book
三, Installing Keystone (run only on the controller node)
1, Create the keystone database and grant privileges
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
2, Install the Keystone packages
yum -y install openstack-keystone httpd mod_wsgi # mod_wsgi is the Apache WSGI extension module that httpd needs to run the Python code
3, Edit keystone.conf
一, Edit the file directly
cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
vim /etc/keystone/keystone.conf
# change the following items
[DEFAULT] # defines the value of the initial administration token:
...
admin_token = ADMIN_TOKEN # this item does not need to be changed on the Train release
[database] # configure database access:
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token] # configure the Fernet/UUID token provider
...
provider = fernet # fernet is one method of generating the token string
二, Edit with openstack-config (either method works)
yum install openstack-utils -y
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
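Both methods above set the same three keys. As an added example that is not from the original page or from the Keystone project, the POSIX shell functions below do the same job with nothing but awk, for a host where openstack-utils is not installed: ini_set replaces an uncommented key inside a section or appends it, ini_get reads a value back, and apply_keystone_settings applies the database and token settings from this section. The function names and the sample file layout in the comments are this example's own assumptions; the section names, keys and values are the ones on the page.

```shell
#!/bin/sh
# Added example: edit INI-style keystone.conf sections with awk only.
# ini_set FILE SECTION KEY VALUE
#   Sets KEY = VALUE inside [SECTION]. An existing uncommented KEY in that
#   section is replaced in place, a missing KEY is appended at the end of
#   the section, and a missing section is appended at the end of the file.
#   Commented-out template lines such as "#connection = <None>" are kept.
ini_set() {
    file=$1; section=$2; key=$3; value=$4
    tmp=$(mktemp) || return 1
    awk -v sec="$section" -v key="$key" -v val="$value" '
        function emit() { print key " = " val; found = 1 }
        BEGIN { insec = 0; found = 0 }
        # section header: flush a pending key before leaving the target section
        /^[ \t]*\[[^]]*[]][ \t]*$/ {
            if (insec && !found) emit()
            name = $0
            gsub(/^[ \t]*\[|[]][ \t]*$/, "", name)
            insec = (name == sec)
            print
            next
        }
        # first uncommented occurrence of the key inside the target section
        insec && !found && $0 ~ ("^[ \t]*" key "[ \t]*=") { emit(); next }
        { print }
        END {
            if (!found) {
                if (!insec) print "[" sec "]"
                emit()
            }
        }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"   # cat keeps owner and mode of FILE
    rc=$?
    rm -f "$tmp"
    return $rc
}

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], if set.
ini_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[[^]]*[]][ \t]*$/ {
            name = $0
            gsub(/^[ \t]*\[|[]][ \t]*$/, "", name)
            insec = (name == sec)
            next
        }
        insec && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, "")
            print
            exit
        }
    ' "$1"
}

# Apply the settings from this section to the given keystone.conf.
# admin_token is left alone, as the page notes it is not needed on Train.
apply_keystone_settings() {
    ini_set "$1" database connection \
        'mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone' || return 1
    ini_set "$1" token provider fernet
}

# Usage on the controller, as root, after the backup step above:
#   apply_keystone_settings /etc/keystone/keystone.conf
#   ini_get /etc/keystone/keystone.conf token provider   # prints: fernet
```

Writing the result back with cat rather than mv keeps the root:keystone ownership and 0640 mode of /etc/keystone/keystone.conf, so the database password in the connection string stays readable only by root and the keystone group. The functions are idempotent: running them twice leaves a single uncommented provider line.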
4, Sync the database
su -s /bin/sh -c "keystone-manage db_sync" keystone # switch to the keystone user and run keystone-manage db_sync
5, Initialize the Fernet keys
# This is a newer OpenStack feature: on the Train release Keystone no longer uses a simple string as a temporary token; it runs with the Fernet keys created below, owned by the keystone user. Keystone also no longer separates the admin and regular service endpoints onto ports 5000 and 35357; only port 5000 is used and 35357 is no longer used.
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# after this runs, a fernet-keys directory is created under /etc/keystone/
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
6, Configure and start the httpd service
1, Configuration method from the current official docs (the method used in this walkthrough)
echo 'ServerName controller' >> /etc/httpd/conf/httpd.conf
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# start the httpd service
# systemctl enable httpd.service
# systemctl start httpd.service
2, Older configuration method
echo 'ServerName controller' >> /etc/httpd/conf/httpd.conf
vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
# start the httpd service
# systemctl enable httpd.service
# systemctl start httpd.service
7, Set the environment variables
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
8, Create the service project and roles
# The default domain, the admin project and the admin user were already created when the Fernet key store was bootstrapped above. (The three commands below only succeed after the environment variables above have been set.)
[root@controller ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
[root@controller ~]# openstack project list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4c0a56c8e5444a73a1eb0a4e3cb3d4a7 | admin |
+----------------------------------+-------+
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| c5d3016e0873403487102264a4ba09e4 | admin |
+----------------------------------+-------+
9, Create domains, projects, users, roles and so on
一, Create a domain (this step can be skipped; it was not performed in this walkthrough)
# creates the example domain; think of it as a region on a public cloud, such as North China or South China
openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 2f4f80574fd84fe6ba9067228ae0a50c |
| name | example |
| tags | [] |
+-------------+----------------------------------+
二, Create a project
# the previous step confirmed that the default domain exists, so create service under the default domain
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 695024d064f84bcfa5a48170b4519fad |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
三, Create a role and associate it with a user
# create the user
[root@controller ~]# openstack user create --domain default --password ADMIN_PASS myuser
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 84a0c3edd86a416a9c5bf0196e724843 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
# create the role
[root@controller ~]# openstack role create myrole
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 8ec87a64484944d88e93d2a59f55bfe0 |
| name | myrole |
| options | {} |
+-------------+----------------------------------+
# associate the role with the user
openstack role add --project service --user myuser myrole # grant the user this role on the service project
四, Verify the Keystone service
1, Verify Keystone with the default admin user
unset OS_AUTH_URL OS_PASSWORD
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue # the password is ADMIN_PASS
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-12-25T09:41:18+0000 |
| id | gAAAAABeAyCuDHlhlbOL-JfSZp7r00O04-9_46jds7MKM-bTmHcxfyETreTkEg43cg8DLzPS_ktkRxFZ3rO-jZD8L3o7maFtaPN1g-uzfALr6lnCbL7mgDTAjyJgayjJRSNFzvQ7-SlqOHa59miW7CojG2qrazVY2eQuQbzK-HCYRLK2m8ygLy4 |
| project_id | 4c0a56c8e5444a73a1eb0a4e3cb3d4a7 |
| user_id | c5d3016e0873403487102264a4ba09e4 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
2, Verify Keystone with the myuser user
openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name service --os-username myuser token issue
# the password is ADMIN_PASS
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-12-25T09:51:23+0000 |
| id | gAAAAABeAyMLS0gKUC_u33WJOQVpom0aT0-QB1XP6Q1RiPW16obhaYFNVD8xLBOJHSyG2DIlXwD7u56LyuNMCLek8NmEnMpCAcbX8MejxcN0DFk9euEClDwQzfUvFYJcxdStMdBPdjfWac9XDq_32K-lEDQtgogqkzct4GuI_ws2jL-nxnJ9apk |
| project_id | 695024d064f84bcfa5a48170b4519fad |
| user_id | 84a0c3edd86a416a9c5bf0196e724843 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
五, Create client environment scripts
To make client operations more efficient, OpenStack supports simple client environment scripts, also called OpenRC files.
To switch users, source the corresponding openrc file.
1, Verify the admin client
vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
source admin-openrc
openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-12-25T09:58:24+0000 |
| id | gAAAAABeAySwb2okuaQkMF11C4ko1ZqW0XN8vZnwhjBwomHhjDOxSPEJSXdyXM52M6QVMSIeqfHOy6yml8CxzN5hSIpR8NaBoUyRNQThPScYsZw0-6TqCha9HmqgLgsdsTNdZELLjPnIxlhCbSnjmPQgB_-0H2D7NZri72OmfIEq2bzI5PX3iDM |
| project_id | 4c0a56c8e5444a73a1eb0a4e3cb3d4a7 |
| user_id | c5d3016e0873403487102264a4ba09e4 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# the result matches the command-line run in section 四
2, Verify myuser
vim myuser-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=service
export OS_USERNAME=myuser
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
source myuser-openrc
openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-12-25T10:02:55+0000 |
| id | gAAAAABeAyW_aaBMwaHmhxgBl88IpwDBSj_4TvMGTmWRtlCf7vakyxT-_tADfb0clHthdoC1S0kyoYYtBe0Bw31zNqfl3OlnoCc5wwGVp2hchysgdpTCWKMkgmD5N2wip0u-KsPBvIDZcKvxzizf7bOvr1bZWp0IS55qHHGAVjTwv7GlQ7P3Uy0 |
| project_id | 695024d064f84bcfa5a48170b4519fad |
| user_id | 84a0c3edd86a416a9c5bf0196e724843 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
# the result matches the command-line run in section 四
# test access to port 5000 through a socket
[root@controller ~]# curl http://controller:5000
{"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://controller:5000/v3/", "rel": "self"}]}]}}
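The openstack token issue commands in section 四 and the curl check just above are the two verification steps an operator runs by hand. As an added example that is not part of the original page or of the Keystone project, the shell functions below perform the same two checks without the openstack client: keystone_auth_body builds the JSON that a project-scoped password authentication posts to /v3/auth/tokens, keystone_token_issue sends it with curl and prints the X-Subject-Token response header (the token id shown in the tables above), and keystone_discovery_version and keystone_discovery_status parse the version discovery document returned by curl http://controller:5000. SAMPLE_DISCOVERY is the discovery output copied from this page; the function names are this example's own. keystone_token_issue needs a reachable controller and the OS_* variables from step 7 or an openrc file; the other functions run offline.

```shell
#!/bin/sh
# Added example: exercise Keystone's v3 API with curl and POSIX tools only.

# Version discovery document as returned by `curl http://controller:5000`
# (copied from the page's output above).
SAMPLE_DISCOVERY='{"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://controller:5000/v3/", "rel": "self"}]}]}}'

# json_field JSON NAME: print the first string value of NAME in a one-line
# JSON document. Enough for the discovery document; not a general parser.
json_field() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed -n "s/^.*\"$2\": *\"\([^\"]*\)\".*\$/\1/p" | head -n 1
}
keystone_discovery_version() { json_field "$1" id; }      # e.g. v3.13
keystone_discovery_status()  { json_field "$1" status; }  # e.g. stable

# keystone_auth_body USER_DOMAIN USER PASSWORD PROJECT_DOMAIN PROJECT
# Builds the request body for a project-scoped password authentication,
# the same request `openstack token issue` makes. Values containing a
# double quote or backslash are refused rather than emitted as broken JSON.
keystone_auth_body() {
    for v in "$1" "$2" "$3" "$4" "$5"; do
        case $v in
            *\"*|*\\*) echo 'keystone_auth_body: quotes and backslashes are not supported' >&2; return 1 ;;
        esac
    done
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$2" "$1" "$3" "$5" "$4"
}

# keystone_token_issue: POST the body to $OS_AUTH_URL/auth/tokens and print
# the token id from the X-Subject-Token header. Reads the OS_* variables set
# by step 7 or an openrc file. The body goes to curl on stdin so the password
# never appears in the process list.
keystone_token_issue() {
    body=$(keystone_auth_body "$OS_USER_DOMAIN_NAME" "$OS_USERNAME" "$OS_PASSWORD" \
                              "$OS_PROJECT_DOMAIN_NAME" "$OS_PROJECT_NAME") || return 1
    printf '%s' "$body" \
        | curl -fsS -D - -o /dev/null -H 'Content-Type: application/json' -d @- \
              "${OS_AUTH_URL%/}/auth/tokens" \
        | tr -d '\r' | sed -n 's/^[Xx]-[Ss]ubject-[Tt]oken: *//p'
}

# Usage on the controller after `source admin-openrc`:
#   keystone_discovery_version "$(curl -s http://controller:5000)"   # v3.13
#   keystone_token_issue                                             # prints the token id
```

A token printed by keystone_token_issue is a bearer credential for the admin project, exactly like the id column in the tables above; treat it like the password it was issued with and let it expire rather than writing it to a shared shell history or log.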
Keystone installation is now complete.