2.0.keystone認證服務
1)用戶與認證:用戶權限與用戶行為跟蹤
User 用戶
Tenant 租戶
Token 令牌
Role 角色
2)服務目錄:提供一個服務目錄,包括所有服務項與相關API的端點
Service 服務
Endpoint 端點
2.1.在控制節點創建keystone相關數據庫
1)創建keystone數據庫並授權
# 登錄mysql,密碼為空
mysql -u root -p # 創建 keystone 數據庫 CREATE DATABASE keystone; # 對``keystone``數據庫授予恰當的權限 grant all on keystone.* to keystone@'localhost' identified by 'keystone'; grant all on keystone.* to keystone@'%' identified by 'keystone';
flush privileges;
2.2.在控制節點安裝keystone相關軟件包
1)安裝keystone相關軟件包
# 配置Apache服務,使用帶有“mod_wsgi”的HTTP服務器來相應認證服務請求,端口為5000和35357, 默認情況下,Kestone服務仍然監聽這些端口
yum install openstack-keystone httpd mod_wsgi -y
yum install openstack-keystone python-keystoneclient openstack-utils -y
# 下面使用的快速配置方法需要安裝Openstack-utils才可以實現
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone openstack-config --set /etc/keystone/keystone.conf token provider fernet
# keystone不需要啟動,通過httpd服務進行調用
2.3.初始化同步keystone數據庫
1)同步keystone數據庫(44張)
su -s /bin/sh -c "keystone-manage db_sync" keystone
2)同步完成進行連接測試
mysql keystone -e 'show tables'
2.4.初始化Fernet令牌庫
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
2.5.配置啟動Apache(httpd)
1)修改httpd主配置文件
# 編輯``/etc/httpd/conf/httpd.conf`` 文件,配置``ServerName`` 選項為控制節點
sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf
2)配置虛擬主機
# 用下面的內容創建文件 /etc/httpd/conf.d/wsgi-keystone.conf,確保5000,和35357端口沒被占用
echo ' Listen 5000 Listen 35357 <VirtualHost *:5000> WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/httpd/keystone-error.log CustomLog /var/log/httpd/keystone-access.log combined <Directory /usr/bin> Require all granted </Directory> </VirtualHost> <VirtualHost *:35357> WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /usr/bin/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On ErrorLogFormat "%{cu}t %M" ErrorLog /var/log/httpd/keystone-error.log CustomLog /var/log/httpd/keystone-access.log combined <Directory /usr/bin> Require all granted </Directory> </VirtualHost> ' >/etc/httpd/conf.d/wsgi-keystone.conf
3)啟動httpd並配置開機自啟動
systemctl start httpd.service systemctl status httpd.service netstat -anptl|grep httpd systemctl enable httpd.service systemctl list-unit-files |grep httpd.service ss -ntl | grep -E "5000|35357"
# 如果http起不來,需要關閉 selinux 或者安裝 yum install openstack-selinux
2.6.初始化keystone認證服務
1)創建 keystone 用戶,初始化的服務實體和API端點(賬號:密碼=>admin:admin)
keystone-manage bootstrap --bootstrap-password admin --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
2)臨時配置管理員賬戶的相關變量進行管理
# 編輯環境變量的配置文件 vim openrc echo ' export OS_USERNAME=admin export OS_PASSWORD=admin export OS_PROJECT_NAME=admin export OS_USER_DOMAIN_NAME=default export OS_PROJECT_DOMAIN_NAME=default export OS_AUTH_URL=http://controller:35357/v3 export OS_IDENTITY_API_VERSION=3 ' > admin_openrc # 使環境變量生效 source admin_openrc
# 查看
env|grep OS_
echo 'source admin_openrc' >> ~/.bashrc
# 查看keystone實例相關信息
openstack endpoint list
openstack project list
openstack user list
# 刪除endpoint
openstack endpoint delete [ID]
2.7.創建keystone的一般實例
1)創建一個名為example的keystone域
# 以下命令會在project表中創建名為example的項目
openstack domain create --description "An Example Domain" example
2)為keystone系統環境創建名為service的項目提供服務
# 用於常規(非管理)任務,需要使用無特權用戶
# 以下命令會在project表中創建名為service的項目
openstack project create --domain default --description "Service Project" service
3)創建myproject項目和對應的用戶及角色
# 作為一般用戶(非管理員)的項目,為普通用戶提供服務
# 以下命令會在project表中創建名為myproject項目
openstack project create --domain default --description "Demo Project" myproject
4)在默認域創建myuser用戶
# 使用--password選項為直接配置明文密碼,使用--password-prompt選項為交互式輸入密碼
# 以下命令會在local_user表增加myuser用戶
openstack user create --domain default --password-prompt myuser # 交互式輸入密碼 # openstack user create --domain default --password=myuser myuser # 直接創建用戶和密碼
5)在role表創建myrole角色
openstack role create myrole
6)將myrole角色添加到myproject項目中和myuser用戶組中
# 以下命令無返回,數據表操作不太明顯
openstack role add --project myproject --user myuser myrole
2.8.驗證操作keystone是否安裝成功
1)去除環境變量
# 關閉臨時認證令牌機制,獲取 token,驗證keystone配置成功
unset OS_AUTH_URL OS_PASSWORD
env |grep OS_
2)作為管理員用戶去請求一個認證的token
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin --os-password admin token issue
3)使用普通用戶獲取認證token
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser --os-password myuser token issue
2.9.創建OpenStack客戶端環境腳本
1)創建admin用戶的環境管理腳本
mkdir /server/tools -p && cd /server/tools vim keystone-admin-pass.sh ---------------------------------- export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=admin export OS_AUTH_URL=http://controller:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 ---------------------------------- env |grep OS_
2)創建普通用戶myuser的客戶端環境變量腳本
vim keystone-myuser-pass.sh ------------------------------- export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=myproject export OS_USERNAME=myuser export OS_PASSWORD=myuser export OS_AUTH_URL=http://controller:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2 -------------------------------
3)測試環境管理腳本
# 使用腳本加載相關客戶端配置,以便快速使用特定租戶和用戶運行客戶端
source keystone-admin-pass.sh
4)請求認證令牌
openstack token issue
~~~至此,keystone安裝完畢~~~