I. Keystone Service Overview
In the OpenStack framework, Keystone (OpenStack Identity Service) is responsible for authenticating identities, validating service rules (policies) and issuing service tokens; it implements the OpenStack Identity API. Keystone breaks down into two functions: permission management and the service catalog.
https://www.cnblogs.com/mh20131118/p/12942346.html
https://www.cnblogs.com/linuxk/p/9282996.html
II. Keystone Operations
1. Keystone operations case
# Environment setup
source /etc/keystone/admin-openrc.sh
# Create the hqs user
openstack user create --password ps1234 --email hqs@example.com --domain demo hqs
# Create the acme project
openstack project create --domain demo acme
# Create a role
openstack role create compute-user
# Bind the user and project to the role
# A newly added user has no permissions until it is associated with a project and a role
openstack role add --user hqs --project acme compute-user
# List users
[root@controller ~]# openstack user list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 0f217182b5af448c988f5464c706a337 | admin |
| 1579d0526c8b4cf0ba1158960054fde0 | neutron |
| 408d6f8e000847a3a9a0f799a1ea2ef6 | hqs |
| 560d1dca91184856822e3750ea2f4afb | nova |
| 5ca7355fbe4f4b87b352a72f9c4b4a66 | cinder |
| 93443c8fc497495e8bb9033a1a52fc1d | demo |
| d5bcfce4e83d4ef696bcd87599399429 | swift |
| e255b170101c41d3b839dbb013daef02 | glance |
+----------------------------------+---------+
# Show details of the hqs user
[root@controller ~]# openstack user show hqs
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 90f55d85d1824e2ca27318eefc57535e |
| email | hqs@example.com |
| enabled | True |
| id | 408d6f8e000847a3a9a0f799a1ea2ef6 |
| name | hqs |
+-----------+----------------------------------+
# List all projects on the current OpenStack platform
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 015510f69fd74453a700a529b7bee827 | demo |
| 168c9d9e5cf448c2a3dab6335590566a | service |
| 386dbfcf77e444c7872e4e23d5829fcc | admin |
| b66f515463e54b229b1d61d9313717ff | acme |
+----------------------------------+---------+
# Show details of the acme project
[root@controller ~]# openstack project show acme
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | 90f55d85d1824e2ca27318eefc57535e |
| enabled | True |
| id | b66f515463e54b229b1d61d9313717ff |
| is_domain | False |
| name | acme |
| parent_id | 90f55d85d1824e2ca27318eefc57535e |
+-------------+----------------------------------+
# List all Keystone roles
[root@controller ~]# openstack role list
+----------------------------------+--------------+
| ID | Name |
+----------------------------------+--------------+
| 0190945cf6a84b60bb2f4631f85c30fa | compute-user |
| 4c438257d4a24e4aa4d4fcbeff248bce | user |
| d8ac2f3e57664b7abee701d82c9bbf16 | admin |
+----------------------------------+--------------+
# Show details of the compute-user role
[root@controller ~]# openstack role show compute-user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 0190945cf6a84b60bb2f4631f85c30fa |
| name | compute-user |
+-----------+----------------------------------+
# Show the endpoint addresses used by every service on the platform
[root@controller ~]# openstack endpoint list
+------------+-----------+--------------+--------------+---------+-----------+---------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+------------+-----------+--------------+--------------+---------+-----------+---------------+
| 14f90cb0cb | RegionOne | nova | compute | True | internal | http://contro |
....
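The sequence above creates each object exactly once and fails if it is re-run. The following script is an added example (not part of the original post) that makes the same user/project/role/assignment procedure idempotent: every object is looked up with `show` before it is created, `openstack role add` is only issued when `openstack role assignment list` shows no matching assignment, and the password is read from the `NEW_USER_PASSWORD` environment variable rather than typed on the operator's command line, so it does not end up in shell history. The `OSC` variable (defaulting to `openstack`), the function names and the domain/project/user/role names passed on the command line are assumptions of this example; it expects an admin openrc to have been sourced already.

```shell
#!/bin/sh
# Added example, not from the original post: idempotent provisioning of a
# project, user, role and role assignment with the openstack CLI.
# Assumptions: the CLI is reachable as $OSC (default "openstack") and an
# admin openrc has already been sourced; object names come from the caller.
set -eu

OSC="${OSC:-openstack}"

# exists <object> show <name...>  -> 0 when "openstack <object> show" succeeds
exists() {
  "$OSC" "$@" >/dev/null 2>&1
}

# ensure_project <domain> <project>
ensure_project() {
  if exists project show --domain "$1" "$2"; then
    echo "project $2 already exists in domain $1"
  else
    "$OSC" project create --domain "$1" "$2" >/dev/null
    echo "project $2 created in domain $1"
  fi
}

# ensure_user <domain> <user>
# The password comes from NEW_USER_PASSWORD, not from this script's arguments.
ensure_user() {
  if exists user show --domain "$1" "$2"; then
    echo "user $2 already exists in domain $1"
  else
    : "${NEW_USER_PASSWORD:?set NEW_USER_PASSWORD before creating a user}"
    "$OSC" user create --domain "$1" --password "$NEW_USER_PASSWORD" "$2" >/dev/null
    echo "user $2 created in domain $1"
  fi
}

# ensure_role <role>
ensure_role() {
  if exists role show "$1"; then
    echo "role $1 already exists"
  else
    "$OSC" role create "$1" >/dev/null
    echo "role $1 created"
  fi
}

# ensure_assignment <domain> <user> <project> <role>
# "role add" is only issued when no matching assignment is listed.
ensure_assignment() {
  current=$("$OSC" role assignment list --user "$2" --user-domain "$1" \
            --project "$3" --project-domain "$1" --role "$4" -f value 2>/dev/null || true)
  if [ -n "$current" ]; then
    echo "$2 already has $4 on $3"
  else
    "$OSC" role add --user "$2" --user-domain "$1" --project "$3" --project-domain "$1" "$4"
    echo "granted $4 to $2 on $3"
  fi
}

# provision <domain> <project> <user> <role>
provision() {
  ensure_project "$1" "$2"
  ensure_user "$1" "$3"
  ensure_role "$4"
  ensure_assignment "$1" "$3" "$2" "$4"
}

# Usage: NEW_USER_PASSWORD=... sh provision.sh Default acme alice compute-user
if [ $# -eq 4 ]; then provision "$@"; fi
```

Because every step is a lookup followed by a conditional create, the script can be kept in version control and re-run after each change without producing duplicate roles or failing on an existing user; the `--user-domain`/`--project-domain` flags make the lookups unambiguous when the same name exists in more than one domain.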
2. Domain management
Domain: used to manage multiple tenants.
openstack
domain create Create new domain # create a domain
domain delete Delete domain(s) # delete domains
domain list List domains # list domains
domain set Set domain properties # update a domain
domain show Display domain details # show domain details
# Create a domain
[root@controller ~]# openstack domain create --description "hqs Domain" hqs
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | hqs Domain |
| enabled | True |
| id | 6b44bea170004507960b643cf686ee9b |
| name | hqs |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
# List domains
[root@controller ~]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+--------------------+
| 6b44bea170004507960b643cf686ee9b | hqs | True | hqs Domain |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+--------------------+
# Update a domain
# Syntax:
openstack domain set [--options] <domain-name>
--name <name> New domain name # new name
--description <description> New domain description # new description
--enable Enable domain # enable the domain
--disable Disable domain # disable the domain
[root@controller ~]# openstack domain set --description "test test test" --name hqs-domain hqs
# Show domain details
[root@controller ~]# openstack domain show hqs-domain
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | test test test |
| enabled | True |
| id | 6b44bea170004507960b643cf686ee9b |
| name | hqs-domain |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
# Delete a domain (only a disabled domain can be deleted)
[root@controller ~]# openstack domain set --disable hqs-domain
[root@controller ~]# openstack domain delete hqs-domain
2. Tenant management
Project (tenant): the collection of resources that a person or service may access. A Project (Tenant) can contain multiple Users, and each User uses the resources of the Project (Tenant) according to the permissions assigned to it.
# Syntax
openstack
project create Create new project # create a tenant
project delete Delete project(s) # delete tenants
project list List projects # list tenants
project purge Clean resources associated with a project # clean up resources associated with a tenant
project set Set project properties # update tenant information
project show Display project details # show tenant details
# Create a tenant named acme
[root@controller ~]# openstack project create --domain default acme
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | 2c5bd1d63cee43b7a8d4308392527320 |
| is_domain | False |
| name | acme |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
# List tenants
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 2c5bd1d63cee43b7a8d4308392527320 | acme |
| 4188570a34464b938ed3fa7e08681df8 | admin |
| e3a549077f354998aa1a75677cfde62e | project |
+----------------------------------+---------+
# Update tenant information
[root@controller ~]# openstack project set --description "best of all" acme
# Show tenant details
[root@controller ~]# openstack project show acme
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | best of all |
| domain_id | default |
| enabled | True |
| id | 2c5bd1d63cee43b7a8d4308392527320 |
| is_domain | False |
| name | acme |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
# Delete the tenant
[root@controller ~]# openstack project delete acme
3. User management
User: an entity that accesses OpenStack. Anything that uses OpenStack, whether a person, a system or a service.
A user holds credentials and may be assigned to one or more tenants. After authentication, a token scoped to each individual tenant is issued.
# Syntax
openstack
user create Create new user # create a new user
user delete Delete user(s) # delete users
user list List users # list users
user password set Change current user password # change the user's password
user set Set user properties # update user information
user show Display user details # show user details
# Create a new user
openstack user create [--options] <name>
--domain <domain> Default domain (name or ID) # the domain the user belongs to
--project <project> Default project (name or ID) # the tenant the user belongs to
--project-domain <project-domain> Domain the project belongs to (name or ID). This can be used in case collisions between project names exist.
--password <password> Set user password # set the user's password
--password-prompt Prompt interactively for password # prompt interactively for the password
--email <email-address> Set user email address # set the user's e-mail address
--description <description> User description # user description
--enable Enable user (default) # enable the user
--disable Disable user # disable the user
[root@controller ~]# openstack user create --password my123 --email alice@qq.com --domain Default alice
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| email | alice@qq.com |
| enabled | True |
| id | 4ab2796d0ed448b8b3fc0d1090e0da21 |
| name | alice |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
# List users
[root@controller ~]# openstack user list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| f4f16d960e0643d7b5a35db152c87dae | admin |
| 81238b556a444c8f80cb3d7dc72a24d3 | glance |
| e0d6a46f9b1744d8a7ab0332ab45d59c | placement |
| 2f5041ed122d4a50890c34ea02881b47 | nova |
| 67bd1f9c48174e3e96bb41e0f76687ca | neutron |
| b9a2bdfcbf3b445ab0db44c9e35af678 | cinder |
| 4ab2796d0ed448b8b3fc0d1090e0da21 | alice |
+----------------------------------+-----------+
# Update user information
[root@controller ~]# openstack user set --description "good gay" --disable alice
# Show user details
[root@controller ~]# openstack user show alice
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| description | good gay |
| domain_id | default |
| email | alice@qq.com |
| enabled | False |
| id | 4ab2796d0ed448b8b3fc0d1090e0da21 |
| name | alice |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
# Delete the user
[root@controller ~]# openstack user delete alice
4. Role management
Role: used to partition permissions, i.e. to control which resources a user may access. Assigning a Role to a User grants that User the operations the Role permits.
The Token Keystone returns to the User carries the list of Roles; the Service being accessed checks the User and the Roles contained in the Token the User presents.
# Syntax
openstack
role add Adds a role assignment to a user or group on the system, a domain, or a project # grant
role assignment list List role assignments # list role assignments
role create Create new role # create a role
role delete Delete role(s) # delete roles
role list List roles # list roles
role remove Removes a role assignment from system/domain/project : user/group # remove a role assignment
role set Set role properties # modify role properties
role show Display role details # show role details
# Prepare the user and tenant first
[root@controller ~]# openstack user create --password my123 --email alice@qq.com --domain Default alice
[root@controller ~]# openstack project create --domain default acme
# Create the role
[root@controller ~]# openstack role create compute-user
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | f589e27a13a04266ab8026f7856e4c1b |
| name | compute-user |
| options | {} |
+-------------+----------------------------------+
# Grant: bind the user to the tenant with the role
[root@controller ~]# openstack role add --user alice --project acme compute-user
# List roles
[root@controller ~]# openstack role list
+----------------------------------+--------------+
| ID | Name |
+----------------------------------+--------------+
| 47670bbd6cc1472ab42db560637c7ebe | reader |
| 5eee0910aeb844a1b82f48100da7adc9 | admin |
| 700ec993d3cf456fa591c03e72f37856 | user |
| bc2c8147bbd643629a020a6bd9591eca | member |
| f589e27a13a04266ab8026f7856e4c1b | compute-user |
+----------------------------------+--------------+
# List role assignments
[root@controller ~]# openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| f589e27a13a04266ab8026f7856e4c1b | 1358f0164e244d00845330583322b6cd | | 260ff6919a8e48b5980ef7df4b8e0885 | | | False |
| 5eee0910aeb844a1b82f48100da7adc9 | 2f5041ed122d4a50890c34ea02881b47 | | e3a549077f354998aa1a75677cfde62e | | | False |
... (omitted)
# Modify a role
openstack role set [--domain <domain>] [--name <name>] <role>
--domain <domain> Domain the role belongs to (name or ID) # change the domain
--name <name> Set role name # change the role name
[root@controller ~]# openstack role set --name pc-user compute-user
# Delete the role
[root@controller ~]# openstack role delete pc-user
5. Service management
Service: a component service running in OpenStack. Users access resources and perform operations through its Endpoint.
# Syntax
openstack
service create Create new service # create a service
service delete Delete service(s) # delete services
service list List services # list services
service set Set service properties # modify a service
service show Display service details # show service details
# Create a service named test with type test
[root@controller ~]# openstack service create --name test test
+---------+----------------------------------+
| Field | Value |
+---------+----------------------------------+
| enabled | True |
| id | 94e2e3193373420e90ef73365ba8d137 |
| name | test |
| type | test |
+---------+----------------------------------+
# List services
[root@controller ~]# openstack service list
+----------------------------------+-----------+-----------+
| ID | Name | Type |
+----------------------------------+-----------+-----------+
| 324a07034ea4453692570e3edf73cf2c | glance | image |
| 459c365a11c74e5894b718b5406022a8 | neutron | network |
| 5d25b4ed1443497599707e043866eaae | keystone | identity |
| 90dc0dcf9879493d98144b481ea0df2b | cinderv3 | volumev3 |
| 94e2e3193373420e90ef73365ba8d137 | test | test |
| da038496edf04ce29d7d3d6b8e647755 | placement | placement |
| e7cccf0a4d2549139801ac51bb8546db | nova | compute |
+----------------------------------+-----------+-----------+
# Modify a service
openstack service set [--options] <service>
--type <type> New service type (compute, image, identity, volume, etc) # new service type
--name <service-name> New service name # new service name
--description <description> New service description # new service description
--enable Enable service # enable the service
--disable Disable service # disable the service
[root@controller ~]# openstack service set --name docker --type k8s test
# Show service details
[root@controller ~]# openstack service show docker
+---------+----------------------------------+
| Field | Value |
+---------+----------------------------------+
| enabled | True |
| id | 94e2e3193373420e90ef73365ba8d137 |
| name | docker |
| type | k8s |
+---------+----------------------------------+
# Delete the service
[root@controller ~]# openstack service delete docker
6. Endpoint (access address) management
Endpoint: the network address a Service exposes; it is how an OpenStack service is located and reached over the network, usually a URL. There are three kinds:
- admin url: used by administrator users, port 35357
- internal url: used for communication between OpenStack's internal components (internal access), port 5000
- public url: used by other users (global access), port 5000
# Syntax
openstack
endpoint create Create new endpoint # create an endpoint
endpoint delete Delete endpoint(s) # delete endpoints
endpoint list List endpoints # list endpoints
endpoint set Set endpoint properties # modify an endpoint
endpoint show Display endpoint details # show endpoint details
endpoint group add project Add a project to an endpoint group # add a project to an endpoint group
endpoint group create Create new endpoint group # create an endpoint group
endpoint group delete Delete endpoint group(s) # delete endpoint groups
endpoint group list List endpoint groups # list endpoint groups
endpoint group remove project Remove project from endpoint group # remove a project from an endpoint group
endpoint group set Set endpoint group properties # modify an endpoint group
endpoint group show Display endpoint group details # show endpoint group details
endpoint add project Associate a project to an endpoint # associate a project with an endpoint
endpoint remove project Dissociate a project from an endpoint # dissociate a project from an endpoint
# Create an endpoint
openstack endpoint create [--region <region-id>] # region ID of the new endpoint
[--enable | --disable] # enable/disable
<service> <interface> <url> # service, interface type, URL
# Creation examples:
[root@controller ~]# openstack endpoint create --region RegionOne glance public http://controller:9292
[root@controller ~]# openstack endpoint create --region RegionOne glance internal http://controller:9292
[root@controller ~]# openstack endpoint create --region RegionOne glance internal http://controller:9292/test
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1524c4a185a548a890aaa5699f0aa979 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 324a07034ea4453692570e3edf73cf2c |
| service_name | glance |
| service_type | image |
| url | http://controller:9292/test |
+--------------+----------------------------------+
# Delete an endpoint
[root@controller ~]# openstack endpoint delete 1524c4a185a548a890aaa5699f0aa979
# List endpoints
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| 0d31919afb564c8aa52ec5eddf474a55 | RegionOne | keystone | identity | True | admin | http://controller:5000/v3 |
| 1d59d497c89c4fa9b8789d685fab9fe5 | RegionOne | neutron | network | True | public | http://controller:9696
... (omitted)
# Show endpoint details
[root@controller ~]# openstack endpoint show 702df46845be40fb9e75fb988314ee90
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 702df46845be40fb9e75fb988314ee90 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 5d25b4ed1443497599707e043866eaae |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
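Every client resolves service URLs from the catalog listed above, so a disabled, missing or plain-http endpoint silently changes where tokens and API calls go. The following script is an added example (not part of the original post) that reads the output of `openstack endpoint list -f csv` and reports endpoints that are disabled, endpoints whose URL is not `https://`, and service types that lack one of the expected interfaces. The set of required interfaces is an assumption taken from the `WANT` variable (default `public internal`, the two interfaces the page's own `endpoint create` examples populate; set it to `public internal admin` to require all three); the sample rows, IDs and function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the service catalog
# produced by "openstack endpoint list -f csv". Reports endpoints that are
# disabled, that use plain http, and service types missing an interface.
# Assumption: the interfaces every service must expose come from $WANT
# (default "public internal").
set -eu

# sample_catalog: constructed CSV in the shape of "openstack endpoint list -f csv";
# the IDs are placeholders, not values from a real deployment.
sample_catalog() {
  cat <<'EOF'
"ID","Region","Service Name","Service Type","Enabled","Interface","URL"
"id-0001","RegionOne","keystone","identity","True","public","https://controller:5000/v3"
"id-0002","RegionOne","keystone","identity","True","internal","https://controller:5000/v3"
"id-0003","RegionOne","glance","image","True","public","http://controller:9292"
"id-0004","RegionOne","nova","compute","False","public","https://controller:8774/v2.1"
"id-0005","RegionOne","nova","compute","True","internal","https://controller:8774/v2.1"
EOF
}

# check_catalog < catalog.csv
# Prints one finding per line; exit status 1 when there is any finding.
check_catalog() {
  awk -F'","' -v want="${WANT:-public internal}" '
    NR == 1 { next }                                   # header row
    {
      for (i = 1; i <= NF; i++) gsub(/^"|"$/, "", $i)  # strip outer quotes
      svc = $3; enabled = $5; iface = $6; url = $7
      services[svc] = 1; seen[svc, iface] = 1
      if (enabled != "True") { print "DISABLED " svc " " iface " " url; n++ }
      if (url !~ /^https:\/\//) { print "PLAINTEXT " svc " " iface " " url; n++ }
    }
    END {
      m = split(want, w, " ")
      for (s in services)
        for (i = 1; i <= m; i++)
          if (!((s, w[i]) in seen)) { print "MISSING " s " " w[i]; n++ }
      exit (n > 0)
    }'
}

# Usage:
#   sh check_catalog.sh demo                                   # constructed sample
#   openstack endpoint list -f csv | WANT="public internal admin" sh check_catalog.sh -
case "${1-}" in
  demo) sample_catalog | check_catalog ;;
  -)    check_catalog ;;
esac
```

The `PLAINTEXT` finding fires for every `http://controller:...` URL in the catalog shown on this page; that is intentional, since tokens travel in the `X-Auth-Token` header to whatever URL the catalog advertises, and the checker is the place to decide whether a plain-http internal endpoint is acceptable on a given network.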