OpenStack Keystone: Identity Authentication
Tutorial outline
1. Introduction to the Keystone service components
2. Installing and deploying Keystone
3. New features in Keystone V3
1. Create the keystone database and grant access to it
mysql -u root -p -e "create database keystone;"
mysql -u root -p -e "grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'keystone';"
mysql -u root -p -e "grant all privileges on keystone.* to 'keystone'@'%' identified by 'keystone';"
2. Install the Keystone packages and their dependencies
yum install openstack-keystone httpd mod_wsgi memcached python-memcached
3. Edit the Keystone configuration file (/etc/keystone/keystone.conf)
Generate a random token value with the following command; the number before each setting below is its line in the default configuration file:
$ openssl rand -hex 10
13: admin_token = 7b016f6702c9ac4cbd6e
124: verbose = true
549: connection = mysql://keystone:keystone@192.168.100.40/keystone
1252: servers = 192.168.100.40:11211
1773: driver = sql
2005: provider = fernet
2010: driver = memcache
4. Populate the Keystone database
su -s /bin/sh -c "keystone-manage db_sync" keystone
5. Initialise the Fernet key repository
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
6. Enable and start the memcached service
systemctl enable memcached.service
systemctl start memcached.service
7. Create the Apache WSGI configuration for Keystone
/etc/httpd/conf.d/wsgi-keystone.conf
(Apache does not accept a comment after a directive on the same line, so the notes below sit on their own lines.)
# Port 5000 serves the regular (public) API.
Listen 5000
# Port 35357 serves the admin API.
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
8. Set the ServerName in Apache's httpd.conf
ServerName 192.168.100.40:80
9. Enable and start the httpd service
systemctl enable httpd.service
systemctl start httpd.service
10. Set the Keystone bootstrap environment variables (OS_TOKEN must be exactly the admin_token value written to keystone.conf in step 3, otherwise the commands below are rejected)
export OS_TOKEN=ef33d18ffbd5a54dac62
export OS_URL=http://192.168.100.40:35357/v3
export OS_IDENTITY_API_VERSION=3
11. Create the admin and demo projects, users and roles, and assign the roles
Create the default domain (users and projects belong to a domain)
openstack domain create --description "Default Domain" default
Create the admin project
openstack project create --domain default --description "Admin Project" admin
Create the admin user
openstack user create --domain default --password-prompt admin
Create the admin role
openstack role create admin
Add the admin user to the admin project with the admin role
openstack role add --project admin --user admin admin
Create the demo project for the regular user
openstack project create --domain default --description "Demo Project" demo
Create the demo user and its password
openstack user create --domain default --password=demo demo
Create the role for regular users
openstack role create user
Add the demo user to the demo project with the user role
openstack role add --project demo --user demo user
Create the service project
openstack project create --domain default --description "Service Project" service
Register the Keystone service
openstack service create --name keystone --description "Openstack Identity" identity
12. Create the API endpoints: public, admin and internal
public, port 5000
openstack endpoint create --region RegionOne \
identity public http://192.168.100.40:5000/v3
internal, port 5000
openstack endpoint create --region RegionOne \
identity internal http://192.168.100.40:5000/v3
admin, port 35357
openstack endpoint create --region RegionOne \
identity admin http://192.168.100.40:35357/v3
13. Verify the result
List all users
openstack user list
List all roles
openstack role list
List all projects
openstack project list
List all endpoints
openstack endpoint list
14. Unset the OS_TOKEN and OS_URL environment variables
unset OS_TOKEN
unset OS_URL
15. Verify that demo and admin can be issued tokens
openstack --os-auth-url http://192.168.100.40:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue
Enter the demo password:
openstack --os-auth-url http://192.168.100.40:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
Enter the admin password:
16. Put the Keystone environment variables in scripts for convenience
Admin environment variables
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.100.40:35357/v3
export OS_IDENTITY_API_VERSION=3
# Added later, when verifying the Glance commands in the L release
export OS_IMAGE_API_VERSION=2
Demo environment variables
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.100.40:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Add execute permission to the scripts; to load one, run: source admin-openrc.sh
Please watch the video.
The videos are uploaded to Tencent Classroom, Youku and 56.com; search for 中祥課堂 to watch them.
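A pre-flight check for the steps above, added here as an example and not part of the original tutorial: it verifies that the OS_TOKEN used in step 10 matches the admin_token written in step 3, that the token provider is fernet, and that the Fernet key repository has the owner and mode that step 5 creates. It assumes the default paths /etc/keystone/keystone.conf and /etc/keystone/fernet-keys and GNU stat; the configuration sample inside it is constructed.

```shell
#!/bin/sh
# Added pre-flight check (not part of the tutorial): verifies the values the
# steps above put in keystone.conf and the fernet key repository.
# conf_get FILE SECTION KEY: print KEY's value from [SECTION] of an INI file,
# skipping the commented-out defaults that fill keystone.conf.
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[[:space:]]*\[/ { h = $0; gsub(/[[:space:]]/, "", h); insec = (h == sec); next }
        insec && $0 !~ /^[[:space:]]*#/ {
            split($0, kv, "="); gsub(/^[[:space:]]+|[[:space:]]+$/, "", kv[1])
            if (kv[1] == key) { sub(/^[^=]*=[[:space:]]*/, ""); print; exit }
        }' "$1"
}

# 0 when TOKEN equals admin_token in FILE. OS_TOKEN (step 10) must be the value
# written in step 3; otherwise every bootstrap command is rejected with 401.
check_bootstrap_token() {
    [ -n "$2" ] && [ "$(conf_get "$1" DEFAULT admin_token)" = "$2" ]
}

# 0 when [token] provider is fernet, as step 5 (fernet_setup) requires.
check_token_provider() {
    [ "$(conf_get "$1" token provider)" = fernet ]
}

# 0 when the key repository is owned by keystone with mode 700, which is what
# fernet_setup --keystone-user/--keystone-group keystone creates (GNU stat).
check_fernet_dir() {
    [ -d "$1" ] && [ "$(stat -c '%U:%a' "$1")" = "keystone:700" ]
}

# Constructed sample with only the lines the guide edits, so the checks run
# without a real /etc/keystone/keystone.conf.
SAMPLE_CONF=$(mktemp); trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[DEFAULT]
#admin_token = <None>
admin_token = 7b016f6702c9ac4cbd6e
[database]
connection = mysql://keystone:keystone@192.168.100.40/keystone
[token]
provider = fernet
driver = memcache
EOF
```

On the Keystone host, run check_bootstrap_token /etc/keystone/keystone.conf "$OS_TOKEN", check_token_provider /etc/keystone/keystone.conf and check_fernet_dir /etc/keystone/fernet-keys before step 11; note that the token in step 10 of this guide (ef33d18ffbd5a54dac62) differs from the admin_token in step 3 (7b016f6702c9ac4cbd6e), which this check reports.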