Earlier posts covered the installation and deployment of OpenStack Swift, all of which used the tempauth authentication mode. Today we introduce a new component called Keystone.
This article describes the Keystone installation and deployment process in detail and gives some simple usage examples.
Keystone is an important part of the OpenStack framework. It is responsible for identity authentication, service management, service rules and service tokens, and it implements the OpenStack Identity API. Keystone resembles a service bus, or the registry of the whole OpenStack framework: the other services register themselves with Keystone, and every call between services must pass Keystone's authentication before it reaches the target service. Keystone consists of two main parts: authentication and the service catalog.
The authentication part provides a token-based authentication service and mainly involves the following concepts:
The Service Catalog part provides a list of REST API service endpoints that clients use to decide where to send requests, and mainly involves the following concepts:
| Environment item | Details |
| Machine type | Physical PC |
| Operating system | Ubuntu-11.10-desktop-64-bit |
| User type | root |
| Database | sqlite3 |
| IP address | 192.168.3.67 |
If you use Ubuntu you can also install Keystone directly with apt-get, but this article installs from the latest code on the master branch from git (https://github.com/openstack/keystone). Make sure that the versions of Keystone and python-keystoneclient installed everywhere are the same; this matters especially when Keystone is integrated with other services such as Swift. The follow-up document "Using Keystone with Swift (cluster)" will make the reason clear.
First, install the software Keystone needs (make sure the machine can reach the Internet), for example git to fetch the Keystone code and sqlite3 as the local database.
# apt-get install git python-dev sqlite3 libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev
Fetch the latest Keystone service code from git.
# cd ~
# git clone https://github.com/openstack/keystone.git
Install Keystone's dependencies and the main program (Keystone is installed into Python's dist-packages).
# cd ~/keystone
# pip install -r tools/pip-requires
# pip install -r tools/test-requires    (this command can be skipped)
# python setup.py install
The file ~/keystone/tools/pip-requires (contents shown below) lists the dependencies needed to run Keystone; setup.py uses this file to check the dependencies and download and install them automatically. It names python-keystoneclient as a dependency: python-keystoneclient is the local client component used to access Keystone. The versions of python-keystoneclient and Keystone must match, otherwise version compatibility problems may appear; installing python-keystoneclient as a dependency ensures that no such problem arises.
# keystone dependencies
pam>=0.1.4
WebOb==1.2.3
eventlet
greenlet
PasteDeploy
paste
routes
sqlalchemy>=0.7.8,<=0.7.9
sqlalchemy-migrate>=0.7.2
passlib
lxml
iso8601>=0.1.4
python-keystoneclient>=0.2.1,<0.3
oslo.config>=1.1.0
The file ~/keystone/tools/test-requires (contents shown below) lists the dependencies needed for Keystone development and testing. They are not required to run Keystone, so they can be skipped (that is, do not run the command above: pip install -r tools/test-requires).
# Optional backend: SQL
pysqlite

# Optional backend: Memcache
python-memcached

# Optional backend: LDAP
python-ldap==2.3.13 # authenticate against an existing LDAP server

# Testing
coverage # computes code coverage percentages
mox # mock object framework
nose # for test discovery and console feedback
nosexcover
openstack.nose_plugin
nosehtmloutput
pylint # static code analysis
pep8==1.3.3 # checks for PEP8 code style compliance
Sphinx>=1.1.2 # required to build documentation
unittest2 # backport of unittest lib in python 2.7
webtest # test wsgi apps without starting an http server
distribute>=0.6.24

# for python-keystoneclient
httplib2 # keystoneclient <0.2.1
requests>=1.0.0 # replaces httplib2 in keystoneclient >=0.2.1
keyring

# swift_auth test dependencies
http://tarballs.openstack.org/swift/swift-master.tar.gz#egg=swift
netifaces

# For translations processing
Babel
Note in particular that installing the tools/test-requires dependencies automatically downloads the swift-master.tar.gz package and reinstalls Swift. Therefore, if Swift is already installed on the machine, do not run "pip install -r tools/test-requires" (it would overwrite the previously installed Swift program).
If you accidentally overwrote your previous Swift installation, there is no need to worry: run the following commands to reinstall it. (This assumes the Swift source is in ~/swift/swift_1.7.6 and the python-swiftclient source is in ~/swift/python-swiftclient_1.2.0.)
# cd ~/swift/swift_1.7.6
# python setup.py develop
# cd ~/swift/python-swiftclient_1.2.0
# python setup.py develop
Because the code came from git, we have to copy the configuration files from the code tree into the right system directory by hand. They are in ~/keystone/etc; there are four of them: default_catalog.templates, keystone.conf.sample, logging.conf.sample and policy.json. Copy these four files to /etc/keystone and rename them (dropping the ".sample" suffix). Pay particular attention to the highlighted settings in what follows.
# mkdir -p /etc/keystone
# cp ~/keystone/etc/* /etc/keystone/
# mv /etc/keystone/keystone.conf.sample /etc/keystone/keystone.conf
# mv /etc/keystone/logging.conf.sample /etc/keystone/logging.conf
keystone.conf is the core configuration file, logging.conf is the logging configuration, default_catalog.templates is the catalog template file, and policy.json defines the access policy of the Identity service. We need to edit the core configuration file /etc/keystone/keystone.conf.
[DEFAULT]
# A "shared secret" between keystone and other openstack services
# admin_token = ADMIN
# Note this setting: admin_token is the token used to access the Keystone service itself. The default is ADMIN, but it can be changed to something else. A client can use this token to access Keystone, view information, create other services and so on.

# The IP address of the network interface to listen on
# bind_host = 0.0.0.0

# The port number which the public service listens on
# public_port = 5000
# Port on which Keystone's authentication and authorization service listens; usually on the public (external) network, but it can also be internal.

# The port number which the public admin listens on
# admin_port = 35357
# Port on which Keystone's authentication/authorization and system administration service listens; usually internal. Besides authentication and authorization, users access this port for administrative operations such as creating and deleting Tenants, Users, Roles, Services and Endpoints.

# The port number which the OpenStack Compute service listens on
# compute_port = 8774

# Path to your policy definition containing identity actions
# TODO(dolph): This config method will probably be deprecated during grizzly
# policy_file = policy.json

# Rule to check if no matching policy definition is found
# FIXME(dolph): This should really be defined as [policy] default_rule
# policy_default_rule = admin_required

# === Logging Options ===
# Print debugging output
# verbose = False

# Print more verbose output
# (includes plaintext request logging, potentially including passwords)
# debug = False

# Name of log file to output to. If not set, logging will go to stdout.
# log_file = keystone.log

# The directory to keep log files in (will be prepended to --logfile)
# log_dir = /var/log/keystone

# Use syslog for logging.
# use_syslog = False

# syslog facility to receive log lines
# syslog_log_facility = LOG_USER

# If this option is specified, the logging configuration file specified is
# used and overrides any other logging options specified. Please see the
# Python logging module documentation for details on logging configuration
# files.
# log_config = logging.conf

# A logging.Formatter log message format string which may use any of the
# available logging.LogRecord attributes.
# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

# Format string for %(asctime)s in log records.
# log_date_format = %Y-%m-%d %H:%M:%S

# onready allows you to send a notification when the process is ready to serve
# For example, to have it notify using systemd, one could set shell command:
# onready = systemd-notify --ready
# or a module with notify() method:
# onready = keystone.common.systemd

[sql]
# The SQLAlchemy connection string used to connect to the database
# connection = sqlite:///keystone.db
# Database settings. The default is sqlite, and the string also gives the location of the database file: keystone.db means a keystone.db file is created in the home directory to hold the data. Another location can be given, for example sqlite:////var/lib/keystone/keystone.db.
# MySQL can of course be used as well, e.g. mysql://root:123456@192.168.3.67/keystone, where 192.168.3.67 is the database host, keystone the database name, root the user name and 123456 the password. MySQL must be installed beforehand, with a database named keystone created and the user name and password set.

# the timeout before idle sql connections are reaped
# idle_timeout = 200

[identity]
# driver = keystone.identity.backends.sql.Identity

[catalog]
# dynamic, sql-based backend (supports API/CLI-based management commands)
# driver = keystone.catalog.backends.sql.Catalog

# static, file-based backend (does *NOT* support any management commands)
# driver = keystone.catalog.backends.templated.TemplatedCatalog

# template_file = default_catalog.templates

[token]
# driver = keystone.token.backends.kvs.Token

# Amount of time a token should remain valid (in seconds)
# expiration = 86400

[policy]
# driver = keystone.policy.backends.sql.Policy

[ec2]
# driver = keystone.contrib.ec2.backends.kvs.Ec2

[ssl]
#enable = True
#certfile = /etc/keystone/ssl/certs/keystone.pem
#keyfile = /etc/keystone/ssl/private/keystonekey.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#cert_required = True

[signing]
# token_format = PKI
# Pay special attention here: in the new version the default token format is PKI, which requires setting up PKI signing and is rather troublesome. It can be changed to UUID for convenience; a UUID token is a random string of a few dozen characters.
token_format = UUID
#certfile = /etc/keystone/ssl/certs/signing_cert.pem
#keyfile = /etc/keystone/ssl/private/signing_key.pem
#ca_certs = /etc/keystone/ssl/certs/ca.pem
#key_size = 1024
#valid_days = 3650
#ca_password = None

[ldap]
# url = ldap://localhost
# user = dc=Manager,dc=example,dc=com
# password = None
# suffix = cn=example,cn=com
# use_dumb_member = False
# allow_subtree_delete = False
# dumb_member = cn=dumb,dc=example,dc=com

# user_tree_dn = ou=Users,dc=example,dc=com
# user_filter =
# user_objectclass = inetOrgPerson
# user_id_attribute = cn
# user_name_attribute = sn
# user_mail_attribute = email
# user_pass_attribute = userPassword
# user_enabled_attribute = enabled
# user_enabled_mask = 0
# user_enabled_default = True
# user_attribute_ignore = tenant_id,tenants
# user_allow_create = True
# user_allow_update = True
# user_allow_delete = True

# tenant_tree_dn = ou=Groups,dc=example,dc=com
# tenant_filter =
# tenant_objectclass = groupOfNames
# tenant_id_attribute = cn
# tenant_member_attribute = member
# tenant_name_attribute = ou
# tenant_desc_attribute = desc
# tenant_enabled_attribute = enabled
# tenant_attribute_ignore =
# tenant_allow_create = True
# tenant_allow_update = True
# tenant_allow_delete = True

# role_tree_dn = ou=Roles,dc=example,dc=com
# role_filter =
# role_objectclass = organizationalRole
# role_id_attribute = cn
# role_name_attribute = ou
# role_member_attribute = roleOccupant
# role_attribute_ignore =
# role_allow_create = True
# role_allow_update = True
# role_allow_delete = True

[filter:debug]
paste.filter_factory = keystone.common.wsgi:Debug.factory

[filter:token_auth]
paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[filter:xml_body]
paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

[filter:json_body]
paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

[filter:user_crud_extension]
paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

[filter:crud_extension]
paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

[filter:ec2_extension]
paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

[filter:s3_extension]
paste.filter_factory = keystone.contrib.s3:S3Extension.factory

[filter:url_normalize]
paste.filter_factory = keystone.middleware:NormalizingFilter.factory

[filter:stats_monitoring]
paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

[filter:stats_reporting]
paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

[app:public_service]
paste.app_factory = keystone.service:public_app_factory

[app:service_v3]
paste.app_factory = keystone.service:v3_app_factory

[app:admin_service]
paste.app_factory = keystone.service:admin_app_factory

[pipeline:public_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

[pipeline:admin_api]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

[pipeline:api_v3]
pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3

[app:public_version_service]
paste.app_factory = keystone.service:public_version_app_factory

[app:admin_version_service]
paste.app_factory = keystone.service:admin_version_app_factory

[pipeline:public_version_api]
pipeline = stats_monitoring url_normalize xml_body public_version_service

[pipeline:admin_version_api]
pipeline = stats_monitoring url_normalize xml_body admin_version_service

[composite:main]
use = egg:Paste#urlmap
/v2.0 = public_api
/v3 = api_v3
/ = public_version_api

[composite:admin]
use = egg:Paste#urlmap
/v2.0 = admin_api
/v3 = api_v3
/ = admin_version_api
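The settings commented on above (admin_token, the two listen ports, debug logging of request bodies, the [ssl] and [signing] sections, token expiration) are the ones that decide how exposed a Keystone instance is. The following script is an added example, not part of the original post or of the Keystone project: it reads a keystone.conf with the standard-library configparser, falls back to the defaults that keystone.conf.sample documents in comments, and reports the settings a deployer should change before the admin port is reachable from anywhere but localhost. The two embedded configurations are constructed; the admin_token value in the hardened one is a placeholder, not a real secret. The names SAMPLE_DEFAULTS, setting() and audit() are this example's own.

```python
"""Check a keystone.conf for the risky settings the article's walkthrough touches.

Added example; it is not part of the original post or of the Keystone project.
It reads the active (uncommented) lines with the standard-library configparser
and falls back to the defaults that keystone.conf.sample documents in comments.
"""
import configparser
import io

# Constructed sample: the active lines a deployer following the article ends up
# with (admin_token left at the sample default, token_format switched to UUID).
SAMPLE_CONF = """
[DEFAULT]
admin_token = ADMIN
bind_host = 0.0.0.0
public_port = 5000
admin_port = 35357
debug = False

[sql]
connection = sqlite:///keystone.db

[token]
expiration = 86400

[signing]
token_format = UUID

[ssl]
enable = False
"""

# Constructed hardened variant. The admin_token value is a placeholder, not a
# real secret; generate one (for example with openssl rand -hex 32) when deploying.
HARDENED_CONF = """
[DEFAULT]
admin_token = REPLACE-WITH-A-LONG-RANDOM-SECRET
bind_host = 0.0.0.0
debug = False

[token]
expiration = 3600

[signing]
token_format = UUID

[ssl]
enable = True
certfile = /etc/keystone/ssl/certs/keystone.pem
keyfile = /etc/keystone/ssl/private/keystonekey.pem
"""

# Values keystone.conf.sample applies when the corresponding line stays commented out.
SAMPLE_DEFAULTS = {
    ("DEFAULT", "admin_token"): "ADMIN",
    ("DEFAULT", "bind_host"): "0.0.0.0",
    ("DEFAULT", "debug"): "False",
    ("token", "expiration"): "86400",
    ("signing", "token_format"): "PKI",
    ("ssl", "enable"): "False",
}


def load_conf(text):
    # interpolation=None: log_format uses %(asctime)s, which configparser would
    # otherwise try to expand as a value reference.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_file(io.StringIO(text))
    return cp


def setting(cp, section, option):
    """Active value if present, otherwise the commented default from the sample file."""
    if cp.has_option(section, option):
        return cp.get(section, option).strip()
    return SAMPLE_DEFAULTS.get((section, option))


def audit(text):
    """Return {'findings': [...], 'notes': [...]} for one keystone.conf text."""
    cp = load_conf(text)
    findings, notes = [], []

    token = setting(cp, "DEFAULT", "admin_token")
    if token == "ADMIN" or len(token) < 16:
        findings.append("admin_token is the sample default or too short; whoever "
                        "knows it has full administrative rights on port 35357")
    if setting(cp, "DEFAULT", "debug").lower() == "true":
        findings.append("debug = True logs plaintext request bodies, including the "
                        "passwords sent to /v2.0/tokens")
    if (setting(cp, "DEFAULT", "bind_host") == "0.0.0.0"
            and setting(cp, "ssl", "enable").lower() != "true"):
        findings.append("listening on all interfaces with [ssl] enable off: tokens "
                        "and passwords cross the network unencrypted")
    try:
        expiration = int(setting(cp, "token", "expiration"))
    except (TypeError, ValueError):
        expiration = None
    if expiration is None or expiration > 86400:
        findings.append("[token] expiration is missing, invalid or longer than a day; "
                        "a leaked token stays usable for that long")
    if setting(cp, "signing", "token_format") == "UUID":
        notes.append("token_format = UUID: tokens are opaque random strings, so other "
                     "services must ask Keystone to validate each one (simpler than "
                     "PKI, as the article says, but every validation is a round trip)")
    return {"findings": findings, "notes": notes}


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        report = audit(text)
        print(name, "findings:", len(report["findings"]), "notes:", len(report["notes"]))
        for line in report["findings"] + report["notes"]:
            print("  -", line)
```

Run it against /etc/keystone/keystone.conf by passing the file's contents to audit(); the sample configuration from the article yields two findings (the default admin_token, and clear-text listening on all interfaces) plus the UUID note, while the hardened variant yields only the note.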
Running keystone-all --help, keystone-manage --help and keystone --help in a terminal shows Keystone's help information.
Run keystone-all --help to see the help for the Keystone server program.
# keystone-all --help
usage: keystone-all [-h] [--version] [--debug] [--nodebug] [--verbose]
                    [--noverbose] [--use-syslog] [--nouse-syslog]
                    [--standard-threads] [--nostandard-threads]
                    [--pydev-debug-port PYDEV_DEBUG_PORT]
                    [--config-file PATH] [--log-config PATH]
                    [--log-format FORMAT] [--log-date-format DATE_FORMAT]
                    [--log-file PATH] [--log-dir LOG_DIR]
                    [--syslog-log-facility SYSLOG_LOG_FACILITY]
                    [--pydev-debug-host PYDEV_DEBUG_HOST] [--config-dir DIR]

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --debug, -d           Print debugging output (set logging level to DEBUG instead of default WARNING level).
  --nodebug             The inverse of --debug
  --verbose, -v         Print more verbose output (set logging level to INFO instead of default WARNING level).
  --noverbose           The inverse of --verbose
  --use-syslog          Use syslog for logging.
  --nouse-syslog        The inverse of --use-syslog
  --standard-threads
  --nostandard-threads  The inverse of --standard-threads
  --pydev-debug-port PYDEV_DEBUG_PORT
  --config-file PATH    Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. The default files used are: ['/etc/keystone/keystone.conf']
  --log-config PATH     If this option is specified, the logging configuration file specified is used and overrides any other logging options specified. Please see the Python logging module documentation for details on logging configuration files.
  --log-format FORMAT   A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes.
  --log-date-format DATE_FORMAT
                        Format string for %(asctime)s in log records.
  --log-file PATH       Name of log file to output. If not set, logging will go to stdout.
  --log-dir LOG_DIR     The directory in which to store log files. (will be prepended to --log-file)
  --syslog-log-facility SYSLOG_LOG_FACILITY
                        syslog facility to receive log lines.
  --pydev-debug-host PYDEV_DEBUG_HOST
  --config-dir DIR      Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are over-ridden. The set is parsed after the file(s), if any, specified via --config-file, hence over-ridden options in the directory take precedence.
Run keystone-manage --help to see the help for the Keystone management program.
# keystone-manage --help
usage: keystone-manage [db_sync|export_legacy_catalog|import_legacy|import_nova_auth|pki_setup]

optional arguments:
  -h, --help            show this help message and exit
  --version             show program's version number and exit
  --debug, -d           Print debugging output (set logging level to DEBUG instead of default WARNING level).
  --nodebug             The inverse of --debug
  --verbose, -v         Print more verbose output (set logging level to INFO instead of default WARNING level).
  --noverbose           The inverse of --verbose
  --use-syslog          Use syslog for logging.
  --nouse-syslog        The inverse of --use-syslog
  --standard-threads
  --nostandard-threads  The inverse of --standard-threads
  --pydev-debug-port PYDEV_DEBUG_PORT
  --config-file PATH    Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. The default files used are: ['/etc/keystone/keystone.conf']
  --log-config PATH     If this option is specified, the logging configuration file specified is used and overrides any other logging options specified. Please see the Python logging module documentation for details on logging configuration files.
  --log-format FORMAT   A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes.
  --log-date-format DATE_FORMAT
                        Format string for %(asctime)s in log records.
  --log-file PATH       Name of log file to output. If not set, logging will go to stdout.
  --log-dir LOG_DIR     The directory in which to store log files. (will be prepended to --log-file)
  --syslog-log-facility SYSLOG_LOG_FACILITY
                        syslog facility to receive log lines.
  --pydev-debug-host PYDEV_DEBUG_HOST
  --config-dir DIR      Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are over-ridden. The set is parsed after the file(s), if any, specified via --config-file, hence over-ridden options in the directory take precedence.

Commands:
  {db_sync,export_legacy_catalog,import_legacy,import_nova_auth,pki_setup}
                        Available commands
    db_sync             Sync the database.
    export_legacy_catalog
                        Export the service catalog from a legacy database.
    import_legacy       Import a legacy database.
    import_nova_auth    Import a dump of nova auth data into keystone.
    pki_setup           Set up Key pairs and certificates for token signing and verification.
Run keystone --help to see the help for the Keystone client program.
# keystone --help
usage: keystone [--version] [--timeout <seconds>]
                [--os-username <auth-user-name>]
                [--os-password <auth-password>]
                [--os-tenant-name <auth-tenant-name>]
                [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
                [--os-region-name <region-name>]
                [--os-identity-api-version <identity-api-version>]
                [--os-token <service-token>]
                [--os-endpoint <service-endpoint>]
                [--os-cacert <ca-certificate>] [--insecure]
                [--os-cert <certificate>] [--os-key <key>] [--os-cache]
                [--force-new-token] [--stale-duration <seconds>]
                <subcommand> ...

Command-line interface to the OpenStack Identity API.

Positional arguments:
  <subcommand>
    catalog
    ec2-credentials-create   Create EC2-compatible credentials for user per tenant
    ec2-credentials-delete   Delete EC2-compatible credentials
    ec2-credentials-get      Display EC2-compatible credentials
    ec2-credentials-list     List EC2-compatible credentials for a user
    endpoint-create          Create a new endpoint associated with a service
    endpoint-delete          Delete a service endpoint
    endpoint-get
    endpoint-list            List configured service endpoints
    password-update          Update own password
    role-create              Create new role
    role-delete              Delete role
    role-get                 Display role details
    role-list                List all roles
    service-create           Add service to Service Catalog
    service-delete           Delete service from Service Catalog
    service-get              Display service from Service Catalog
    service-list             List all services in Service Catalog
    tenant-create            Create new tenant
    tenant-delete            Delete tenant
    tenant-get               Display tenant details
    tenant-list              List all tenants
    tenant-update            Update tenant name, description, enabled status
    token-get
    user-create              Create new user
    user-delete              Delete user
    user-get                 Display user details.
    user-list                List users
    user-password-update     Update user password
    user-role-add            Add role to user
    user-role-list           List roles granted to a user
    user-role-remove         Remove role from user
    user-update              Update user's name, email, and enabled status
    discover                 Discover Keystone servers, supported API versions and extensions.
    bootstrap                Grants a new role to a new user on a new tenant, after creating each.
    bash-completion          Prints all of the commands and options to stdout.
    help                     Display help about this program or one of its subcommands.

Optional arguments:
  --version                 Shows the client version and exits
  --timeout <seconds>       Set request timeout (in seconds)
  --os-username <auth-user-name>
                            Name used for authentication with the OpenStack Identity service. Defaults to env[OS_USERNAME]
  --os-password <auth-password>
                            Password used for authentication with the OpenStack Identity service. Defaults to env[OS_PASSWORD]
  --os-tenant-name <auth-tenant-name>
                            Tenant to request authorization on. Defaults to env[OS_TENANT_NAME]
  --os-tenant-id <tenant-id>
                            Tenant to request authorization on. Defaults to env[OS_TENANT_ID]
  --os-auth-url <auth-url>  Specify the Identity endpoint to use for authentication. Defaults to env[OS_AUTH_URL]
  --os-region-name <region-name>
                            Defaults to env[OS_REGION_NAME]
  --os-identity-api-version <identity-api-version>
                            Defaults to env[OS_IDENTITY_API_VERSION] or 2.0
  --os-token <service-token>
                            Specify an existing token to use instead of retrieving one via authentication (e.g. with username & password). Defaults to env[OS_SERVICE_TOKEN]
  --os-endpoint <service-endpoint>
                            Specify an endpoint to use instead of retrieving one from the service catalog (via authentication). Defaults to env[OS_SERVICE_ENDPOINT]
  --os-cacert <ca-certificate>
                            Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT]
  --insecure                Explicitly allow keystoneclient to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution.
  --os-cert <certificate>   Defaults to env[OS_CERT]
  --os-key <key>            Defaults to env[OS_KEY]
  --os-cache                Use the auth token cache. Defaults to env[OS_CACHE]
  --force-new-token         If the keyring is available and in use, token will always be stored and fetched from the keyring until the token has expired. Use this option to request a new token and replace the existing one in the keyring.
  --stale-duration <seconds>
                            Stale duration (in seconds) used to determine whether a token has expired when retrieving it from keyring. This is useful in mitigating process or network delays. Default is 30 seconds.

See "keystone help COMMAND" for help on a specific command.
Synchronize the database schema; Keystone connects to the database itself and creates the tables.
# keystone-manage db_sync
Afterwards sqlite3 creates the file ~/keystone.db (depending on the configuration above) and we can inspect the tables in the database. Open the database with sqlite3 ~/keystone.db, then use the .table command to list all tables, including Tenant, User, Role, Service, Endpoint and so on.
# sqlite3 ~/keystone.db
SQLite version 3.7.7 2011-06-23 19:49:22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .table
credential              migrate_version         token
domain                  policy                  user
ec2_credential          role                    user_domain_metadata
endpoint                service                 user_tenant_membership
metadata                tenant
sqlite> .exit
#
We have now installed and configured the Keystone service; everything is in place and the service can be started.
# keystone-all
To access the Keystone service, the client needs environment variables to be set; alternatively the corresponding parameters can be passed on each command that accesses Keystone. In the deployment described in this document, the Keystone client and server are on the same PC. There are two ways to set the environment variables:
1. Use the export command in the terminal; the variables are then only valid in that terminal.
# export SERVICE_TOKEN=ADMIN
# export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0
Some explanation is needed here:
2. Edit ~/.bashrc and append the following lines at the end of the file. (This file holds the environment variables of the current user's Bash shell.)
export SERVICE_TOKEN=ADMIN
export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0
Then run the following command to make the change take effect. Once it takes effect, it stays in effect for good!
# . ~/.bashrc
The environment variables above are explained as follows:
The client can then use the token named ADMIN to access the Keystone service at the given address http://192.168.3.67:35357/v2.0.
First, run the following commands to look at the contents of several important database tables through the Keystone service: Tenant, User, Role, Service and Endpoint. The results are necessarily empty, because we have not yet added any Tenant, User, Role, Service or Endpoint, but they already show that Keystone is working.
# keystone tenant-list
# keystone user-list
# keystone role-list
# keystone service-list
# keystone endpoint-list
Next we add Tenants, Users, Roles, Services, Endpoints and so on by hand, as our setup requires.
We will create a Tenant named adminTenant, a User named admin and a Role named adminRole, and associate them. The end result: a user named admin who holds the role adminRole and can use the tenant adminTenant.
1. Create the Tenant, named adminTenant with the description Admin Tenant. Remember the Tenant id produced by this command; it is needed when adding the User below.
# keystone tenant-create --name adminTenant --description "Admin Tenant" --enabled true
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |           Admin Tenant           |
|   enabled   |               True               |
|      id     | 4803098ff0b44f13bb33e7c9665e59d4 |
|     name    |           adminTenant            |
+-------------+----------------------------------+
2. Create the User, named admin with the password openstack. Remember the User id produced by this command; it is needed for the association command below.
# keystone user-create --tenant_id 4803098ff0b44f13bb33e7c9665e59d4 --name admin --pass openstack --enabled true
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | c2c40638681041aca9625869c260ba51 |
|   name   |              admin               |
| tenantId | 4803098ff0b44f13bb33e7c9665e59d4 |
+----------+----------------------------------+
3. Create the Role, named adminRole. Remember the Role id produced by this command; it is needed for the association command below.
# keystone role-create --name adminRole
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | 675c497fdf314e74a3f4bd6e1710d45d |
|   name   |            adminRole             |
+----------+----------------------------------+
At this point we have created one Tenant, one User and one Role, with the following ids:
tenant_id: 4803098ff0b44f13bb33e7c9665e59d4
user_id:   c2c40638681041aca9625869c260ba51
role_id:   675c497fdf314e74a3f4bd6e1710d45d
4. Finally, use the three ids above with the following command to associate them.
# keystone user-role-add --user-id c2c40638681041aca9625869c260ba51 --tenant-id 4803098ff0b44f13bb33e7c9665e59d4 --role-id 675c497fdf314e74a3f4bd6e1710d45d
Now let us look at the Tenant, User, Role, Service and Endpoint information again with the list commands.
# keystone tenant-list
+----------------------------------+-------------+---------+
|                id                |     name    | enabled |
+----------------------------------+-------------+---------+
| 4803098ff0b44f13bb33e7c9665e59d4 | adminTenant |   True  |
+----------------------------------+-------------+---------+
# keystone user-list
+----------------------------------+-------+---------+-------+
|                id                |  name | enabled | email |
+----------------------------------+-------+---------+-------+
| c2c40638681041aca9625869c260ba51 | admin |   True  |       |
+----------------------------------+-------+---------+-------+
# keystone role-list
+----------------------------------+-----------+
|                id                |    name   |
+----------------------------------+-----------+
| 675c497fdf314e74a3f4bd6e1710d45d | adminRole |
+----------------------------------+-----------+
# keystone service-list
# keystone endpoint-list
With the Tenant, User and Role created and associated, we can now access Keystone with the User's name and password to obtain a Token for accessing the Tenant. We use curl to request authorization from Keystone; the request needs four parameters: tenantName, username, password and the authentication URL (either http://192.168.3.67:35357/v2.0/tokens or http://192.168.3.67:5000/v2.0/tokens works). The response is returned in JSON.
First try with a wrong password; the authorization request fails and the response carries an error message.
# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "xxx"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   219  100   116  100   103   2547   2262 --:--:-- --:--:-- --:--:--  2577
{
    "error": {
        "code": 401,
        "message": "The request you have made requires authentication.",
        "title": "Not Authorized"
    }
}
Then request with the correct password (http://192.168.3.67:35357/v2.0/tokens); the authorization succeeds. The response contains the Token we need and also shows the Tenant, User and Role information for this request. We can see that the Token id is 55e9889a646e467693f2e11b58ccf78d, that it was issued at 2013-03-15T12:42:00.096694, and that it expires at 2013-03-16T12:42:00Z.
# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   618  100   509  100   109   8811   1886 --:--:-- --:--:-- --:--:--  8929
{
    "access": {
        "metadata": {
            "is_admin": 0,
            "roles": [
                "675c497fdf314e74a3f4bd6e1710d45d"
            ]
        },
        "serviceCatalog": [],
        "token": {
            "expires": "2013-03-16T12:42:00Z",
            "id": "55e9889a646e467693f2e11b58ccf78d",
            "issued_at": "2013-03-15T12:42:00.096694",
            "tenant": {
                "description": "Admin Tenant",
                "enabled": true,
                "id": "4803098ff0b44f13bb33e7c9665e59d4",
                "name": "adminTenant"
            }
        },
        "user": {
            "id": "c2c40638681041aca9625869c260ba51",
            "name": "admin",
            "roles": [
                {
                    "name": "adminRole"
                }
            ],
            "roles_links": [],
            "username": "admin"
        }
    }
}
Now try the authentication address http://192.168.3.67:5000/v2.0/tokens; authorization succeeds in the same way.
# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:5000/v2.0/tokens | python -mjson.tool
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   618  100   509  100   109   9030   1933 --:--:-- --:--:-- --:--:--  9254
{
    "access": {
        "metadata": {
            "is_admin": 0,
            "roles": [
                "675c497fdf314e74a3f4bd6e1710d45d"
            ]
        },
        "serviceCatalog": [],
        "token": {
            "expires": "2013-04-05T07:36:56Z",
            "id": "bfe30305790c46e2a4b5bfc80060246b",
            "issued_at": "2013-04-04T07:36:56.283627",
            "tenant": {
                "description": "Admin Tenant",
                "enabled": true,
                "id": "4803098ff0b44f13bb33e7c9665e59d4",
                "name": "adminTenant"
            }
        },
        "user": {
            "id": "c2c40638681041aca9625869c260ba51",
            "name": "admin",
            "roles": [
                {
                    "name": "adminRole"
                }
            ],
            "roles_links": [],
            "username": "admin"
        }
    }
}
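The curl exchanges above are what every client of the v2.0 API performs: post the auth body, then read the token id, expiry, tenant, roles and service catalog out of the JSON (or the error object on a 401). The following script is an added example, not part of the original post or of python-keystoneclient: it builds the same request body, parses constructed copies of the two responses shown above without contacting a server, rejects a 401 body or an already-expired token, and redacts the token id before it is logged, since the id is a bearer secret. The names AuthError, parse_token_response(), redact() and ISSUED_NOW are this example's own.

```python
"""Build the v2.0 token request and interpret the responses shown above.

Added example; it is not part of the original post or of python-keystoneclient.
The two responses are constructed copies of the curl output in the article,
so the code runs without a Keystone server. AuthError, redact() and the
dict returned by parse_token_response() are this example's own names.
"""
import json
from datetime import datetime

# Authentication URL used in the article (the public port 5000 works as well).
AUTH_URL = "http://192.168.3.67:35357/v2.0/tokens"

# The moment the article's token was issued, used as "now" when checking expiry.
ISSUED_NOW = datetime(2013, 3, 15, 12, 42, 0)


def build_auth_body(tenant_name, username, password):
    """The JSON body the article passes to curl -d."""
    return json.dumps({"auth": {
        "tenantName": tenant_name,
        "passwordCredentials": {"username": username, "password": password},
    }})


# Constructed copy of the 401 response returned for a wrong password.
ERROR_RESPONSE = json.dumps({"error": {
    "code": 401,
    "message": "The request you have made requires authentication.",
    "title": "Not Authorized",
}})

# Constructed copy of the successful response. serviceCatalog is empty because
# no Service or Endpoint has been registered yet at this point in the article.
SUCCESS_RESPONSE = json.dumps({"access": {
    "metadata": {"is_admin": 0, "roles": ["675c497fdf314e74a3f4bd6e1710d45d"]},
    "serviceCatalog": [],
    "token": {
        "expires": "2013-03-16T12:42:00Z",
        "id": "55e9889a646e467693f2e11b58ccf78d",
        "issued_at": "2013-03-15T12:42:00.096694",
        "tenant": {"description": "Admin Tenant", "enabled": True,
                   "id": "4803098ff0b44f13bb33e7c9665e59d4", "name": "adminTenant"},
    },
    "user": {"id": "c2c40638681041aca9625869c260ba51", "name": "admin",
             "roles": [{"name": "adminRole"}], "roles_links": [], "username": "admin"},
}})


class AuthError(Exception):
    """Raised for a 401 error body or an already-expired token."""


def parse_token_response(text, now):
    """Turn a /v2.0/tokens response into the fields a client actually needs."""
    data = json.loads(text)
    if "error" in data:
        err = data["error"]
        raise AuthError("%s (%s): %s" % (err.get("title"), err.get("code"), err.get("message")))
    access = data["access"]
    token = access["token"]
    # "expires" is UTC with a trailing Z, as in the article's output.
    expires = datetime.strptime(token["expires"], "%Y-%m-%dT%H:%M:%SZ")
    if expires <= now:
        raise AuthError("token already expired at %s" % token["expires"])
    return {
        "token_id": token["id"],
        "tenant_id": token["tenant"]["id"],
        "user_id": access["user"]["id"],
        "roles": [r["name"] for r in access["user"]["roles"]],
        "role_ids": list(access["metadata"]["roles"]),
        "expires": expires,
        "seconds_left": int((expires - now).total_seconds()),
        "catalog_services": [s.get("name") for s in access["serviceCatalog"]],
    }


def redact(token_id):
    """A token id is a bearer secret; keep log lines to a prefix and suffix."""
    return token_id[:4] + "..." + token_id[-4:]


if __name__ == "__main__":
    print("POST", AUTH_URL, build_auth_body("adminTenant", "admin", "openstack"))
    try:
        parse_token_response(ERROR_RESPONSE, ISSUED_NOW)
    except AuthError as exc:
        print("wrong password ->", exc)
    info = parse_token_response(SUCCESS_RESPONSE, ISSUED_NOW)
    print("token", redact(info["token_id"]), "roles", info["roles"],
          "valid for", info["seconds_left"], "s; catalog:", info["catalog_services"])
```

With the article's response the token is valid for exactly 86400 seconds, matching the [token] expiration default, and the catalog is empty; once a Service and Endpoint are registered, catalog_services is where a client finds the Swift URL instead of hard-coding it.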
The examples above illustrate Keystone's basic operations and show that Keystone is correctly providing authentication and authorization services. A later document continues this topic with the joint deployment of Keystone and Swift, where Keystone provides authentication and authorization for Swift.
http://docs.openstack.org/developer/keystone/installing.html
http://docs.openstack.org/developer/keystone/setup.html
http://docs.openstack.org/developer/keystone/configuration.html
http://docs.openstack.org/trunk/openstack-compute/install/yum/content/keystone-conf-file.html
http://docs.openstack.org/trunk/openstack-compute/install/yum/content/setting-up-tenants-users-and-roles.html
https://github.com/openstack/keystone
http://liangbo.me/index.php/2012/03/27/11/
http://articles.csdn.net/shangwuzhuanqu/OpenStackzhuanqu/jishufenxiangyemia/2012/0820/2808852.html
http://blog.csdn.net/nocturne1210/article/details/7877307
http://blog.csdn.net/xiangmin2587/article/details/8224042
http://blog.sina.com.cn/s/blog_6a9ae9e501014w3p.html
https://gist.github.com/border/4070200
http://www.linuxidc.com/Linux/2012-12/75424.htm