OpenStack (7) Keystone

Official installation documentation: https://docs.openstack.org/ocata/zh_CN/install-guide-rdo/index.html

7.1 Keystone overview

Keystone mainly involves the following concepts: User, Tenant, Role and Token:

User: a user of OpenStack.

Tenant: a tenant, which can be understood as the collection of resources owned by a person, project or organization. A tenant can contain many users, and those users use the tenant's resources according to how permissions are divided among them.

Role: a role, used to assign operation permissions. A role can be assigned to a user, granting that user the operation permissions associated with the role.

Token: a string of bits or characters used as the credential for accessing resources. A token carries the scope of accessible resources and a validity period.
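The four concepts above meet in one exchange: a user authenticates with a password, asks for a token scoped to a project, and gets back a token whose body lists the roles that apply and when it expires. This is what `openstack ... token issue` in section 7.5 does under the hood. The code below is an added illustration, not code from the page or from Keystone; SAMPLE_HEADERS and SAMPLE_BODY are constructed to mirror the shape of a real `POST /v3/auth/tokens` reply (the token id travels in the X-Subject-Token header, not in the JSON body), and the token value and timestamps are invented.

```python
"""Keystone v3 password authentication as seen from a client: build the
request body for POST /v3/auth/tokens and parse a project-scoped reply.
Added example; the sample reply is constructed, not captured output."""
import json
from datetime import datetime, timezone

KEYSTONE_URL = "http://192.168.10.100:5000/v3"   # public VIP endpoint from the page


def build_auth_request(username, password, project, domain="default"):
    """JSON body for a password login scoped to one project in one domain.
    Scoping matters: an unscoped token carries no roles and cannot act on
    project resources."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {"name": username,
                             "domain": {"name": domain},
                             "password": password}
                },
            },
            "scope": {"project": {"name": project, "domain": {"name": domain}}},
        }
    }


# Constructed sample reply for the page's demo user (values are invented).
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABconstructedFernetTokenValue"}
SAMPLE_BODY = json.dumps({
    "token": {
        "methods": ["password"],
        "user": {"name": "demo", "domain": {"name": "default"}},
        "project": {"name": "demo", "domain": {"name": "default"}},
        "roles": [{"name": "user"}],
        "issued_at": "2017-09-10T03:00:00.000000Z",
        "expires_at": "2017-09-10T04:00:00.000000Z",
    }
})


def parse_utc(stamp):
    """Keystone timestamps are UTC with microseconds and a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def parse_token_response(headers, body):
    """Pull out the pieces a service validates: who, which project, which
    roles, and until when. Unscoped tokens have no "project" key."""
    tok = json.loads(body)["token"]
    return {
        "token_id": headers["X-Subject-Token"],
        "user": tok["user"]["name"],
        "project": tok.get("project", {}).get("name"),
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
        "expires_at": parse_utc(tok["expires_at"]),
    }


def sample_token():
    """Parsed form of the constructed sample reply."""
    return parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)


def token_is_valid(token, now):
    """True while the token has not expired (now must be timezone-aware)."""
    return now < token["expires_at"]


def has_role(token, role):
    """The role check a service performs before allowing an operation."""
    return role in token["roles"]


if __name__ == "__main__":
    print("POST", KEYSTONE_URL + "/auth/tokens")
    print(json.dumps(build_auth_request("demo", "demo", "demo"), indent=2))
    tok = sample_token()
    now = datetime(2017, 9, 10, 3, 30, tzinfo=timezone.utc)
    print(tok["user"], tok["project"], tok["roles"],
          "valid" if token_is_valid(tok, now) else "expired",
          "admin" if has_role(tok, "admin") else "not admin")
```

The demo user from section 7.3.9 only ever holds the user role on the demo project, so `has_role(tok, "admin")` is False for it even though an admin role exists elsewhere: roles are granted per project, which is the point of the `openstack role add --project ... --user ...` steps later on.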

7.2 Installing the Keystone identity service

7.2.1 Keystone database configuration

# mysql   # connect to the database

> create database keystone;

> grant all on keystone.* to 'keystone'@'%' identified by 'keystone';

7.2.2 Configuring the HAProxy proxy

MySQL port 3306, memcache port 11211 and RabbitMQ port 5672 are proxied for both nodes, as in sections 3.3.3.3 and 3.3.3.5.

7.2.3 Verifying database access through the VIP port

# mysql -ukeystone -h192.168.10.100 -pkeystone

7.2.4 Installing Keystone

openstack-keystone is the Keystone service, httpd is the web server, and mod_wsgi is the Apache module implementing Python's WSGI (Web Server Gateway Interface).

# yum install -y openstack-keystone httpd mod_wsgi python-memcached python2-PyMySQL

7.3 Configuring the Keystone identity service

7.3.1 Generating a temporary token

# openssl rand -hex 10

a734fda7b075fb62b75c

7.3.2 Editing the configuration file

# vim /etc/keystone/keystone.conf

17 admin_token = a734fda7b075fb62b75c

714 connection = mysql+pymysql://keystone:keystone@192.168.10.100/keystone

2833 provider = fernet

7.3.3 Current final configuration

# grep -n "^[a-zA-Z\[]" /etc/keystone/keystone.conf

1:[DEFAULT]

17:admin_token = a734fda7b075fb62b75c

686:[database]

714:connection = mysql+pymysql://keystone:keystone@192.168.10.100/keystone

1494:[memcache]

2791:[token]

2833:provider = fernet

7.3.4 Initializing and verifying the database

# su -s /bin/sh -c "keystone-manage db_sync" keystone

# mysql

> use keystone;

> show tables;

7.3.5 Keystone log file

# ll /var/log/keystone/keystone.log

7.3.6 Initializing the Fernet and credential keys and verifying

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

# ll /etc/keystone/fernet-keys/

-rw------- 1 keystone keystone 44 Sep 10 10:56 0

-rw------- 1 keystone keystone 44 Sep 10 10:56 1
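Two things on this page deserve a check before the service goes into production: the keystone.conf settings from 7.3.3 (the bootstrap admin_token bypasses user authentication and is meant to be cleared once the admin user and endpoints exist; the database connection string carries a password equal to the username) and the Fernet key repository from 7.3.6 (these keys sign and encrypt every token, so the 0600 mode shown by ll is the thing to verify). The following is an added example, not code from the page or from Keystone; SAMPLE_CONF is a constructed copy of the three settings shown above, and make_demo_key_repo() builds a throwaway directory with one correct and one overly permissive key so the permission check has something to run against.

```python
"""Hardening checks for keystone.conf settings and the Fernet key repository.
Added example; SAMPLE_CONF and the demo key repository are constructed."""
import configparser
import os
import re
import stat
import tempfile

SAMPLE_CONF = """\
[DEFAULT]
admin_token = a734fda7b075fb62b75c
[database]
connection = mysql+pymysql://keystone:keystone@192.168.10.100/keystone
[token]
provider = fernet
"""

# scheme://user:password@host... ; captures user and password
DB_URL_RE = re.compile(r"^[\w+]+://([^:/@]+):([^@]+)@")


def audit_conf(text):
    """Return (code, message) findings for the settings shown on the page."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # The bootstrap token is a shared secret that skips user authentication;
    # it should be removed once the 7.3.9 steps have created the admin user.
    if cp.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append(("admin_token_set",
                         "admin_token still set in [DEFAULT]; remove it after bootstrap"))
    if cp.get("token", "provider", fallback="") != "fernet":
        findings.append(("provider_not_fernet",
                         "[token] provider should be fernet"))
    m = DB_URL_RE.match(cp.get("database", "connection", fallback=""))
    if m and m.group(1) == m.group(2):
        findings.append(("weak_db_password",
                         "[database] connection password equals the username"))
    return findings


def audit_key_repo(path):
    """Any group/other permission bit on a Fernet key file means another
    local user could read the key and mint tokens."""
    if not os.path.isdir(path):
        return [("repo_missing", f"{path} does not exist; run keystone-manage fernet_setup")]
    findings = []
    names = sorted(os.listdir(path))
    for name in names:
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append(("key_world_readable",
                             f"{name}: mode {oct(mode)}, expected 0o600"))
    # fernet_setup leaves a staged key (0) and a primary key (1), as the ll output shows
    if len(names) < 2:
        findings.append(("too_few_keys", "expected at least a staged and a primary key"))
    return findings


def make_demo_key_repo():
    """Constructed fixture: key 0 with the correct mode, key 1 too open."""
    d = tempfile.mkdtemp(prefix="fernet-keys-demo-")
    for name, mode in (("0", 0o600), ("1", 0o644)):
        p = os.path.join(d, name)
        with open(p, "wb") as fh:
            fh.write(b"x" * 44)   # real keys are 44 bytes, matching the ll output
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for code, msg in audit_conf(SAMPLE_CONF) + audit_key_repo(make_demo_key_repo()):
        print(f"{code}: {msg}")
```

Run against the real files as root with `audit_conf(open("/etc/keystone/keystone.conf").read())` and `audit_key_repo("/etc/keystone/fernet-keys")`; on the page's configuration the first call reports the admin_token and the weak database password, and the second should report nothing.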

7.3.7 Editing the Apache configuration file

# vim /etc/httpd/conf/httpd.conf

95 ServerName 192.168.10.201:80

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d

7.3.8 Starting Apache and verifying

# systemctl start httpd

# systemctl enable httpd

# ss -tnl

7.3.9 Creating the domain, users, projects and roles

7.3.9.1 Set the environment variables with the admin token so that the following operations can be performed:

# export OS_TOKEN=a734fda7b075fb62b75c

# export OS_URL=http://192.168.10.201:35357/v3

# export OS_IDENTITY_API_VERSION=3

7.3.9.2 Creating the default domain

This only succeeds if the environment variables from the previous step have been set; otherwise the command reports that it is not authenticated.

# Command format: openstack domain create --description "description" domain-name

# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 961b40ed4c6b40a9b266ce5e451a4292 |
| name        | default                          |
+-------------+----------------------------------+

7.3.9.3 Creating an admin project

# Command format: openstack project create --domain domain --description "description" project-name

# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled     | True                             |
| id          | 1caf792ed8d84fc089ef4c3ab6cbf3c1 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 961b40ed4c6b40a9b266ce5e451a4292 |
+-------------+----------------------------------+

7.3.9.4 Creating the admin user and setting its password to admin:

# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled             | True                             |
| id                  | 2c82b16690934cbe9b78bbffae50ecca |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

7.3.9.5 Creating the admin role:

A project can contain multiple roles; at present the only roles that can be created are those already defined in the /etc/keystone/policy.json file:

# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 9c6f0cdfe1704fdb85c56528ebcaec16 |
| name      | admin                            |
+-----------+----------------------------------+

7.3.9.6 Granting the admin user permissions:

Grant the admin user the admin role on the admin project, that is, add a user named admin to the admin project and place it in the admin role; a role is a collection of permissions:

# openstack role add --project admin --user admin admin

7.3.9.7 Creating the demo project:

This project can be used for demonstrations and testing.

# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled     | True                             |
| id          | 51919be117ec4ba2bdddd206bd3a1444 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 961b40ed4c6b40a9b266ce5e451a4292 |
+-------------+----------------------------------+

7.3.9.8 Creating the demo user and setting its password to demo:

# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled             | True                             |
| id                  | 49640b553dcc43c6bccf5722eedf46af |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

7.3.9.9 Creating a user role:

The roles are now user and admin:

[root@linux-host1 ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 5b60565079c4475ab640f61038c1c632 |
| name      | user                             |
+-----------+----------------------------------+

7.3.9.10 Adding the demo user to the demo project:

and then granting it the user role:

# openstack role add --project demo --user demo user

7.3.9.11 Creating a service project:

The individual services access and authenticate against Keystone; the service project is used to create the users for those services.

# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled     | True                             |
| id          | c7cf72ff26dd49f1a9216f94146cf82b |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 961b40ed4c6b40a9b266ce5e451a4292 |
+-------------+----------------------------------+

7.3.9.11 Creating the glance user:

Create the glance user and set its password to glance

# openstack user create --domain default --password-prompt glance
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled             | True                             |
| id                  | 1aeb2f2695ec4008b6ff9899e88fcb82 |
| name                | glance                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

7.3.9.12 Granting the glance user permissions:

Add the glance and neutron users to the service project and grant them the admin role

# openstack role add --project service --user glance admin

7.3.9.13 Repeat the above steps for the nova and neutron users:

Add the nova user to the service project and grant it admin permissions

Create the nova user and set its password to nova

# openstack user create --domain default --password-prompt nova
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled             | True                             |
| id                  | 71580f80cd4345e19f8948b77556ae3a |
| name                | nova                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Create the neutron user and set its password to neutron

# openstack user create --domain default --password-prompt neutron
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 961b40ed4c6b40a9b266ce5e451a4292 |
| enabled             | True                             |
| id                  | 73fe1b80b71e46f49fe1d5730dca5283 |
| name                | neutron                          |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Grant the nova and neutron users permissions:

Grant the nova and neutron users the admin role on the service project

[root@linux-host1 ~]# openstack role add --project service --user nova admin

[root@linux-host1 ~]# openstack role add --project service --user neutron admin

7.3.9.14 Service registration

Register the Keystone service address with OpenStack:

Create a keystone identity service

# openstack service list   # list the current services

# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 6efd80d3570f40bfafb02a1169b68aaa |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

# openstack service list   # verify that the service was created
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| 6efd80d3570f40bfafb02a1169b68aaa | keystone | identity |
+----------------------------------+----------+----------+

# openstack endpoint create --region RegionOne identity public http://192.168.10.100:5000/v3   # public endpoint
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 92990b4521454e1ab1b5aa9e26e3e230 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 6efd80d3570f40bfafb02a1169b68aaa |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.10.100:5000/v3    |
+--------------+----------------------------------+

# openstack endpoint create --region RegionOne identity internal http://192.168.10.100:5000/v3   # internal endpoint
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 9779a47b96ee4ffa9196fb8593bbcc1d |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 6efd80d3570f40bfafb02a1169b68aaa |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.10.100:5000/v3    |
+--------------+----------------------------------+

# openstack endpoint create --region RegionOne identity admin http://192.168.10.100:35357/v3   # admin endpoint
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c95807c1098e4cab95e11eeebba1221f |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 6efd80d3570f40bfafb02a1169b68aaa |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.10.100:35357/v3   |
+--------------+----------------------------------+

7.4 Configuring the Keystone two-node cluster

7.4.1 Syncing the files from linux-host1

Install the identity service as in 7.2.4

# scp -r -P22 /etc/keystone/ 192.168.10.202:/etc/keystone

# vim /etc/httpd/conf/httpd.conf

95 ServerName 192.168.10.201:80

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d

# systemctl start httpd

# systemctl enable httpd

# ss -tnl

7.4.2 Configuring HAProxy

On linux-host5 and linux-host6:

# vim /etc/haproxy/haproxy.cfg

listen keystone-public-url
    bind 192.168.10.100:5000
    mode tcp
    log global
    balance source
    server keystone1 192.168.10.201:5000 check inter 5000 rise 3 fall 3
    server keystone2 192.168.10.202:5000 check inter 5000 rise 3 fall 3

listen keystone-admin-url
    bind 192.168.10.100:35357
    mode tcp
    log global
    balance source
    server keystone1 192.168.10.201:35357 check inter 5000 rise 3 fall 3
    server keystone2 192.168.10.202:35357 check inter 5000 rise 3 fall 3

# systemctl reload haproxy

# telnet 192.168.10.100 5000

# telnet 192.168.10.100 35357
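The telnet checks above only prove that the VIP ports answer; they do not show whether both backends are actually distinct, healthy members of each listen block. The following is an added example, not code from the page or from HAProxy: a small lint for listen blocks of the shape used here. SAMPLE_CFG is a constructed variant of the page's block containing two slips that are easy to make when copying a server line (both backend servers named keystone1, and a space after the colon in one address, which splits the address into two tokens), and FIXED_CFG is the corrected version. The port-mismatch check is a heuristic that fits this page's layout, where frontend and backend use the same port.

```python
"""Lint for HAProxy 'listen' blocks: duplicate server names, malformed
ip:port values, backend port differing from the bind port, and servers
without a health check. Added example; the configs are constructed."""
import re

SAMPLE_CFG = """\
listen keystone-public-url
    bind 192.168.10.100:5000
    mode tcp
    log global
    balance source
    server keystone1 192.168.10.201:5000 check inter 5000 rise 3 fall 3
    server keystone1 192.168.10.202:5000 check inter 5000 rise 3 fall 3

listen keystone-admin-url
    bind 192.168.10.100:35357
    mode tcp
    log global
    balance source
    server keystone1 192.168.10.201:35357 check inter 5000 rise 3 fall 3
    server keystone1 192.168.10.202: 35357 check inter 5000 rise 3 fall 3
"""

FIXED_CFG = (SAMPLE_CFG
             .replace("server keystone1 192.168.10.202:5000",
                      "server keystone2 192.168.10.202:5000")
             .replace("server keystone1 192.168.10.202: 35357",
                      "server keystone2 192.168.10.202:35357"))

ADDR_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_listen_blocks(text):
    """Map each 'listen <name>' block to its list of tokenised directives."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "listen" and len(parts) > 1:
            current = parts[1]
            blocks[current] = []
        elif current is not None:
            blocks[current].append(parts)
    return blocks


def lint(text):
    """Return (block, code, message) findings, in config order."""
    findings = []
    for block, directives in parse_listen_blocks(text).items():
        bind_port, seen = None, set()
        for d in directives:
            if d[0] == "bind" and len(d) > 1:
                m = ADDR_RE.match(d[1])
                bind_port = m.group(2) if m else None
            elif d[0] == "server":
                name = d[1] if len(d) > 1 else "?"
                addr = d[2] if len(d) > 2 else ""
                if name in seen:
                    findings.append((block, "duplicate_server",
                                     f"server name {name} used twice"))
                seen.add(name)
                m = ADDR_RE.match(addr)
                if not m:
                    findings.append((block, "bad_address",
                                     f"server {name}: '{addr}' is not ip:port"))
                elif bind_port and m.group(2) != bind_port:
                    findings.append((block, "port_mismatch",
                                     f"server {name}: backend port {m.group(2)} "
                                     f"differs from bind port {bind_port}"))
                if "check" not in d:
                    findings.append((block, "no_health_check",
                                     f"server {name}: no check keyword"))
    return findings


if __name__ == "__main__":
    for block, code, msg in lint(SAMPLE_CFG):
        print(f"{block}: {code}: {msg}")
    print("fixed config findings:", lint(FIXED_CFG))
```

Run `lint(open("/etc/haproxy/haproxy.cfg").read())` on each HAProxy node after editing and before `systemctl reload haproxy`; an empty list means both listen blocks name two distinct, health-checked backends on well-formed addresses.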

 

7.5 Verification

7.5.1 Testing whether Keystone can authenticate users

Verify the admin user (password admin): open a new window and run the following:

# export OS_IDENTITY_API_VERSION=3

# openstack --os-auth-url http://192.168.10.100:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue

Verify the demo user (password demo):

# export OS_IDENTITY_API_VERSION=3

# openstack --os-auth-url http://192.168.10.100:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
