1. Preface
I have been running OpenStack in production for a little over a year. For lack of time, and the laziness that comes with a day job, I never got around to writing up what I learned about OpenStack. With the year ending, this is a summary of some of the common operations tasks I ran into in production over that period. Note that the operations described here are essentially all taken from the official OpenStack documentation and the commands' own help output, so the official documentation remains the best source; this post is only meant as a starting point.
2. About keystone
keystone is the OpenStack service responsible for authentication and authorization. It does two jobs: 1. authenticating and authorizing users, and 2. serving the service catalog. In effect, keystone is the registry of an OpenStack deployment: every user must be registered in keystone, and every OpenStack service must register its catalog entry (service and endpoint) with keystone so that components can locate and call one another.
3. Granting a user access in keystone
The smallest unit of resource grouping in OpenStack is the tenant. A tenant is a collection of resources (compute, network and storage) and usually corresponds to a company, a department or an individual, for example a company signing up for Alibaba Cloud, or a department requesting resources on the internal OpenStack private cloud. As the OpenStack cloud administrator, granting users access is a basic task. A tenant also receives default compute, storage and network quotas; adjusting quotas is covered in a later post. Creating a user has three stages: 1. create the user, 2. create the tenant, 3. add the user to the tenant with a role. The role determines what the user may do: _member_ gives ordinary access to the tenant's resources, whereas with the default keystone policy of this release the admin role is effectively cloud-wide rather than confined to the tenant it is granted on, so grant admin only to cloud operators.
3.1 Creating a user
[root@controller ~]# keystone user-create --name user1 --pass password --email user1@example.com --enabled true
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | user1@example.com                |
| enabled  | True                             |
| id       | ce398fc13d224c63b9d90b3cc2b6d464 |   # the user's id
| name     | user1                            |
| username | user1                            |
+----------+----------------------------------+
List users:
[root@controller ~]# keystone user-list
+----------------------------------+---------+---------+---------------------+
| id                               | name    | enabled | email               |
+----------------------------------+---------+---------+---------------------+
| bc5e46fc4204497185ae3ca6f8b7affb | admin   | True    | admin@example.com   |
| ac86694e3053492f921e19aca9c9d646 | cinder  | True    | cinder@example.com  |
| 0ed4f1c5af2a496a8d56e256d966ef9d | demo    | True    | demo@example.com    |
| 0922aae9b7bf4f80a7811fd0c7db49c6 | glance  | True    | glance@example.com  |
| 053262aa44ce430d91465417f045cead | neutron | True    | neutron@example.com |
| b709f56c61114ce78768b34d76d5af90 | nova    | True    | nova@example.com    |
| ce398fc13d224c63b9d90b3cc2b6d464 | user1   | True    | user1@example.com   |   # the user just created; its id is needed later
+----------------------------------+---------+---------+---------------------+
Show the user's details:
[root@controller ~]# keystone user-get ce398fc13d224c63b9d90b3cc2b6d464
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | user1@example.com                |
| enabled  | True                             |
| id       | ce398fc13d224c63b9d90b3cc2b6d464 |
| name     | user1                            |
| username | user1                            |
+----------+----------------------------------+
Summary: the user management commands are user-create, user-delete, user-update, user-list and user-get (create, delete, update, list, show), plus user-password-update for changing a user's password. tenant, role, service and endpoint have the same set of commands, so the pattern carries over. Note that the password given to --pass is part of the command line: it is recorded in the shell history and visible in the process list while the command runs. Use a strong, randomly generated initial password, hand it to the user out of band, and have them change it with user-password-update.
3.2 Creating a tenant
[root@controller ~]# keystone tenant-create --name companyA --description "Project For ComputeA" --enabled true
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Project For ComputeA             |
| enabled     | True                             |
| id          | 7ff1dfb5a6f349958c3a949248e56236 |   # the tenant's id, needed later
| name        | companyA                         |
+-------------+----------------------------------+
List tenants:
[root@controller ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id                               | name     | enabled |
+----------------------------------+----------+---------+
| 842ab3268a2c47e6a4b0d8774de805ae | admin    | True    |
| 7ff1dfb5a6f349958c3a949248e56236 | companyA | True    |   # the tenant just created
| 10d1465c00d049fab88dec1af0f56b1b | demo     | True    |
| 3b57a14f7c354a979c9f62b60f31a331 | service  | True    |
+----------------------------------+----------+---------+
Show the tenant's details:
[root@controller ~]# keystone tenant-get 7ff1dfb5a6f349958c3a949248e56236
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Project For ComputeA             |
| enabled     | True                             |
| id          | 7ff1dfb5a6f349958c3a949248e56236 |
| name        | companyA                         |
+-------------+----------------------------------+
3.3 Associating the user with the tenant and a role
Look up the tenant's id:
[root@controller ~]# keystone tenant-list
+----------------------------------+----------+---------+
| id                               | name     | enabled |
+----------------------------------+----------+---------+
| 842ab3268a2c47e6a4b0d8774de805ae | admin    | True    |
| 7ff1dfb5a6f349958c3a949248e56236 | companyA | True    |   # the tenant's id
| 10d1465c00d049fab88dec1af0f56b1b | demo     | True    |
| 3b57a14f7c354a979c9f62b60f31a331 | service  | True    |
+----------------------------------+----------+---------+
Look up the role's id:
[root@controller ~]# keystone role-list
+----------------------------------+----------+
| id                               | name     |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |   # the _member_ role's id
| 7b0ceee10fb64960acb2b6f0b9247b4f | admin    |
+----------------------------------+----------+
Add the user (id from section 3.1) to the tenant with the _member_ role:
[root@controller ~]# keystone user-role-add --user ce398fc13d224c63b9d90b3cc2b6d464 --role 9fe2ff9ee4384b1894a90878d3e92bab --tenant 7ff1dfb5a6f349958c3a949248e56236
Check the user's role assignment (user-role-add prints nothing on success, so read the assignment back to verify it):
[root@controller ~]# keystone user-role-list --user user1 --tenant companyA
+----------------------------------+----------+----------------------------------+----------------------------------+
| id                               | name     | user_id                          | tenant_id                        |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ce398fc13d224c63b9d90b3cc2b6d464 | 7ff1dfb5a6f349958c3a949248e56236 |
+----------------------------------+----------+----------------------------------+----------------------------------+
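The three steps of sections 3.1 to 3.3 are usually repeated for every new user, so it pays to script them. The following is an added example and not code from the original post: a POSIX sh script around the legacy keystone CLI that creates the tenant and user only if they do not already exist, refuses to hand out the admin role unless explicitly told to, avoids typing a literal password, and verifies the grant with user-role-list instead of trusting the exit status. The helper names (extract_id, extract_prop, onboard_user), the ALLOW_ADMIN switch and the sample tables are this example's own assumptions; the sample tables are constructed in the shape of the output shown in section 3.1 so the parsers can be checked without a controller.

```shell
#!/bin/sh
# Added example (not from the original post): the three-step onboarding from
# sections 3.1-3.3 as an idempotent, verified script around the legacy
# `keystone` CLI (Identity v2). The helper names, the ALLOW_ADMIN switch and
# the sample tables below are this example's own assumptions.
set -eu

# extract_id NAME TABLE: print the id of the row whose name column is NAME in
# the "| id | name | ... |" tables printed by user-list, tenant-list,
# role-list and user-role-list. Prints nothing when there is no such row.
extract_id() {
    printf '%s\n' "$2" | awk -F'|' -v n="$1" '
        NF >= 3 {
            id = $2; nm = $3
            gsub(/^ +| +$/, "", id); gsub(/^ +| +$/, "", nm)
            if (nm == n) { print id; exit }
        }'
}

# extract_prop KEY TABLE: print the Value of row KEY in the "| Property |
# Value |" tables printed by user-create and tenant-create.
extract_prop() {
    printf '%s\n' "$2" | awk -F'|' -v k="$1" '
        NF >= 3 {
            key = $2; val = $3
            gsub(/^ +| +$/, "", key); gsub(/^ +| +$/, "", val)
            if (key == k) { print val; exit }
        }'
}

# onboard_user USER EMAIL TENANT ROLE: create the tenant and user if they do
# not exist yet, grant ROLE on TENANT once, and verify the grant. Needs an
# admin-scoped environment (OS_USERNAME, OS_PASSWORD, OS_TENANT_NAME,
# OS_AUTH_URL); it is not called by the offline checks below.
onboard_user() {
    user=$1; email=$2; tenant=$3; role=$4

    # With the default v2-era policy the admin role is cloud-wide, not confined
    # to the tenant it is granted on, so refuse it unless explicitly allowed.
    if [ "$role" = admin ] && [ "${ALLOW_ADMIN:-0}" != 1 ]; then
        echo "refusing to grant 'admin' to $user (set ALLOW_ADMIN=1 to override)" >&2
        return 1
    fi

    tenant_id=$(extract_id "$tenant" "$(keystone tenant-list)")
    if [ -z "$tenant_id" ]; then
        tenant_id=$(extract_prop id "$(keystone tenant-create --name "$tenant" \
            --description "Project for $tenant" --enabled true)")
    fi

    user_id=$(extract_id "$user" "$(keystone user-list)")
    if [ -z "$user_id" ]; then
        # Generate the initial password instead of typing it, so no literal
        # password ends up in shell history; deliver it out of band and have the
        # user rotate it with `keystone user-password-update`.
        passwd=$(openssl rand -base64 18)
        user_id=$(extract_prop id "$(keystone user-create --name "$user" \
            --pass "$passwd" --email "$email" --enabled true)")
        echo "initial password for $user: $passwd" >&2
    fi

    role_id=$(extract_id "$role" "$(keystone role-list)")
    [ -n "$role_id" ] || { echo "role '$role' does not exist" >&2; return 1; }

    # user-role-add fails with a conflict if the grant already exists, so skip it.
    granted=$(extract_id "$role" "$(keystone user-role-list --user "$user_id" --tenant "$tenant_id")")
    if [ -z "$granted" ]; then
        keystone user-role-add --user "$user_id" --role "$role_id" --tenant "$tenant_id"
    fi

    # Verify by reading the assignment back rather than trusting the exit status.
    granted=$(extract_id "$role" "$(keystone user-role-list --user "$user_id" --tenant "$tenant_id")")
    [ -n "$granted" ] || { echo "grant of '$role' to $user on $tenant not visible" >&2; return 1; }
    echo "$user has '$role' in $tenant (user=$user_id tenant=$tenant_id)"
}

# Constructed sample output, in the shape shown in section 3.1, so the parsers
# can be exercised without a controller.
SAMPLE_USER_LIST='+----------------------------------+-------+---------+-------------------+
| id                               | name  | enabled | email             |
+----------------------------------+-------+---------+-------------------+
| bc5e46fc4204497185ae3ca6f8b7affb | admin | True    | admin@example.com |
| ce398fc13d224c63b9d90b3cc2b6d464 | user1 | True    | user1@example.com |
+----------------------------------+-------+---------+-------------------+'
SAMPLE_USER_CREATE='+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | user1@example.com                |
| enabled  | True                             |
| id       | ce398fc13d224c63b9d90b3cc2b6d464 |
| name     | user1                            |
+----------+----------------------------------+'

# Run for real only when asked:  ./onboard.sh --run user1 user1@example.com companyA _member_
if [ "${1:-}" = --run ]; then
    shift
    onboard_user "$@"
fi
```

Run it as ./onboard.sh --run user1 user1@example.com companyA _member_ with the usual admin OS_* variables exported. Re-running is safe: existing tenants and users are reused and the role grant is only issued when user-role-list does not already show it. The script parses the CLI's table output because that is what this keystone client offers; the parsers are kept separate from the command calls so they can be checked offline against the sample tables.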
4. Summary
The above is the process of granting a user access in keystone. Keystone operations cover user, tenant, role, service and endpoint, and each object has the corresponding create, delete, update, list and get commands; see the keystone command help, for example keystone help user-create shows the exact usage of user-create. When the identity endpoint is served over TLS, pass the CA certificate with --os-cacert rather than using --insecure, which turns certificate verification off.
5. Appendix: keystone usage
[root@controller ~]# keystone -h
usage: keystone [--version] [--timeout <seconds>]
[--os-username <auth-user-name>]
[--os-password <auth-password>]
[--os-tenant-name <auth-tenant-name>]
[--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
[--os-region-name <region-name>]
[--os-identity-api-version <identity-api-version>]
[--os-token <service-token>]
[--os-endpoint <service-endpoint>]
[--os-cacert <ca-certificate>] [--insecure]
[--os-cert <certificate>] [--os-key <key>] [--os-cache]
[--force-new-token] [--stale-duration <seconds>]
<subcommand> ...
Pending deprecation: Command-line interface to the OpenStack Identity API.
This CLI is pending deprecation in favor of python-openstackclient. For a
Python library, continue using python-keystoneclient.
Positional arguments:
<subcommand>
catalog List service catalog, possibly filtered by service.
ec2-credentials-create                  # Amazon EC2-compatible credentials
Create EC2-compatible credentials for user per tenant.
ec2-credentials-delete
Delete EC2-compatible credentials.
ec2-credentials-get
Display EC2-compatible credentials.
ec2-credentials-list
List EC2-compatible credentials for a user. # endpoint management follows
endpoint-create Create a new endpoint associated with a service.
endpoint-delete Delete a service endpoint.
endpoint-get Find endpoint filtered by a specific attribute or
service type.
endpoint-list List configured service endpoints.
password-update Update own password.
role-create Create new role. # role management
role-delete Delete role.
role-get Display role details.
role-list List all roles.
service-create Add service to Service Catalog. # service management
service-delete Delete service from Service Catalog.
service-get Display service from Service Catalog.
service-list List all services in Service Catalog.
tenant-create Create new tenant. # tenant management
tenant-delete Delete tenant.
tenant-get Display tenant details.
tenant-list List all tenants.
tenant-update Update tenant name, description, enabled status.
token-get Display the current user token.
user-create Create new user # user management
user-delete Delete user.
user-get Display user details.
user-list List users.
user-password-update
Update user password.
user-role-add Add role to user. # management of user role assignments on tenants
user-role-list List roles granted to a user.
user-role-remove Remove role from user.
user-update Update user's name, email, and enabled status.
discover Discover Keystone servers, supported API versions and
extensions.
bootstrap Grants a new role to a new user on a new tenant, after
creating each.
bash-completion Prints all of the commands and options to stdout.
help Display help about this program or one of its
subcommands.