Installing OpenStack (Rocky) on CentOS 7 - 02. Installing the Keystone identity service component (controller node)

This post covers Keystone, the OpenStack identity service component.

--------------- the perfect dividing line ----------------

2.0. The Keystone identity service

1) Users and authentication: user permissions and tracking of user activity

User          user
Tenant        tenant
Token         token
Role          role

2) Service catalog: provides a catalog of all services and the endpoints of their APIs

Service       service
Endpoint      endpoint

2.1. Create the Keystone database on the controller node

1) Create the keystone database and grant privileges on it

mysql -p123456
--------------------------------
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
flush privileges;
show databases;
select user,host from mysql.user;
exit
--------------------------------

2.2. Install the Keystone packages on the controller node

1) Install the Keystone packages

# Configure the Apache service: an HTTP server with mod_wsgi answers identity service requests on ports 5000 and 35357; by default the Keystone service still listens on these ports

yum install openstack-keystone httpd mod_wsgi -y
yum install openstack-keystone python-keystoneclient openstack-utils -y

2) Quickly edit the Keystone configuration

# The quick configuration method below requires openstack-utils to be installed

openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet

# Note: Keystone does not need to connect to RabbitMQ

# View the effective configuration

egrep -v "^#|^$" /etc/keystone/keystone.conf  

# Another way to view the effective configuration

grep '^[a-z]' /etc/keystone/keystone.conf

# Example:

[root@openstack01 tools]# grep '^[a-z]' /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@controller/keystone
provider = fernet

# Keystone does not need to be started as its own service; it is invoked through the HTTP server

2.3. Initialize (sync) the Keystone database

1) Sync the Keystone database (44 tables)

su -s /bin/sh -c "keystone-manage db_sync" keystone

2) After the sync, test the connection

# Make sure all the required tables have been created; otherwise the later steps may fail

mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"

Example:

[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"
+-----------------------------+
| Tables_in_keystone          |
+-----------------------------+
| access_token                |
| application_credential      |
| application_credential_role |
| assignment                  |
| config_register             |
| consumer                    |
| credential                  |
| endpoint                    |
| endpoint_group              |
| federated_user              |
| federation_protocol         |
| group                       |
| id_mapping                  |
| identity_provider           |
| idp_remote_ids              |
| implied_role                |
| limit                       |
| local_user                  |
| mapping                     |
| migrate_version             |
| nonlocal_user               |
| password                    |
| policy                      |
| policy_association          |
| project                     |
| project_endpoint            |
| project_endpoint_group      |
| project_tag                 |
| region                      |
| registered_limit            |
| request_token               |
| revocation_event            |
| role                        |
| sensitive_config            |
| service                     |
| service_provider            |
| system_assignment           |
| token                       |
| trust                       |
| trust_role                  |
| user                        |
| user_group_membership       |
| user_option                 |
| whitelisted_config          |
+-----------------------------+
[root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"|wc -l
45

2.4. Initialize the Fernet key repositories

# Initialize Fernet key repositories:

# For background on Fernet tokens see: https://blog.csdn.net/wllabs/article/details/79064094

# The following commands produce no output

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
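
As an added example (not keystone's own code, and not from the original post), the following models the key repository layout that fernet_setup creates and that keystone-manage fernet_rotate maintains under /etc/keystone/fernet-keys: index 0 is the staged key, the highest index is the primary key that encrypts new tokens, and older keys remain only to validate tokens already issued. The purge order and the max_active_keys behaviour are modelled on keystone's documented rotation scheme and are an assumption here; the repository path is a temporary directory.

```python
import base64
import os
import tempfile


def _new_key() -> bytes:
    # A Fernet key is 32 random bytes, URL-safe base64 encoded.
    return base64.urlsafe_b64encode(os.urandom(32))


def _write_key(repo: str, idx: int) -> None:
    path = os.path.join(repo, str(idx))
    with open(path, "wb") as f:
        f.write(_new_key())
    # Keys are secrets: readable by the keystone user only.
    os.chmod(path, 0o600)


def _key_indexes(repo: str) -> list:
    return sorted(int(n) for n in os.listdir(repo) if n.isdigit())


def fernet_setup(repo: str) -> list:
    """Create the repository with a staged key (0) and a primary key (1)."""
    os.makedirs(repo, mode=0o700, exist_ok=True)
    for idx in (0, 1):
        _write_key(repo, idx)
    return _key_indexes(repo)


def primary_key_index(repo: str) -> int:
    """The highest index encrypts newly issued tokens."""
    return max(_key_indexes(repo))


def fernet_rotate(repo: str, max_active_keys: int = 3) -> list:
    """Promote the staged key to primary, stage a fresh key, purge the oldest."""
    indexes = _key_indexes(repo)
    if 0 not in indexes:
        raise RuntimeError("no staged key (0) in repository")
    new_primary = max(indexes) + 1
    # The staged key becomes the new primary; a new staged key is created so it can be
    # distributed to other keystone nodes before it is ever used for encryption.
    os.rename(os.path.join(repo, "0"), os.path.join(repo, str(new_primary)))
    _write_key(repo, 0)
    # Keep the staged key, the primary and the newest secondaries; drop the
    # lowest-numbered secondaries beyond max_active_keys. Tokens encrypted with a
    # purged key can no longer be validated, so (max_active_keys - 2) rotations must
    # span at least one token lifetime.
    indexes = _key_indexes(repo)
    while len(indexes) > max_active_keys:
        oldest = min(i for i in indexes if i != 0)
        os.remove(os.path.join(repo, str(oldest)))
        indexes = _key_indexes(repo)
    return indexes


def demo() -> list:
    """Setup followed by three rotations with max_active_keys=3; returns the history."""
    repo = tempfile.mkdtemp(prefix="fernet-keys-")  # stand-in for /etc/keystone/fernet-keys
    history = [fernet_setup(repo)]
    for _ in range(3):
        history.append(fernet_rotate(repo, max_active_keys=3))
    return history


if __name__ == "__main__":
    for step, keys in enumerate(demo()):
        print(f"step {step}: keys {keys}")
```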

2.5. Configure and start Apache (httpd)

1) Edit the main httpd configuration file

vim /etc/httpd/conf/httpd.conf +95
----------------------------------
ServerName controller
----------------------------------

# Or

sed  -i  "s/#ServerName www.example.com:80/ServerName 192.168.1.81/" /etc/httpd/conf/httpd.conf
grep ServerName /etc/httpd/conf/httpd.conf

2) Configure the virtual host

# Create a symlink to the Keystone virtual host configuration file (copying it also works)

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

# Or create the file by hand with the following contents

cat /usr/share/keystone/wsgi-keystone.conf
-------------------------------
[root@openstack01 ~]# cat /usr/share/keystone/wsgi-keystone.conf
Listen 5000

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
--------------------------------

3) Start httpd and enable it at boot

systemctl start httpd.service
systemctl status httpd.service
netstat -anptl|grep httpd

systemctl enable httpd.service
systemctl list-unit-files |grep httpd.service

# If httpd fails to start, disable SELinux or install openstack-selinux (yum install openstack-selinux)

Example:

[root@openstack01 ~]# systemctl start httpd.service
[root@openstack01 ~]# systemctl status httpd.service
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since 五 2018-10-26 18:06:20 CST; 98ms ago
     Docs: man:httpd(8)
           man:apachectl(8)
 Main PID: 1978 (httpd)
   Status: "Processing requests..."
   CGroup: /system.slice/httpd.service
           ├─1978 /usr/sbin/httpd -DFOREGROUND
           ├─1981 (wsgi:keystone- -DFOREGROUND
           ├─1982 (wsgi:keystone- -DFOREGROUND
           ├─1983 (wsgi:keystone- -DFOREGROUND
           ├─1984 (wsgi:keystone- -DFOREGROUND
           ├─1985 (wsgi:keystone- -DFOREGROUND
           ├─1986 /usr/sbin/httpd -DFOREGROUND
           ├─1988 /usr/sbin/httpd -DFOREGROUND
           └─1989 /usr/sbin/httpd -DFOREGROUND

10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Starting The Apache HTTP Server...
10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Started The Apache HTTP Server.
[root@openstack01 ~]# netstat -anptl|grep httpd
tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1978/httpd          
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1978/httpd          
[root@openstack01 ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@openstack01 ~]# systemctl list-unit-files |grep httpd.service
httpd.service                                 enabled 

# The httpd service configuration is now complete

2.6. Initialize the Keystone identity service

1) Create the keystone user, the initial service entity and the API endpoints

# In earlier releases (before Queens), bootstrapping served on two ports (5000 for users and 35357 for admin); this release serves everything on a single port

# Create the keystone service entity and the identity service endpoints; the three types below are public, internal and admin.

# ADMIN_PASS is the password of the OpenStack admin user; here it is set to 123456

keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

# Example of the actual command:

keystone-manage bootstrap --bootstrap-password 123456 \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne

# Running this command adds the following records to the keystone database; earlier releases required creating them by hand:

1) Adds the 3 API endpoints of the service entity to the endpoint table
2) Creates the admin user in the local_user table
3) Creates the admin project and the Default domain in the project table
4) Creates 3 roles in the role table: admin, member and reader
5) Creates the identity service in the service table

2) Temporarily set the admin account environment variables for management

# OS_PASSWORD here must be the ADMIN_PASS configured above

export OS_PROJECT_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3

# View the declared variables

env |grep OS_

Example:

[root@openstack01 ~]# env|grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=123456
OS_AUTH_URL=http://controller:5000/v3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default

# Earlier releases used admin_token to set the initial admin authentication token, similar to the following

export OS_TOKEN=c0053993bb39ad3de84a
export OS_URL=http://192.168.1.81:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

Appendix: common OpenStack admin commands; the admin environment variables must be loaded first

# View information about the Keystone entities

openstack endpoint list
openstack project list
openstack user list

Example:

[root@openstack01 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| b8dabe6c548e435eb2b1f7efe3b23236 | RegionOne | keystone     | identity     | True    | admin     | http://controller:5000/v3/ |
| eb72eb6ea51842feb67ba5849beea48c | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3/ |
| f172f6159ad34fbd8e10e0d42828d8cd | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@openstack01 ~]# openstack project list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| 3706708374804e2eb4ed056f55d84666 | admin     |
| 84cc7185f2c8461eb19a14968228b272 | myproject |
| b8e318b3c7a844708762169959c34ff8 | service   |
+----------------------------------+-----------+
[root@openstack01 ~]# openstack user list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| cbb2b3830a8f44bc837230bca27ae563 | myuser |
| e5dbfc8b394c41679fd5ce229cdd6ed3 | admin  |
+----------------------------------+--------+

# Delete an endpoint

# In older releases, creating endpoints one by one could go wrong and require deletion; newer releases generate them automatically and, as long as the system is configured correctly, they are usually fine

openstack endpoint delete [ID]

2.7. Create the regular Keystone entities

# Create a domain, projects, users, and roles

https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html

1) Create a Keystone domain named example

# The following command creates a project named example in the project table

openstack domain create --description "An Example Domain" example

Example:

[root@openstack01 ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 17254ea898de477ca4a1f6f3cbc6c5bc |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+

2) Create a project named service for the Keystone system environment

# Used for routine (non-admin) tasks; an unprivileged user should be used for these

# The following command creates a project named service in the project table

openstack project create --domain default --description "Service Project" service

Example:

[root@openstack01 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | b8e318b3c7a844708762169959c34ff8 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

3) Create the myproject project with its user and role

# A project for regular (non-admin) users

# The following command creates a project named myproject in the project table

openstack project create --domain default --description "Demo Project" myproject

Example:

[root@openstack01 ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 84cc7185f2c8461eb19a14968228b272 |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

4) Create the myuser user in the default domain

# The --password option sets the password in plain text on the command line; --password-prompt asks for it interactively
# The following command adds the myuser user to the local_user table

openstack user create --domain default  --password-prompt myuser    # prompt for the password interactively
# openstack user create --domain default  --password=myuser myuser    # create the user with the password given directly

Example:

[root@openstack01 ~]# openstack user create --domain default  --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | cbb2b3830a8f44bc837230bca27ae563 |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

5) Create the myrole role in the role table

openstack role create myrole

Example:

[root@openstack01 ~]# openstack role create myrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 75ac33f79cc945afa42a18a3dd0ba0ad |
| name      | myrole                           |
+-----------+----------------------------------+

6) Assign the myrole role to the myuser user on the myproject project

# The following command has no output; the change to the tables is not obvious

openstack role add --project myproject --user myuser myrole

2.8. Verify that Keystone was installed successfully

1) Unset the environment variables

# Disable the temporary authentication variables, obtain a token, and verify that Keystone is configured correctly

unset OS_AUTH_URL OS_PASSWORD
env |grep OS_

2) Request an authentication token as the admin user

# Test whether the admin account can authenticate by requesting an authentication token

openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue

Example:

[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name admin --os-username admin token issue
Password: 
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T11:48:40+0000                                                                                                                                                                |
| id         | gAAAAABb0vEIENgBaYEBJZSJX7RDelXdM2sHi_hbfT-FHTjd3z5j5Mt-sssJpW1EXeWVAbMdyBI2t9XNCxG5m1XNm_2k1xWP7WnbOYAp1rl2FZCwz4LL0F-mER_bOW-HnE0rjA6YvP0MzW4HVg0eEE_6zACr0R0NaaVytK_eRsvO_Lhco6vacYY |
| project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                        |
| user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

3) Obtain an authentication token as the regular user

# The following command uses the myuser user's password and API port 5000, which only allows regular (non-admin) access to the identity service API.

openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name myproject --os-username myuser token issue

Example:

[root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name myproject --os-username myuser token issue
Password: 
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T11:49:18+0000                                                                                                                                                                |
| id         | gAAAAABb0vEuxOrgkmLfcZJl8vB6dJyrHFtvxBT1m7qLYzuD-WkOVoQUzE9mTGcrKE6CrZbLU57Nc7mv-50-ggH9pf2qrW5uWQu7MRJcUb3rgpmoYn7EVdv8X0lGK3IiWEPSF48u1b2y7mEmvYb7TGOFO8l87of6L2aaJmdMxp9KgM87_3Mu2-g |
| project_id | 84cc7185f2c8461eb19a14968228b272                                                                                                                                                        |
| user_id    | cbb2b3830a8f44bc837230bca27ae563                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
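
As an added example (not code from the original post), this is the Keystone v3 exchange behind the two token issue commands above: the request body sent to POST /v3/auth/tokens, and how the token, expiry, project and user ids are read back. The auth URL is the one from the post; the response is a constructed sample shaped like keystone's JSON (ids copied from the post's output, token value and role id made up), so the parsing runs offline, while request_token performs the live call when a controller is reachable.

```python
import json
import urllib.request

AUTH_URL = "http://controller:5000/v3"  # assumed, as in the post


def build_password_auth(username, password, user_domain, project, project_domain):
    """Body of POST /v3/auth/tokens for project-scoped password authentication."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": username, "domain": {"name": user_domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}},
    }}


def parse_token_response(headers, body):
    """Pull out what `openstack token issue` prints, plus roles and the catalog.

    The Fernet token itself is not in the JSON body: keystone returns it in the
    X-Subject-Token response header, so that header is the secret to protect.
    """
    tok = body["token"]
    return {
        "id": headers["X-Subject-Token"],
        "expires": tok["expires_at"],
        "project_id": tok["project"]["id"],
        "user_id": tok["user"]["id"],
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
        "endpoints": {(s["type"], e["interface"]): e["url"]
                      for s in tok.get("catalog", []) for e in s["endpoints"]},
    }


def request_token(auth_url, body):
    """Live call (needs the controller): returns (headers, parsed body)."""
    req = urllib.request.Request(auth_url + "/auth/tokens",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return {"X-Subject-Token": resp.headers["X-Subject-Token"]}, json.load(resp)


# Constructed sample response for offline use (not a real token).
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-not-a-real-token"}
SAMPLE_BODY = {"token": {
    "methods": ["password"],
    "expires_at": "2018-10-26T11:48:40.000000Z",
    "user": {"id": "e5dbfc8b394c41679fd5ce229cdd6ed3", "name": "admin"},
    "project": {"id": "3706708374804e2eb4ed056f55d84666", "name": "admin"},
    "roles": [{"id": "constructed-role-id", "name": "admin"}],
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": i, "region": "RegionOne", "url": "http://controller:5000/v3/"}
        for i in ("public", "internal", "admin")]}],
}}


def demo():
    """Offline: build the admin request from the post and parse the sample response."""
    body = build_password_auth("admin", "123456", "Default", "admin", "Default")
    assert body["auth"]["identity"]["methods"] == ["password"]
    return parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    # Live use: headers, body = request_token(AUTH_URL, build_password_auth(...))
```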


2.9. Create the OpenStack client environment scripts

# Create OpenStack client environment scripts

# Above, a combination of environment variables and command options was used to interact with the identity service through the openstack client.
# To make client operations more efficient, OpenStack supports simple client environment scripts, known as OpenRC files; I use custom file names here

1) Create the environment script for the admin user

# vim admin-openrc
cd /server/tools
vim keystone-admin-pass.sh
----------------------------------
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
----------------------------------
env |grep OS_

# Use:
If the dashboard login password has been changed and forgotten, the admin_token authentication mechanism can be used to reset it

2) Create the client environment script for the regular user myuser

vim keystone-myuser-pass.sh
-------------------------------
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
-------------------------------

3) Test the environment script

# Source the script to load the client configuration so the client can quickly run as a specific tenant and user

source keystone-admin-pass.sh

4) Request an authentication token

openstack token issue

Example:

[root@openstack01 tools]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-10-26T12:13:28+0000                                                                                                                                                                |
| id         | gAAAAABb0vbYr--LRd1NJ9ZXH68zSR4mIW4hDr6UqqiPmsA7vNEGDcMx8o-6Ihy8o47c5jo5GInOCe9KpKMfbXtdWPz6QkkWzZcFMqwXYS4tUI8DjjamEUBqFwlI10Oxbq7pEIGKVtFdMrOHy3EoLmE1rjY0p4DDm48pt3u8ON807nr0MUa1zIE |
| project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                        |
| user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

# The user_id matches the one obtained with the explicit command above, which confirms the configuration succeeded

# Keystone installation is now complete

======== The end, hehehe ========
