2. OpenStack Identity service (keystone)

1. Environment (create the database and the administration token)

NOTICE: the Identity service is installed only on the controller node

1.1. Connect to the database server

$ mysql -u root -p

1.2. Create the keystone database

mysql> CREATE DATABASE keystone;

1.3. Grant proper access to the keystone database

mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
  IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace KEYSTONE_DBPASS with a real password

2. The Apache HTTP server with mod_wsgi serves Identity service requests on ports 5000 and 35357. By default the keystone service itself still listens on these ports, so the keystone service has to be disabled manually.

2.1. Install the keystone, httpd and mod_wsgi packages

# yum install openstack-keystone httpd mod_wsgi

2.2. Configure keystone in /etc/keystone/keystone.conf

[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
...
provider = fernet
 

2.3. Populate the Identity service database

# su -s /bin/sh -c "keystone-manage db_sync" keystone

2.4. Initialize the Fernet key repositories

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

2.5. Bootstrap the Identity service

# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:35357/v3/ \
  --bootstrap-internal-url http://controller:35357/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
Replace ADMIN_PASS with a real password

3. Configure the HTTP server

3.1. Edit /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node

ServerName controller

3.2. Create a link to the /usr/share/keystone/wsgi-keystone.conf file

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

3.3. Start the HTTP service and configure it to start at boot

# systemctl enable httpd.service
# systemctl start httpd.service

3.4. Configure the administrative account

$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3

Replace ADMIN_PASS with the password used in keystone-manage bootstrap

4. Create a domain, projects, users and roles

4.1. Create the service project (administrative, using the default domain)

# openstack project create --domain default \
>   --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | a997f8fe00ae4391965658b4487007a5 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+

4.2. Regular (non-admin) tasks should use an unprivileged project and user; the following creates an unprivileged project, user and role

Create the demo project

# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | fad24fcce9944b42a7676b5cfbc1f84b |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+

Create the demo user

# openstack user create --domain default \
>   --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 34cbdbe2fd0344309d777f6da77d2f51 |
| name                | demo                             |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Create the user role

# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 2081a514bdbe4a16ad0f2e00933f4d06 |
| name      | user                             |
+-----------+----------------------------------+

4.3. Add the user role to the demo project and user; no output means the command succeeded

# openstack role add --project demo --user demo user

5. Verify the Identity service

5.1. For security reasons, disable the temporary authentication token mechanism

Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections
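As an added example that is not part of the original post, the following POSIX shell helper audits a keystone-paste.ini for the admin_token_auth filter in the three pipelines and strips it, automating the manual edit above. The sample file content is constructed for testing; the real file path /etc/keystone/keystone-paste.ini and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Automates step 5.1: report which
# pipeline sections of keystone-paste.ini still carry the admin_token_auth
# filter, then remove it. On a controller node the file to pass is
# /etc/keystone/keystone-paste.ini; the sample below is constructed for testing.

# Write a constructed sample of the three relevant sections to the file $1.
write_sample_paste_ini() {
    cat > "$1" <<'EOF'
[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
EOF
}

# Print the name of every pipeline section whose pipeline line still lists
# admin_token_auth. Exit status 0 if at least one was found (file still needs
# fixing), 1 if the file is clean.
pipelines_with_admin_token() {
    awk '
        /^\[pipeline:/ { sec = $0; sub(/^\[pipeline:/, "", sec); sub(/\]$/, "", sec) }
        /^pipeline[[:space:]]*=/ && / admin_token_auth( |$)/ { print sec; found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# Remove admin_token_auth from every pipeline line in $1, keeping a .bak copy
# of the original so the change can be reviewed or reverted.
strip_admin_token_auth() {
    sed -i.bak -E '/^pipeline[[:space:]]*=/ s/[[:space:]]+admin_token_auth([[:space:]]+|$)/\1/' "$1"
}
```

Run pipelines_with_admin_token on the real file before and after strip_admin_token_auth, then restart httpd so the new pipeline takes effect.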

5.2. Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables

# unset OS_AUTH_URL OS_PASSWORD

5.3. As the admin user (the administrative user, project and domain configured in 3.4), request an authentication token

# The admin user authenticates on port 35357
# openstack --os-auth-url http://controller:35357/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
+------------+---------------------------------------------------------------------+
| Field      | Value                                                               |
+------------+---------------------------------------------------------------------+
| expires    | 2017-07-19 09:16:40+00:00                                           |
| id         | gAAAAABZbxVo13JGxGfS0QZ2Q2iqUywKrhLSBuSp5BI-ZZt6PZ53OnmaJVA_mdftbIz |
|            | aDEOotDppZiqBXeXIPPBVcW4LpDSR7FLGNjxqP1qaEIbnULZVr8e2e4EyC06ECrCqpL |
|            | yutgoqfDEsRY08bLDzPWdSsVRB2Daj97m-LRS0Gtxsj_IWmVQ                   |
| project_id | 2ca49bfa14cb4229b8cc868ea0eede81                                    |
| user_id    | 79527f3483c644508ff7827745ac45d7                                    |
+------------+---------------------------------------------------------------------+

5.4. As the demo user, request an authentication token

# Non-admin (public) accounts authenticate on port 5000 (the Identity service API)
# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name demo --os-username demo token issue
+------------+---------------------------------------------------------------------+
| Field      | Value                                                               |
+------------+---------------------------------------------------------------------+
| expires    | 2017-07-19 09:14:43+00:00                                           |
| id         | gAAAAABZbxTzCV-XWbzF6g0EXglacJFjdTHJzwcLVSKL4q_dR_4f5HzCKxXgMpCjzyS |
|            | SS_7FnBWbVkzBy5IuyXD50eDSlDncm_9DXjtvP-rQthKdU4obR6g4_qkwu6OLtt4iip |
|            | wcFjdUS0GJN1lsoARHp0GaOMOGjeNeDtN4Pk519r_EMmHMGaE                   |
| project_id | fad24fcce9944b42a7676b5cfbc1f84b                                    |
| user_id    | 34cbdbe2fd0344309d777f6da77d2f51                                    |
+------------+---------------------------------------------------------------------+

 

6. Create OpenStack client environment scripts

The previous section (requesting authentication tokens) used a combination of environment variables and command options to interact with the Identity service through the openstack client. To make client operations more efficient, OpenStack supports simple client environment scripts, also known as OpenRC files. These scripts typically contain the options common to all clients, but they also support client-specific options.

6.1. Create the scripts

6.1.1. Create the admin-openrc file and add the following content

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

6.1.2. Create the demo-openrc file and add the following content

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

6.2. Use the scripts

To run clients as a specific project and user, simply load the associated client environment script before running them.

6.2.1. Load the admin-openrc file to populate the environment variables with the location of the Identity service and the admin project and user credentials

# source admin-openrc

6.2.2. Request an authentication token

# openstack token issue
+------------+---------------------------------------------------------------------+
| Field      | Value                                                               |
+------------+---------------------------------------------------------------------+
| expires    | 2017-07-19 09:12:06+00:00                                           |
| id         | gAAAAABZbxRWtNC9-zJAWtL3Ws_2t5OQ4GBWdkQ16zMa7Srdt42dyFY9MoGkhL112MN |
|            | Rszbaf3b_afP1piwQshtxsXXgik5vYOBvqsW-p_S9FE7bPSjvYAawo571RMokb4NTbH |
|            | bTyf2h7GYlo6Kwv1PdS403_rp8Kxu5cPLcJ3pAw_a5Fqk9OK0                   |
| project_id | 2ca49bfa14cb4229b8cc868ea0eede81                                    |
| user_id    | 79527f3483c644508ff7827745ac45d7                                    |
+------------+---------------------------------------------------------------------+

6.2.3. Load the demo-openrc file to populate the environment variables with the location of the Identity service and the demo project and user credentials

# source demo-openrc

6.2.4. Request an authentication token

# openstack token issue
+------------+---------------------------------------------------------------------+
| Field      | Value                                                               |
+------------+---------------------------------------------------------------------+
| expires    | 2017-07-19 09:13:23+00:00                                           |
| id         | gAAAAABZbxSjtPf7G_7wEH5U9f3jEQ_JpkFZA0Ym0WHTdzJuuXMi_-              |
|            | SJNUKF3m8ceFE7NE-05f35e-c220TdDOKdJot02q2SKeRO5RDzVmA5kZvPv1Erx4sfw |
|            | r0TupKfQxP7ToP4reJu9Z2ZM3qxcsB9X0OUDJkU5Jx6EiXKWnxaL75WlwoAlCg      |
| project_id | fad24fcce9944b42a7676b5cfbc1f84b                                    |
| user_id    | 34cbdbe2fd0344309d777f6da77d2f51                                    |
+------------+---------------------------------------------------------------------+

 

posted @ 2017-07-18 17:33 浮萍之家