The Self-Cultivation of an Amateur Programmer


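In the previous chapters we set up the base environment, installed the keystone service and created the keystone database. This part covers how to configure keystone.

First edit the keystone configuration. The following settings need to be changed:

Edit /etc/keystone/keystone.conf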
[database]
# ...
connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
[token]
# ...
provider = fernet

Sync the keystone schema into the database

[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Verify that the sync succeeded. On success the output looks like this:

[root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| nonlocal_user          |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| user_option            |
| whitelisted_config     |
+------------------------+

 

Initialize the Fernet key repositories

[root@linux-node1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@linux-node1 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[root@linux-node1 ~]#

Verify that the initialization succeeded: if the fernet-keys and credential-keys directories each contain two new files, it worked

[root@linux-node1 ~]# cd /etc/keystone/ 
[root@linux-node1 keystone]# tree fernet-keys/
fernet-keys/
├── 0
└── 1

0 directories, 2 files
[root@linux-node1 keystone]# tree credential-keys/
credential-keys/
├── 0
└── 1

0 directories, 2 files
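
The two-file check above can be scripted. The following is an added example, not part of the original post or of keystone itself: a POSIX shell function that checks a key repository for index-named key files, owner-only permissions and the 44-character URL-safe base64 shape of a 32-byte Fernet key. The function name check_key_repo and the permission policy are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check a keystone key repository after
# `keystone-manage fernet_setup` / `credential_setup`.
# Assumption: each key file holds one 44-character URL-safe base64 string
# (a 32-byte Fernet key); group/other access is treated as a failure.

check_key_repo() {
    repo=$1
    [ -d "$repo" ] || { echo "missing directory: $repo" >&2; return 1; }

    count=0
    rc=0
    for f in "$repo"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # Key files are named by index only (0, 1, 2, ...).
        case $name in
            ''|*[!0-9]*) echo "unexpected file: $f" >&2; rc=1; continue ;;
        esac
        count=$((count + 1))

        # Characters 5-10 of the ls mode string are the group/other bits.
        perms=$(ls -ld "$f" | cut -c5-10)
        [ "$perms" = "------" ] || { echo "group/other access: $f" >&2; rc=1; }

        # Check the shape of the key without ever printing it.
        key=$(tr -d '\n' < "$f")
        case $key in
            *[!A-Za-z0-9_=-]*) echo "not URL-safe base64: $f" >&2; rc=1 ;;
        esac
        [ "${#key}" -eq 44 ] || { echo "unexpected key length: $f" >&2; rc=1; }
    done

    # A fresh repository holds index 0 and index 1, as in the tree output.
    [ "$count" -ge 2 ] || { echo "fewer than 2 keys in $repo" >&2; rc=1; }
    [ -f "$repo/0" ] || { echo "no key 0 in $repo" >&2; rc=1; }
    return $rc
}

for repo in /etc/keystone/fernet-keys /etc/keystone/credential-keys; do
    check_key_repo "$repo" || echo "check failed: $repo" >&2
done
```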

 

Bootstrap the keystone service

keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://192.168.56.11:35357/v3/ \
  --bootstrap-internal-url http://192.168.56.11:5000/v3/ \
  --bootstrap-public-url http://192.168.56.11:5000/v3/ \
  --bootstrap-region-id RegionOne

 

Keystone runs under the httpd service, so configure httpd.conf here

[root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf 
#line 96:
ServerName 192.168.56.11:80

Create the symlink

[root@linux-node1 keystone]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

Start httpd and enable it at boot

[root@linux-node1 httpd]# systemctl start httpd
[root@linux-node1 httpd]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

Also enable rabbitmq and the database at boot, which was missed earlier

[root@linux-node1 httpd]# systemctl enable rabbitmq-server mariadb

Configure the environment variables for the admin user

[root@linux-node1 ~]# cat admin-openstack.sh
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3

Install the openstack client

[root@linux-node1 ~]# yum install python-openstackclient openstack-selinux -y

This guide uses a service project that contains a unique user for each service. Create the service project now

# First, load the environment variables
[root@linux-node1 ~]# source admin-openstack.sh
openstack project create --domain default \
  --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 773e022475654ab0a4fbbfd66dec62bd |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
[root@linux-node1 ~]#

Regular (non-admin) tasks should use an unprivileged project and user. Create the demo (non-admin) project and user now

openstack project create --domain default \
  --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 1d5b969df6da43e69e4a956297404f5c |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+

Create the demo user:

openstack user create --domain default \
  --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 291f02337e514343a09a92932a86fd22 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

Create the user role

[root@linux-node1 ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 8996a91ed1214d82b107ca0e9aa94b15 |
| name      | user                             |
+-----------+----------------------------------+

Grant the user role to the demo user on the demo project

[root@linux-node1 ~]# openstack role add --project demo --user demo user
[root@linux-node1 ~]#

 

Verify the steps so far

First, unset the OS_AUTH_URL and OS_PASSWORD environment variables

[root@linux-node1 ~]# unset OS_AUTH_URL OS_PASSWORD

Issue a token as the admin user

openstack --os-auth-url http://192.168.56.11:35357/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-01-11T07:31:39+0000                                                                                                                                                                |
| id         | gAAAAABaVwTLT729scUG7kebG-S6MuXD2Ta9caG-IowiOBR5D4yQhs3xFdZTBEFbc-XKSzdpnJxT-J6DeQPy0uIZOExYFReTs_938NpQ5CWl_AzwNn5ZTAKrzj41d7_rQX6GYHLWDv4HGJG8_lTp_Ba9N0nsYoDJ13r3pMJ28qgk1KT56T8L9Ys |
| project_id | fb6761ab3d3d43569d5fdfafcdfa5e28                                                                                                                                                        |
| user_id    | d010fba89633421a800698b0e5300d50                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@linux-node1 ~]#
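
The id value above is a Fernet token, whose first 9 bytes (a 0x80 version byte and an 8-byte issue time) are not encrypted. As an added example that is not part of the original post, this shell function (fernet_issued_at is a name chosen here) reads that header; for the admin token above it returns 1515652299, which is 2018-01-11T06:31:39Z, one hour before the expires value shown.

```shell
#!/bin/sh
# Added example: read the cleartext header of a Fernet token.
# Layout: 1 version byte (0x80), 8-byte big-endian issue time, then
# IV, ciphertext and HMAC. Only the header is readable without a key.

fernet_issued_at() {
    # 12 base64 characters decode to exactly 9 bytes, so the padding that
    # keystone strips from the end of the token is not needed here.
    head12=$(printf '%.12s' "$1" | tr '_-' '/+')
    hex=$(printf '%s' "$head12" | base64 -d 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "${#hex}" -eq 18 ] || { echo "token too short or not base64" >&2; return 1; }
    case $hex in
        80*) ;;
        *) echo "not a Fernet token (version byte != 0x80)" >&2; return 1 ;;
    esac
    # Drop the version byte; the remaining 16 hex digits are the timestamp.
    echo $((0x${hex#80}))
}

# First 12 characters of the admin token shown in the output above.
ADMIN_TOKEN_PREFIX='gAAAAABaVwTL'
issued=$(fernet_issued_at "$ADMIN_TOKEN_PREFIX")
echo "issued at epoch $issued"
```

Comparing this issue time with the expires field is a quick way to confirm the token lifetime and the clock on the keystone node.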

Issue a token as the demo user

openstack --os-auth-url http://192.168.56.11:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-01-11T07:34:04+0000                                                                                                                                                                |
| id         | gAAAAABaVwVcKzYPlTB9sg-x21HDgCyCBqujQO4dqDaawlOSBixQFiSnFgRCiNx48MsLrLsGmX1o6HqcBOo84xPBy1UQIfUQlNhszd5a_FpkHjY9AK61QTWV-AKBCzGUNJzyT7PNzs82ANF1K5dOltTsDVx40pmYMc0C6zXjIjHZsU2yuVLPOmY |
| project_id | 1d5b969df6da43e69e4a956297404f5c                                                                                                                                                        |
| user_id    | 291f02337e514343a09a92932a86fd22                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Create the environment file for the demo user

[root@linux-node1 ~]# cat demo-openstack.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Load the demo environment variables; openstack token issue then issues a token for the demo user directly

[root@linux-node1 ~]# source demo-openstack.sh
[root@linux-node1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2018-01-11T07:37:38+0000                                                                                                                                                                |
| id         | gAAAAABaVwYysLrhxRdCprzhvU6r1S_kG3qo6bLNxjpq2IX_Ezwg1dAjnqPGXHMD5nYzqVyGViZQtJ5pW8IJDv0JN6Y9nT1hDbD-P-BRrhw0ki6eaSgoR0PiofIK1DmT3EV_RkPWT0Gd_CnEjbJFM6UcNts6E8tVsXku3vJZPG2GmIXcwLlqzaM |
| project_id | 1d5b969df6da43e69e4a956297404f5c                                                                                                                                                        |
| user_id    | 291f02337e514343a09a92932a86fd22                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@linux-node1 ~]#

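In the same way, you can load the admin environment variables and use openstack token issue to issue a token for the admin user

That concludes the installation and configuration of the keystone service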

 

posted on 2018-01-11 18:59  yangyanzhao