openstack部署之keystone

简介

keystone作为openstack的认证服务,有很多组件都需要于keystone交互,所以我们首先来部署keystone组件。

创建数据库

下边需要创建一个keystone数据库,并进行授权

$ mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS'; #指定本机
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';   

安装配置

# yum install openstack-keystone httpd mod_wsgi 

修改/etc/keystone/keystone.conf,此为keystone的配置文件,在其中指定连接的mysql

[database]
connection = mysql+pymysql://keystone:keystone@192.168.46.130/keystone
[token]
# ...
provider = fernet

初始化

  • 初始化keystone数据库
# su -s /bin/sh -c "keystone-manage db_sync" keystone

执行完初始化后,会在keystone中创建一些数据表

  • 初始化密钥库
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

 初始化完成后会在/etc/keystone/下生成两个密钥的目录

  • 启动服务
keystone-manage bootstrap --bootstrap-password admin \
	--bootstrap-admin-url http://192.168.46.130:35357/v3/ \
	--bootstrap-internal-url http://192.168.46.130:5000/v3/ \
	--bootstrap-public-url http://192.168.46.130:5000/v3/ \
	--bootstrap-region-id RegionOne

此处指定了keystone的35357和5000端口,这是keystone的默认的两个端口,为后续其他组件与keystone交互使用。

安装HTTP server

keystone需要用到Apache HTTP server,之前我们已经安装过了,在此进行配置,编辑 /etc/httpd/conf/httpd.conf 

ServerName 192.168.46.130:80

创建/usr/share/keystone/wsgi-keystone.conf的软连接

# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

/usr/share/keystone/wsgi-keystone.conf是keystone生效的配置(内容如下),涉及到两个端口,下边启动httpd服务以后,会开始监听5000和35357两个端口

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
  • 启动httpd服务
# systemctl enable httpd.service
# systemctl start httpd.service
  • 设置环境变量
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.46.130:35357/v3
export OS_IDENTITY_API_VERSION=3

通过以上的配置,keystone组件就安装完成了,下边我们在keystone中创建project、user和role

创建domain、projects、users 和roles

  •  创建project:service
$ openstack project create --domain default \
  --description "Service Project" service

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
  •  创建project:demo
$ openstack project create --domain default \
  --description "Demo Project" demo

+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
  • 创建user:demo
$ openstack user create --domain default \
  --password-prompt demo

User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | aeda23aa78f44e859900e22c24817832 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  •  创建role:user
$ openstack role create user

+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 997ce8d05fc143ac97d83fdfb5998552 |
| name      | user                             |
+-----------+----------------------------------+
  • 设置demo用户为user角色并添加到demo项目中
$ openstack role add --project demo --user demo user

 经过上边的操作可能有点懵,现在解释以下,在keystone中有三个名词,分别为project(可以称为项目,之前叫tenument租户),user(用户),role(角色)。以上三个名词可以做如下理解,user就是用户,用来登录openstack的,可以在openstack上做一些操作,但是不同的用户应该有不同的操作权限,所以就有了role,角色的称呼,每个用户可以分配到一个角色里,每个角色的权限是不一样的。为了对用户进行管理,就把每个用户放到了project中,每个project中可能有多个用户。所以project相当于我们公司的部门,role相当于员工的角色,不同角色权限不一样,user就相当于公司员工了。

验证操作

经过以上的部署,下边验证下keystone的部署是否成功。之前我们设置了一堆环境变量,如下:

export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.46.130:35357/v3
export OS_IDENTITY_API_VERSION=3

这些环境变量我们可以不用设置,但是在执行openstack的时候需要指定,像如下的操作

$ openstack --os-auth-url http://192.168.46.130:35357/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue

Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:14:07.056119Z                                     |
| id         | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|            | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|            | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+

以上操作是admin用户向keystone发起请求,keystone返回一个token

如下验证刚才创建的demo用户

$ openstack --os-auth-url http://192.168.46.130:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name demo --os-username demo token issue

Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:15:39.014479Z                                     |
| id         | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
|            | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
|            | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U       |
| project_id | ed0b60bf607743088218b0a533d5943f                                |
| user_id    | 58126687cbcc4888bfa9ab73a2256f27                                |
+------------+-----------------------------------------------------------------+

 如果以上的操作都正常执行,则说明keystone我们已经成功部署完成了

设置环境变量脚本

上边向keystone发起请求每次都需要设置很多参数,其实在openstack的其他组件与keystone交互时,要求我们首先应该设置一系列的环境变量,不需要再指定众多参数

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.46.130:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

我们把以上内容保存到admin-openstack.sh,以后每次开始使用keystone认证时执行下source admin-openstack.sh

export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.46.130:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

以上内容保存到demo-openstack.sh,我想大家应该也发现了,上边的admin用户使用的OS_AUTH_URL=http://192.168.46.130:35357/v3。demo用户使用的是OS_AUTH_URL=http://192.168.46.130:5000/v3,这就是keystone提供两个端口的用处,不同的用户可以使用两个端口中的任何一个,至于使用那个端口,应该看用户的使用权限。

至此keystone组件就部署完成了。

posted @ 2019-04-14 21:39  心梦无痕bhl  阅读(341)  评论(0编辑  收藏  举报