openstack部署之keystone
简介
keystone作为openstack的认证服务,有很多组件都需要于keystone交互,所以我们首先来部署keystone组件。
创建数据库
下边需要创建一个keystone数据库,并进行授权
$ mysql -u root -p MariaDB [(none)]> CREATE DATABASE keystone; MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS'; #指定本机 MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
安装配置
# yum install openstack-keystone httpd mod_wsgi
修改/etc/keystone/keystone.conf,此为keystone的配置文件,在其中指定连接的mysql
[database] connection = mysql+pymysql://keystone:keystone@192.168.46.130/keystone [token] # ... provider = fernet
初始化
- 初始化keystone数据库
# su -s /bin/sh -c "keystone-manage db_sync" keystone
执行完初始化后,会在keystone中创建一些数据表
- 初始化密钥库
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
初始化完成后会在/etc/keystone/下生成两个密钥的目录
- 启动服务
keystone-manage bootstrap --bootstrap-password admin \ --bootstrap-admin-url http://192.168.46.130:35357/v3/ \ --bootstrap-internal-url http://192.168.46.130:5000/v3/ \ --bootstrap-public-url http://192.168.46.130:5000/v3/ \ --bootstrap-region-id RegionOne
此处指定了keystone的35357和5000端口,这是keystone的默认的两个端口,为后续其他组件与keystone交互使用。
安装HTTP server
keystone需要用到Apache HTTP server,之前我们已经安装过了,在此进行配置,编辑 /etc/httpd/conf/httpd.conf
ServerName 192.168.46.130:80
创建/usr/share/keystone/wsgi-keystone.conf的软连接
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
/usr/share/keystone/wsgi-keystone.conf是keystone生效的配置(内容如下),涉及到两个端口,下边启动httpd服务以后,会开始监听5000和35357两个端口
Listen 5000 Listen 35357 <VirtualHost *:5000> WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-public WSGIScriptAlias / /usr/bin/keystone-wsgi-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On LimitRequestBody 114688 <IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M" </IfVersion> ErrorLog /var/log/httpd/keystone.log CustomLog /var/log/httpd/keystone_access.log combined <Directory /usr/bin> <IfVersion >= 2.4> Require all granted </IfVersion> <IfVersion < 2.4> Order allow,deny Allow from all </IfVersion> </Directory> </VirtualHost> <VirtualHost *:35357> WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP} WSGIProcessGroup keystone-admin WSGIScriptAlias / /usr/bin/keystone-wsgi-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On LimitRequestBody 114688 <IfVersion >= 2.4> ErrorLogFormat "%{cu}t %M" </IfVersion> ErrorLog /var/log/httpd/keystone.log CustomLog /var/log/httpd/keystone_access.log combined <Directory /usr/bin> <IfVersion >= 2.4> Require all granted </IfVersion> <IfVersion < 2.4> Order allow,deny Allow from all </IfVersion> </Directory> </VirtualHost> Alias /identity /usr/bin/keystone-wsgi-public <Location /identity> SetHandler wsgi-script Options +ExecCGI WSGIProcessGroup keystone-public WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On </Location> Alias /identity_admin /usr/bin/keystone-wsgi-admin <Location /identity_admin> SetHandler wsgi-script Options +ExecCGI WSGIProcessGroup keystone-admin WSGIApplicationGroup %{GLOBAL} WSGIPassAuthorization On </Location>
- 启动httpd服务
# systemctl enable httpd.service # systemctl start httpd.service
- 设置环境变量
export OS_USERNAME=admin export OS_PASSWORD=admin export OS_PROJECT_NAME=admin export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_DOMAIN_NAME=Default export OS_AUTH_URL=http://192.168.46.130:35357/v3 export OS_IDENTITY_API_VERSION=3
通过以上的配置,keystone组件就安装完成了,下边我们在keystone中创建project、user和role
创建domain、projects、users 和roles
- 创建project:service
$ openstack project create --domain default \ --description "Service Project" service +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Service Project | | domain_id | default | | enabled | True | | id | 24ac7f19cd944f4cba1d77469b2a73ed | | is_domain | False | | name | service | | parent_id | default | +-------------+----------------------------------+
- 创建project:demo
$ openstack project create --domain default \ --description "Demo Project" demo +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Demo Project | | domain_id | default | | enabled | True | | id | 231ad6e7ebba47d6a1e57e1cc07ae446 | | is_domain | False | | name | demo | | parent_id | default | +-------------+----------------------------------+
- 创建user:demo
$ openstack user create --domain default \ --password-prompt demo User Password: Repeat User Password: +---------------------+----------------------------------+ | Field | Value | +---------------------+----------------------------------+ | domain_id | default | | enabled | True | | id | aeda23aa78f44e859900e22c24817832 | | name | demo | | options | {} | | password_expires_at | None | +---------------------+----------------------------------+
- 创建role:user
$ openstack role create user +-----------+----------------------------------+ | Field | Value | +-----------+----------------------------------+ | domain_id | None | | id | 997ce8d05fc143ac97d83fdfb5998552 | | name | user | +-----------+----------------------------------+
- 设置demo用户为user角色并添加到demo项目中
$ openstack role add --project demo --user demo user
经过上边的操作可能有点懵,现在解释以下,在keystone中有三个名词,分别为project(可以称为项目,之前叫tenument租户),user(用户),role(角色)。以上三个名词可以做如下理解,user就是用户,用来登录openstack的,可以在openstack上做一些操作,但是不同的用户应该有不同的操作权限,所以就有了role,角色的称呼,每个用户可以分配到一个角色里,每个角色的权限是不一样的。为了对用户进行管理,就把每个用户放到了project中,每个project中可能有多个用户。所以project相当于我们公司的部门,role相当于员工的角色,不同角色权限不一样,user就相当于公司员工了。
验证操作
经过以上的部署,下边验证下keystone的部署是否成功。之前我们设置了一堆环境变量,如下:
export OS_USERNAME=admin export OS_PASSWORD=admin export OS_PROJECT_NAME=admin export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_DOMAIN_NAME=Default export OS_AUTH_URL=http://192.168.46.130:35357/v3 export OS_IDENTITY_API_VERSION=3
这些环境变量我们可以不用设置,但是在执行openstack的时候需要指定,像如下的操作
$ openstack --os-auth-url http://192.168.46.130:35357/v3 \ --os-project-domain-name Default --os-user-domain-name Default \ --os-project-name admin --os-username admin token issue Password: +------------+-----------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------+ | expires | 2016-02-12T20:14:07.056119Z | | id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv | | | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 | | | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws | | project_id | 343d245e850143a096806dfaefa9afdc | | user_id | ac3377633149401296f6c0d92d79dc16 | +------------+-----------------------------------------------------------------+
以上操作是admin用户向keystone发起请求,keystone返回一个token
如下验证刚才创建的demo用户
$ openstack --os-auth-url http://192.168.46.130:5000/v3 \ --os-project-domain-name Default --os-user-domain-name Default \ --os-project-name demo --os-username demo token issue Password: +------------+-----------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------+ | expires | 2016-02-12T20:15:39.014479Z | | id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW | | | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ | | | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U | | project_id | ed0b60bf607743088218b0a533d5943f | | user_id | 58126687cbcc4888bfa9ab73a2256f27 | +------------+-----------------------------------------------------------------+
如果以上的操作都正常执行,则说明keystone我们已经成功部署完成了
设置环境变量脚本
上边向keystone发起请求每次都需要设置很多参数,其实在openstack的其他组件与keystone交互时,要求我们首先应该设置一系列的环境变量,不需要再指定众多参数
export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=admin export OS_AUTH_URL=http://192.168.46.130:35357/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
我们把以上内容保存到admin-openstack.sh,以后每次开始使用keystone认证时执行下source admin-openstack.sh
export OS_PROJECT_DOMAIN_NAME=Default export OS_USER_DOMAIN_NAME=Default export OS_PROJECT_NAME=demo export OS_USERNAME=demo export OS_PASSWORD=demo export OS_AUTH_URL=http://192.168.46.130:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
以上内容保存到demo-openstack.sh,我想大家应该也发现了,上边的admin用户使用的OS_AUTH_URL=http://192.168.46.130:35357/v3。demo用户使用的是OS_AUTH_URL=http://192.168.46.130:5000/v3,这就是keystone提供两个端口的用处,不同的用户可以使用两个端口中的任何一个,至于使用那个端口,应该看用户的使用权限。
至此keystone组件就部署完成了。