OpenStack Pike installation notes, part 2 (installing the Keystone identity component)

Identity (the Keystone component) has two main jobs:

User management: authentication and authorization. A user presents an account name and password and receives a token that is sent with every later API call.
Service catalog: the registry of all available services, including the API endpoint URL of each one.

A few core terms:

User: an account that belongs to a tenant (comparable to a sub-account on Alibaba Cloud).
Tenant: a tenant, called a project in the v3 API (comparable to the primary account on Alibaba Cloud).
Role: a role, used to grant a user permissions within a project.
Service: a registered service (identity, image, compute, ...).
Endpoint: the URL at which a service's API is reached.
Token: the bearer credential issued after authentication.

Installing Keystone:

    yum install openstack-keystone

Configuration file (/etc/keystone/keystone.conf):

    [DEFAULT]
    # Value of the initial administration token
    admin_token = TOKEN_PASSWORD

    [database]
    # Database access
    connection = mysql+pymysql://root:123456@con.colinshi.top/keystone

    [token]
    # Token provider (Fernet)
    provider = fernet

Notes on these settings:

The keystone database must be created in MySQL first and a database user granted access to it. The connection string above logs in as the MySQL root user; a dedicated keystone database user with privileges only on the keystone database is the safer choice, and keystone.conf should be readable only by root and the keystone user because it holds that password in clear text.

admin_token is a static, full-privilege bearer credential and the admin_token_auth mechanism is deprecated in Pike. Because the admin user is created with keystone-manage bootstrap below, this value is not needed; leave it unset, or remove it once bootstrap has run.

Fernet is the expected provider: Fernet tokens are encrypted payloads that are not stored in the database, so the older UUID provider is not needed.

Initialize the identity service database:

    su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the Fernet keys:

    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

These commands create the key repositories (by default /etc/keystone/fernet-keys/ and /etc/keystone/credential-keys/) owned by the keystone user. Every token is encrypted with the Fernet keys, so anyone who can read that directory can mint valid tokens; keep its permissions as created and do not copy it anywhere it is not needed.

Bootstrap the identity service:

    keystone-manage bootstrap --bootstrap-password 123456 \
      --bootstrap-admin-url http://con.colinshi.top:35357/v3/ \
      --bootstrap-internal-url http://con.colinshi.top:5000/v3/ \
      --bootstrap-public-url http://con.colinshi.top:5000/v3/ \
      --bootstrap-region-id RegionOne

This creates the default domain, the admin project, the admin user with the given password, the admin role, and the identity service with its admin, internal and public endpoints in RegionOne. The bootstrap password is the admin password used in admin-openrc below, so choose something stronger than 123456 for anything beyond a lab.

Install httpd:

    yum install httpd mod_wsgi

Configure the Apache HTTP server, /etc/httpd/conf.d/wsgi-keystone.conf:

    Listen 5000
    Listen 35357

    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined

        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>

    <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined

        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>

Port 5000 serves the public and internal endpoints and port 35357 the admin endpoint; the WSGI processes run as the unprivileged keystone user, and WSGIPassAuthorization On is required so that the Authorization header reaches Keystone instead of being consumed by Apache.

Start the Apache HTTP server and enable it at boot:

    systemctl enable httpd.service
    systemctl start httpd.service

The openstack commands that follow need admin credentials, so source admin-openrc (defined below) first.

Create the service project (tenant):

    openstack project create --domain default --description "Service Project" service

Create the demo user (either prompt for the password or pass it on the command line):

    openstack user create --domain default --password-prompt demo
    openstack user create --domain default --password <password> demo

Create the user role:

    openstack role create user

Assign the user to the project with that role:

    openstack role add --project service --user demo user
    openstack role add --project service --user demo _member_

Two things to check here. First, demo-openrc below scopes the demo user to a project named demo, but these notes only create the service project; either create a demo project (openstack project create --domain default demo) and run the role add against it, or set OS_PROJECT_NAME=service in demo-openrc. Second, the password given to openstack user create must match OS_PASSWORD=demo in demo-openrc.

Write the variables to a file so they can be sourced directly.

Edit the file admin-openrc and add:

    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=123456
    export OS_AUTH_URL=http://con.colinshi.top:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

Edit the file demo-openrc and add:

    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=demo
    export OS_AUTH_URL=http://con.colinshi.top:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

Both files hold passwords in clear text, so keep them mode 0600. The demo user has no admin role and only needs the public endpoint, so demo-openrc can point OS_AUTH_URL at port 5000 instead of the admin port 35357; only admin-openrc needs the admin endpoint.
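The keystone.conf section above carries three settings worth checking before the service goes anywhere near production: a static admin_token, a database connection as root with a trivial password, and the token provider. The following is an added example, not part of the original notes or of Keystone itself: a small audit that parses a keystone.conf body and reports those problems. The two sample configurations are constructed inline (one copies the values from the notes, one shows a hardened version with an assumed database user and password), and the weak-password list and 16-character threshold are assumptions for the example.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample reproducing the settings from the notes above (not a real file).
NOTES_CONF = """
[DEFAULT]
admin_token = TOKEN_PASSWORD

[database]
connection = mysql+pymysql://root:123456@con.colinshi.top/keystone

[token]
provider = fernet
"""

# Constructed sample of the same file after hardening: no admin_token (bootstrap is
# used instead), a dedicated keystone DB user with a long password, Fernet kept.
# The user name and password here are assumptions for the example.
HARDENED_CONF = """
[database]
connection = mysql+pymysql://keystone:k3yst0ne-Db-Pass-Example-2017@con.colinshi.top/keystone

[token]
provider = fernet
"""

# Illustrative list and threshold only; a real audit would apply a proper password policy.
WEAK_PASSWORDS = {"123456", "password", "keystone", "admin", "secret"}
MIN_DB_PASSWORD_LEN = 16


def audit_keystone_conf(text):
    """Return a list of (code, message) findings for a keystone.conf body."""
    cp = configparser.ConfigParser(interpolation=None)  # values may contain '%'
    cp.read_string(text)
    findings = []

    # A static admin_token is a full-admin bearer credential and is not needed
    # once keystone-manage bootstrap has created the admin user.
    if cp.has_option("DEFAULT", "admin_token"):
        findings.append(("admin_token_set",
                         "[DEFAULT] admin_token is set; remove it after bootstrap"))

    conn = cp.get("database", "connection", fallback=None)
    if conn is None:
        findings.append(("db_connection_missing", "[database] connection is not set"))
    else:
        url = urlsplit(conn)  # scheme mysql+pymysql parses like any URL
        if url.username == "root":
            findings.append(("db_root_user",
                             "database connection uses root; use a dedicated keystone DB user"))
        if (url.password is None or len(url.password) < MIN_DB_PASSWORD_LEN
                or url.password in WEAK_PASSWORDS):
            findings.append(("db_weak_password",
                             "database password is missing, short or on the weak list"))

    # An absent value is treated as fernet, the provider the notes configure.
    provider = cp.get("token", "provider", fallback="fernet")
    if provider != "fernet":
        findings.append(("token_provider",
                         "[token] provider is %r; fernet is the expected provider" % provider))
    return findings


def finding_codes(text):
    """Just the finding codes, convenient for scripting or assertions."""
    return [code for code, _ in audit_keystone_conf(text)]


if __name__ == "__main__":
    for name, body in (("notes", NOTES_CONF), ("hardened", HARDENED_CONF)):
        print(name)
        for code, message in audit_keystone_conf(body):
            print("  %-22s %s" % (code, message))
```

Run against a real file with audit_keystone_conf(open("/etc/keystone/keystone.conf").read()). The checks are deliberately narrow: they cover only the options the notes set, and a finding means "look at this", not that the deployment is broken.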
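The openrc variables above are consumed by the openstack CLI, which turns them into a single POST to /v3/auth/tokens and then carries the returned token on every later request. The following is an added example, not code from the original notes or from the OpenStack client: it builds that request from the admin-openrc values and summarizes a response, so you can see where the token actually travels (the X-Subject-Token header) and how the catalog maps to the endpoints registered by bootstrap. The response is a constructed sample with the shape of a Keystone v3 token response; the token string, IDs and timestamps in it are made up for the example.

```python
import json

# The variables from admin-openrc above, as the CLI reads them from the environment
# (values copied from the notes, not a live deployment).
ADMIN_OPENRC = {
    "OS_PROJECT_DOMAIN_NAME": "default",
    "OS_USER_DOMAIN_NAME": "default",
    "OS_PROJECT_NAME": "admin",
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "123456",
    "OS_AUTH_URL": "http://con.colinshi.top:35357/v3",
}


def build_token_request(env):
    """Return (url, headers, body) for a project-scoped password authentication,
    the same shape of request the CLI sends for `openstack token issue`.
    The body is returned as a dict; json.dumps(body) is what goes on the wire."""
    body = {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": env["OS_USERNAME"],
                        "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                        "password": env["OS_PASSWORD"],
                    }
                },
            },
            "scope": {
                "project": {
                    "name": env["OS_PROJECT_NAME"],
                    "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
                }
            },
        }
    }
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    return url, {"Content-Type": "application/json"}, body


# Constructed sample response (status, headers, body) for the request above.
# Real Fernet tokens start with "gAAAAAB"; this one is a placeholder, not decryptable.
SAMPLE_STATUS = 201
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABconstructedSampleTokenNotReal",
                  "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": ["password"],
    "issued_at": "2017-09-01T12:00:00.000000Z",
    "expires_at": "2017-09-01T13:00:00.000000Z",
    "user": {"id": "constructed-user-id", "name": "admin", "domain": {"name": "Default"}},
    "project": {"id": "constructed-project-id", "name": "admin", "domain": {"name": "Default"}},
    "roles": [{"id": "constructed-role-id", "name": "admin"}],
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": "http://con.colinshi.top:5000/v3/"},
        {"interface": "internal", "region": "RegionOne", "url": "http://con.colinshi.top:5000/v3/"},
        {"interface": "admin", "region": "RegionOne", "url": "http://con.colinshi.top:35357/v3/"},
    ]}],
}})


def parse_token_response(status, headers, body_text):
    """Summarize a /v3/auth/tokens response. The token itself is only in the
    X-Subject-Token header; roles, expiry and the catalog are in the JSON body."""
    if status != 201:
        raise RuntimeError("token request failed with HTTP %d: %s" % (status, body_text))
    token = next((v for k, v in headers.items() if k.lower() == "x-subject-token"), None)
    if token is None:
        raise RuntimeError("201 response without an X-Subject-Token header")
    tok = json.loads(body_text)["token"]
    endpoints = {}
    for service in tok.get("catalog", []):
        for ep in service.get("endpoints", []):
            endpoints[(service["type"], ep["interface"])] = ep["url"]
    return {
        "token": token,
        "expires_at": tok["expires_at"],
        "user": tok["user"]["name"],
        "project": tok["project"]["name"],
        "roles": [r["name"] for r in tok["roles"]],
        "endpoints": endpoints,
    }


def endpoint_url(summary, service_type, interface):
    """Look up a service URL the way a client picks an endpoint from the catalog."""
    return summary["endpoints"][(service_type, interface)]


if __name__ == "__main__":
    url, headers, body = build_token_request(ADMIN_OPENRC)
    print("POST", url)
    print(json.dumps(body, indent=2))
    summary = parse_token_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY)
    print("token:", summary["token"][:12] + "...", "expires", summary["expires_at"])
    print("roles:", summary["roles"], "identity admin endpoint:",
          endpoint_url(summary, "identity", "admin"))
```

The summary shows why the openrc files deserve the same care as the password: the value in X-Subject-Token is a bearer credential that grants the listed roles on the scoped project until expires_at, with no further proof of identity required on later calls.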