OpenStack Pike installation notes 2 (installing the Keystone identity component)

	Identity: has two main functions
		keystone component:
			User management: authentication and authorization
				token
				account and password
			Service catalog: a repository of information on all available services, including each API endpoint path
			A few core terms:
				User: a user that belongs to a tenant (similar to a sub-account on Alibaba Cloud)
				Tenant: the tenant (similar to a main account on Alibaba Cloud)
				Role: a role is used to grant permissions to a user
				Service: a service
				Endpoint: the path at which an API is accessed
				Token: a token, used for authentication
			Installing keystone:
				yum install openstack-keystone
			Configuration file (/etc/keystone/keystone.conf):
				[DEFAULT]
				# define the value of the initial admin token:
				admin_token = TOKEN_PASSWORD
				
				[database]
				# configure database access:
				connection = mysql+pymysql://root:123456@con.colinshi.top/keystone
				
				[token]
				# configure the provider for Fernet/UUID tokens:
				provider = fernet
			Note: the keystone database must first be created in MySQL and the relevant access privileges granted.
			Initialize the Identity service database:
				su -s /bin/sh -c "keystone-manage db_sync" keystone
			Initialize the Fernet keys:
				keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
				keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
			Bootstrap the Identity service:
				keystone-manage bootstrap --bootstrap-password 123456 --bootstrap-admin-url http://con.colinshi.top:35357/v3/ --bootstrap-internal-url http://con.colinshi.top:5000/v3/ --bootstrap-public-url http://con.colinshi.top:5000/v3/ --bootstrap-region-id RegionOne
			Install httpd:
				yum install httpd mod_wsgi
			Configure the Apache HTTP server
				/etc/httpd/conf.d/wsgi-keystone.conf

				Listen 5000
				Listen 35357

				<VirtualHost *:5000>
					WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
					WSGIProcessGroup keystone-public
					WSGIScriptAlias / /usr/bin/keystone-wsgi-public
					WSGIApplicationGroup %{GLOBAL}
					WSGIPassAuthorization On
					ErrorLogFormat "%{cu}t %M"
					ErrorLog /var/log/httpd/keystone-error.log
					CustomLog /var/log/httpd/keystone-access.log combined

					<Directory /usr/bin>
						Require all granted
					</Directory>
				</VirtualHost>

				<VirtualHost *:35357>
					WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
					WSGIProcessGroup keystone-admin
					WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
					WSGIApplicationGroup %{GLOBAL}
					WSGIPassAuthorization On
					ErrorLogFormat "%{cu}t %M"
					ErrorLog /var/log/httpd/keystone-error.log
					CustomLog /var/log/httpd/keystone-access.log combined

					<Directory /usr/bin>
						Require all granted
					</Directory>
				</VirtualHost>
			
			Start the Apache HTTP service and configure it to start with the system:
				systemctl enable httpd.service
				systemctl start httpd.service
				
			Create a project (tenant) (Service Project):
				openstack project create --domain default --description "Service Project" service
			Create a user (demo):
				openstack user create --domain default <[--password-prompt]|[--password <password>]> demo
			Create a role for granting permissions:
				openstack role create user
			Associate the user with the tenant and the role:
				openstack role add --project service --user demo user
				openstack role add --project service --user demo _member_
			Write the variables to a file so they can be sourced directly:
				Edit the file admin-openrc and add the following:
					export OS_PROJECT_DOMAIN_NAME=default
					export OS_USER_DOMAIN_NAME=default
					export OS_PROJECT_NAME=admin
					export OS_USERNAME=admin
					export OS_PASSWORD=123456
					export OS_AUTH_URL=http://con.colinshi.top:35357/v3
					export OS_IDENTITY_API_VERSION=3
					export OS_IMAGE_API_VERSION=2
				Edit the file demo-openrc and add the following:
					export OS_PROJECT_DOMAIN_NAME=default
					export OS_USER_DOMAIN_NAME=default
					export OS_PROJECT_NAME=demo
					export OS_USERNAME=demo
					export OS_PASSWORD=demo
					export OS_AUTH_URL=http://con.colinshi.top:35357/v3
					export OS_IDENTITY_API_VERSION=3
					export OS_IMAGE_API_VERSION=2
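The openrc files above only set environment variables; what the openstack client does with them is the Keystone v3 password authentication exchange described in the "core terms" section at the top (user + password in, token + service catalog of endpoints out, with the user's roles listed in the token). The following is an added example, not code from the original notes or from OpenStack, that builds that request from the demo-openrc variables and reads the catalog and roles back out of a token response. The token response body and the X-Subject-Token header value are constructed by hand to match the v3 response shape, not captured from a real deployment; the openrc parser handles only the `export KEY=value` lines used in the notes.

```python
# Added example (not from the original notes): Keystone v3 password auth
# request built from demo-openrc, plus catalog/role checks on a token reply.

# Constructed sample: the demo-openrc file from the notes, embedded so the
# example runs offline.
DEMO_OPENRC = """\
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://con.colinshi.top:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
"""

# Constructed sample of what POST /v3/auth/tokens returns. The token itself is
# carried in the X-Subject-Token response header; the body describes the
# token's scope, roles and the service catalog. All values are invented.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-fernet-token"}
SAMPLE_TOKEN_BODY = {
    "token": {
        "methods": ["password"],
        "user": {"name": "demo"},
        "project": {"name": "demo"},
        "roles": [{"name": "user"}, {"name": "_member_"}],
        "catalog": [
            {
                "type": "identity",
                "name": "keystone",
                "endpoints": [
                    {"interface": "public", "region": "RegionOne",
                     "url": "http://con.colinshi.top:5000/v3/"},
                    {"interface": "internal", "region": "RegionOne",
                     "url": "http://con.colinshi.top:5000/v3/"},
                    {"interface": "admin", "region": "RegionOne",
                     "url": "http://con.colinshi.top:35357/v3/"},
                ],
            }
        ],
    }
}


def parse_openrc(text):
    """Read `export KEY=value` lines (the sh subset used by the openrc files)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("export "):
            continue
        key, _, value = line[len("export "):].partition("=")
        env[key.strip()] = value.strip().strip("'\"")
    return env


def token_url(env):
    """POST target for password auth; OS_AUTH_URL already ends in /v3."""
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"


def build_auth_request(env):
    """Body of a v3 password-auth request scoped to the openrc project."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": env["OS_USERNAME"],
                        "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                        "password": env["OS_PASSWORD"],
                    }
                },
            },
            "scope": {
                "project": {
                    "name": env["OS_PROJECT_NAME"],
                    "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
                }
            },
        }
    }


def catalog_endpoints(body, interface="public"):
    """Map service type -> endpoint URL for one interface, from the catalog."""
    found = {}
    for service in body["token"]["catalog"]:
        for ep in service["endpoints"]:
            if ep["interface"] == interface:
                found[service["type"]] = ep["url"]
    return found


def token_roles(body):
    """Role names granted on the token's project, sorted for stable output."""
    return sorted(r["name"] for r in body["token"]["roles"])


def has_role(body, role):
    """True if the scoped token carries the named role (e.g. 'admin')."""
    return role in token_roles(body)


if __name__ == "__main__":
    env = parse_openrc(DEMO_OPENRC)
    print("POST", token_url(env))
    print("user:", build_auth_request(env)["auth"]["identity"]["password"]["user"]["name"])
    print("X-Subject-Token:", SAMPLE_HEADERS["X-Subject-Token"])
    print("public endpoints:", catalog_endpoints(SAMPLE_TOKEN_BODY))
    print("roles:", token_roles(SAMPLE_TOKEN_BODY), "admin?", has_role(SAMPLE_TOKEN_BODY, "admin"))
```

The role check mirrors what the `openstack role add` steps above produce: the demo user gets `user` and `_member_` on the project, so a token scoped to it should not carry `admin`; the catalog check shows why the notes register three interfaces (public/internal on 5000, admin on 35357) and why the openrc files point the client at the admin URL.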

Posted @ 2018-09-03 17:14 by colinshi