OpenStack Ocata (O release) deployment: Identity service (keystone) deployment
Installing and configuring the service
1. Create the keystone database and database user
Run on the controller node:
mysql -uroot -p123456
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
flush privileges;
2. Install the software
yum install openstack-keystone httpd mod_wsgi -y
3. Edit the configuration file
vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = b4164396208d7fe6d48b
# Recommended: generate the token with the command: openssl rand -hex 10
[database]
connection = mysql+pymysql://keystone:123456@controller01/keystone
[token]
provider = fernet
4. Sync the changes to the database
su -s /bin/sh -c "keystone-manage db_sync" keystone
5. Initialize the Fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
6. Configure the Apache service
vim /etc/httpd/conf/httpd.conf
ServerName controller01
vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
7. Start the web service
systemctl enable httpd.service
systemctl restart httpd.service
Creating the service entity and the API endpoints
1. Set the administrator environment variables; they provide the privileges needed for the objects created in the following steps
export OS_TOKEN=b4164396208d7fe6d48b
export OS_URL=http://controller01:35357/v3
export OS_IDENTITY_API_VERSION=3
2. Using the privileges granted in the previous step, create the identity service entity (the service catalog entry)
openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | aa47cd781e53430dad37b0c9944b688b |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
3. For the service entity created in the previous step, create the three API endpoints used to reach it
openstack endpoint create --region RegionOne identity public http://controller01:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 41fee09de7cc4e9b8d08c0b73e9f39d3 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller01:5000/v3      |
+--------------+----------------------------------+
openstack endpoint create --region RegionOne identity internal http://controller01:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | d5dcf1954a414131913f7fa4ea5182ee |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller01:5000/v3      |
+--------------+----------------------------------+
openstack endpoint create --region RegionOne identity admin http://controller01:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 93fe3d113327455f9c973d3b42579268 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller01:35357/v3     |
+--------------+----------------------------------+
Creating a domain, a project (tenant), a user and a role, and linking the four together
1. Create a shared domain
openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 135e691ebbb74fefb5086970eac74706 |
| name        | default                          |
+-------------+----------------------------------+
2. Create an administrator (admin project and admin user)
openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 135e691ebbb74fefb5086970eac74706 |
| enabled     | True                             |
| id          | a3f24ce750034504876c0132c427306e |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+
openstack user create --domain default --password-prompt admin
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 135e691ebbb74fefb5086970eac74706 |
| enabled             | True                             |
| id                  | 1a1f6cf671474f45b81bf4150d8f6a67 |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
3. Create a role: admin, and assign it to the admin user on the admin project
openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | a442951d5ed044b78c80c223aef2bf3a |
| name      | admin                            |
+-----------+----------------------------------+
openstack role add --project admin --user admin admin
4. Create an ordinary user (demo project and demo user)
openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 135e691ebbb74fefb5086970eac74706 |
| enabled     | True                             |
| id          | 890abe6826374c4d94b371d035f3f6ee |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+
openstack user create --domain default --password-prompt demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 135e691ebbb74fefb5086970eac74706 |
| enabled             | True                             |
| id                  | 8f26fad523ed4b6e9c30fbfa21cc8544 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
5. Create an ordinary role: user, and assign it to the demo user on the demo project
openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 3065224e5e32425a8d84775fe0fadbbc |
| name      | user                             |
+-----------+----------------------------------+
openstack role add --project demo --user demo user
6. Create the shared project "service" for the services installed later
# Explanation: every service set up later needs four operations in keystone: 1. create a project (tenant) 2. create a user 3. create a role 4. link them together
# All later services share the single project "service" and all use the admin role, so in practice the keystone-related work for each later service installation is reduced to steps 2 and 4
openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 135e691ebbb74fefb5086970eac74706 |
| enabled     | True                             |
| id          | 38fce9de65f2455088be6196678e2090 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+
Verification
vim /etc/keystone/keystone-paste.ini
In the three sections [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3], remove admin_token_auth from the pipeline.
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller01:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
+------------+----------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                    |
+------------+----------------------------------------------------------------------------------------------------------+
| expires    | 2018-02-02T02:45:24+0000                                                                                 |
| id         | gAAAAABac8K0yoQzaByOrSYlzDGUAASjSuz-4mcyk6neOMNoCh_pkqXZH20wW3n6RXOQ4fk2IZQyM1yt0MMghtYakyurzghBFsuVYBw- |
|            | 76mA2yQRGDTtL_3XTcg8AHD2Oaw0_UTZ59ROda_l6deP_BFGnyxIvO80pcUXBqp6HN7xzgP5ssnnXkQ                          |
| project_id | a3f24ce750034504876c0132c427306e                                                                         |
| user_id    | 1a1f6cf671474f45b81bf4150d8f6a67                                                                         |
+------------+----------------------------------------------------------------------------------------------------------+
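As an added example (not part of the original post), the following shell script performs the admin_token_auth removal described above on the three pipelines and then checks that no pipeline still references the filter, so the bootstrap token in keystone.conf can no longer be used for authentication. The paste file contents it writes are a constructed, shortened sample standing in for /etc/keystone/keystone-paste.ini.

```shell
#!/bin/sh
# Added example, not from the original post: after bootstrap, strip the
# admin_token_auth filter from the three paste pipelines named above and
# confirm no pipeline still references it. The sample file is constructed
# (shortened Ocata-style pipelines), a stand-in for /etc/keystone/keystone-paste.ini.

# Write the constructed sample into the file named by $1.
write_sample_paste_ini() {
    cat > "$1" <<'EOF'
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
EOF
}

# Remove admin_token_auth from every "pipeline =" line of file $1. Only the
# pipeline lines change; the now-unreferenced [filter:admin_token_auth] section may stay.
disable_admin_token_auth() {
    sed -e '/^pipeline *=/ s/ admin_token_auth / /g' \
        -e '/^pipeline *=/ s/ admin_token_auth$//' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Exit 0 when some pipeline still lists admin_token_auth, 1 when none does.
admin_token_auth_present() {
    grep -E '^pipeline *=.* admin_token_auth( |$)' "$1" >/dev/null
}

# Demo run on a temporary copy of the sample.
tmp="$(mktemp)"
write_sample_paste_ini "$tmp"
disable_admin_token_auth "$tmp"
if admin_token_auth_present "$tmp"; then
    echo "admin_token_auth is still enabled in at least one pipeline"
else
    echo "admin_token_auth removed from all $(grep -c '^pipeline *=' "$tmp") pipelines"
fi
rm -f "$tmp"
```

To apply it to a real controller, call disable_admin_token_auth on a backup copy of /etc/keystone/keystone-paste.ini first and run admin_token_auth_present on the result before restarting httpd.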
Creating the client environment script files
Administrator: admin-openrc
vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller01:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Ordinary user demo: demo-openrc
vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=che001
export OS_AUTH_URL=http://controller01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Result:
source admin-openrc
openstack token issue