OpenStack Keystone安装部署流程

之前介绍了OpenStack Swift的安装部署,采用的都是tempauth认证模式,今天就来介绍一个新的组件,名为Keystone

 

1. 简介

  本文将详细描述Keystone的安装部署流程,并给出一些简单的使用实例。

  Keystone是Openstack框架中的一个重要组成部分,负责身份认证、服务管理、服务规则和服务令牌的功能, 它实现了Openstack的Identity API。Keystone类似一个服务总线,或者说是整个Openstack框架的注册表,其他服务通过Keystone来注册其服务,任何服务之间相互的调用,都需要经过Keystone的身份验证来获得目标服务。Keystone包含两个主要部件:验证与服务目录。

  验证部件提供了一套基于令牌的验证服务,主要包含以下几个概念:

  1. 租户(Tenant:使用相关服务的一个组织(一个租户可以代表一个客户、账号、公司、组织或项目),必须指定一个相应的租户(Tenant)才可以申请OpenStack服务。在Swift中,一个租户可以拥有一定的存储空间,拥有多个容器,可以理解为一个公司拥有一大块存储空间。
  2. 用户(User:表示拥有用户名、密码、邮箱等账号信息的个人,用户能够申请并获得访问资源的授权。用户拥有证书,可以与一个或多个租户关联。经过身份验证后,会为每个关联的租户提供一个特定的令牌。一个用户可以在不同的租户中被分配不同的角色。以Swift为例,我们可以这样理解:租户是一个公司,拥有一大块存储空间,用户是个人,是该公司的员工,能够根据用户的角色访问公司的部分或全部存储空间,当然这个员工可以同时在其他公司兼职,拥有其他公司的存储空间;如果某个公司只有一个员工,即该员工拥有公司的全部存储空间,此时的用户就类似于金山快盘的用户了。
  3. 证书(Credentials:为了给用户提供一个令牌,需要用证书来唯一标识一个用户的密码或其它信息。
  4. 令牌(Token:一个令牌是一个任意比特的文本,用于与其它OpenStack服务来共享信息,Keystone以此来提供一个Central Location,以验证访问OpenStack服务的用户。一个令牌可以是scoped或unscoped。一个scoped令牌代表为某个租户验证过的用户,而unscoped令牌则仅代表一个用户。令牌的有效期是有限的,可以随时被撤回。
  5. 角色(Role:代表特定的租户中的用户操作权限,一个角色是应用于某个租户的使用权限集合,以允许某个指定用户访问或使用特定操作。角色是使用权限的逻辑分组,它使得通用的权限可以简单地分组并绑定到与某个指定租户相关的用户。

  服务目录部件(Service Catalog)提供了一套REST API服务端点列表并以此作为决策参考,主要包含以下几个概念:

  1. 服务(Service:一个OpenStack服务,例如Nova、Swift、Glance或Keystone。一个服务可以拥有一个或多个端点,用户可以通过它与OpenStack的服务或资源进行交互。
  2. 端点(Endpoint:一个可以通过网络访问的地址(例如一个URL),代表了OpenStack服务的API入口。端点也可以分组为模板,每个模板代表一组可用的OpenStack服务,这些服务是跨区域(regions)可用的,例如将多个Swift Proxy Server分别配置为不同的域(regionOne、regionTwo等)。
  3. 模板(Template:一个端点集合,代表一组可用的OpenStack服务端点。

2. 安装部署

2.1 准备环境

环境类型

详细信息

机器类型:

PC物理机

操作系统:

Ubuntu-11.10-desktop-64

用户类型:

root

数据库:

sqlite3

IP地址:

192.168.3.67

2.2 版本说明

  如果你使用的是Ubuntu,那么也可以直接通过apt-get来安装Keystone,不过本文介绍的是从git(https://github.com/openstack/keystone)上获取Master分支的最新代码来进行安装部署。请务必确保各处安装的Keystone与python-keystoneclient的版本统一,这在Keystone与其他服务(如Swift)整合使用时尤为重要,可关注后续文档《Keystone与Swift(集群)整合使用说明》,你就会明白其中的道理了。

2.3 安装软件环境

  首先,需要安装Keystone所需的软件环境(确保你的机器可以访问互联网),例如git用于获取Keystone代码,sqlite3作为本地数据库。

# apt-get install git python-dev sqlite3 libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev

2.4 安装Keystone

  从git上获取最新的Keystone Service代码。

# cd ~

# git clone https://github.com/openstack/keystone.git

  安装Keystone的依赖项与主体程序(Keystone会被安装到python的dist-packages中)。

# cd ~/keystone

# pip install -r tools/pip-requires

# pip install -r tools/test-requires(本条命令可不执行)

# python setup.py install

  文件~/keystone/tools/pip-requires中(内容如下所示)记录了运行Keystone程序所需的依赖项,setup.py就是根据该文件来检查依赖项并自动下载安装的。其中指明了python-keystoneclient为依赖项,python-keystoneclient作为本地客户端组件,用于访问Keystone。python-keystoneclient与Keystone的版本需要统一,否则可能会出现版本兼容性问题,采用依赖项的方式安装python-keystoneclient,可确保不会出现版本兼容性问题。

# keystone dependencies

pam>=0.1.4

WebOb==1.2.3

eventlet

greenlet

PasteDeploy

paste

routes

sqlalchemy>=0.7.8,<=0.7.9

sqlalchemy-migrate>=0.7.2

passlib

lxml

iso8601>=0.1.4

python-keystoneclient>=0.2.1,<0.3

oslo.config>=1.1.0

  文件~/keystone/tools/test-requires中(内容如下所示)记录了Keystone动态开发与测试所需的依赖项。这些依赖项不是运行Keystone所必须的,所以可以不安装(即不执行上面的命令:pip install -r tools/test-requires)。

# Optional backend: SQL

pysqlite

 

# Optional backend: Memcache

python-memcached

 

# Optional backend: LDAP

python-ldap==2.3.13 # authenticate against an existing LDAP server

 

# Testing

coverage # computes code coverage percentages

mox # mock object framework

nose # for test discovery and console feedback

nosexcover

openstack.nose_plugin

nosehtmloutput

pylint # static code analysis

pep8==1.3.3 # checks for PEP8 code style compliance

Sphinx>=1.1.2 # required to build documentation

unittest2 # backport of unittest lib in python 2.7

webtest # test wsgi apps without starting an http server

distribute>=0.6.24

 

# for python-keystoneclient

httplib2 # keystoneclient <0.2.1

requests>=1.0.0 # replaces httplib2 in keystoneclient >=0.2.1

keyring

 

# swift_auth test dependencies

http://tarballs.openstack.org/swift/swift-master.tar.gz#egg=swift

netifaces

 

# For translations processing

Babel

  需要特别注意的是,安装tools/test-requires依赖项时会自动下载swift-master.tar.gz包并重新安装Swift。因此,如果电脑上已经安装了Swift,就不可以再执行“pip install -r tools/test-requires”命令了(该命令会覆盖掉之前安装的Swift程序)。

  如果你不小心覆盖掉了之前安装的Swift程序,也无需担心,执行以下命令,重新安装你的Swift程序即可。(假设Swift的源代码在目录~/swift/swift_1.7.6下,python-swiftclient的源代码在目录~/swift/python-swiftclient_1.2.0下)

# cd ~/swift/swift_1.7.6

# python setup.py develop

# cd ~/swift/python-swiftclient_1.2.0

# python setup.py develop

2.5 配置Keystone

  由于是从git上获取的代码,所以我们需要手动将代码中的配置文件复制到系统中正确的目录下。配置文件在~/keystone/etc目录下,共有四个,包括default_catalog.templateskeystone.conf.samplelogging.conf.samplepolicy.json。将这四个配置文件复制到/etc/keystone目录下,并重命名(去掉“.sample”)。用户需要注意下文中的红色标注部分。

# mkdir -p /etc/keystone

# cp ~/keystone/etc/* /etc/keystone/

# cp mv /etc/keystone/keystone.conf.sample /etc/keystone/keystone.conf

# cp mv /etc/keystone/logging.conf.sample /etc/keystone/logging.conf

  其中keystone.conf是核心配置文件,logging.conf是日志配置文件,default_catalog.templates是目录模版文件,policy.json定义了Identity服务的访问策略。我们需要修改核心配置文件/etc/keystone/keystone.conf。

[DEFAULT]

# A "shared secret" between keystone and other openstack services

# admin_token = ADMIN

# 注意该信息,admin_token参数是用来访问Keystone服务的,即Keystone服务的Token。默认为ADMIN,当然也可以改成别的。客户端可以使用该Token访问Keystone服务、查看信息、创建其他服务等。

 

# The IP address of the network interface to listen on

# bind_host = 0.0.0.0

 

# The port number which the public service listens on

# public_port = 5000

# Keystone提供的认证授权服务监听的端口,通常为公网(外网),也可以是内网。

 

# The port number which the public admin listens on

# admin_port = 35357

# Keystone提供的认证授权、系统管理服务监听的端口,通常为内网。除了认证授权功能外,用户需要访问该端口来进行管理员操作,如创建删除Tenant、User、Role、Service、Endpoint等。

 

# The port number which the OpenStack Compute service listens on

# compute_port = 8774

 

# Path to your policy definition containing identity actions

# TODO(dolph): This config method will probably be deprecated during grizzly

# policy_file = policy.json

 

# Rule to check if no matching policy definition is found

# FIXME(dolph): This should really be defined as [policy] default_rule

# policy_default_rule = admin_required

 

# === Logging Options ===

# Print debugging output

# verbose = False

 

# Print more verbose output

# (includes plaintext request logging, potentially including passwords)

# debug = False

 

# Name of log file to output to. If not set, logging will go to stdout.

# log_file = keystone.log

 

# The directory to keep log files in (will be prepended to --logfile)

# log_dir = /var/log/keystone

 

# Use syslog for logging.

# use_syslog = False

 

# syslog facility to receive log lines

# syslog_log_facility = LOG_USER

 

# If this option is specified, the logging configuration file specified is

# used and overrides any other logging options specified. Please see the

# Python logging module documentation for details on logging configuration

# files.

# log_config = logging.conf

 

# A logging.Formatter log message format string which may use any of the

# available logging.LogRecord attributes.

# log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s

 

# Format string for %(asctime)s in log records.

# log_date_format = %Y-%m-%d %H:%M:%S

 

# onready allows you to send a notification when the process is ready to serve

# For example, to have it notify using systemd, one could set shell command:

# onready = systemd-notify --ready

# or a module with notify() method:

# onready = keystone.common.systemd

 

[sql]

# The SQLAlchemy connection string used to connect to the database

# connection = sqlite:///keystone.db

# 此处为数据库参数,默认使用sqlite,并且指定数据库文件的存放位置,keystone.db表示在主目录下创建keystone.db文件,用于存放数据。也可以指定其他存储位置,例如sqlite:////var/lib/keystone/keystone.db。

# 当然也可以使用mysql,如mysql://root:123456@192.168.3.67/keystone,其中192.168.3.67为数据库地址,keystone为数据库名称,root为用户名,123456为访问密码。需要事先安装mysql,并且创建名为keystone的数据库,设置用户名密码。

 

# the timeout before idle sql connections are reaped

# idle_timeout = 200

 

[identity]

# driver = keystone.identity.backends.sql.Identity

 

[catalog]

# dynamic, sql-based backend (supports API/CLI-based management commands)

# driver = keystone.catalog.backends.sql.Catalog

 

# static, file-based backend (does *NOT* support any management commands)

# driver = keystone.catalog.backends.templated.TemplatedCatalog

 

# template_file = default_catalog.templates

 

[token]

# driver = keystone.token.backends.kvs.Token

 

# Amount of time a token should remain valid (in seconds)

# expiration = 86400

 

[policy]

# driver = keystone.policy.backends.sql.Policy

 

[ec2]

# driver = keystone.contrib.ec2.backends.kvs.Ec2

 

[ssl]

#enable = True

#certfile = /etc/keystone/ssl/certs/keystone.pem

#keyfile = /etc/keystone/ssl/private/keystonekey.pem

#ca_certs = /etc/keystone/ssl/certs/ca.pem

#cert_required = True

 

[signing]

# token_format = PKI

# 此处需要特别注意,新版本中默认Token为PKI,因而需要为此设置PKI认证,较为麻烦,可改为UUID以方便使用,UUID是一个几十位的随机字符串。

 

token_format = UUID

#certfile = /etc/keystone/ssl/certs/signing_cert.pem

#keyfile = /etc/keystone/ssl/private/signing_key.pem

#ca_certs = /etc/keystone/ssl/certs/ca.pem

#key_size = 1024

#valid_days = 3650

#ca_password = None

 

[ldap]

# url = ldap://localhost

# user = dc=Manager,dc=example,dc=com

# password = None

# suffix = cn=example,cn=com

# use_dumb_member = False

# allow_subtree_delete = False

# dumb_member = cn=dumb,dc=example,dc=com

 

# user_tree_dn = ou=Users,dc=example,dc=com

# user_filter =

# user_objectclass = inetOrgPerson

# user_id_attribute = cn

# user_name_attribute = sn

# user_mail_attribute = email

# user_pass_attribute = userPassword

# user_enabled_attribute = enabled

# user_enabled_mask = 0

# user_enabled_default = True

# user_attribute_ignore = tenant_id,tenants

# user_allow_create = True

# user_allow_update = True

# user_allow_delete = True

 

# tenant_tree_dn = ou=Groups,dc=example,dc=com

# tenant_filter =

# tenant_objectclass = groupOfNames

# tenant_id_attribute = cn

# tenant_member_attribute = member

# tenant_name_attribute = ou

# tenant_desc_attribute = desc

# tenant_enabled_attribute = enabled

# tenant_attribute_ignore =

# tenant_allow_create = True

# tenant_allow_update = True

# tenant_allow_delete = True

 

# role_tree_dn = ou=Roles,dc=example,dc=com

# role_filter =

# role_objectclass = organizationalRole

# role_id_attribute = cn

# role_name_attribute = ou

# role_member_attribute = roleOccupant

# role_attribute_ignore =

# role_allow_create = True

# role_allow_update = True

# role_allow_delete = True

 

[filter:debug]

paste.filter_factory = keystone.common.wsgi:Debug.factory

 

[filter:token_auth]

paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory

 

[filter:admin_token_auth]

paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

 

[filter:xml_body]

paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory

 

[filter:json_body]

paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory

 

[filter:user_crud_extension]

paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory

 

[filter:crud_extension]

paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory

 

[filter:ec2_extension]

paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory

 

[filter:s3_extension]

paste.filter_factory = keystone.contrib.s3:S3Extension.factory

 

[filter:url_normalize]

paste.filter_factory = keystone.middleware:NormalizingFilter.factory

 

[filter:stats_monitoring]

paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory

 

[filter:stats_reporting]

paste.filter_factory = keystone.contrib.stats:StatsExtension.factory

 

[app:public_service]

paste.app_factory = keystone.service:public_app_factory

 

[app:service_v3]

paste.app_factory = keystone.service:v3_app_factory

 

[app:admin_service]

paste.app_factory = keystone.service:admin_app_factory

 

[pipeline:public_api]

pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service

 

[pipeline:admin_api]

pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service

 

[pipeline:api_v3]

pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3

 

[app:public_version_service]

paste.app_factory = keystone.service:public_version_app_factory

 

[app:admin_version_service]

paste.app_factory = keystone.service:admin_version_app_factory

 

[pipeline:public_version_api]

pipeline = stats_monitoring url_normalize xml_body public_version_service

 

[pipeline:admin_version_api]

pipeline = stats_monitoring url_normalize xml_body admin_version_service

 

[composite:main]

use = egg:Paste#urlmap

/v2.0 = public_api

/v3 = api_v3

/ = public_version_api

 

[composite:admin]

use = egg:Paste#urlmap

/v2.0 = admin_api

/v3 = api_v3

/ = admin_version_api

2.6 查看Keystone帮助信息

  在终端执行keystone-all --help、keystone-manage --help、keystone --help命令,即可查看Keystone的帮助信息。

  执行keystone-all --help命令,查看Keystone服务端程序的帮助信息。

# keystone-all --help

usage: keystone-all [-h] [--version] [--debug] [--nodebug] [--verbose]

                    [--noverbose] [--use-syslog] [--nouse-syslog]

                    [--standard-threads] [--nostandard-threads]

                    [--pydev-debug-port PYDEV_DEBUG_PORT] [--config-file PATH]

                    [--log-config PATH] [--log-format FORMAT]

                    [--log-date-format DATE_FORMAT] [--log-file PATH]

                    [--log-dir LOG_DIR]

                    [--syslog-log-facility SYSLOG_LOG_FACILITY]

                    [--pydev-debug-host PYDEV_DEBUG_HOST] [--config-dir DIR]

 

optional arguments:

  -h, --help            show this help message and exit

  --version             show program's version number and exit

  --debug, -d           Print debugging output (set logging level to DEBUG

                        instead of default WARNING level).

  --nodebug             The inverse of --debug

  --verbose, -v         Print more verbose output (set logging level to INFO

                        instead of default WARNING level).

  --noverbose           The inverse of --verbose

  --use-syslog          Use syslog for logging.

  --nouse-syslog        The inverse of --use-syslog

  --standard-threads

  --nostandard-threads  The inverse of --standard-threads

  --pydev-debug-port PYDEV_DEBUG_PORT

  --config-file PATH    Path to a config file to use. Multiple config files

                        can be specified, with values in later files taking

                        precedence. The default files used are:

                        ['/etc/keystone/keystone.conf']

  --log-config PATH     If this option is specified, the logging configuration

                        file specified is used and overrides any other logging

                        options specified. Please see the Python logging

                        module documentation for details on logging

                        configuration files.

  --log-format FORMAT   A logging.Formatter log message format string which

                        may use any of the available logging.LogRecord

                        attributes.

  --log-date-format DATE_FORMAT

                        Format string for %(asctime)s in log records.

  --log-file PATH       Name of log file to output. If not set, logging will

                        go to stdout.

  --log-dir LOG_DIR     The directory in which to store log files. (will be

                        prepended to --log-file)

  --syslog-log-facility SYSLOG_LOG_FACILITY

                        syslog facility to receive log lines.

  --pydev-debug-host PYDEV_DEBUG_HOST

  --config-dir DIR      Path to a config directory to pull *.conf files from.

                        This file set is sorted, so as to provide a

                        predictable parse order if individual options are

                        over-ridden. The set is parsed after the file(s), if

                        any, specified via --config-file, hence over-ridden

                        options in the directory take precedence.

  执行keystone-manage --help命令,查看Keystone管理程序的帮助信息。

# keystone-manage --help

usage: keystone-manage [db_sync|export_legacy_catalog|import_legacy|import_nova_auth|pki_setup]

 

optional arguments:

  -h, --help            show this help message and exit

  --version             show program's version number and exit

  --debug, -d           Print debugging output (set logging level to DEBUG

                        instead of default WARNING level).

  --nodebug             The inverse of --debug

  --verbose, -v         Print more verbose output (set logging level to INFO

                        instead of default WARNING level).

  --noverbose           The inverse of --verbose

  --use-syslog          Use syslog for logging.

  --nouse-syslog        The inverse of --use-syslog

  --standard-threads

  --nostandard-threads  The inverse of --standard-threads

  --pydev-debug-port PYDEV_DEBUG_PORT

  --config-file PATH    Path to a config file to use. Multiple config files

                        can be specified, with values in later files taking

                        precedence. The default files used are:

                        ['/etc/keystone/keystone.conf']

  --log-config PATH     If this option is specified, the logging configuration

                        file specified is used and overrides any other logging

                        options specified. Please see the Python logging

                        module documentation for details on logging

                        configuration files.

  --log-format FORMAT   A logging.Formatter log message format string which

                        may use any of the available logging.LogRecord

                        attributes.

  --log-date-format DATE_FORMAT

                        Format string for %(asctime)s in log records.

  --log-file PATH       Name of log file to output. If not set, logging will

                        go to stdout.

  --log-dir LOG_DIR     The directory in which to store log files. (will be

                        prepended to --log-file)

  --syslog-log-facility SYSLOG_LOG_FACILITY

                        syslog facility to receive log lines.

  --pydev-debug-host PYDEV_DEBUG_HOST

  --config-dir DIR      Path to a config directory to pull *.conf files from.

                        This file set is sorted, so as to provide a

                        predictable parse order if individual options are

                        over-ridden. The set is parsed after the file(s), if

                        any, specified via --config-file, hence over-ridden

                        options in the directory take precedence.

 

Commands:

  {db_sync,export_legacy_catalog,import_legacy,import_nova_auth,pki_setup}

                        Available commands

    db_sync             Sync the database.

    export_legacy_catalog

                        Export the service catalog from a legacy database.

    import_legacy       Import a legacy database.

    import_nova_auth    Import a dump of nova auth data into keystone.

    pki_setup           Set up Key pairs and certificates for token signing

                        and verification.

  执行keystone --help命令,查看Keystone客户端程序的帮助信息。

# keystone --help

usage: keystone [--version] [--timeout <seconds>]

                [--os-username <auth-user-name>]

                [--os-password <auth-password>]

                [--os-tenant-name <auth-tenant-name>]

                [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]

                [--os-region-name <region-name>]

                [--os-identity-api-version <identity-api-version>]

                [--os-token <service-token>]

                [--os-endpoint <service-endpoint>]

                [--os-cacert <ca-certificate>] [--insecure]

                [--os-cert <certificate>] [--os-key <key>] [--os-cache]

                [--force-new-token] [--stale-duration <seconds>]

                <subcommand> ...

 

Command-line interface to the OpenStack Identity API.

 

Positional arguments:

  <subcommand>

    catalog

    ec2-credentials-create

                        Create EC2-compatible credentials for user per tenant

    ec2-credentials-delete

                        Delete EC2-compatible credentials

    ec2-credentials-get

                        Display EC2-compatible credentials

    ec2-credentials-list

                        List EC2-compatible credentials for a user

    endpoint-create     Create a new endpoint associated with a service

    endpoint-delete     Delete a service endpoint

    endpoint-get

    endpoint-list       List configured service endpoints

    password-update     Update own password

    role-create         Create new role

    role-delete         Delete role

    role-get            Display role details

    role-list           List all roles

    service-create      Add service to Service Catalog

    service-delete      Delete service from Service Catalog

    service-get         Display service from Service Catalog

    service-list        List all services in Service Catalog

    tenant-create       Create new tenant

    tenant-delete       Delete tenant

    tenant-get          Display tenant details

    tenant-list         List all tenants

    tenant-update       Update tenant name, description, enabled status

    token-get

    user-create         Create new user

    user-delete         Delete user

    user-get            Display user details.

    user-list           List users

    user-password-update

                        Update user password

    user-role-add       Add role to user

    user-role-list      List roles granted to a user

    user-role-remove    Remove role from user

    user-update         Update user's name, email, and enabled status

    discover            Discover Keystone servers, supported API versions and

                        extensions.

    bootstrap           Grants a new role to a new user on a new tenant, after

                        creating each.

    bash-completion     Prints all of the commands and options to stdout.

    help                Display help about this program or one of its

                        subcommands.

 

Optional arguments:

  --version             Shows the client version and exits

  --timeout <seconds>   Set request timeout (in seconds)

  --os-username <auth-user-name>

                        Name used for authentication with the OpenStack

                        Identity service. Defaults to env[OS_USERNAME]

  --os-password <auth-password>

                        Password used for authentication with the OpenStack

                        Identity service. Defaults to env[OS_PASSWORD]

  --os-tenant-name <auth-tenant-name>

                        Tenant to request authorization on. Defaults to

                        env[OS_TENANT_NAME]

  --os-tenant-id <tenant-id>

                        Tenant to request authorization on. Defaults to

                        env[OS_TENANT_ID]

  --os-auth-url <auth-url>

                        Specify the Identity endpoint to use for

                        authentication. Defaults to env[OS_AUTH_URL]

  --os-region-name <region-name>

                        Defaults to env[OS_REGION_NAME]

  --os-identity-api-version <identity-api-version>

                        Defaults to env[OS_IDENTITY_API_VERSION] or 2.0

  --os-token <service-token>

                        Specify an existing token to use instead of retrieving

                        one via authentication (e.g. with username &

                        password). Defaults to env[OS_SERVICE_TOKEN]

  --os-endpoint <service-endpoint>

                        Specify an endpoint to use instead of retrieving one

                        from the service catalog (via authentication).

                        Defaults to env[OS_SERVICE_ENDPOINT]

  --os-cacert <ca-certificate>

                        Specify a CA bundle file to use in verifying a TLS

                        (https) server certificate. Defaults to env[OS_CACERT]

  --insecure            Explicitly allow keystoneclient to perform "insecure"

                        TLS (https) requests. The server's certificate will

                        not be verified against any certificate authorities.

                        This option should be used with caution.

  --os-cert <certificate>

                        Defaults to env[OS_CERT]

  --os-key <key>        Defaults to env[OS_KEY]

  --os-cache            Use the auth token cache. Defaults to env[OS_CACHE]

  --force-new-token     If the keyring is available and in use, token will

                        always be stored and fetched from the keyring until

                        the token has expired. Use this option to request a

                        new token and replace the existing one in the keyring.

  --stale-duration <seconds>

                        Stale duration (in seconds) used to determine whether

                        a token has expired when retrieving it from keyring.

                        This is useful in mitigating process or network

                        delays. Default is 30 seconds.

 

See "keystone help COMMAND" for help on a specific command.

2.7 同步数据库并运行Keystone

  同步数据库schema,Keystone会自动连接数据库,完成Table创建等工作。

# keystone-manage db_sync

  然后,sqlite3数据库会创建文件~/keystone.db(视上文中的配置文件而定),我们可以查看数据库中的Table。首先使用sqlite3 ~/keystone.db命令打开数据库,然后使用.table命令查看所有Table,包括Tenant、User、Role、Service、Endpoint等。

# sqlite3 ~/keystone.db

SQLite version 3.7.7 2011-06-23 19:49:22

Enter ".help" for instructions

Enter SQL statements terminated with a ";"

sqlite> .table

credential              migrate_version         token                

domain                  policy                  user                 

ec2_credential          role                    user_domain_metadata 

endpoint                service                 user_tenant_membership

metadata                tenant               

sqlite>.exit

#

  至此,我们已经成功地完成了Keystone服务的安装与配置,完事具备,可以启动Keystone服务了。

# keystone-all

2.8 导入环境变量

  为了访问Keystone服务,客户端需要导入环境变量,当然也可以选择在执行访问Keystone的命令时加上相关参数。在本文档所描述的部署环境中,Keystone客户端与服务端处在同一台PC上。导入环境变量的方式有两种:

  1. 在终端使用export命令,这种方式使得该环境变量的有效范围仅限于本终端。

# export SERVICE_TOKEN=ADMIN

# export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0

      这里需要解释一下:

  • “SERVICE_ENDPOINT”是Keystone的Endpoint,即API入口。其中,“192.168.3.67”为安装Keystone服务的机器的IP,“35357”为Keystone提供的认证授权和系统管理服务监听的端口(通常为内网),用户需要访问该端口来进行管理员操作,如创建删除Tenant、User、Role、Service、Endpoint等,这在《配置Keystone》章节中已进行了说明。
  • “SERVICE_TOKEN”就是Keystone服务的Token,在《配置Keystone》章节中也已进行了说明。

  2. 修改~/.bashrc文件,在文件尾部添加如下内容。(该文件包含当前用户Bash Shell的环境变量信息)

export SERVICE_TOKEN=ADMIN

export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0

  然后执行如下命令,以使修改生效。一旦生效,终生有效哦亲!

# . ~/.bashrc

      针对上述环境变量作如下说明:

  • SERVICE_TOKEN变量表示访问Keystone服务时使用的Token,与配置文件keystone.conf中的信息相对应,默认为ADMIN。
  • SERVICE_ENDPOINT变量表示Keystone服务的接入口,其中IP地址表明Keystone服务的安装位置,35357为默认访问端口。

  于是,客户端就可以使用名为ADMIN的Token,通过给定的访问地址http://192.168.3.67:35357/v2.0来访问Keystone服务了。

3. 使用实例

3.1 初次查看Keystone中的信息

  首先,我们分别执行以下命令,通过访问Keystone服务来查看几个重要数据库Table的内容,包括Tenant、User、Role、Service和Endpoint。当然,结果必然是空的,因为我们还没有添加任何Tenant、User、Role、Service以及Endpoint,但结果已经证明Keystone已经在正常工作了。

# keystone tenant-list

 

 

# keystone user-list

 

 

# keystone role-list

 

 

# keystone service-list

 

 

# keystone endpoint-list

 

3.2 手动添加自定义的信息

  下面,我们将按照自己的要求来手动添加Tenant、User、Role、Service、Endpoint等信息。

  我们将创建名称为adminTenant的Tenant(租户)、名称为admin的User(用户)以及名称为adminRole的Role(角色),并将它们关联起来。最终的结果表现为:一个名叫admin的用户,其拥有名为adminRole的角色身份,并且能够使用名为adminTennant的租户。

  1. 创建Tenant,租户名为adminTenant,描述信息为Admin Tenant。请记住该命令生成的Tenant id,下面添加User时需要用到。

# keystone tenant-create --name adminTenant --description "Admin Tenant" --enabled true

+-------------+----------------------------------+

|   Property  |              Value               |

+-------------+----------------------------------+

| description |           Admin Tenant           |

|   enabled   |               True               |

|      id     | 4803098ff0b44f13bb33e7c9665e59d4 |

|     name    |           adminTenant            |

+-------------+----------------------------------+

   2. 创建User,用户名为admin,密码为openstack。请记住该命令生成的User id,下面的关联命令需要用到。

# keystone user-create --tenant_id 4803098ff0b44f13bb33e7c9665e59d4 --name admin --pass openstack --enabled true

+----------+----------------------------------+

| Property |              Value               |

+----------+----------------------------------+

|  email   |                                  |

| enabled  |               True               |

|    id    | c2c40638681041aca9625869c260ba51 |

|   name   |              admin               |

| tenantId | 4803098ff0b44f13bb33e7c9665e59d4 |

+----------+----------------------------------+

  3. 创建Role,角色名为adminRole。请记住该命令生成的Role id,下面的关联命令需要用到。

# keystone role-create --name adminRole

+----------+----------------------------------+

| Property |              Value               |

+----------+----------------------------------+

|    id    | 675c497fdf314e74a3f4bd6e1710d45d |

|   name   |            adminRole             |

+----------+----------------------------------+

 

  至此,我们已经创建了一个Ttenant,一个Uuser以及一个Rrole,它们的id分别是:

tenant_id:4803098ff0b44f13bb33e7c9665e59d4

user_id:c2c40638681041aca9625869c260ba51

role_id:675c497fdf314e74a3f4bd6e1710d45d

 

  4. 最后,我们要使用上述三个id,并通过下面的命令来将三者关联起来。

# keystone user-role-add --user-id c2c40638681041aca9625869c260ba51 --tenant-id 4803098ff0b44f13bb33e7c9665e59d4 --role-id 675c497fdf314e74a3f4bd6e1710d45d

  此时,让我们再使用list命令查看一下Tenant、User、Role、Service和Endpoint的信息。

# keystone tenant-list

+----------------------------------+-------------+---------+

|                id                |     name    | enabled |

+----------------------------------+-------------+---------+

| 4803098ff0b44f13bb33e7c9665e59d4 | adminTenant |   True  |

+----------------------------------+-------------+---------+

 

# keystone user-list

+----------------------------------+-------+---------+-------+

|                id                |  name | enabled | email |

+----------------------------------+-------+---------+-------+

| c2c40638681041aca9625869c260ba51 | admin |   True  |       |

+----------------------------------+-------+---------+-------+

 

# keystone role-list

+----------------------------------+-----------+

|                id                |    name   |

+----------------------------------+-----------+

| 675c497fdf314e74a3f4bd6e1710d45d | adminRole |

+----------------------------------+-----------+

 

# keystone service-list

 

 

# keystone endpoint-list

 

3.3 访问Keystone获取Token

  上面已经完成了Tenant、User和Role的创建,并将三者关联起来,于是我们就可以使用User的用户名和密码来访问Keystone,获取用于访问Tenant的Token了。我们将使用curl命令来访问Keyston以获取授权,该命令需要给定四个参数,即tenantName(租户名)、username(用户名)、password(用户密码)以及认证授权申请地址(http://192.168.3.67:35357/v2.0/tokens或http://192.168.3.67:5000/v2.0/tokens都可以)。此外,返回信息会以json格式展现。

  先尝试使用错误的密码进行访问,结果获取授权失败。返回信息中给出了相关错误提示信息。

# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "xxx"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   219  100   116  100   103   2547   2262 --:--:-- --:--:-- --:--:--  2577

{

    "error": {

        "code": 401,

        "message": "The request you have made requires authentication.",

        "title": "Not Authorized"

    }

}

  然后使用正确的密码访问(http://192.168.3.67:35357/v2.0/tokens),结果成功获取授权。返回信息中包含了我们所需的Token,同时也显示了与本次请求相关的Tenant、User以及Role的信息。我们可以看到,Token的id为55e9889a646e467693f2e11b58ccf78d,其授权通过的时间为2013-03-15T12:42:00.096694,其授权过期的时间为2013-03-16T12:42:00Z。

# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   618  100   509  100   109   8811   1886 --:--:-- --:--:-- --:--:--  8929

{

    "access": {

        "metadata": {

            "is_admin": 0,

            "roles": [

                "675c497fdf314e74a3f4bd6e1710d45d"

            ]

        },

        "serviceCatalog": [],

        "token": {

            "expires": "2013-03-16T12:42:00Z",

            "id": "55e9889a646e467693f2e11b58ccf78d",

            "issued_at": "2013-03-15T12:42:00.096694",

            "tenant": {

                "description": "Admin Tenant",

                "enabled": true,

                "id": "4803098ff0b44f13bb33e7c9665e59d4",

                "name": "adminTenant"

            }

        },

        "user": {

            "id": "c2c40638681041aca9625869c260ba51",

            "name": "admin",

            "roles": [

                {

                    "name": "adminRole"

                }

            ],

            "roles_links": [],

            "username": "admin"

        }

    }

}

  再试一下认证授权地址http://192.168.3.67:5000/v2.0/tokens,同样成功获取授权。

# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:5000/v2.0/tokens | python -mjson.tool

  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current

                                 Dload  Upload   Total   Spent    Left  Speed

100   618  100   509  100   109   9030   1933 --:--:-- --:--:-- --:--:--  9254

{

    "access": {

        "metadata": {

            "is_admin": 0,

            "roles": [

                "675c497fdf314e74a3f4bd6e1710d45d"

            ]

        },

        "serviceCatalog": [],

        "token": {

            "expires": "2013-04-05T07:36:56Z",

            "id": "bfe30305790c46e2a4b5bfc80060246b",

            "issued_at": "2013-04-04T07:36:56.283627",

            "tenant": {

                "description": "Admin Tenant",

                "enabled": true,

                "id": "4803098ff0b44f13bb33e7c9665e59d4",

                "name": "adminTenant"

            }

        },

        "user": {

            "id": "c2c40638681041aca9625869c260ba51",

            "name": "admin",

            "roles": [

                {

                    "name": "adminRole"

                }

            ],

            "roles_links": [],

            "username": "admin"

        }

    }

}

  上述使用实例阐述了Keystone的基本操作,并且表明Keystone正确地为我们提供了身份验证与授权服务。以后的文档将延续该主题,介绍Keystone与Swift的联合部署,我们将使用Keystone为Swift提供身份验证与授权服务。

4. 参考链接

4.1 官方链接

  • Installing Keystone

    http://docs.openstack.org/developer/keystone/installing.html

  • Setting up a Keystone development environment

    http://docs.openstack.org/developer/keystone/setup.html

  • Configuring Keystone

    http://docs.openstack.org/developer/keystone/configuration.html

  • keystone.conf

    http://docs.openstack.org/trunk/openstack-compute/install/yum/content/keystone-conf-file.html

  • Setting up tenants, users, and roles

    http://docs.openstack.org/trunk/openstack-compute/install/yum/content/setting-up-tenants-users-and-roles.html

  • OpenStack/Keystone - GitHub

    https://github.com/openstack/keystone

4.2 非官方链接

  • OpenStack Hands on lab 1: Keystone安装

    http://liangbo.me/index.php/2012/03/27/11/

  • OpenStack安装 - keystone

    http://articles.csdn.net/shangwuzhuanqu/OpenStackzhuanqu/jishufenxiangyemia/2012/0820/2808852.html

  • OpenStack Essex版安装 - keystone

    http://blog.csdn.net/nocturne1210/article/details/7877307

  • OpenStack Keystone的理解

    http://blog.csdn.net/xiangmin2587/article/details/8224042

  • OpenStack Identity(Keystone)身份服务体系结构与中间件

    http://blog.sina.com.cn/s/blog_6a9ae9e501014w3p.html

  • OpenStack Keystone install - border / keystone.conf

    https://gist.github.com/border/4070200

  • OpenStack云第三天

    http://www.linuxidc.com/Linux/2012-12/75424.htm

posted @ 2013-08-23 18:17  最初的幸福ever  阅读(14436)  评论(1编辑  收藏  举报