1. OpenStack 认证服务keystone简介及实现
官方文档:https://docs.openstack.org/install-guide/openstack-services.html
https://docs.openstack.org/keystone/train/install/
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone123';
Query OK, 0 rows affected (0.000 sec)
说明：'keystone'@'%' 允许从任意主机连接数据库，生产环境应收窄为控制节点的地址或网段；keystone123 只是示例密码，请替换为强密码，并与下面 keystone.conf 中 connection 里的密码保持一致。
yum install openstack-keystone httpd mod_wsgi
编辑/etc/keystone/keystone.conf
文件并完成以下操作
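[database]
# Keystone's SQL connection. User and password must match the GRANT run in
# MariaDB earlier (keystone / keystone123 -- replace the example password).
#
# Single-node form, pointing straight at the controller's IP (disabled):
# connection = mysql+pymysql://keystone:keystone123@192.168.64.110/keystone
#
# HA form: use a hostname that resolves to the VIP, so the address can move
# without editing this file.
# NOTE(review): keep comments on their own lines -- a trailing "# ..." after
# the value is liable to be read as part of the connection string.
connection = mysql+pymysql://keystone:keystone123@openstack-vip.test.com/keystone
# This line carries the DB password in clear text: keystone.conf must stay
# readable only by root and the keystone group (the `ll /etc/keystone/`
# listing further down shows root:keystone, -rw-r-----).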
这里临时使用 /etc/hosts 做名称解析（正式环境应使用 DNS），以下内容需要写入所有节点的 /etc/hosts：
# /etc/hosts -- identical on all nodes (temporary stand-in for DNS)
127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.64.110 openstack-1
192.168.64.111 openstack-2
192.168.64.112 openstack-3
# VIP name used in keystone.conf and in the endpoint URLs. Here it maps to
# openstack-1's own address. NOTE(review): with keepalived/haproxy the VIP is
# normally a floating address distinct from any single node -- confirm.
192.168.64.110 openstack-vip.test.com
测试访问
[root@openstack-1 yum.repos.d]# ping openstack-vip.test.com PING openstack-vip.test.com (192.168.64.110) 56(84) bytes of data. 64 bytes from openstack-1 (192.168.64.110): icmp_seq=1 ttl=64 time=0.019 ms 64 bytes from openstack-1 (192.168.64.110): icmp_seq=2 ttl=64 time=0.022 ms
[token]
# ...
# Token format. Fernet tokens are encrypted/signed with the keys created by
# `keystone-manage fernet_setup` (/etc/keystone/fernet-keys) in the next step.
# NOTE(review): in a multi-node deployment every keystone node needs the same
# key repository -- confirm how the keys are distributed between nodes.
provider = fernet
初始化数据库
# Populate the keystone database schema using the [database] connection
# configured above. Run as the keystone user (su -s /bin/sh) so that anything
# keystone-manage creates is not root-owned.
su -s /bin/sh -c "keystone-manage db_sync" keystone
验证
MariaDB [(none)]> use keystone
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [keystone]> show tables;
+------------------------------------+
| Tables_in_keystone                 |
+------------------------------------+
| access_rule                        |
| access_token                       |
| application_credential             |
| application_credential_access_rule |
| application_credential_role        |
| assignment                         |
| config_register                    |
+------------------------------------+
48 rows in set (0.000 sec)
（输出已截断，实际共 48 张表；只要 show tables 非空即说明 db_sync 成功。）
初始化 Fernet 密钥存储库
[root@openstack-1 yum.repos.d]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@openstack-1 yum.repos.d]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[root@openstack-1 yum.repos.d]# ll /etc/keystone/
total 124
drwx------ 2 keystone keystone     24 Jul 23 22:53 credential-keys
-rw-r----- 1 root     keystone   2303 Jun  7  2021 default_catalog.templates
drwx------ 2 keystone keystone     24 Jul 23 22:53 fernet-keys
-rw-r----- 1 root     keystone 106566 Jul 23 22:48 keystone.conf
-rw-r----- 1 root     keystone   1046 Jun  7  2021 logging.conf
-rw-r----- 1 root     keystone      3 Jun  8  2021 policy.json
-rw-r----- 1 keystone keystone    665 Jun  7  2021 sso_callback_template.html
注意：fernet-keys 和 credential-keys 两个目录保存签发/校验 token 以及加密凭据的密钥，权限必须保持 keystone:keystone、0700，并纳入备份；keystone.conf 含数据库明文密码，保持 root:keystone、0640。多节点部署时各节点需要使用同一套密钥库，密钥轮换用 keystone-manage fernet_rotate（分发方式请以官方文档为准）。
引导认证服务（keystone-manage bootstrap）
使用 haproxy 监听 VIP 的 5000 端口进行转发。注意下面 bootstrap 的三个端点 URL 都是 http://，密码和 token 会明文经过网络；除实验环境外应在 haproxy 上终止 TLS，并把端点改为 https://。
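# Bootstrap the Identity service: creates the "admin" user/project used by the
# CLI checks below and registers the v3 endpoints for RegionOne.
#
# Do NOT put "# ..." comments after the trailing "\": "\ # ..." ends the
# command on that line and the remaining --bootstrap-* lines are executed as
# separate (failing) commands. Comments go on their own lines, as here.
#
# --bootstrap-password: password of the admin user ("admin" throughout this
#   guide; change it). NOTE: as an argument it lands in shell history and is
#   visible in `ps`; keystone-manage also reads it from the
#   OS_BOOTSTRAP_PASSWORD environment variable, which avoids both.
# --bootstrap-admin-url / -internal-url / -public-url: management, internal
#   and public (client-facing) endpoints, all via the haproxy VIP on port 5000.
#   They are plain http://, so credentials and tokens cross the network
#   unencrypted -- terminate TLS on the VIP and use https:// outside a lab.
keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://openstack-vip.test.com:5000/v3/ \
  --bootstrap-internal-url http://openstack-vip.test.com:5000/v3/ \
  --bootstrap-public-url http://openstack-vip.test.com:5000/v3/ \
  --bootstrap-region-id RegionOne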
编辑/etc/httpd/conf/httpd.conf
文件并配置 ServerName
选项以引用控制器节点
# Apache's global ServerName: the controller node's own address on :80.
# The keystone API itself is served on port 5000 by the vhost defined in
# wsgi-keystone.conf (linked into conf.d below) -- see the curl checks.
ServerName 192.168.64.110:80
创建/usr/share/keystone/wsgi-keystone.conf
文件的链接
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
启动
# systemctl enable httpd.service
# systemctl start httpd.service
测试
[root@openstack-1 yum.repos.d]# curl 192.168.64.110:5000 {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://192.168.64.110:5000/v3/", "rel": "self"}]}]}}
[root@openstack-1 yum.repos.d]# curl openstack-vip.test.com:5000 {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://openstack-vip.test.com:5000/v3/", "rel": "self"}]}]}}
配置环境变量
cat admin.sh
#!/bin/bash
# admin.sh -- environment for the openstack CLI as the bootstrap admin user.
# Usage: source admin.sh   (only exports variables; nothing is executed)
#
# NOTE: OS_PASSWORD stores the admin password in clear text. Keep this file
# mode 600 and out of version control. If OS_PASSWORD is left unset the
# client prompts for the password interactively instead.
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
# Auth endpoint via the VIP name; plain http://, so password and token are
# sent unencrypted -- use https:// once TLS is terminated on the VIP.
export OS_AUTH_URL=http://openstack-vip.test.com:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@openstack-1 ~]# source admin.sh [root@openstack-1 ~]# echo $OS_USERNAME admin
创建域、项目、用户和角色
[root@openstack-1 ~]# openstack domain create --description "An Example Domain" example +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | An Example Domain | | enabled | True | | id | bc7f471f19fd494aa725f488b1ec1ad4 | | name | example | | options | {} | | tags | [] | +-------------+----------------------------------+ [root@openstack-1 ~]# openstack project create --domain default --description "Service Project" service +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Service Project | | domain_id | default | | enabled | True | | id | c2fe2481251b480bb6fec5ed82032d59 | | is_domain | False | | name | service | | options | {} | | parent_id | default | | tags | [] | +-------------+----------------------------------+ [root@openstack-1 ~]# openstack project create --domain default --description "Demo Project" myproject +-------------+----------------------------------+ | Field | Value | +-------------+----------------------------------+ | description | Demo Project | | domain_id | default | | enabled | True | | id | c80c4f4686d649be8e68d178a9710aff | | is_domain | False | | name | myproject | | options | {} | | parent_id | default | | tags | [] | +-------------+----------------------------------+ [root@openstack-1 ~]# openstack user create --domain default --password-prompt myuser User Password: myuser123456 Repeat User Password: +---------------------+----------------------------------+ | Field | Value | +---------------------+----------------------------------+ | domain_id | default | | enabled | True | | id | 7b97c105b094459b814304e129928eb9 | | name | myuser | | options | {} | | password_expires_at | None | +---------------------+----------------------------------+ [root@openstack-1 ~]# openstack role create myrole +-------------+----------------------------------+ | Field | Value | 
+-------------+----------------------------------+ | description | None | | domain_id | None | | id | 7d049d75e07d405b8352e01508878b1c | | name | myrole | | options | {} | +-------------+----------------------------------+ [root@openstack-1 ~]# openstack role add --project myproject --user myuser myrole
验证
[root@openstack-1 ~]# unset OS_AUTH_URL OS_PASSWORD
[root@openstack-1 ~]# echo $OS_USERNAME
admin
[root@openstack-1 ~]# echo $OS_PASSWORD

（原文此处误写为 OS_PASSWOED，打印为空并不能证明 unset 生效；改为 OS_PASSWORD 后同样输出空行。取消 OS_PASSWORD 之后，下面的 token issue 会交互式提示输入密码。）
[root@openstack-1 ~]# openstack --os-auth-url http://openstack-vip.test.com:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue Password: 密码是admin Password: +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2022-07-23T16:35:05+0000 | | id | gAAAAABi3BUpk3LKXb4xnDmn9C9wfenLFEOD4KeMisZrVg3hrZk-s1YTsw6YnUI150S_OQ_BqepLIMFfdnj1RZWxyCRtO0SsCnvYQcGcy_RTiwQHdv3IkZfEpmpbaC6p3GvX-i5ocrZxjgKyLMVioTlEbRMGUTro4Jk6VfDmz9yNBNH46BfH70Y | | project_id | 27ee021c3415461fa17eb0fb7eb0b85a | | user_id | 9851de7707b64aa297c73bc3bbc88179 | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
myuser 用户token
[root@openstack-1 ~]# openstack --os-auth-url http://openstack-vip.test.com:5000/v3 \ > --os-project-domain-name Default --os-user-domain-name Default \ > --os-project-name myproject --os-username myuser token issue Password: myuser123456 Password: +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2022-07-23T16:37:57+0000 | | id | gAAAAABi3BXVwClq-cjPP3I8iYEH7BUuqGXWDeW5DZVzkMwkCWlFzqzUyyv0A7NEOhjWyhKCIr8ic9e2lZiyWNAYDOgU0hro0-DvtJFyem3m1Jc2J_Q0Df0RoJmfspEHHFIb7YDuwwY6Qdo8oFu1S8EYCRte7yjCGnljF2py-Q5LBr0fDt4qM5A | | project_id | c80c4f4686d649be8e68d178a9710aff | | user_id | 7b97c105b094459b814304e129928eb9 | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
查看项目
[root@openstack-1 ~]# source admin.sh [root@openstack-1 ~]# openstack project list +----------------------------------+-----------+ | ID | Name | +----------------------------------+-----------+ | 27ee021c3415461fa17eb0fb7eb0b85a | admin | | c2fe2481251b480bb6fec5ed82032d59 | service | | c80c4f4686d649be8e68d178a9710aff | myproject | +----------------------------------+-----------+
创建客户端环境脚本
[root@openstack-1 ~]# cat admin.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://openstack-vip.test.com:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
注意：admin.sh 以明文保存 admin 密码，文件权限应设为 600，且不要提交到版本库；也可以不设置 OS_PASSWORD，openstack 客户端会像上面 unset 后的验证那样交互式提示输入密码。
验证
[root@openstack-1 ~]# source admin.sh [root@openstack-1 ~]# openstack token issue +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2022-07-23T16:45:20+0000 | | id | gAAAAABi3BeQZ3Ed8pac4cDz4sawzOEPgYLDau9hCZUaGKTcH882mm2kOK4LbIjzBKMOjxxDDAHeZgu4TsVGJ8czsR1Prc0YHRi4aCDG74zigQ3B3Q8ya0hwaTFRANBZyGDhSC6CnZlkdcNaqty4IXA4DtLCavsSXd5ti5a9Qk6D-sKfDm2PLsU | | project_id | 27ee021c3415461fa17eb0fb7eb0b85a | | user_id | 9851de7707b64aa297c73bc3bbc88179 | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
myuser
[root@openstack-1 ~]# cat myuser.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser123456
export OS_AUTH_URL=http://openstack-vip.test.com:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
（同样以明文保存密码，文件权限设为 600；myuser123456 为示例密码，请自行替换。）
验证
[root@openstack-1 ~]# source myuser.sh
[root@openstack-1 ~]# openstack token issue +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | Field | Value | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+ | expires | 2022-07-23T16:47:04+0000 | | id | gAAAAABi3Bf4KI_13iHTZr0v6PNQT1Bt8BjBZxdyOEMhYssLSmU1J0fYm9XzxzQW5Ls5YD5Xyom90Rz_SYWLF-E5tn7oyrFFoZJS5lfnE_a094bwDsxJh9Ey_LKnuFD0zwwiLFj0aTQC3aUvV4RE23X6lXyoSu_viXJRSw2p269uEucGzV9s8iU | | project_id | c80c4f4686d649be8e68d178a9710aff | | user_id | 7b97c105b094459b814304e129928eb9 | +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
越学越感到自己的无知