Keystone Service in Detail

I. Keystone Service Overview

In the OpenStack framework, Keystone (the OpenStack Identity Service) is responsible for authenticating identities, checking service rules and issuing service tokens; it implements the OpenStack Identity API. Keystone can be broken down into two functions: permission management and the service catalog.

https://www.cnblogs.com/mh20131118/p/12942346.html

https://www.cnblogs.com/linuxk/p/9282996.html

II. Keystone Operations

1. A Keystone operations example

# Load the environment
source /etc/keystone/admin-openrc.sh
# Create the user hqs
openstack user create --password ps1234 --email hqs@example.com --domain demo hqs
# Create the project acme
openstack project create --domain demo acme
# Create a role
openstack role create compute-user
# Bind the user to the project with the role
# A newly added user needs permissions, so the user is associated with the corresponding project and role
openstack role add --user hqs --project acme compute-user

# List users
[root@controller ~]# openstack user list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 0f217182b5af448c988f5464c706a337 | admin   |
| 1579d0526c8b4cf0ba1158960054fde0 | neutron |
| 408d6f8e000847a3a9a0f799a1ea2ef6 | hqs     |
| 560d1dca91184856822e3750ea2f4afb | nova    |
| 5ca7355fbe4f4b87b352a72f9c4b4a66 | cinder  |
| 93443c8fc497495e8bb9033a1a52fc1d | demo    |
| d5bcfce4e83d4ef696bcd87599399429 | swift   |
| e255b170101c41d3b839dbb013daef02 | glance  |
+----------------------------------+---------+
# Show details of the user hqs
[root@controller ~]# openstack user show hqs
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 90f55d85d1824e2ca27318eefc57535e |
| email     | hqs@example.com                  |
| enabled   | True                             |
| id        | 408d6f8e000847a3a9a0f799a1ea2ef6 |
| name      | hqs                              |
+-----------+----------------------------------+
# List all projects on the current OpenStack platform
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 015510f69fd74453a700a529b7bee827 | demo    |
| 168c9d9e5cf448c2a3dab6335590566a | service |
| 386dbfcf77e444c7872e4e23d5829fcc | admin   |
| b66f515463e54b229b1d61d9313717ff | acme    |
+----------------------------------+---------+
# Show details of the project acme
[root@controller ~]# openstack project show acme
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | 90f55d85d1824e2ca27318eefc57535e |
| enabled     | True                             |
| id          | b66f515463e54b229b1d61d9313717ff |
| is_domain   | False                            |
| name        | acme                             |
| parent_id   | 90f55d85d1824e2ca27318eefc57535e |
+-------------+----------------------------------+
# List all Keystone roles
[root@controller ~]# openstack role list
+----------------------------------+--------------+
| ID                               | Name         |
+----------------------------------+--------------+
| 0190945cf6a84b60bb2f4631f85c30fa | compute-user |
| 4c438257d4a24e4aa4d4fcbeff248bce | user         |
| d8ac2f3e57664b7abee701d82c9bbf16 | admin        |
+----------------------------------+--------------+
# Show details of the role compute-user
[root@controller ~]# openstack role show compute-user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 0190945cf6a84b60bb2f4631f85c30fa |
| name      | compute-user                     |
+-----------+----------------------------------+
# List the endpoint addresses used by all services on the platform
[root@controller ~]# openstack endpoint list
+------------+-----------+--------------+--------------+---------+-----------+---------------+
| ID         | Region    | Service Name | Service Type | Enabled | Interface | URL           |
+------------+-----------+--------------+--------------+---------+-----------+---------------+
| 14f90cb0cb | RegionOne | nova         | compute      | True    | internal  | http://contro |
... (output truncated)

2. Domain management

Domain: manages multi-tenancy.

openstack
  domain create  Create new domain           # Create a domain
  domain delete  Delete domain(s)            # Delete a domain
  domain list    List domains                # List domains
  domain set     Set domain properties       # Update a domain
  domain show    Display domain details      # Show domain details

# Create a domain
[root@controller ~]# openstack domain create --description "hqs Domain" hqs
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | hqs Domain                       |
| enabled     | True                             |
| id          | 6b44bea170004507960b643cf686ee9b |
| name        | hqs                              |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

# List domains
[root@controller ~]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID                               | Name    | Enabled | Description        |
+----------------------------------+---------+---------+--------------------+
| 6b44bea170004507960b643cf686ee9b | hqs     | True    | hqs Domain         |
| default                          | Default | True    | The default domain |
+----------------------------------+---------+---------+--------------------+

# Update a domain
# Syntax:
openstack domain set [--options] <domain-name>
  --name <name>         New domain name            # New name
  --description <description>                      # New description
                        New domain description
  --enable              Enable domain              # Enable the domain
  --disable             Disable domain             # Disable the domain
[root@controller ~]# openstack domain set --description "test test test" --name hqs-domain  hqs

# Show domain details
[root@controller ~]# openstack domain show hqs-domain
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | test test test                   |
| enabled     | True                             |
| id          | 6b44bea170004507960b643cf686ee9b |
| name        | hqs-domain                       |
| options     | {}                               |
| tags        | []                               |
+-------------+----------------------------------+

# Delete the domain (only a disabled domain can be deleted)
[root@controller ~]# openstack domain set --disable  hqs-domain
[root@controller ~]# openstack domain delete hqs-domain

3. Project (tenant) management

Project (tenant): the set of resources that a person or service can access. A Project (Tenant) can contain multiple Users, and each User uses the resources in the Project (Tenant) according to the permissions assigned to it.

# Syntax
openstack
  project create  Create new project                # Create a project
  project delete  Delete project(s)                 # Delete a project
  project list   List projects                      # List projects
  project purge  Clean resources associated with a project      # Clean up the resources associated with a project
  project set    Set project properties             # Update project properties
  project show   Display project details            # Show project details

# Create a project named acme
[root@controller ~]# openstack project create --domain default acme
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description |                                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 2c5bd1d63cee43b7a8d4308392527320 |
| is_domain   | False                            |
| name        | acme                             |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

# List projects
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 2c5bd1d63cee43b7a8d4308392527320 | acme    |
| 4188570a34464b938ed3fa7e08681df8 | admin   |
| e3a549077f354998aa1a75677cfde62e | project |
+----------------------------------+---------+

# Update project properties
[root@controller ~]# openstack project set --description "best of all" acme

# Show project details
[root@controller ~]# openstack project show acme
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | best of all                      |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 2c5bd1d63cee43b7a8d4308392527320 |
| is_domain   | False                            |
| name        | acme                             |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

# Delete the project
[root@controller ~]# openstack project delete acme

4. User management

User: an entity that accesses OpenStack. Anything that uses OpenStack can be a user: a person, a system or a service.
Users hold credentials and may be assigned to one or more tenants. After authentication, the user is issued a token specific to each individual tenant.

# Syntax
openstack
  user create    Create new user           # Create a new user
  user delete    Delete user(s)            # Delete a user
  user list      List users                # List users
  user password set  Change current user password    # Change the user's password
  user set       Set user properties       # Update user properties
  user show      Display user details      # Show user details

# Create a new user
openstack user create [--options] <name>
  --domain <domain>     Default domain (name or ID)        # Domain the user belongs to
  --project <project>   Default project (name or ID)       # Project the user belongs to
  --project-domain <project-domain>
                        Domain the project belongs to (name or ID). This can
                        be used in case collisions between project names
                        exist.
  --password <password> Set user password          # Set the user's password
  --password-prompt     Prompt interactively for password    # Prompt for the password interactively
  --email <email-address>         # Set the user's email address
                        Set user email address
  --description <description>     # User description
                        User description
  --enable              Enable user (default)    # Enable the user
  --disable             Disable user             # Disable the user
[root@controller ~]# openstack user create --password my123  --email alice@qq.com  --domain Default alice
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| email               | alice@qq.com                     |
| enabled             | True                             |
| id                  | 4ab2796d0ed448b8b3fc0d1090e0da21 |
| name                | alice                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

# List users
[root@controller ~]# openstack user list
+----------------------------------+-----------+
| ID                               | Name      |
+----------------------------------+-----------+
| f4f16d960e0643d7b5a35db152c87dae | admin     |
| 81238b556a444c8f80cb3d7dc72a24d3 | glance    |
| e0d6a46f9b1744d8a7ab0332ab45d59c | placement |
| 2f5041ed122d4a50890c34ea02881b47 | nova      |
| 67bd1f9c48174e3e96bb41e0f76687ca | neutron   |
| b9a2bdfcbf3b445ab0db44c9e35af678 | cinder    |
| 4ab2796d0ed448b8b3fc0d1090e0da21 | alice     |
+----------------------------------+-----------+

# Update user properties
[root@controller ~]# openstack user set --description "good gay" --disable alice

# Show user details
[root@controller ~]# openstack user show alice
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| description         | good gay                         |
| domain_id           | default                          |
| email               | alice@qq.com                     |
| enabled             | False                            |
| id                  | 4ab2796d0ed448b8b3fc0d1090e0da21 |
| name                | alice                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

# Delete the user
[root@controller ~]# openstack user delete alice

5. Role management

Role: used to partition permissions, that is, to manage which resources a user may access. Assigning a Role to a User gives the User the operations that Role permits.
The Token that Keystone returns to the User contains the list of Roles; the Service being accessed checks the User and the Roles carried in the Token the User presents.

# Syntax
openstack
  role add       Adds a role assignment to a user or group on the system, a domain, or a project                                        # Grant a role
  role assignment list  List role assignments    # List role assignments
  role create    Create new role                 # Create a role
  role delete    Delete role(s)                  # Delete a role
  role list      List roles                      # List roles
  role remove    Removes a role assignment from system/domain/project : user/group  # Remove a role assignment
  role set       Set role properties             # Modify role properties
  role show      Display role details            # Show role details

# First prepare the user and the project
[root@controller ~]# openstack user create --password my123  --email alice@qq.com  --domain Default alice
[root@controller ~]# openstack project create --domain default acme

# Create a role
[root@controller ~]# openstack role create compute-user
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | f589e27a13a04266ab8026f7856e4c1b |
| name        | compute-user                     |
| options     | {}                               |
+-------------+----------------------------------+

# Grant: bind the user to the project with the role
[root@controller ~]# openstack role add --user alice --project acme compute-user

# List roles
[root@controller ~]# openstack role list
+----------------------------------+--------------+
| ID                               | Name         |
+----------------------------------+--------------+
| 47670bbd6cc1472ab42db560637c7ebe | reader       |
| 5eee0910aeb844a1b82f48100da7adc9 | admin        |
| 700ec993d3cf456fa591c03e72f37856 | user         |
| bc2c8147bbd643629a020a6bd9591eca | member       |
| f589e27a13a04266ab8026f7856e4c1b | compute-user |
+----------------------------------+--------------+

# List role assignments
[root@controller ~]# openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| f589e27a13a04266ab8026f7856e4c1b | 1358f0164e244d00845330583322b6cd |       | 260ff6919a8e48b5980ef7df4b8e0885 |        |        | False     |
| 5eee0910aeb844a1b82f48100da7adc9 | 2f5041ed122d4a50890c34ea02881b47 |       | e3a549077f354998aa1a75677cfde62e |        |        | False     |
... (output truncated)

# Modify a role
openstack role set [--domain <domain>] [--name <name>] <role>
  --domain <domain>  Domain the role belongs to (name or ID)    # Change the domain
  --name <name>      Set role name      # Rename the role
[root@controller ~]# openstack role set --name pc-user compute-user

# Delete the role
[root@controller ~]# openstack role delete pc-user
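The `role assignment list` output above shows only IDs, which makes a permissions review hard to read. The following script is an added example (not from the original post): it joins that output with the role, user and project lists and pulls out the admin grants. The four tables inside it are constructed sample output in the CLI's table format, not a real deployment.

```shell
#!/bin/sh
# Added example, not from the original post: join the ID-only output of
# "openstack role assignment list" with the role, user and project lists so
# a reviewer can read who holds which role on which project, then pull out
# the admin grants. All four tables are constructed sample output in the
# CLI's table format; the IDs do not refer to any real deployment.
ROLE_LIST='+----------------------------------+--------------+
| ID                               | Name         |
+----------------------------------+--------------+
| 5eee0910aeb844a1b82f48100da7adc9 | admin        |
| f589e27a13a04266ab8026f7856e4c1b | compute-user |
+----------------------------------+--------------+'
USER_LIST='+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| f4f16d960e0643d7b5a35db152c87dae | admin |
| 2f5041ed122d4a50890c34ea02881b47 | nova  |
| 4ab2796d0ed448b8b3fc0d1090e0da21 | alice |
+----------------------------------+-------+'
PROJECT_LIST='+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 2c5bd1d63cee43b7a8d4308392527320 | acme    |
| 4188570a34464b938ed3fa7e08681df8 | admin   |
| e3a549077f354998aa1a75677cfde62e | service |
+----------------------------------+---------+'
ASSIGNMENTS='+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role                             | User                             | Group | Project                          | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| f589e27a13a04266ab8026f7856e4c1b | 4ab2796d0ed448b8b3fc0d1090e0da21 |       | 2c5bd1d63cee43b7a8d4308392527320 |        |        | False     |
| 5eee0910aeb844a1b82f48100da7adc9 | 2f5041ed122d4a50890c34ea02881b47 |       | e3a549077f354998aa1a75677cfde62e |        |        | False     |
| 5eee0910aeb844a1b82f48100da7adc9 | f4f16d960e0643d7b5a35db152c87dae |       | 4188570a34464b938ed3fa7e08681df8 |        |        | False     |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+'

# Print "<id> <name>" pairs from a two-column table (rows 1-3 are border/header).
table_pairs() {
  printf '%s\n' "$1" |
    awk -F'|' 'NR>3 && NF>=4 { gsub(/ /,"",$2); gsub(/ /,"",$3); print $2, $3 }'
}

# Map an ID to its name using an "<id> <name>" list; unknown IDs are kept as-is.
name_of() {
  name=$(printf '%s\n' "$2" | awk -v id="$1" '$1 == id { print $2; exit }')
  printf '%s\n' "${name:-$1}"
}

# One readable line per assignment: "<role> <user> <project>". The Group,
# Domain and System columns are skipped here; a full audit would join them too.
resolve_assignments() {
  roles=$(table_pairs "$ROLE_LIST")
  users=$(table_pairs "$USER_LIST")
  projects=$(table_pairs "$PROJECT_LIST")
  printf '%s\n' "$ASSIGNMENTS" |
    awk -F'|' 'NR>3 && NF>=9 { gsub(/ /,"",$2); gsub(/ /,"",$3); gsub(/ /,"",$5);
                              print $2, $3, $5 }' |
    while read -r role user project; do
      printf '%s %s %s\n' "$(name_of "$role" "$roles")" \
        "$(name_of "$user" "$users")" "$(name_of "$project" "$projects")"
    done
}

# Admin grants are what a reviewer checks first: each should belong to a
# service account or a known operator, never to an ordinary tenant user.
admin_grants() {
  resolve_assignments | awk '$1 == "admin"'
}
resolve_assignments
admin_grants
```

Against a live cloud, the four variables would be filled from the corresponding `openstack ... list` commands shown in this post.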

6. Service management

Service: a component service running in OpenStack. Users access resources and perform operations through its Endpoints.

# Syntax
openstack
  service create  Create new service        # Create a service
  service delete  Delete service(s)         # Delete a service
  service list   List services              # List services
  service set    Set service properties     # Modify a service
  service show   Display service details    # Show service details

# Create a service named test with type test
[root@controller ~]# openstack service create --name test test
+---------+----------------------------------+
| Field   | Value                            |
+---------+----------------------------------+
| enabled | True                             |
| id      | 94e2e3193373420e90ef73365ba8d137 |
| name    | test                             |
| type    | test                             |
+---------+----------------------------------+

# List services
[root@controller ~]# openstack service list
+----------------------------------+-----------+-----------+
| ID                               | Name      | Type      |
+----------------------------------+-----------+-----------+
| 324a07034ea4453692570e3edf73cf2c | glance    | image     |
| 459c365a11c74e5894b718b5406022a8 | neutron   | network   |
| 5d25b4ed1443497599707e043866eaae | keystone  | identity  |
| 90dc0dcf9879493d98144b481ea0df2b | cinderv3  | volumev3  |
| 94e2e3193373420e90ef73365ba8d137 | test      | test      |
| da038496edf04ce29d7d3d6b8e647755 | placement | placement |
| e7cccf0a4d2549139801ac51bb8546db | nova      | compute   |
+----------------------------------+-----------+-----------+

# Modify a service
openstack service set [--options] <service>
  --type <type>         New service type (compute, image, identity, volume,
                        etc)    # New service type
  --name <service-name> New service name    # New service name
  --description <description>  New service description   # New service description
  --enable              Enable service      # Enable the service
  --disable             Disable service     # Disable the service
[root@controller ~]# openstack service set --name docker --type k8s test

# Show service details
[root@controller ~]# openstack service show docker
+---------+----------------------------------+
| Field   | Value                            |
+---------+----------------------------------+
| enabled | True                             |
| id      | 94e2e3193373420e90ef73365ba8d137 |
| name    | docker                           |
| type    | k8s                              |
+---------+----------------------------------+

# Delete the service
[root@controller ~]# openstack service delete docker

7. Endpoint (access address) management

Endpoint: the network address a Service exposes; it is how an OpenStack service is reached and located over the network, and is usually a URL. Endpoints come in three kinds:

  1. admin url: used by administrator users, port 35357
  2. internal url: used for communication between OpenStack's internal components (internal access), port 5000
  3. public url: used by other users (global access), port 5000

# Syntax
openstack 
  endpoint create  Create new endpoint                  # Create an endpoint
  endpoint delete  Delete endpoint(s)                   # Delete an endpoint
  endpoint list  List endpoints                         # List endpoints
  endpoint set   Set endpoint properties                # Modify an endpoint
  endpoint show  Display endpoint details               # Show endpoint details

  endpoint group add project  Add a project to an endpoint group  # Add a project to an endpoint group
  endpoint group create  Create new endpoint group                # Create an endpoint group
  endpoint group delete  Delete endpoint group(s)                 # Delete an endpoint group
  endpoint group list  List endpoint groups                       # List endpoint groups
  endpoint group remove project  Remove project from endpoint group   # Remove a project from an endpoint group
  endpoint group set  Set endpoint group properties               # Modify an endpoint group
  endpoint group show  Display endpoint group details             # Show endpoint group details
  endpoint add project  Associate a project to an endpoint        # Associate a project with an endpoint
  endpoint remove project  Dissociate a project from an endpoint  # Dissociate a project from an endpoint

# Create an endpoint
openstack endpoint create [--region <region-id>]      # Region ID of the new endpoint
                          [--enable | --disable]      # Enable/disable
                          <service> <interface> <url>    # Service, interface type, URL
# Example:
[root@controller ~]# openstack endpoint create --region RegionOne glance public http://controller:9292
[root@controller ~]# openstack endpoint create --region RegionOne glance internal http://controller:9292
[root@controller ~]# openstack endpoint create --region RegionOne glance internal http://controller:9292/test
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1524c4a185a548a890aaa5699f0aa979 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 324a07034ea4453692570e3edf73cf2c |
| service_name | glance                           |
| service_type | image                            |
| url          | http://controller:9292/test      |
+--------------+----------------------------------+

# Delete the endpoint
[root@controller ~]# openstack endpoint delete 1524c4a185a548a890aaa5699f0aa979

# List endpoints
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                      |
+----------------------------------+-----------+--------------+--------------+---------+-----------+------------------------------------------+
| 0d31919afb564c8aa52ec5eddf474a55 | RegionOne | keystone     | identity     | True    | admin     | http://controller:5000/v3                |
| 1d59d497c89c4fa9b8789d685fab9fe5 | RegionOne | neutron      | network      | True    | public    | http://controller:9696
... (output truncated)

# Show endpoint details
[root@controller ~]# openstack endpoint show 702df46845be40fb9e75fb988314ee90
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 702df46845be40fb9e75fb988314ee90 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 5d25b4ed1443497599707e043866eaae |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
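The session above registers a second glance internal endpoint (the `/test` URL) and then deletes it by ID. The script below is an added example (not from the original post) that audits `openstack endpoint list` output for exactly that kind of duplicate, and for endpoints still served over plain http. The table inside it is constructed sample output; the ID beginning with a1b2 is made up for the example.

```shell
#!/bin/sh
# Added example, not from the original post: audit "openstack endpoint list"
# output for two problems. The first is a second endpoint registered for the
# same (region, service, interface), as happens above when a duplicate glance
# internal endpoint is created before being deleted; the second is an
# endpoint still served over plain http. The table below is constructed
# sample output; the ID starting with a1b2 is made up for the example.
ENDPOINT_LIST='+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                         |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+
| 0d31919afb564c8aa52ec5eddf474a55 | RegionOne | keystone     | identity     | True    | admin     | https://controller:5000/v3  |
| 702df46845be40fb9e75fb988314ee90 | RegionOne | keystone     | identity     | True    | public    | https://controller:5000/v3  |
| 1d59d497c89c4fa9b8789d685fab9fe5 | RegionOne | neutron      | network      | True    | public    | http://controller:9696      |
| a1b2c3d4e5f60718293a4b5c6d7e8f90 | RegionOne | glance       | image        | True    | internal  | http://controller:9292      |
| 1524c4a185a548a890aaa5699f0aa979 | RegionOne | glance       | image        | True    | internal  | http://controller:9292/test |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-----------------------------+'

# Flatten the table to "<id> <region> <service> <interface> <url>" records.
endpoint_records() {
  printf '%s\n' "$ENDPOINT_LIST" |
    awk -F'|' 'NR>3 && NF>=9 { for (i = 2; i <= 8; i++) gsub(/ /, "", $i)
                              print $2, $3, $4, $7, $8 }'
}

# Report (region, service, interface) triples with more than one endpoint.
# Clients get both from the catalog and may follow either, so the extra one
# should be removed with "openstack endpoint delete <id>" as the post does.
duplicate_endpoints() {
  endpoint_records |
    awk '{ key = $2 " " $3 " " $4; n[key]++; ids[key] = ids[key] " " $1 }
         END { for (k in n) if (n[k] > 1) print "DUPLICATE " k ":" ids[k] }' | sort
}

# Report endpoints whose URL is not https. Every API call carries the token
# in the X-Auth-Token header, so a plain-http endpoint exposes it in transit.
plain_http_endpoints() {
  endpoint_records | awk '$5 !~ /^https:/ { print "PLAIN-HTTP " $3 " " $4 " " $5 }'
}

duplicate_endpoints
plain_http_endpoints
```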
posted @ 2021-11-05 15:59 by 休耕