OpenStack搭建之认证服务KeyStone(二)
文章
林里克斯
在Linux下搭建OpenStack之认证服务KeyStone
一、实验平台:CentOS Linux release 7.3.1611 (Core)
二、openstack版本:Mitake
三、本机所有IP:
内网(OpenStack通信):192.168.1.2 192.168.1.3
外网(与宿主机通信):192.168.2.4 192.168.2.5
四、openstack1:192.168.1.2 #控制节点 1 处理器, 4 GB 内存, 及20 GB 存储
五、openstack2:192.168.1.3 #计算节点 1 处理器, 2 GB 内存, 及20 GB 存储
一、配置身份认证服务环境
在配置OpenStack身份认证服务前,你必须创建一个数据库和管理员令牌。
创建keystone数据库
$ mysql -u root -predhat
CREATE DATABASE keystone; #创建库
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone'; #授权
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone'; #授权生成一个随机值在初始的配置中作为管理员的令牌。
$ openssl rand -hex 10
212066c6242457e19bfb安装包:
$ yum -y install openstack-keystone httpd mod_wsgi编辑文件/etc/keystone/keystone.conf
$ vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 212066c6242457e19bfb #填写前面步骤生成的随机数
[database]
connection = mysql+pymysql://keystone:keystone@192.168.1.2/keystone #配置数据库访问
[token]
provider = fernet #配置Fernet UUID令牌的提供者初始化身份认证服务的数据库:
$ su -s /bin/sh -c "keystone-manage db_sync" keystone
#自动找到keystone配置文件里的mysql连接,来帮我们创建数据库中的表检查表是否创建成功
$ mysql -h 192.168.1.2 -ukeystone -pkeystone -e "use keystone;show tables;"
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| local_user |
| mapping |
| migrate_version |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+
#如果此命令输出为空,那么我们就应该排查/var/log/keystone.log
开启debug日志如下:
$ vim /etc/keystone/keystone.conf
#debug = true
将false修改为true将开启,修改后要重启服务才生效初始化Fernet keys:
$ keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
$ keystone-manage credential_setup --keystone-user keystone --keystone-group keystone二、配置 Apache HTTP 服务器
编辑/etc/httpd/conf/httpd.conf 文件,配置ServerName选项为控制节点
$ vim /etc/httpd/conf/httpd.conf
ServerName 192.168.1.2:80创建文件 /etc/httpd/conf.d/wsgi-keystone.conf
$ vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>递归更改/etc/keystone目录的所有权
$ chown -R keystone:keystone /etc/keystone/启动 Apache HTTP 服务并配置其随系统启动:
$ systemctl enable httpd.service
$ systemctl start httpd.service三、创建服务实体和API端点
如果想连接到keystone上,需要有3个环境变量
1.设置admin_token环境变量
export OS_TOKEN=212066c6242457e19bfb
admin_token后面的值是我们在keystone.conf里面写的
2.设置连接到keystone的地址(配置端点URL)
export OS_URL=http://192.168.1.2:35357/v3
设置keystone的admin(35357)端口 v3是用第三个版本
3.配置认证API版本
export OS_IDENTITY_API_VERSION=3我们可以将他写入文件中:
$ vim keystone-openstack.sh
export OS_TOKEN=212066c6242457e19bfb
export OS_URL=http://192.168.1.2:35357/v3
export OS_IDENTITY_API_VERSION=3在你的Openstack环境中,认证服务管理服务目录。服务使用这个目录来决定您的环境中可用的服务.
创建服务实体和身份认证服务:
$ . keystone-openstack.sh #设置环境变量
$ openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 83b23919566646c3bc1007abe911904a |
| name | keystone |
| type | identity |
+-------------+----------------------------------+创建认证服务的 API 端点:
$ openstack endpoint create --region RegionOne identity public http://192.168.1.2:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | ba8144029a4c42b1a102fad01e21d9a8 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 83b23919566646c3bc1007abe911904a |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.2:5000/v3 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne identity internal http://192.168.1.2:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 1809ad0a2f794b18bc60ee8d117a9f95 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 83b23919566646c3bc1007abe911904a |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.2:5000/v3 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne identity admin http://192.168.1.2:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 809285bcb12a4470a038c5b3e284854d |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 83b23919566646c3bc1007abe911904a |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.2:35357/v3 |
+--------------+----------------------------------+
身份认证服务为每个OpenStack服务提供认证服务。认证服务使用 domains, projects (tenants),users<user>和 roles<role>的组合。 创建域、项目、用户和角色 创建域default
$ openstack domain create --description "Default Domain" Default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 563963f57f154b628814c4e1bc9d2169 |
| name | Default |
+-------------+----------------------------------+在环境中,为进行管理操作,创建管理的项目、用户和角色: 创建 admin 项目
$ openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 563963f57f154b628814c4e1bc9d2169 |
| enabled | True |
| id | db84902f7b1a4553a97684f210395abe |
| is_domain | False |
| name | admin |
| parent_id | 563963f57f154b628814c4e1bc9d2169 |
+-------------+----------------------------------+
#命令格式为openstack project --domain 域 --description "描述" 项目名创建 admin 用户:
$ openstack user create --domain default --password-prompt admin
User Password: #这里我设置为admin密码
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 563963f57f154b628814c4e1bc9d2169 |
| enabled | True |
| id | 9683b183b9da4e2b95e1d307c8a6a9df |
| name | admin |
+-----------+----------------------------------+创建 admin 角色:
$ openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | fa72404914694d90b0b671b568f3b5cd |
| name | admin |
+-----------+----------------------------------+添加admin 角色到 admin 项目和用户上:
$ openstack role add --project admin --user admin admin创建service项目:
$ openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 563963f57f154b628814c4e1bc9d2169 |
| enabled | True |
| id | 55266bc56f3c43168bd48b8421d0ea96 |
| is_domain | False |
| name | service |
| parent_id | 563963f57f154b628814c4e1bc9d2169 |
+-------------+----------------------------------+常规(非管理)任务应该使用无特权的项目和用户。作为例子,本指南创建 demo 项目和用户。
$ openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 563963f57f154b628814c4e1bc9d2169 |
| enabled | True |
| id | 67e8d71973f74c73bce88de7f88626cd |
| is_domain | False |
| name | demo |
| parent_id | 563963f57f154b628814c4e1bc9d2169 |
+-------------+----------------------------------+创建demo 用户:
$ openstack user create --domain default --password-prompt demo
User Password: #我这里设置了密码为demo
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | 563963f57f154b628814c4e1bc9d2169 |
| enabled | True |
| id | 3ac154bc2e654b74a39e366f4bee4318 |
| name | demo |
+-----------+----------------------------------+创建 user 角色:
$ openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 425a578954b542be9ec2c53be6362126 |
| name | user |
+-----------+----------------------------------+添加 user角色到 demo 项目和用户:
$ openstack role add --project demo --user demo user四、验证
重置OS_TOKEN和OS_URL 环境变量
unset OS_TOKEN OS_URL作为 admin 用户,请求认证令牌:
$ openstack --os-auth-url http://192.168.1.2:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password: #这里输入admin的密码。admin
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2017-07-17T02:44:04.000000Z |
| id | gAAAAABZbBZkqjhCCzoTtYRQLuMl5CymS0sFXXBj-GPyv2mOtYtMuXUmm5J6SHaFaxdlxvwKqVC1OBc4xK_kpdnDPfYjdFPMR0IQLXSAcEDurxLiTKMK2Rx5O6tK1iBpHpQn8jEIaRe_n4ynIIIUd2GhOKEL1TZpFW_YwdYr0ty8sf08fLrvcMY |
| project_id | db84902f7b1a4553a97684f210395abe |
| user_id | 9683b183b9da4e2b95e1d307c8a6a9df |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+作为demo 用户,请求认证令牌:
$openstack --os-auth-url http://192.168.1.2:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password: #这里输入demo的密码。demo
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2017-07-17T02:52:20.000000Z |
| id | gAAAAABZbBhUEgQJQHIutediRQmGY4yjKrCoZXcIYNUhQG5T5ttpXGSl6jsUAMSRfIRPxq9-XFU7BXhptnzvW5aytnWc5eqlQYWCO26XZPkvOHpm-xf-7MAzhGIo6nnCaCT3sLDfeCurcFie9Qx5NLhyNYdb1-b1zZ-6Irh4Xb5T4UCGTqHZrc8 |
| project_id | 67e8d71973f74c73bce88de7f88626cd |
| user_id | 3ac154bc2e654b74a39e366f4bee4318 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
这个使用`demo` 用户的API端口5000,这样只会允许对身份认证服务API的常规(非管理)访问。创建 OpenStack 客户端环境脚本 为admin创建脚本
$ vim admin-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin #输入上面步骤设置的admin的密码
export OS_AUTH_URL=http://192.168.1.2:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2为demo创建脚本
$ vim demo-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.1.2:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2使用脚本 使用特定租户和用户运行客户端,你可以在运行之前简单地加载相关客户端脚本。例如: 加载admin-openstack.sh文件来身份认证服务的环境变量位置和admin项目和用户证书:
$ . admin-openstack.sh
$ openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2017-07-17T03:06:33.000000Z |
| id | gAAAAABZbBuprhW1jTlge3m6YqKt5OIg8tUeAIie9nwoFvWIX3gFozfOC_oTjpK_cbELuhgJeMet-zsghc5_5IoRm9k4Ol3OevrOnv9jn0hPhDnCEBuV8E_THpz2sR35fN0ULLy5alrNmHCLVZBB0Gd16veaefjKke-odVqndXGFUFar_eb5CMA |
| project_id | db84902f7b1a4553a97684f210395abe |
| user_id | 9683b183b9da4e2b95e1d307c8a6a9df |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+Over ~
版权协议须知!
本篇文章来源于 Uambiguous ,如本文章侵犯到任何版权问题,请立即告知本站,本站将及时予与删除并致以最深的歉意
673 0 2017-01-14
博主卡片
运维时间
搭建这个平台,只为分享及记载自己所遇之事和难题。
现在时间 2024-04-26
今日天气
随机推荐
12-02
Linux 下实现实例之间免密登录
07-22
acme实现自动更新网站SSL证书
08-08
在 Linux 下搭建 Pure-ftpd
01-30
常用端口
08-23
使用 dockerfile 构建 WAF 镜像
站点统计
- 文章总数:240篇
- 分类总数:29个
- 评论总数:10条
- 本站总访问量 215841 次
@yuanyuan 为什么我的4b安装centos7.9 插上tf卡 显示不兼...
@Wong arrhenius 牛比
@MakerFace 厉害了!
@TongSir 老哥 更新下我的友链链接 https://blog.ton...