目录
openstack之认证服务keystone的安装
一,openstack服务安装的通用步骤
1,创库授权
2,在keystone创建用户,关联角色
3,在keystone上创建服务,注册api
4,安装服务相关的软件包
5,修改配置
- 数据库的连接
- keystone的认证授权信息
- rabbitmq的连接信息
- 其他服务的连接配置
6,同步数据库,创建表
7,启动服务
二,keystone的简介
1,keystone是openstack的身份服务,可以简单理解为“与权限有关”的组件
2,keystone集成的功能:
- 管理身份验证(managing authentication):验证用户身份
- 授权(authorization):基于角色role的授权管理
- 服务目录(catalog of services):简单来说就是记录了后端服务地址的目录。类似于电话本
三,keystone的安装(仅在控制节点执行)
1,创建keystone库并授权
create databases keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
2,安装keystone相关的软件包
yum -y install openstack-keystone httpd mod_wsgi #apache的拓展模块wsgi,作用是httpd访问python代码是需要的模块
3,修改keystone.conf
一,直接修改
cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
vim /etc/keystone/keystone.conf
#修改一下几项
[DEFAULT] #定义初始管理令牌的值:
...
admin_token = ADMIN_TOKEN #t版的不需要修改该项
[database] #配置数据库访问:
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token] # 配置Fernet UUID令牌的提供者
...
provider = fernet #fernet为生成token字符串的一种方法
二,openstack-config修改(两种方法都可以)
yum install openstack-utils -y
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
4,同步数据库
su -s /bin/sh -c "keystone-manage db_sync" keystone #切换到keystone身份执行keystone-manage db_sync命令
5,初始化Fernet keys
#这是新版本的OpenStack的新功能,在Train版本下,keystone不再使用简单的字符串作为临时token,而是使用下面创建的fernet的用户来运行keystone。同时,keystone也不再对管理员用户和普通用户的服务端点区分使用不同的端口5000和35357,而是只使用5000端口不再使用35357端口。
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
#执行后/etc/keystone/目录下会生成一个fernet-keys目录
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
keystone-manage bootstrap --bootstrap-password ADMIN_PASS
--bootstrap-admin-url http://controller:5000/v3/
--bootstrap-internal-url http://controller:5000/v3/
--bootstrap-public-url http://controller:5000/v3/
--bootstrap-region-id RegionOne
6,配置及启动httpd服务
1,新版官网配置方法,本实验用的该方法配置
echo 'ServerName controller' >> /etc/httpd/conf/httpd.conf
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
#启动httpd服务
# systemctl enable httpd.service
# systemctl start httpd.service
2,老版配置方法
echo 'ServerName controller' >> /etc/httpd/conf/httpd.conf
vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
#启动httpd服务
# systemctl enable httpd.service
# systemctl start httpd.service
7,执行环境变量
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
8,创建service项目及角色
#在上面的初始化Fernet密钥存储时候已经创建了default域、admin项目和admin用户。(下面的3条命令必须要进行上面的初始化环境变量之后才能执行成功)
[root@controller ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
[root@controller ~]# openstack project list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4c0a56c8e5444a73a1eb0a4e3cb3d4a7 | admin |
+----------------------------------+-------+
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| c5d3016e0873403487102264a4ba09e4 | admin |
+----------------------------------+-------+
9,创建域,项目,用户,角色等
一,创建域(该步骤可以省略,本次实验未进行此步骤)
# 创建了example域,简单理解就是公有云上的大区,华北区,华南区等等
openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 2f4f80574fd84fe6ba9067228ae0a50c |
| name | example |
| tags | [] |
+-------------+----------------------------------+
二,创建项目
#上面步骤已经证实有default域存在,所以在default域下创建service即可
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 695024d064f84bcfa5a48170b4519fad |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
三,创建角色与关联用户
#创建用户
[root@controller ~]# openstack user create --domain default --password ADMIN_PASS myuser
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 84a0c3edd86a416a9c5bf0196e724843 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
#创建角色
[root@controller ~]# openstack role create myrole
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 8ec87a64484944d88e93d2a59f55bfe0 |
| name | myrole |
| options | {} |
+-------------+----------------------------------+
#关联角色与用户
openstack role add --project service --user myuser myrole #为service项目指定用户角色
四,验证keystone服务
1,验证默认admin用户的keystone服务
unset OS_AUTH_URL OS_PASSWORD
openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue #密码为:ADMIN_PASS
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-12-25T09:41:18+0000 |
| id | gAAAAABeAyCuDHlhlbOL-JfSZp7r00O04-9_46jds7MKM-bTmHcxfyETreTkEg43cg8DLzPS_ktkRxFZ3rO-jZD8L3o7maFtaPN1g-uzfALr6lnCbL7mgDTAjyJgayjJRSNFzvQ7-SlqOHa59miW7CojG2qrazVY2eQuQbzK-HCYRLK2m8ygLy4 |
| project_id | 4c0a56c8e5444a73a1eb0a4e3cb3d4a7 |
| user_id | c5d3016e0873403487102264a4ba09e4 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
#
2,验证myuser用户的keystone服务
openstack --os-auth-url http://controller:5000/v3
--os-project-domain-name Default --os-user-domain-name Default
--os-project-name service --os-username myuser token issue
#密码为ADMIN_PASS
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-12-25T09:51:23+0000 |
| id | gAAAAABeAyMLS0gKUC_u33WJOQVpom0aT0-QB1XP6Q1RiPW16obhaYFNVD8xLBOJHSyG2DIlXwD7u56LyuNMCLek8NmEnMpCAcbX8MejxcN0DFk9euEClDwQzfUvFYJcxdStMdBPdjfWac9XDq_32K-lEDQtgogqkzct4GuI_ws2jL-nxnJ9apk |
| project_id | 695024d064f84bcfa5a48170b4519fad |
| user_id | 84a0c3edd86a416a9c5bf0196e724843 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
五,创建客户端环境变量脚本
为了提高客户端操作的效率,OpenStack支持简单的客户端环境脚本,也称为OpenRC文件。
如需切换用户,source 相对应的XXX.openrc文件即可
1,验证admin客户端
vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
source admin-openrc
openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-12-25T09:58:24+0000 |
| id | gAAAAABeAySwb2okuaQkMF11C4ko1ZqW0XN8vZnwhjBwomHhjDOxSPEJSXdyXM52M6QVMSIeqfHOy6yml8CxzN5hSIpR8NaBoUyRNQThPScYsZw0-6TqCha9HmqgLgsdsTNdZELLjPnIxlhCbSnjmPQgB_-0H2D7NZri72OmfIEq2bzI5PX3iDM |
| project_id | 4c0a56c8e5444a73a1eb0a4e3cb3d4a7 |
| user_id | c5d3016e0873403487102264a4ba09e4 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
#验证结果与步骤四 命令行执行相同
2,验证myuser
vim myuser-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=service
export OS_USERNAME=myuser
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
source myuser-openrc
openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-12-25T10:02:55+0000 |
| id | gAAAAABeAyW_aaBMwaHmhxgBl88IpwDBSj_4TvMGTmWRtlCf7vakyxT-_tADfb0clHthdoC1S0kyoYYtBe0Bw31zNqfl3OlnoCc5wwGVp2hchysgdpTCWKMkgmD5N2wip0u-KsPBvIDZcKvxzizf7bOvr1bZWp0IS55qHHGAVjTwv7GlQ7P3Uy0 |
| project_id | 695024d064f84bcfa5a48170b4519fad |
| user_id | 84a0c3edd86a416a9c5bf0196e724843 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
#验证结果与步骤四 命令行执行相同
#测试通过套接字访问5000端口
[root@controller ~]# curl http://controller:5000
{"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://controller:5000/v3/", "rel": "self"}]}]}}
至此,keystone安装完毕