Part 2: Introduction to and installation of OpenStack Keystone


    Installing the OpenStack identity service, Keystone

    I. General steps for installing an OpenStack service

    1. Create the database and grant privileges

    2. Create the service user in Keystone and associate a role with it

    3. Create the service in Keystone and register its API endpoints

    4. Install the service's packages

    5. Edit the configuration:

    • database connection
    • Keystone authentication and authorization settings
    • RabbitMQ connection settings
    • connection settings for other services

    6. Sync the database to create the tables

    7. Start the service

    II. Introduction to Keystone

    1. Keystone is the OpenStack identity service; in simple terms, it is the component that deals with permissions.

    2. Functions integrated in Keystone:

    • Authentication (managing authentication): verifying a user's identity
    • Authorization: role-based authorization management
    • Service catalog (catalog of services): simply put, a directory recording the addresses of the back-end services, much like a phone book

    III. Installing Keystone (run on the controller node only)

    1. Create the keystone database and grant privileges

    create database keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
    

    2. Install the Keystone packages

    yum -y install openstack-keystone httpd mod_wsgi   # mod_wsgi is the Apache WSGI module that httpd needs to run Python code
    
    

    3. Edit keystone.conf

    (a) Edit the file directly

    cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
    grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
    
    vim /etc/keystone/keystone.conf
    
    # Modify the following items
    [DEFAULT]      # define the value of the initial admin token:
    ...
    admin_token = ADMIN_TOKEN   # not needed in the Train release
    
    [database]     # configure database access:
    ...
    connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
    
    [token]         # configure the Fernet / UUID token provider
    ...
    provider = fernet   # fernet is one method of generating token strings
    
    

    (b) Edit with openstack-config (either method works)

    yum install openstack-utils -y
    openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN
    openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
    openstack-config --set /etc/keystone/keystone.conf token provider fernet
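
A check for the three settings just edited, added here as an example (not code from this page or from Keystone): it parses a constructed keystone.conf with Python's configparser and flags a database password still set to the docs' placeholder, a token provider other than fernet, and a leftover admin_token, which is a static shared secret. The sample fragments and function names are assumptions.

```python
import configparser

# Constructed keystone.conf fragments for the audit (assumed content, not
# copied from a live controller). The first still carries the placeholders
# from the install notes; the second is what a finished edit should look like.
AS_INSTALLED = """
[DEFAULT]
admin_token = ADMIN_TOKEN

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
provider = fernet
"""

HARDENED = """
[database]
connection = mysql+pymysql://keystone:Xk9v-constructed-pw@controller/keystone

[token]
provider = fernet
"""

# Placeholder secrets that the install notes use verbatim.
PLACEHOLDERS = {"KEYSTONE_DBPASS", "ADMIN_TOKEN", "ADMIN_PASS"}


def db_password(connection_url):
    """Extract the password from an SQLAlchemy URL like driver://user:pw@host/db."""
    creds = connection_url.split("://", 1)[1].split("@", 1)[0]
    return creds.split(":", 1)[1] if ":" in creds else ""


def audit_keystone_conf(text):
    """Return findings for the three keystone.conf settings the install edits."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []
    # [token] provider: the notes set fernet explicitly; anything else is a typo or leftover.
    provider = cp.get("token", "provider", fallback=None)
    if provider != "fernet":
        findings.append("token.provider is %r, expected 'fernet'" % provider)
    # [database] connection: must exist and must not keep the placeholder password.
    conn = cp.get("database", "connection", fallback=None)
    if conn is None:
        findings.append("database.connection is missing")
    elif db_password(conn) in PLACEHOLDERS:
        findings.append("database.connection still uses the placeholder password %r" % db_password(conn))
    # [DEFAULT] admin_token: not needed on Train per the notes above, and a static
    # shared secret, so a leftover value should be removed rather than kept.
    if cp.has_option("DEFAULT", "admin_token"):
        findings.append("DEFAULT.admin_token is set; remove it on Train")
    return findings
```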
    

    4. Sync the database

    su -s /bin/sh -c "keystone-manage db_sync" keystone   # run keystone-manage db_sync as the keystone user
    

    5. Initialize the Fernet keys

    # This is a feature of newer OpenStack releases. In the Train release, Keystone no longer uses a simple string as a temporary token; instead it uses the Fernet keys created below, owned by the keystone user, to issue tokens. Keystone also no longer separates the admin and regular endpoints onto ports 5000 and 35357: only port 5000 is used, and 35357 is no longer used.
    
    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    # afterwards a fernet-keys directory exists under /etc/keystone/
    
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
    
    keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
      --bootstrap-admin-url http://controller:5000/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne
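
An audit of the fernet-keys directory that fernet_setup creates, added here as an example (not code from this page or from keystone-manage). The keys in that directory are what Keystone uses to issue and validate tokens, so the check expects the directory to be mode 0700 and every key 0600; the expected modes, the function names and the constructed temporary repository are assumptions.

```python
import os
import stat
import tempfile

# Expected modes (assumed policy): only the keystone user may enter the
# repository or read a key, since any reader of the keys can forge tokens.
DIR_MODE = 0o700
KEY_MODE = 0o600


def check_fernet_key_dir(path):
    """Return a list of findings for the Fernet key repository at `path`."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    findings = []
    dir_mode = stat.S_IMODE(st.st_mode)
    if dir_mode != DIR_MODE:
        findings.append("directory mode is %o, expected %o" % (dir_mode, DIR_MODE))
    names = sorted(os.listdir(path))
    # Keys are files named by integer index (0 is the staged key); an empty
    # directory means fernet_setup has not run and token issuance will fail.
    if not names:
        findings.append("no keys present; run keystone-manage fernet_setup")
    for name in names:
        if not name.isdigit():
            findings.append("unexpected file %r in key repository" % name)
            continue
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if mode != KEY_MODE:
            findings.append("key %s mode is %o, expected %o" % (name, mode, KEY_MODE))
    return findings


def demo():
    """Audit a constructed repository in a temp dir: once as fernet_setup
    would leave it, once after the primary key has been made world-readable."""
    repo = os.path.join(tempfile.mkdtemp(), "fernet-keys")
    os.mkdir(repo, 0o700)
    for name in ("0", "1"):
        key = os.path.join(repo, name)
        with open(key, "w") as fh:
            fh.write("constructed-key-material\n")  # not real Fernet key material
        os.chmod(key, 0o600)
    clean = check_fernet_key_dir(repo)
    os.chmod(os.path.join(repo, "1"), 0o644)
    return clean, check_fernet_key_dir(repo)
```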
    

    6. Configure and start the httpd service

    (1) Current method from the official docs; this lab uses this method

    echo 'ServerName controller' >> /etc/httpd/conf/httpd.conf
    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
    
    # start the httpd service
    systemctl enable httpd.service
    systemctl start httpd.service
    

    (2) Old method

    echo 'ServerName controller' >> /etc/httpd/conf/httpd.conf
    
    vim /etc/httpd/conf.d/wsgi-keystone.conf
    Listen 5000
    Listen 35357
    
    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined
    
        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>
    
    <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined
    
        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>
    
    # start the httpd service
    systemctl enable httpd.service
    systemctl start httpd.service
    
    

    7. Set the environment variables

    export OS_USERNAME=admin
    export OS_PASSWORD=ADMIN_PASS
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    

    8. Create the service project and roles

    # The Fernet key-store initialization above already created the default domain, the admin project and the admin user. (The three commands below only succeed after the environment variables above have been set.)
    
    [root@controller ~]# openstack domain list
    +---------+---------+---------+--------------------+
    | ID      | Name    | Enabled | Description        |
    +---------+---------+---------+--------------------+
    | default | Default | True    | The default domain |
    +---------+---------+---------+--------------------+
    
    [root@controller ~]# openstack project list
    +----------------------------------+-------+
    | ID                               | Name  |
    +----------------------------------+-------+
    | 4c0a56c8e5444a73a1eb0a4e3cb3d4a7 | admin |
    +----------------------------------+-------+
    
    [root@controller ~]# openstack user list
    +----------------------------------+-------+
    | ID                               | Name  |
    +----------------------------------+-------+
    | c5d3016e0873403487102264a4ba09e4 | admin |
    +----------------------------------+-------+
    
    

    9. Create domains, projects, users, roles, etc.

    (a) Create a domain (this step can be skipped; it was not performed in this lab)

    # Create the example domain; in simple terms, a domain is like a region on a public cloud, e.g. North China or South China
    openstack domain create --description "An Example Domain" example
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | An Example Domain                |
    | enabled     | True                             |
    | id          | 2f4f80574fd84fe6ba9067228ae0a50c |
    | name        | example                          |
    | tags        | []                               |
    +-------------+----------------------------------+
    

    (b) Create a project

    # The step above confirmed that the default domain exists, so create service under the default domain
    [root@controller ~]# openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 695024d064f84bcfa5a48170b4519fad |
    | is_domain   | False                            |
    | name        | service                          |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+
    
    

    (c) Create a role and associate it with a user

    # Create the user
    [root@controller ~]# openstack user create --domain default --password ADMIN_PASS myuser
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | 84a0c3edd86a416a9c5bf0196e724843 |
    | name                | myuser                           |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    
    # Create the role
    [root@controller ~]# openstack role create myrole
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | None                             |
    | domain_id   | None                             |
    | id          | 8ec87a64484944d88e93d2a59f55bfe0 |
    | name        | myrole                           |
    | options     | {}                               |
    +-------------+----------------------------------+
    
    # Associate the role with the user
    openstack role add --project service --user myuser myrole   # grant the user this role on the service project
    

    (d) Verify the Keystone service

    (1) Verify Keystone with the default admin user

    unset OS_AUTH_URL OS_PASSWORD
    openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue   # password: ADMIN_PASS
    
    Password: 
    Password: 
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2019-12-25T09:41:18+0000                                                                                                                                                                |
    | id         | gAAAAABeAyCuDHlhlbOL-JfSZp7r00O04-9_46jds7MKM-bTmHcxfyETreTkEg43cg8DLzPS_ktkRxFZ3rO-jZD8L3o7maFtaPN1g-uzfALr6lnCbL7mgDTAjyJgayjJRSNFzvQ7-SlqOHa59miW7CojG2qrazVY2eQuQbzK-HCYRLK2m8ygLy4 |
    | project_id | 4c0a56c8e5444a73a1eb0a4e3cb3d4a7                                                                                                                                                        |
    | user_id    | c5d3016e0873403487102264a4ba09e4                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    
    
    

    (2) Verify Keystone with the myuser user

    openstack --os-auth-url http://controller:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name service --os-username myuser token issue
      # password: ADMIN_PASS
      
    Password: 
    Password: 
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2019-12-25T09:51:23+0000                                                                                                                                                                |
    | id         | gAAAAABeAyMLS0gKUC_u33WJOQVpom0aT0-QB1XP6Q1RiPW16obhaYFNVD8xLBOJHSyG2DIlXwD7u56LyuNMCLek8NmEnMpCAcbX8MejxcN0DFk9euEClDwQzfUvFYJcxdStMdBPdjfWac9XDq_32K-lEDQtgogqkzct4GuI_ws2jL-nxnJ9apk |
    | project_id | 695024d064f84bcfa5a48170b4519fad                                                                                                                                                        |
    | user_id    | 84a0c3edd86a416a9c5bf0196e724843                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
      
      
    

    (e) Create client environment scripts

    To make client operations more efficient, OpenStack supports simple client environment scripts, also known as OpenRC files.
    To switch users, source the corresponding openrc file (e.g. admin-openrc).

    (1) Verify the admin client

    vim admin-openrc
    
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=ADMIN_PASS
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    
    source admin-openrc
    
    openstack token issue
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2019-12-25T09:58:24+0000                                                                                                                                                                |
    | id         | gAAAAABeAySwb2okuaQkMF11C4ko1ZqW0XN8vZnwhjBwomHhjDOxSPEJSXdyXM52M6QVMSIeqfHOy6yml8CxzN5hSIpR8NaBoUyRNQThPScYsZw0-6TqCha9HmqgLgsdsTNdZELLjPnIxlhCbSnjmPQgB_-0H2D7NZri72OmfIEq2bzI5PX3iDM |
    | project_id | 4c0a56c8e5444a73a1eb0a4e3cb3d4a7                                                                                                                                                        |
    | user_id    | c5d3016e0873403487102264a4ba09e4                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    
    # The result is the same as the command-line run in the verification step above
    

    (2) Verify myuser

    vim myuser-openrc
    
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=service
    export OS_USERNAME=myuser
    export OS_PASSWORD=ADMIN_PASS
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    
    source myuser-openrc
    
    openstack token issue
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2019-12-25T10:02:55+0000                                                                                                                                                                |
    | id         | gAAAAABeAyW_aaBMwaHmhxgBl88IpwDBSj_4TvMGTmWRtlCf7vakyxT-_tADfb0clHthdoC1S0kyoYYtBe0Bw31zNqfl3OlnoCc5wwGVp2hchysgdpTCWKMkgmD5N2wip0u-KsPBvIDZcKvxzizf7bOvr1bZWp0IS55qHHGAVjTwv7GlQ7P3Uy0 |
    | project_id | 695024d064f84bcfa5a48170b4519fad                                                                                                                                                        |
    | user_id    | 84a0c3edd86a416a9c5bf0196e724843                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    
    # The result is the same as the command-line run in the verification step above
    
    # Test that port 5000 answers over a plain socket
    [root@controller ~]# curl http://controller:5000
    {"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://controller:5000/v3/", "rel": "self"}]}]}}
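
What `openstack token issue` does with the OS_* variables from the verification and openrc steps above, as an added example (not code from this page or from the OpenStack client): it builds the v3 project-scoped password-auth request from the openrc values and reduces Keystone's reply to the four fields the tables show. The sample reply and its token id are constructed, the project and user ids are taken from the page's output, and the function names are assumptions.

```python
import json
from datetime import datetime, timezone

# Constructed admin-openrc values mirroring the file above (assumed, not a live deployment).
ADMIN_OPENRC = {
    "OS_PROJECT_DOMAIN_NAME": "Default",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_NAME": "admin",
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "ADMIN_PASS",
    "OS_AUTH_URL": "http://controller:5000/v3",
}
KEYSTONE_TIME = "%Y-%m-%dT%H:%M:%S.%fZ"  # format of expires_at in v3 replies


def auth_request(env):
    """Build the URL and JSON body that `openstack token issue` POSTs: a
    project-scoped password authentication against the v3 API."""
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"],
            "password": env["OS_PASSWORD"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]}}}},
        "scope": {"project": {
            "name": env["OS_PROJECT_NAME"],
            "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens", body


def parse_time(text):
    """Parse a Keystone UTC timestamp into an aware datetime."""
    return datetime.strptime(text, KEYSTONE_TIME).replace(tzinfo=timezone.utc)


def token_issue(headers, body_json, now_text):
    """Reduce Keystone's 201 reply to the four fields `openstack token issue`
    prints. The token id travels in the X-Subject-Token header, not in the
    JSON body, and is what later requests send back as X-Auth-Token."""
    token = json.loads(body_json)["token"]
    expires = parse_time(token["expires_at"])
    if expires <= parse_time(now_text):
        raise ValueError("token already expired at " + token["expires_at"])
    return {
        "expires": expires.strftime("%Y-%m-%dT%H:%M:%S+0000"),
        "id": headers["X-Subject-Token"],
        "project_id": token["project"]["id"],
        "user_id": token["user"]["id"],
    }


# Constructed 201 reply: token id invented, project/user ids copied from the page's output.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-fernet-token"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2019-12-25T09:41:18.000000Z",
    "project": {"id": "4c0a56c8e5444a73a1eb0a4e3cb3d4a7", "name": "admin"},
    "user": {"id": "c5d3016e0873403487102264a4ba09e4", "name": "admin"},
}})
```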
    
    

    This completes the Keystone installation.

Original article: https://www.cnblogs.com/peng-zone/p/12097793.html