1: Version information

Official site: http://docs.openstack.org/newton/install-guide-rdo/keystone.html

2: Deploying keystone

Official documentation: http://docs.openstack.org/newton/install-guide-rdo/

Check the system information:

[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Preparation:

yum -y install centos-release-openstack-newton  # install the official yum repository
yum -y upgrade  # update the system
yum -y install python-openstackclient  # install the client tools
yum -y install openstack-selinux  # the openstack-selinux package manages the SELinux policies of the OpenStack components automatically

Additional note:

 
[root@localhost ~]# more /etc/yum.conf
[main]
cachedir=/newton   # create this directory (see mkdir below)
keepcache=1        # changed from the default 0 to 1 so that yum keeps downloaded packages cached locally
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
 

mkdir /newton

Deploy the database

Keystone supports LDAP and MySQL as backend drivers for storing user information, the catalog and so on; here we use MariaDB.
yum -y install mariadb mariadb-server python2-PyMySQL 

Configuration

 
Configuration file: /etc/my.cnf.d/openstack.cnf

[mysqld]
bind-address = 192.168.1.120        # management network IP of this host
default-storage-engine = innodb     # MySQL storage engine
innodb_file_per_table               # one tablespace file per table
max_connections = 4096              # maximum number of connections
collation-server = utf8_general_ci  # default collation
character-set-server = utf8         # character set
 

Start the service, enable it at boot and check its status

 
[root@localhost ~]# systemctl start mariadb.service
[root@localhost ~]# systemctl enable mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@localhost ~]# systemctl status mariadb.service
● mariadb.service - MariaDB 10.1 database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2017-02-06 09:25:17 EST; 16s ago
Main PID: 43433 (mysqld)
Status: "Taking your SQL requests now..."
CGroup: /system.slice/mariadb.service
└─43433 /usr/libexec/mysqld --basedir=/usr
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Please report any problems at http://mariadb.org/jira
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: The latest information about MariaDB is available at http://mariadb.org/.
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: You can find additional information about the MySQL part at:
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: http://dev.mysql.com
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Support MariaDB development by buying support/new features from MariaDB
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Corporation Ab. You can contact us about this at sales@mariadb.com.
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Alternatively consider joining our community based development effort:
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: http://mariadb.com/kb/en/contributing-to-the-mariadb-project/
Feb 06 09:25:16 localhost.localdomain mysqld[43433]: 2017-02-06 9:25:16 140101128218816 [Note] /usr/libexec/mysqld (mysqld 10.1.18-MariaD...433 ...
Feb 06 09:25:17 localhost.localdomain systemd[1]: Started MariaDB 10.1 database server.
Hint: Some lines were ellipsized, use -l to show in full.
 

MariaDB is now running

Initialize the database

mysql_secure_installation

Deploy keystone

Database operations for keystone

 
[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.1.18-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE keystone;  # create the database
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
    -> IDENTIFIED BY '123';  # create the keystone account for local access
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
    -> IDENTIFIED BY '123';  # create the keystone account for remote access
Query OK, 0 rows affected (0.00 sec)
 

Install the packages:

# The keystone package is named openstack-keystone
# httpd and mod_wsgi are installed because the community recommends running keystone under Apache
# openstack-keystone is essentially a web app speaking the WSGI protocol, and httpd is essentially a WSGI-compatible web server, so httpd needs the mod_wsgi module
yum -y install openstack-keystone httpd mod_wsgi

Configure: /etc/keystone/keystone.conf

# Tell openstack-keystone how to connect to the backend keystone database
# mysql+pymysql: pymysql is a Python library for running native SQL against MySQL from Python
[database]
connection = mysql+pymysql://keystone:123@192.168.31.57/keystone  # note: 123 has no quotes
[token]
provider = fernet  # fernet is the token format to generate

Initialize the keystone database

# Initialization is needed because Python's ORM (object-relational mapping) generates the database table structure from it
su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the Fernet key repository

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Integrate keystone with Apache

First change the hostname

hostnamectl set-hostname controller

Set /etc/hosts

192.168.1.120 controller

Configure /etc/httpd/conf/httpd.conf

ServerName controller

Add the configuration file for the mod_wsgi module

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Note: copying the file directly also works

Start Apache and enable it at boot

systemctl start httpd.service
systemctl enable httpd.service

3: Keystone operations

① Create keystone's catalog

Configure /etc/keystone/keystone.conf

[DEFAULT]
admin_token = 123

Set the environment variables

 
# OS_TOKEN = the admin_token from the configuration file
# During filter processing, the admin_token_auth middleware sets is_admin=True for requests carrying it
# Whoever holds this admin_token is the administrator.
export OS_TOKEN=123  # equal to the admin_token value in keystone.conf
export OS_URL=http://192.168.1.120:35357/v3
export OS_IDENTITY_API_VERSION=3
 

Create the catalog for keystone

 
# Using the permission granted in the previous step, create the identity service entity

[root@localhost ~]# openstack service create \
> --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 7ed3a973acd3460883efdc187225ef80 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
# Create the three API endpoints for accessing the service entity created in the previous step
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity public http://192.168.1.120:5000/v3

+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 37d4397231f74a5b98c48fd1220d7cd0 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 7ed3a973acd3460883efdc187225ef80 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.120:5000/v3 |
+--------------+----------------------------------+
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity internal http://192.168.1.120:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 72b8b7a700124e3f8876c6e74fd7b0c5 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 7ed3a973acd3460883efdc187225ef80 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.120:5000/v3 |
+--------------+----------------------------------+
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity admin http://192.168.1.120:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | b63e63c081b74dc3829cb9ae045f02f7 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 7ed3a973acd3460883efdc187225ef80 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.120:35357/v3 |
+--------------+----------------------------------+

 

② Create a domain, project, user and role, and link the four together

First create a shared domain:

 

[root@localhost ~]# openstack domain create --description "Default Domain" default 
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 9526862455314cefbf4ad7faa4580582 |
| name | default |
+-------------+----------------------------------+

 

Create the administrator's items:

 

# Create the admin project

[root@localhost ~]# openstack project create --domain default \
> --description "Admin Project" admin 
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | d2cac6cd998a4463abc5e83ec06f8996 |
| is_domain | False |
| name | admin |
| parent_id | 9526862455314cefbf4ad7faa4580582 |
+-------------+----------------------------------+
# Create the admin user
[root@localhost ~]# openstack user create --domain default \
> --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | 97ecd026af9f46349b76c57af5f7f84c |
| name | admin |
| password_expires_at | None |
+---------------------+----------------------------------+

# Create the admin role

[root@localhost ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 81fcdb131f3d4a0d8b4fa3bc95cf7f46 |
| name | admin |
+-----------+----------------------------------+

Link the three (project, user, role)
[root@localhost ~]# openstack role add --project admin --user admin admin

 

③ Use bootstrap to do the work of ① and ②

# Create the catalog for keystone
keystone-manage bootstrap --bootstrap-password 123 \
--bootstrap-admin-url http://192.168.1.120:35357/v3/ \
--bootstrap-internal-url http://192.168.1.120:35357/v3/ \
--bootstrap-public-url http://192.168.1.120:5000/v3/ \
--bootstrap-region-id RegionOne
Set the environment variables (is_admin is not set to True; instead the admin user obtains a token)
export OS_USERNAME=admin
export OS_PASSWORD=123  # the --bootstrap-password given to keystone-manage
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.1.120:35357/v3
export OS_IDENTITY_API_VERSION=3

④ Create a project, a regular user and a role, and link them

# Create a project named demo
[root@localhost ~]# openstack project create --domain default \
> --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | 1d57f06fda06450298d5cf72777be63d |
| is_domain | False |
| name | demo |
| parent_id | 9526862455314cefbf4ad7faa4580582 |
+-------------+----------------------------------+
# Create the regular user demo
[root@localhost ~]# openstack user create --domain default \
> --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | 8e28f8c353db487eb17477953e34452c |
| name | demo |
| password_expires_at | None |
+---------------------+----------------------------------+
# Create the role for regular users, i.e. user
[root@localhost ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | d0094c83800043529c37401a28815497 |
| name | user |
+-----------+----------------------------------+
# Link the three
[root@localhost ~]# openstack role add --project demo --user demo user
 

⑤ Create a shared tenant, service, for the services that follow

# All later services share one project, service, and all use the admin role
# So in practice the keystone-related steps for later service installs are only 2 and 4
[root@localhost ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | 75026d89c408438086f2314c003fdc8f |
| is_domain | False |
| name | service |
| parent_id | 9526862455314cefbf4ad7faa4580582 |
+-------------+----------------------------------+

Summary: each new service set up later needs four operations in keystone: 1. create a project 2. create a user 3. create a role 4. link them

Viewing information

View the catalog information: admin, internal, public

View the endpoint information

View the service list

View the domain list

View projects, roles, users and their management information

4: Verification

Preparation

For security reasons, the temporary token authentication mechanism must be disabled (both admin_token in the configuration file and keystone-manage's --bootstrap-password are based on this mechanism)

This mechanism sets is_admin=True on the user's request; the source-code analysis will cover it, so for now just understand it at this level.
Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from these three pipelines:
[pipeline:public_api]
[pipeline:admin_api]
[pipeline:api_v3]
 
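The edit described above, as an added example that is not part of the original post: a small Python script that audits keystone-paste.ini for admin_token_auth in the three pipelines and removes it, leaving every other line untouched. It operates on a constructed, shortened sample in the Newton file layout (the real file lists more filters per pipeline); the section names and the single `pipeline =` line per section are the assumptions it relies on.

```python
import re

# The three pipelines the post says to edit.
TARGET_SECTIONS = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
FILTER_NAME = "admin_token_auth"

_SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_PIPELINE_RE = re.compile(r"^(\s*pipeline\s*=\s*)(.*)$")

def audit_pipelines(text):
    """Return the target pipelines that still list admin_token_auth."""
    section, found = None, []
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
        elif section in TARGET_SECTIONS:
            p = _PIPELINE_RE.match(line)
            if p and FILTER_NAME in p.group(2).split():
                found.append(section)
    return found

def strip_admin_token_auth(text):
    """Return the file text with admin_token_auth removed from the target
    pipelines only; comments, blank lines and other sections are untouched."""
    section, out = None, []
    for line in text.splitlines():
        m = _SECTION_RE.match(line)
        if m:
            section = m.group(1).strip()
        elif section in TARGET_SECTIONS:
            p = _PIPELINE_RE.match(line)
            if p:
                filters = [f for f in p.group(2).split() if f != FILTER_NAME]
                line = p.group(1) + " ".join(filters)
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed, shortened sample in the layout of a Newton keystone-paste.ini;
# the real file has more filters in each pipeline.
SAMPLE = """\
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""

if __name__ == "__main__":
    print(audit_pipelines(SAMPLE))                          # ['pipeline:public_api', 'pipeline:api_v3']
    print(audit_pipelines(strip_admin_token_auth(SAMPLE)))  # []
    # Against the live file: read /etc/keystone/keystone-paste.ini as root (after a backup),
    # write strip_admin_token_auth(text) back, then restart httpd.
```

Running audit_pipelines on the real file after the edit is a quick check that no pipeline still accepts the shared admin token.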

Unset all the environment variables set earlier, e.g.

unset OS_AUTH_URL OS_PASSWORD

Start the verification: with the admin user

An error was reported. In plain terms the error says: only authenticated users may request a token. I had requested one too, so what is the reason?

There are two causes: first, the hostname in /etc/hosts is configured incorrectly

Second, no re-login was done after the hostname was changed

It is best to do this in the first step.

Verification succeeded

Tip: be sure to add --os-identity-api-version 3!!!

Verify with the demo user:

Verification method two:

[root@controller ~]# curl -i \
> -H "Content-Type: application/json" \
> -d '
> {
> "auth": {
> "identity": {
> "methods": [
> "password"
> ],
> "password": {
> "user": {
> "domain":{
> "name": "default"
> },
> "name": "admin",
> "password": ""
> }
> }
> },
> "scope": {
> "project": {
> "domain": {
> "name":"default"
> },
> "name": "admin"
> }
> }
> }
> }' \
> http://127.0.0.1:5000/v3/auth/tokens
HTTP/1.1 201 Created
Date: Mon, 06 Feb 2017 15:32:25 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
X-Subject-Token: gAAAAABYmJcyCNVmoREAng1Q_KKedkdp3SVMnJdZeH1edN-lQk5OLM0_Nfqar-YeObaVn2Go90jFVCMbRk5UE-rRhDPqW33mlccjD2aTrf0U3cHNAj_dqSJJaXNfCPjpwSH2bopieKeOMaY87NtiUhZunTvvPRORsGUrrSR2KGBxRmM0dNpIX-A
Vary: X-Auth-Token
x-openstack-request-id: req-5ec4e24e-dc11-4d89-99f9-e9dabbe3a948
Content-Length: 1124
Content-Type: application/json

{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "81fcdb131f3d4a0d8b4fa3bc95cf7f46", "name": "admin"}], "expires_at": "2017-02-06T16:33:00.000000Z", "project": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "d2cac6cd998a4463abc5e83ec06f8996", "name": "admin"}, "catalog": [{"endpoints": [{"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "public", "id": "37d4397231f74a5b98c48fd1220d7cd0"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "internal", "id": "72b8b7a700124e3f8876c6e74fd7b0c5"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:35357/v3", "region": "RegionOne", "interface": "admin", "id": "b63e63c081b74dc3829cb9ae045f02f7"}], "type": "identity", "id": "7ed3a973acd3460883efdc187225ef80", "name": "keystone"}], "user": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "97ecd026af9f46349b76c57af5f7f84c", "name": "admin"}, "audit_ids": ["Jw80h1bURZ6u6vYzcRA3xg"], "issued_at": "2017-02-06T15:33:06.000000Z"}}
 
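The same request and response as the curl session above, as an added example that is not from the original post: Python that builds the v3 password-auth body, parses the 201 response (the token comes only from the X-Subject-Token header, the body gives expiry, roles and the identity endpoints from the catalog) and checks whether the token is still valid. The response it parses is a constructed sample with shortened ids and a placeholder token; request_token is included for use against a live endpoint but is not called here.

```python
import json
import urllib.request
from datetime import datetime, timezone

def build_password_auth(user, password, project, domain="default"):
    """v3 auth body for a project-scoped password login (same shape as the curl body above)."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"domain": {"name": domain},
                                           "name": user, "password": password}}},
        "scope": {"project": {"domain": {"name": domain}, "name": project}}}}

def parse_token_response(headers, body_text):
    """Pull out what a client needs from a 201 response: the token (sent only in the
    X-Subject-Token header, never in the body), expiry, role names, scoped project
    and the identity endpoints keyed by interface."""
    tok = json.loads(body_text)["token"]
    endpoints = {ep["interface"]: ep["url"]
                 for svc in tok.get("catalog", []) if svc["type"] == "identity"
                 for ep in svc["endpoints"]}
    expires = datetime.strptime(tok["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    return {"token": headers["X-Subject-Token"],
            "expires_at": expires.replace(tzinfo=timezone.utc),
            "roles": sorted(r["name"] for r in tok["roles"]),
            "project": tok["project"]["name"],
            "identity_endpoints": endpoints}

def token_is_valid(parsed, now):
    """True while the token has not expired at `now` (timezone-aware UTC datetime)."""
    return now < parsed["expires_at"]

def request_token(auth_url, body, timeout=5):
    """POST the auth body to <auth_url>/auth/tokens and return (headers, body_text).
    Not exercised here; a 401 (the 'requires authentication' error) raises HTTPError."""
    req = urllib.request.Request(auth_url.rstrip("/") + "/auth/tokens",
                                 data=json.dumps(body).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers), resp.read().decode()

# Constructed sample response in the shape of the post's output (ids shortened,
# token value is a placeholder, not a real fernet token).
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-placeholder-token"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": ["password"], "roles": [{"id": "81fc...", "name": "admin"}],
    "expires_at": "2017-02-06T16:33:00.000000Z",
    "project": {"domain": {"name": "default"}, "id": "d2ca...", "name": "admin"},
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "url": "http://192.168.1.120:5000/v3"},
        {"interface": "admin", "url": "http://192.168.1.120:35357/v3"}]}],
    "user": {"name": "admin"}}})
```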
