OpenStack组件系列☞Keystone搭建
一:版本信息
官网:http://docs.openstack.org/newton/install-guide-rdo/keystone.html
二:部署keystone
官网文档:http://docs.openstack.org/newton/install-guide-rdo/
查看系统信息:
[root@localhost ~]# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
[root@localhost ~]# uname -a
Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
准备阶段:
yum -y install centos-release-openstack-newton #安装官方yum源
yum -y upgrade #更新
yum -y install python-openstackclient #安装工具
yum -y install openstack-selinux #安装openstack-selinux包自动管理openstack组件的安全策略
额外补充:
[root@localhost ~]# more /etc/yum.conf
[main]
cachedir=/newton 新建该目录
keepcache=1 把这个原本是0的改为1,是把yum缓存到本地
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release
mkdir /newton
部署数据库
keystone支持ldap和mysql作为后端Driver,用来存放用户相关信息,catalog等,这里我们选用mariadb
yum -y install mariadb mariadb-server python2-PyMySQL
配置
配置文件:/etc/my.cnf.d/openstack.cnf [mysqld]
bind-address = 192.168.1.120 #本机管理网络ip default-storage-engine = innodb #mysql的存储引擎
innodb_file_per_table #独立表空间
max_connections = 4096 #最大链接数
collation-server = utf8_general_ci #默认排序规则
character-set-server = utf8 #字符集
启动服务并设置开机自启动且检查状态
[root@localhost ~]# systemctl start mariadb.service
[root@localhost ~]# systemctl enable mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[root@localhost ~]# systemctl status mariadb.service
● mariadb.service - MariaDB 10.1 database server
Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
Active: active (running) since Mon 2017-02-06 09:25:17 EST; 16s ago
Main PID: 43433 (mysqld)
Status: "Taking your SQL requests now..."
CGroup: /system.slice/mariadb.service
└─43433 /usr/libexec/mysqld --basedir=/usr Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Please report any problems at http://mariadb.org/jira
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: The latest information about MariaDB is available at http://mariadb.org/.
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: You can find additional information about the MySQL part at:
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: http://dev.mysql.com
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Support MariaDB development by buying support/new features from MariaDB
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Corporation Ab. You can contact us about this at sales@mariadb.com.
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Alternatively consider joining our community based development effort:
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: http://mariadb.com/kb/en/contributing-to-the-mariadb-project/
Feb 06 09:25:16 localhost.localdomain mysqld[43433]: 2017-02-06 9:25:16 140101128218816 [Note] /usr/libexec/mysqld (mysqld 10.1.18-MariaD...433 ...
Feb 06 09:25:17 localhost.localdomain systemd[1]: Started MariaDB 10.1 database server.
Hint: Some lines were ellipsized, use -l to show in full.
MariaDB已经启动
初始化数据库
mysql_secure_installation
部署keystone
keystone关于数据库的操作
[root@localhost ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.1.18-MariaDB MariaDB Server Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others. Type 'help;' or '\h' for help. Type '\c' to clear the current input statement. MariaDB [(none)]> CREATE DATABASE keystone;#新建数据库
Query OK, 1 row affected (0.00 sec) MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
-> IDENTIFIED BY '123'; #新建本地访问keystone账号
Query OK, 0 rows affected (0.00 sec) MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
-> IDENTIFIED BY '123'; #新建远程访问keystone账号
Query OK, 0 rows affected (0.00 sec)
安装包:
#keystone软件包名openstack-keystone
#安装httpd和mod_wsgi的原因是,社区主推apache+keystone
#openstack-keystone本质就是一款基于wsgi协议的web app,而httpd本质就是一个兼容wsgi协议的web server,所以我们需要为httpd安装mod_wsgi模块
yum -y install openstack-keystone httpd mod_wsgi
配置:/etc/keystone/keystone.conf
#让openstack-keystone能够知道如何连接到后端的数据库keystone
#mysql+pymysql:pymysql是一个python库,使用python可以操作mysql原生sql
[database]
connection = mysql+pymysql://keystone:123@192.168.31.57/keystone #注意123没有引号哈
[token]
provider = fernet #fernet为生成token的方式
初始化数据库keystone
#初始化是因为python的orm对象关系映射,需要初始化来生成数据库表结构
su -s /bin/sh -c "keystone-manage db_sync" keystone
初始化Fernet key仓库
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
结合apache整合keystone
首先修改主机名
hostnamectl set-hostname controller
设置/etc/hosts
192.168.1.120 controller
配置/etc/httpd/conf/httpd.conf
ServerName controller
为mod_wsgi模块添加配置文件
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
注:直接复制也可以
启动apache,设置开机自启动
systemctl start httpd.service
systemctl enable httpd.service
三:keystone操作
①、创建keystone的catalog
配置/etc/keystone/keystone.conf
[DEFAULT]
admin_token = 123
设置环境变量
#OS_TOKEN=配置文件中的admin_token
#会在filter过滤过程中被admin_token_auth中间间设置is_admin=True
#谁有这个admin_token谁就是管理员了。 export OS_TOKEN=123 #等于keystone.conf中admin_token的值
export OS_URL=http://192.168.1.120:35357/v3
export OS_IDENTITY_API_VERSION=3
为keystone创建catalog
#根据上一步给的权限,创建认证服务实体
[root@localhost ~]# openstack service create \
> --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 7ed3a973acd3460883efdc187225ef80 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
#根据上一步建立的服务实体,创建访问该实体的三个api端点
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity public http://192.168.1.120:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 37d4397231f74a5b98c48fd1220d7cd0 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 7ed3a973acd3460883efdc187225ef80 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.120:5000/v3 |
+--------------+----------------------------------+
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity internal http://192.168.1.120:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 72b8b7a700124e3f8876c6e74fd7b0c5 |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 7ed3a973acd3460883efdc187225ef80 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.120:5000/v3 |
+--------------+----------------------------------+
[root@localhost ~]# openstack endpoint create --region RegionOne \
> identity admin http://192.168.1.120:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | b63e63c081b74dc3829cb9ae045f02f7 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 7ed3a973acd3460883efdc187225ef80 |
| service_name | keystone |
| service_type | identity |
| url | http://192.168.1.120:35357/v3 |
+--------------+----------------------------------+
②、创建域,项目,用户,角色,把四个元素关联到一起
首先建立一个公共的域名:
[root@localhost ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 9526862455314cefbf4ad7faa4580582 |
| name | default |
+-------------+----------------------------------+
创建管理员各项信息:
#创建admin项目
[root@localhost ~]# openstack project create --domain default \
> --description "Admin Project" admin
ole add --project admin --user admin admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | d2cac6cd998a4463abc5e83ec06f8996 |
| is_domain | False |
| name | admin |
| parent_id | 9526862455314cefbf4ad7faa4580582 |
+-------------+----------------------------------+
#创建admin用户
[root@localhost ~]# openstack user create --domain default \
> --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | 97ecd026af9f46349b76c57af5f7f84c |
| name | admin |
| password_expires_at | None |
+---------------------+----------------------------------+
#创建admin角色
[root@localhost ~]# openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 81fcdb131f3d4a0d8b4fa3bc95cf7f46 |
| name | admin |
+-----------+----------------------------------+
三者关联(项目、用户、角色)
[root@localhost ~]# openstack role add --project admin --user admin admin
③、使用Bootstrap完成一和二的工作
#为keystone创建catalog
keystone-manage bootstrap --bootstrap-password 123 \
--bootstrap-admin-url http://192.168.1.120:35357/v3/ \
--bootstrap-internal-url http://192.168.1.120:35357/v3/ \
--bootstrap-public-url http://192.168.1.120:5000/v3/ \
--bootstrap-region-id RegionOne
设置环境变量(is_admin不会被设置成True,admin用户会获得一个Token)
export OS_USERNAME=admin
export OS_PASSWORD=123 #就是keystone-manage中设定的--bootstrap-password
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.1.120:35357/v3
export OS_IDENTITY_API_VERSION=3
④、创建的项目,普通用户,项目,角色,建立关联
#创建project名为demo
[root@localhost ~]# openstack project create --domain default \
> --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | 1d57f06fda06450298d5cf72777be63d |
| is_domain | False |
| name | demo |
| parent_id | 9526862455314cefbf4ad7faa4580582 |
+-------------+----------------------------------+
#创建普通用户demo
[root@localhost ~]# openstack user create --domain default \
> --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | 8e28f8c353db487eb17477953e34452c |
| name | demo |
| password_expires_at | None |
+---------------------+----------------------------------+
#创建普通用户的角色即user
[root@localhost ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | d0094c83800043529c37401a28815497 |
| name | user |
+-----------+----------------------------------+
#建立三者关联
[root@localhost ~]# openstack role add --project demo --user demo user
⑤、为后续的服务创建统一租户service
#后面所有的服务公用一个项目service,都是管理员角色admin
#所以实际上后续的服务安装关于keysotne的操作只剩2,4
[root@localhost ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 9526862455314cefbf4ad7faa4580582 |
| enabled | True |
| id | 75026d89c408438086f2314c003fdc8f |
| is_domain | False |
| name | service |
| parent_id | 9526862455314cefbf4ad7faa4580582 |
+-------------+----------------------------------+
小结:后面每搭建一个新的服务都需要在keystone中执行四种操作:1.建项目 2.建用户 3.建角色 4.做关联
查看信息
查看catalog信息,admin,internal,public
查看endpoint信息
查看服务列表
查看域列表
查看项目,角色,用户,以及他们的管理信息
四:验证
准备工作
出于安全考虑,需要关闭临时令牌认证机制(配置文件中的admin_token和keystone-manage的--bootstrap-password都是基于该机制) 该机制会将用户的请求设置is_admin=True,源码分析中会介绍,先暂且理解到这里
编辑/etc/keystone/keystone-paste.ini
这三个
[pipeline:public_api]
[pipeline:admin_api]
[pipeline:api_v3]
中的admin_token_auth都去掉
取消一切设置的环境变量,如
unset OS_AUTH_URL OS_PASSWORD
开始验证:用admin用户
报错了,这个错误的中文意思是:只有认证的用户才可以申请token,我也申请过了,这是什么原因?
原因有两个:第一:主机名/etc/hosts,配置不正确
第二:主机名修改后没有进行重新登录
最好这个第一步就做了,
验证成功
提示:一定要加上--os-identity-api-version 3!!!
用demo用户验证:
验证方法二:
[root@controller ~]# curl -i \
> -H "Content-Type: application/json" \
> -d '
> {
> "auth": {
> "identity": {
> "methods": [
> "password"
> ],
> "password": {
> "user": {
> "domain":{
> "name": "default"
> },
> "name": "admin",
> "password": ""
> }
> }
> },
> "scope": {
> "project": {
> "domain": {
> "name":"default"
> },
> "name": "admin"
> }
> }
> }
> }' \
> http://127.0.0.1:5000/v3/auth/tokens
HTTP/1.1 201 Created
Date: Mon, 06 Feb 2017 15:32:25 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
X-Subject-Token: gAAAAABYmJcyCNVmoREAng1Q_KKedkdp3SVMnJdZeH1edN-lQk5OLM0_Nfqar-YeObaVn2Go90jFVCMbRk5UE-rRhDPqW33mlccjD2aTrf0U3cHNAj_dqSJJaXNfCPjpwSH2bopieKeOMaY87NtiUhZunTvvPRORsGUrrSR2KGBxRmM0dNpIX-A
Vary: X-Auth-Token
x-openstack-request-id: req-5ec4e24e-dc11-4d89-99f9-e9dabbe3a948
Content-Length: 1124
Content-Type: application/json {"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "81fcdb131f3d4a0d8b4fa3bc95cf7f46", "name": "admin"}], "expires_at": "2017-02-06T16:33:00.000000Z", "project": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "d2cac6cd998a4463abc5e83ec06f8996", "name": "admin"}, "catalog": [{"endpoints": [{"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "public", "id": "37d4397231f74a5b98c48fd1220d7cd0"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "internal", "id": "72b8b7a700124e3f8876c6e74fd7b0c5"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:35357/v3", "region": "RegionOne", "interface": "admin", "id": "b63e63c081b74dc3829cb9ae045f02f7"}], "type": "identity", "id": "7ed3a973acd3460883efdc187225ef80", "name": "keystone"}], "user": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "97ecd026af9f46349b76c57af5f7f84c", "name": "admin"}, "audit_ids": ["Jw80h1bURZ6u6vYzcRA3xg"], "issued_at": "2017-02-06T15:33:06.000000Z"}}
OpenStack组件系列☞Keystone搭建的更多相关文章
- OpenStack组件系列☞Keystone
Keystone(OpenStack Identity Service)是 OpenStack 框架中负责管理身份验证.服务规则和服务令牌功能的模块.用户访问资源需要验证用户的身份与权限,服务执行操作 ...
- OpenStack组件系列☞horizon搭建
第一步:部署horizon环境: 安装部署memcache 安装软件包 yum install memcached python-memcached 启动memcache并且设置开机自启动 syste ...
- OpenStack组件系列☞glance搭建
第一步:glance关于数据库的操作 mysql -u root -p #登入数据库 CREATE DATABASE glance; #新建库keystone GRANT ALL PRIVILEGES ...
- Openstack组件部署 — keystone(domain, projects, users, and roles)
目录 目录 前文列表 Create a domain projects users and roles domain projects users and roles的意义和作用 Create the ...
- Openstack组件部署 — Keystone Install & Create service entity and API endpoints
目录 目录 前文列表 Install and configure Prerequisites 先决条件 Create the database for identity service 生成一个随机数 ...
- openstack组件之keystone
一 什么是keystone keystone是 OpenStack Identity Service 的项目名称.它在整个体系中充当一个授权者的角色. Keystone项目的主要目的是给整个opens ...
- Openstack组件部署 — Keystone功能介绍与认证实现流程
目录 目录 前文列表 Keystone认证服务 Keystone认证服务中的概念 Keystone的验证过程 简单来说 前文列表 Openstack组件部署 - Overview和前期环境准备 Ope ...
- OpenStack组件系列☞glance简介
Glance项目提供虚拟机镜像的发现,注册,取得服务. Glance提供restful API可以查询虚拟机镜像的metadata,并且可以获得镜像. 通过Glance,虚拟机镜像可以被存储到多种存储 ...
- Openstack组件实现原理 — Keystone认证功能
目录 目录 前言 Keystone安装列表 Keystone架构 Keystone的管理对象 一个理解Keystone管理对象功能的例子 Keystone管理对象之间的关系 Keystone V3的新 ...
随机推荐
- php 抽奖概率算法
lottery.php <?php //转自https://segmentfault.com/a/1190000007431893 /* * 不同概率的抽奖原理就是把0到*(比重总数)的区间分块 ...
- 洛谷P1083 [NOIP2012提高组Day2T2]借教室
P1083 借教室 题目描述 在大学期间,经常需要租借教室.大到院系举办活动,小到学习小组自习讨论,都需要向学校申请借教室.教室的大小功能不同,借教室人的身份不同,借教室的手续也不一样. 面对海量租借 ...
- 模拟20 题解(waiting)
留坑待填 T2 #include<cstdio> #include<vector> #include<cstring> #include<iostream&g ...
- notepad++ 退出后关闭所有文档(关闭“记住最后打开的文件”)
旧版本: 设置->首选项->其他->取消勾选Remember current session for next launch 新版本: 设置->首选项->备份->取 ...
- Vue--通过button跳转到其他组件并携带id参数
一.创建vue文件 ’ <template> <div> goodsCommon<br/> goodsCommon<br/> goodsCommon&l ...
- RegExp实例方法和字符串的模式匹配方法的总结
RegExp实例方法 ECMAScript通过RegExp类型来支持正则表达式,创建正则表达式有两种方式: //使用字面量形式定义正则表达式 var pattern1 = /[bc]at/i //使用 ...
- Hdu 2389 二分匹配
题目链接 Rain on your Parade Time Limit: 6000/3000 MS (Java/Others) Memory Limit: 655350/165535 K (Ja ...
- YouTube上最受欢迎的十大机器学习视频(最新)
2017-05-04 机器之心 选自KDnuggets 作者:Thuy T. Pham 机器之心编译 参与:微胖.黄小天 虽然 YouTube 有很多不错的机器学习视频,但是很难搞清楚是否值得一看,何 ...
- python3.7的celery报错TypeError: wrap_socket() got an unexpected keyword argument '_context'
原启动方法为: 起执行任务的服务 elery worker -A celery_task -l info -P eventlet 起提交任务的服务 celery beat -A celery_task ...
- linux守护进程配置文件
守护进程是一种运行在非交互模式下的程序.一般来说,守护进程任务是和联网区域有关的:它们等待连接,以便通过连接提供服务.Linux 可以使用从 Web 服务器到 ftp 服务器的很多守护进程. /etc ...