All of the following steps are performed on the controller node.

1. Install the Keystone service on the controller node

Concepts:

Keystone is the component of the OpenStack framework responsible for identity verification, service rules and service tokens; it implements the OpenStack Identity API. Keystone works like a service bus and is the registry of the whole OpenStack framework: every other service registers its endpoint (the URL at which the service is reached) in Keystone, and every call between services passes through Keystone authentication to obtain the endpoint of the target service and locate it. Keystone provides a single point of integration for authentication, authorization and the service catalog in OpenStack. The other OpenStack services use the identity service as a common, unified API. It also provides user-related information. The service name is: identity service.

Key Keystone terms:

User
Project (Tenant)
Token
Role
Service
Endpoint

1) Log in to MySQL, create the keystone database and grant the required privileges

[root@controller ~]# mysql -uroot -p
Enter password: (the root password, 123456)
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [keystone]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.01 sec)
MariaDB [(none)]> select user,host from mysql.user;
+----------+------------+
| user     | host       |
+----------+------------+
| keystone | %          |
| root     | 127.0.0.1  |
| root     | ::1        |
|          | controller |
| root     | controller |
|          | localhost  |
| keystone | localhost  |
| root     | localhost  |
+----------+------------+
8 rows in set (0.00 sec)
MariaDB [(none)]> quit
Bye
[root@controller ~]#

2. Install the Keystone identity service packages on the controller node

# Configure the Apache service: an HTTP server with mod_wsgi answers identity service requests on ports 5000 and 35357. By default, the Keystone service still listens

1) Install the Keystone packages

[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
# Install the openstack-utils command-line tools; the openstack-config command can then be used to configure OpenStack
[root@controller ~]# yum install openstack-keystone python-keystoneclient openstack-utils -y

2) Edit the Keystone configuration file

 [root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet

3) Check that the configuration was changed successfully

Method 1 (the one I usually use):

# Print only the active (uncommented) settings; the bracket range is quoted so the shell does not expand it
[root@controller ~]# grep '^[a-zA-Z]' /etc/keystone/keystone.conf
connection = mysql+pymysql://keystone:keystone@controller/keystone
provider = fernet

Method 2:

[root@controller ~]# egrep -v "^#|^$" /etc/keystone/keystone.conf
Note: Keystone does not need to be started as its own service; it is invoked through the httpd service.

3. Initialize the Keystone database (database sync)

1) Sync the Keystone database

## After the keystone database sync succeeds, 44 tables are generated
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

2) Test the connection to the keystone database

[root@controller ~]# mysql -ukeystone -pkeystone -hcontroller -e "use keystone;show tables;"
# Count how many tables were generated in keystone (the count includes the Tables_in_keystone header line)
[root@controller ~]# mysql -ukeystone -pkeystone -hcontroller -e "use keystone;show tables;"|wc -l

4. Initialize the Fernet key repositories

 [root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
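The Fernet key repository is what signs and encrypts every token Keystone issues, so after fernet_setup it is worth confirming what it left behind. The shell function below is an added example, not part of the original post: it assumes GNU stat (as on CentOS) and the default repository path /etc/keystone/fernet-keys, and checks what keystone-manage fernet_setup creates, namely a directory with mode 700 and numbered key files with mode 600 (key 0 staged, key 1 primary), all owned by the keystone user.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): audit a Fernet key repository
# after `keystone-manage fernet_setup`. Keystone creates the directory with mode 700
# and the key files with mode 600, owned by the keystone user; anyone who can read
# these files can mint valid tokens, so verify that nothing loosened them.
# Usage: check_fernet_repo /etc/keystone/fernet-keys keystone
# Returns 0 when the repository is sane, 1 otherwise, printing each finding.
check_fernet_repo() {
    repo="$1"
    owner="${2:-keystone}"
    rc=0
    if [ ! -d "$repo" ]; then
        echo "FAIL: $repo does not exist (run keystone-manage fernet_setup)"
        return 1
    fi
    dir_mode=$(stat -c '%a' "$repo")
    dir_owner=$(stat -c '%U' "$repo")
    [ "$dir_mode" = "700" ] || { echo "FAIL: $repo mode is $dir_mode, expected 700"; rc=1; }
    [ "$dir_owner" = "$owner" ] || { echo "FAIL: $repo owned by $dir_owner, expected $owner"; rc=1; }
    nkeys=0
    for key in "$repo"/*; do
        [ -f "$key" ] || continue
        # Key files are named by their number; anything else does not belong here.
        case "$(basename "$key")" in
            *[!0-9]*) echo "WARN: unexpected file $key in key repository"; continue ;;
        esac
        nkeys=$((nkeys + 1))
        mode=$(stat -c '%a' "$key")
        kowner=$(stat -c '%U' "$key")
        [ "$mode" = "600" ] || { echo "FAIL: $key mode is $mode, expected 600"; rc=1; }
        [ "$kowner" = "$owner" ] || { echo "FAIL: $key owned by $kowner, expected $owner"; rc=1; }
    done
    # fernet_setup writes key 0 (staged) and key 1 (primary); fewer than two means setup did not finish.
    [ "$nkeys" -ge 2 ] || { echo "FAIL: only $nkeys key file(s) in $repo, expected at least 2"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $repo looks correct"
    return "$rc"
}
```

Run it as `check_fernet_repo /etc/keystone/fernet-keys keystone` on the controller; the same check applies to /etc/keystone/credential-keys created by credential_setup.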

5. Configure Apache (the httpd service)

1) Edit the main httpd configuration file

Method 1

 [root@controller ~]# vim   /etc/httpd/conf/httpd.conf  +95
ServerName controller

Method 2

Replace the line directly with sed

[root@controller ~]# sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf
[root@controller ~]# grep "ServerName" /etc/httpd/conf/httpd.conf

2) Configure the virtual host

[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

3) Start httpd and enable it at boot

 [root@controller ~]# systemctl  start httpd
[root@controller ~]# systemctl enable httpd
[root@controller ~]# netstat -lntpv|grep httpd

4) Check that it is enabled at boot

 [root@controller ~]# systemctl list-unit-files |grep httpd

6. Bootstrap the Keystone identity service

1) Create the Keystone user and initialize the service entity and API endpoints

# In earlier releases (before Queens) the bootstrap needed two ports (5000 for users and 35357 for admin); current releases serve everything on one port
# Create the keystone service entity and the identity service; the three endpoint types below are public, internal and admin. An admin password is required; here it is set to 123456

 [root@controller ~]# keystone-manage bootstrap --bootstrap-password 123456   --bootstrap-admin-url http://controller:5000/v3/   --bootstrap-internal-url http://controller:5000/v3/   --bootstrap-public-url http://controller:5000/v3/   --bootstrap-region-id RegionOne
Note
# Running this command adds the following to the keystone database; in earlier releases these had to be created by hand:
<1> Adds the 3 API endpoints of the service entity to the endpoint table
<2> Creates the admin user in the local_user table
<3> Creates the admin and Default entries (the default domain) in the project table
<4> Creates 3 roles in the role table: admin, member and reader
<5> Creates the identity service in the service table

2) Use export to set the admin variables temporarily for authentication

[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=123456
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3

3) Check that the variables were exported

 [root@controller ~]# env |grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=123456
OS_AUTH_URL=http://controller:5000/v3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]#

Problems you may run into:

1. The following error is reported

[root@controller ~]# openstack endpoint list
Failed to discover available identity versions when contacting http://controller:5000/v3. Attempting to parse version from URL.
Unable to establish connection to http://controller:5000/v3/auth/tokens: HTTPConnectionPool(host='controller', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fd8c8d7cf90>: Failed to establish a new connection: [Errno 111] Connection refused',))

Solution:
1) Check whether the Apache service has a problem

Check whether the Apache service is running

2) Check that the wsgi-keystone.conf symlink for Keystone is correct

 [root@controller conf.d]# pwd
/etc/httpd/conf.d
[root@controller conf.d]# ls
autoindex.conf README userdir.conf welcome.conf wsgi-keystone.conf
[root@controller conf.d]#

3) Restart httpd

 [root@controller conf.d]# systemctl  restart httpd

4) Verify that the openstack commands now return results

 [root@controller conf.d]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 5d52ade18b88414bb3ab5a29b8709da0 | admin |
+----------------------------------+-------+
[root@controller conf.d]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| 4958b09872894953b50257fd3ee41cfa | RegionOne | keystone | identity | True | internal | http://controller:5000/v3/ |
| 8191331923ef477aa9eb08c33c968671 | RegionOne | keystone | identity | True | public | http://controller:5000/v3/ |
| d239bdcfaa0046f89919833333ef01d4 | RegionOne | keystone | identity | True | admin | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@controller conf.d]# openstack project list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| ddaa0a6cfeb448bc9a7cc3427366bf10 | admin |
+----------------------------------+-------+
[root@controller conf.d]#

7. Create the Keystone identity objects

# Create a domain, projects, users, and roles
--- see the official OpenStack documentation:
https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html

1) Create a Keystone domain named example

 [root@controller conf.d]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 6ea97972027e43a0a8e74132636e5a59 |
| name | example |
| tags | [] |
+-------------+----------------------------------+
[root@controller conf.d]#

2) Create a project named service in Keystone to hold the services

# Normal (non-admin) tasks should use an unprivileged user

 [root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 6560a25781764bd4ba4abea849980d31 |
| is_domain | False |
| name | service |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
[root@controller ~]#

3) Create the myproject project and its user and role

 [root@controller ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 7bda925fd8924e5caf7f4f8d628f83f0 |
| is_domain | False |
| name | myproject |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
[root@controller ~]#

4) Create the myuser user in the default domain

Set the password non-interactively

[root@controller ~]# openstack user create --domain default --password=myuser myuser

Set the password interactively

[root@controller ~]# openstack user create --domain default --password-prompt myuser

5) Create the myrole role in the role table

 [root@controller ~]# openstack role create myrole
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | bebc009484f445299c368281e16c8053 |
| name | myrole |
+-----------+----------------------------------+
[root@controller ~]#

6) Assign the myrole role to the myuser user in the myproject project

 [root@controller ~]# openstack role add --project myproject --user myuser myrole

8. Verify that the Keystone steps above succeeded

1) Remove the environment variables with unset

# Drop the temporary credentials from the environment and check whether a token can still be obtained, to verify that Keystone is configured correctly
[root@controller ~]# unset OS_AUTH_URL
[root@controller ~]# unset OS_PASSWORD
[root@controller ~]# env |grep OS

2) Request a token as the admin user

# Test whether the admin account can authenticate and request an authentication token
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-11-29T08:11:16+0000 |
| id | gAAAAABd4MSUoRA8SHhaIxsJYzg6uH20LwoM1eN8sN6GeUZ0Z7JifZy4a_1BkEIJWVIc9S6nEXfJSCdv5HviLovjmcJ04ZcfFuqRVMU1zG4nAGpOeMzTxV7s6oREYMb_55CDMrxDpRYiF4pNdDdWZP19Z2XZ95c_-rrCAZsx5PvwYeSOwXHXtUc |
| project_id | ddaa0a6cfeb448bc9a7cc3427366bf10 |
| user_id | 5d52ade18b88414bb3ab5a29b8709da0 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]#

3) Obtain an authentication token as a normal user

 [root@controller ~]#  openstack --os-auth-url http://controller:5000/v3   --os-project-domain-name Default --os-user-domain-name Default   --os-project-name myproject --os-username myuser token issue
Password: (the password of the myuser user, which is also myuser)
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-11-29T08:13:42+0000 |
| id | gAAAAABd4MUm-zT8q8FJNnfRMvwad3VxxFzKAVzPLISyHqlIa4ldbl_Is359-E4esI609UgMwSPAiIt0LMz_WPLy6g23VAA7fpnm2lo79Haizpg95iqAJTTNiXLiuiyw6p077__J-v-_ia09XkbpIMAyKitF0YAPXTRYCFpPCN0leVrvWXYpDp0 |
| project_id | 7bda925fd8924e5caf7f4f8d628f83f0 |
| user_id | 35a3fdebbc6c4a9797397ae0aa036bf3 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]#

9. Create the OpenStack client environment scripts

# The previous sections used a combination of environment variables and command options to interact with the identity service through the ``openstack`` client. To make client operations more efficient, OpenStack supports simple client environment scripts, known as OpenRC files. These scripts usually contain all the common client options, and also support options specific to a client. See: http://docs.openstack.org/user-guide/common/

1) Write the client environment scripts

Environment script for the admin user

 [root@controller ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Environment script for the myuser user:

 [root@controller ~]# cat myuser-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller ~]#
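The hand-typed exports in section 6 show how easily a domain name or URL gets mangled, and an OpenRC file has the same problem; it also holds OS_PASSWORD in clear text, so its file permissions matter. The function below is an added example, not part of the original post or of OpenStack: it sources a given file in a subshell, checks the variables the install guide requires (assuming the Default domain and an http(s)://host:port/v3 auth URL as used on this page), and rejects a password-bearing file that other users can read. It assumes GNU stat.

```shell
#!/bin/sh
# Hypothetical helper (not from the original post): sanity-check an OpenRC file
# before sourcing it. It catches the kind of typos seen when exporting variables
# by hand (a truncated OS_AUTH_URL, a misspelled domain name) and flags a file
# that stores OS_PASSWORD in clear text while being readable by other users.
# Usage: check_openrc ./admin-openrc   -> prints findings, returns 0 if clean
check_openrc() {
    rc_file="$1"
    rc=0
    [ -r "$rc_file" ] || { echo "FAIL: cannot read $rc_file"; return 1; }
    # Source the file in a subshell so its exports do not leak into the caller.
    (
        . "$rc_file"
        # Every variable the openstack client needs for v3 password authentication.
        for var in OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME \
                   OS_USERNAME OS_AUTH_URL OS_IDENTITY_API_VERSION; do
            eval "val=\${$var:-}"
            [ -n "$val" ] || { echo "FAIL: $var is not set"; exit 1; }
        done
        # Domain names are case sensitive; the install guide uses "Default".
        for var in OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME; do
            eval "val=\${$var}"
            case "$val" in
                Default) ;;
                *) echo "FAIL: $var is '$val', expected 'Default'"; exit 1 ;;
            esac
        done
        # The URL must name the v3 API on the host:port that httpd listens on.
        case "$OS_AUTH_URL" in
            http://*:*/v3|http://*:*/v3/|https://*:*/v3|https://*:*/v3/) ;;
            *) echo "FAIL: OS_AUTH_URL '$OS_AUTH_URL' is not http(s)://host:port/v3"; exit 1 ;;
        esac
        [ "$OS_IDENTITY_API_VERSION" = "3" ] || { echo "FAIL: OS_IDENTITY_API_VERSION must be 3"; exit 1; }
    ) || rc=1
    # A clear-text password in a file other users can read is a credential leak.
    if grep -q '^export OS_PASSWORD=' "$rc_file"; then
        mode=$(stat -c '%a' "$rc_file")
        case "$mode" in
            600|400) ;;
            *) echo "FAIL: $rc_file stores OS_PASSWORD but has mode $mode; chmod 600 it"; rc=1 ;;
        esac
    fi
    [ "$rc" -eq 0 ] && echo "OK: $rc_file"
    return "$rc"
}
```

Run `check_openrc admin-openrc && . admin-openrc` so the file is only loaded once it passes.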

2) Load the environment script

 [root@controller ~]# source admin-openrc 

3) Check that the environment script took effect

 [root@controller ~]# openstack user list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 35a3fdebbc6c4a9797397ae0aa036bf3 | myuser |
| 5d52ade18b88414bb3ab5a29b8709da0 | admin |
+----------------------------------+--------+
[root@controller ~]#

4) Request an authentication token

# Compare the user_id returned here with the user_id returned in step 8 to confirm they match
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-11-29T08:19:38+0000 |
| id | gAAAAABd4MaKC_aPAFlYRLx4oK4oNA7V0ymp66c7XNiQu5pJ6b-Tvkj5ch56-WH9M2oP6G8UMIxs291HkII_iirhGxfEKLRglf38vhTWEefv8J2ZK9NiPrMPM1wNXQNWkc5LMTlVQcZp5FYzDD2ndLjciM_mkXSMlnL8_xse4lR2SCwnp3ksAVI |
| project_id | ddaa0a6cfeb448bc9a7cc3427366bf10 |
| user_id | 5d52ade18b88414bb3ab5a29b8709da0 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]#
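Step 4 asks you to compare the user_id in the token output with the one obtained earlier; doing that by eye does not scale once scripts issue tokens. The shell functions below are an added example, not part of the original post: they parse the table that `openstack token issue` prints, compare user_id and project_id against expected values, and check the expiry. The sample table is constructed from the admin token output on this page with the token id shortened. Expiry is compared as a string: Keystone prints UTC in a fixed-width ISO 8601 form, so lexical order equals chronological order and no date parsing is needed.

```shell
#!/bin/sh
# Hypothetical helpers (not from the original post): read fields from the table
# that `openstack token issue` prints and confirm the token belongs to the expected
# user and project before it is used.

# Constructed sample: the admin token from this post, token id shortened.
SAMPLE_TOKEN_OUTPUT='+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2019-11-29T08:19:38+0000         |
| id         | gAAAAABd4MaKC_aPAFlYRLx4oK4oNA7V |
| project_id | ddaa0a6cfeb448bc9a7cc3427366bf10 |
| user_id    | 5d52ade18b88414bb3ab5a29b8709da0 |
+------------+----------------------------------+'

# token_field OUTPUT FIELD -> prints the Value column of the row whose Field is FIELD.
# The table is split on "|"; $2 is the field name and $3 the value, padding stripped.
token_field() {
    printf '%s\n' "$1" | awk -F'|' -v f="$2" '
        $2 ~ ("^[ ]*" f "[ ]*$") { gsub(/^[ ]+|[ ]+$/, "", $3); print $3 }'
}

# check_token OUTPUT EXPECTED_USER_ID EXPECTED_PROJECT_ID [NOW_ISO8601]
# NOW defaults to the current UTC time in the same format Keystone prints.
# Returns 0 only if the token is for the expected identity and has not expired.
check_token() {
    out="$1"; want_user="$2"; want_project="$3"
    now="${4:-$(date -u +%Y-%m-%dT%H:%M:%S+0000)}"
    uid=$(token_field "$out" user_id)
    pid=$(token_field "$out" project_id)
    exp=$(token_field "$out" expires)
    [ "$uid" = "$want_user" ] || { echo "FAIL: user_id $uid != $want_user"; return 1; }
    [ "$pid" = "$want_project" ] || { echo "FAIL: project_id $pid != $want_project"; return 1; }
    [ -n "$exp" ] || { echo "FAIL: no expires field in token output"; return 1; }
    # Fixed-width UTC timestamps compare correctly as strings.
    if ! awk -v a="$exp" -v b="$now" 'BEGIN { if (a > b) exit 0; exit 1 }'; then
        echo "FAIL: token expired at $exp (now $now)"
        return 1
    fi
    echo "OK: token for user $uid in project $pid valid until $exp"
}
```

On the controller the call is `check_token "$(openstack token issue)" 5d52ade18b88414bb3ab5a29b8709da0 ddaa0a6cfeb448bc9a7cc3427366bf10`, using the ids from `openstack user list` and `openstack project list`.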

With this, the OpenStack Keystone identity service is configured.
