Openstack Keystone 认证服务(四)
Openstack Keystone 认证服务(四)
keystone 的安装完全依赖ocata的源, 如果没有建议自己搭建. 否则用的源不对会产生各种奇葩问题.
创建keystone库和用户:
## 建库和用户:mysql -u root -p123456CREATE DATABASE keystone;GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';flush privileges;*** 做完后去2台控制机上测试一下keystone 账号是否能够正常登录.
控制节点安装内容(2台):
# 控制节点安装:yum install -y openstack-keystone httpd mod_wsgi## 编辑文件 /etc/keystone/keystone.conf 并完成如下动作,在 [database] 部分,配置数据库访问:vim /etc/keystone/keystone.conf[database]......#connection = <None> # 574行connection = mysql+pymysql://keystone:123456@openstack-linux36-vip.magedu.net/keystonekeystone:123456 # 用户名和密码openstack-linux36-vip.magedu.net # 内部域名可以直接指向DB或者VIP,写成域名方便后期自行切换.## 写入/etc/hosts ***vim /etc/hosts10.10.5.140 openstack-linux36-vip.magedu.net*** 测试一下: mysql -h openstack-linux36-vip.magedu.net -u keystone -p123456## 在``[token]``部分,配置Fernet UUID令牌的提供者。[token]# ...provider = fernet## 添加admin验证token(手工生成并添加):[root@cont-1 ~]# openssl rand -hex 1099251e93898c371cb0c1vim +15 /etc/keystone/keystone.conf[DEFAULT]......[DEFAULT]admin_token = 99251e93898c371cb0c1### 总结一下内容(省略默认的内容):[root@cro-1 yum.repos.d]# grep -vE '^$|^#' /etc/keystone/keystone.conf[DEFAULT]admin_token = 99251e93898c371cb0c1[database]connection = mysql+pymysql://keystone:123456@openstack-linux36-vip.magedu.net/keystone[token]provider = fernet......####################################################################################### 初始化keystone 身份认证服务的数据库:su -s /bin/sh -c "keystone-manage db_sync" keystone*** 连接数据库查看keystone 库,如果配置文件的mysql连接正常,会生成很多表.### 初始化Fernet key:keystone-manage fernet_setup --keystone-user keystone --keystone-group keystonekeystone-manage credential_setup --keystone-user keystone --keystone-group keystone*** 会在/etc/keystone 下生成2个目录,credential-keys , fernet-keys### 创建自定义的配置文件:ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/vim /etc/httpd/conf.d/wsgi-keystone.confListen 5000Listen 35357<VirtualHost *:5000>WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}WSGIProcessGroup keystone-publicWSGIScriptAlias / /usr/bin/keystone-wsgi-publicWSGIApplicationGroup %{GLOBAL}WSGIPassAuthorization OnErrorLogFormat "%{cu}t %M"ErrorLog /var/log/httpd/keystone-error.logCustomLog /var/log/httpd/keystone-access.log combined<Directory /usr/bin>Require all granted</Directory></VirtualHost><VirtualHost *:35357>WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}WSGIProcessGroup keystone-adminWSGIScriptAlias / /usr/bin/keystone-wsgi-adminWSGIApplicationGroup %{GLOBAL}WSGIPassAuthorization OnErrorLogFormat "%{cu}t %M"ErrorLog /var/log/httpd/keystone-error.logCustomLog /var/log/httpd/keystone-access.log combined<Directory /usr/bin>Require all granted</Directory></VirtualHost>########################################################################################################################## 启动httpd:systemctl enable httpdsystemctl start httpd## 添加环境变量让我们可以跳过密码通过token创建项目:*** 目前没有方法可以认证keystone 通过环境变量的方法去做一下认证:export OS_TOKEN=99251e93898c371cb0c1export OS_AUTH_URL=http://10.10.5.138:35357/v3export OS_IDENTITY_API_VERSION=3export OS_URL=http://10.10.5.138:35357/v3## 测试一下 是否可以不出错误:openstack user list
创建并初始化一个项目:
# 初始化:openstack domain create --description "Default Domain" default
查看并删除一个domain:
# 查看domain list:[root@cont-1 ~]# openstack domain list+----------------------------------+---------+---------+----------------+| ID | Name | Enabled | Description |+----------------------------------+---------+---------+----------------+| 317ace63cb8f4562af682ca6c7bdf955 | default | True | Default Domain |+----------------------------------+---------+---------+----------------+## 删除一个domain id:** openstack domain delete + IDopenstack domain delete 317ace63cb8f4562af682ca6c7bdf955
创建一个admin的项目:
## 创建admin 项目:[root@cont-1 ~]# openstack project create --domain default --description "Admin Project" admin+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Admin Project || domain_id | 317ace63cb8f4562af682ca6c7bdf955 || enabled | True || id | 7895c74b24e640498acb869a790f7092 || is_domain | False || name | admin || parent_id | 317ace63cb8f4562af682ca6c7bdf955 |+-------------+----------------------------------+## 创建admin 账号(我设置的是:123456):[root@cont-1 ~]# openstack user create --domain default --password-prompt adminUser Password:Repeat User Password:+---------------------+----------------------------------+| Field | Value |+---------------------+----------------------------------+| domain_id | 317ace63cb8f4562af682ca6c7bdf955 || enabled | True || id | 7e5fe95e8caa48f78e218919d05693d5 || name | admin || options | {} || password_expires_at | None |+---------------------+----------------------------------+## 创建admin role(创建admin角色, 账号和role角色关联后就有了admin role的权限.(角色即权限)):[root@cont-1 ~]# openstack role create admin+-----------+----------------------------------+| Field | Value |+-----------+----------------------------------+| domain_id | None || id | ff08ecd7583542bc94ac3eb56794638a || name | admin |+-----------+----------------------------------+## 给admin 用户授权(角色即权限):#将admin用户授予admin项目的admin 角色,即给admin项目添加一个用户叫做admin, 并将其添加至admin角色,角色是权限的一种集合:[root@cont-1 ~]# openstack role add --project admin --user admin admin*** --project admin # 给admin项目*** --user admin # 添加admin用户账号*** 最后的admin # 角色名称(role admin)############################ 现在 admin 才是一个真正的管理员账号 拥有权限和项目 ##############################################
创建一个Demo 项目:
# 创建一个Demo 项目组(没啥大用处,给其他人演示可以放在这个项目里面。):[root@cont-1 ~]# openstack project create --domain default --description "Demo Project" demo+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Demo Project || domain_id | 317ace63cb8f4562af682ca6c7bdf955 || enabled | True || id | bebe93941d3d4203a2c630ff4da4596c || is_domain | False || name | demo || parent_id | 317ace63cb8f4562af682ca6c7bdf955 |+-------------+----------------------------------+# 创建demo用户并设置密码为demo:[root@cont-1 ~]# openstack user create --domain default --password-prompt demoUser Password:Repeat User Password:+---------------------+----------------------------------+| Field | Value |+---------------------+----------------------------------+| domain_id | 317ace63cb8f4562af682ca6c7bdf955 || enabled | True || id | 00ff302f8c924bb1b171965c5d5aca92 || name | demo || options | {} || password_expires_at | None |+---------------------+----------------------------------+## 创建一个User角色:[root@cont-1 ~]# openstack role create user+-----------+----------------------------------+| Field | Value |+-----------+----------------------------------+| domain_id | None || id | 66a589c005b0410eb71f5e4aaa5f0418 || name | user |+-----------+----------------------------------+## 把Demo 用户添加到Demo 项目:[root@cont-1 ~]# openstack role add --project demo --user demo user#############################至此 demo 用户已经被添加到user role里,权限就没有admin 那么大了#####################################
创建一个service项目:
*** 各服务之间与keystone进行访问和认证,service用于给服务创建用户:
openstack project create --domain default --description "Service Project" service[root@cont-1 ~]# openstack project create --domain default --description "Service Project" service+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Service Project || domain_id | 317ace63cb8f4562af682ca6c7bdf955 || enabled | True || id | 89067cca56fd477d86aed5c221b4c55d || is_domain | False || name | service || parent_id | 317ace63cb8f4562af682ca6c7bdf955 |+-------------+----------------------------------+
XX 服务注册:
*** 将Keystone 服务地址注册到 openstack ***
# 3.9.1 创建一个keystone 认证服务:[root@cont-1 ~]# openstack service list[root@cont-1 ~]# openstack service create --name keystone --description "Openstack Identity" identity # identity 是验证方式+-------------+----------------------------------+| Field | Value |+-------------+----------------------------------+| description | Openstack Identity || enabled | True || id | 376d49d3d59147a49e5f5081cb04a2b1 || name | keystone || type | identity |+-------------+----------------------------------+[root@cont-1 ~]# openstack service list ## 验证服务是否创建成功+----------------------------------+----------+----------+| ID | Name | Type |+----------------------------------+----------+----------+| 376d49d3d59147a49e5f5081cb04a2b1 | keystone | identity |+----------------------------------+----------+----------+# 3.9.2 创建端点 (public interntl admin)public # 公共端点internal # 私有端点admin # 管理端点# 注册以上3个端点服务,后面的所有服务都执行以上操作:*** 此处注册一定要写上域名 或者 VIP地址,这样以后方便扩容和更换设备:*** 不记得是哪个 可以看/etc/hosts 里面的绑定IP 和 keystone 里面的"connection"*** 既然写了VIP 地址或者域名,也要去haproxy 上做一下 端口转发.openstack endpoint create --region RegionOne identity public http://openstack-linux36-vip.magedu.net:5000/v3openstack endpoint create --region RegionOne identity internal http://openstack-linux36-vip.magedu.net:5000/v3openstack endpoint create --region RegionOne identity admin http://openstack-linux36-vip.magedu.net:35357/v3## 执行过程:[root@cont-1 ~]# openstack endpoint create --region RegionOne identity public http://openstack-linux36-vip.magedu.net:5000/v3+--------------+-------------------------------------------------+| Field | Value |+--------------+-------------------------------------------------+| enabled | True || id | 65605d57632a4c8ba0521b20f28bbcc2 || interface | public || region | RegionOne || region_id | RegionOne || service_id | 376d49d3d59147a49e5f5081cb04a2b1 || service_name | keystone || service_type | identity || url | http://openstack-linux36-vip.magedu.net:5000/v3 |+--------------+-------------------------------------------------+[root@cont-1 ~]# openstack endpoint create --region RegionOne identity internal http://openstack-linux36-vip.magedu.net:5000/v3+--------------+-------------------------------------------------+| Field | Value |+--------------+-------------------------------------------------+| enabled | True || id | ec3647ea42f347008d7e35b52324d995 || interface | internal || region | RegionOne || region_id | RegionOne || service_id | 376d49d3d59147a49e5f5081cb04a2b1 || service_name | keystone || service_type | identity || url | http://openstack-linux36-vip.magedu.net:5000/v3 |+--------------+-------------------------------------------------+[root@cont-1 ~]# openstack endpoint create --region RegionOne identity admin http://openstack-linux36-vip.magedu.net:35357/v3+--------------+--------------------------------------------------+| Field | Value |+--------------+--------------------------------------------------+| enabled | True || id | 858dee6eafb54902826175be76954094 || interface | admin || region | RegionOne || region_id | RegionOne || service_id | 376d49d3d59147a49e5f5081cb04a2b1 || service_name | keystone || service_type | identity || url | http://openstack-linux36-vip.magedu.net:35357/v3 |+--------------+--------------------------------------------------+## 验证是否添加成功:[root@cont-1 ~]# openstack endpoint list+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+| ID | Region | Service Name | Service Type | Enabled | Interface | URL |+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+| 65605d57632a4c8ba0521b20f28bbcc2 | RegionOne | keystone | identity | True | public | http://openstack-linux36-vip.magedu.net:5000/v3 || 858dee6eafb54902826175be76954094 | RegionOne | keystone | identity | True | admin | http://openstack-linux36-vip.magedu.net:35357/v3 || ec3647ea42f347008d7e35b52324d995 | RegionOne | keystone | identity | True | internal | http://openstack-linux36-vip.magedu.net:5000/v3 |+----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+## 去haproxy 上配置转发服务:*** 目前就一台服务器在做这个验证, 所以呢 haproxy也只能吧5000 35357 80 这几个端口给转发到 10。10.5.138 上.########### keystone ###########listen openstack_keystone_port_5000bind 0.0.0.0:5000mode tcplog globalserver 10.10.5.138 10.10.5.138:5000 check inter 3000 fall 2 rise 5listen openstack_keystone_port_35357bind 0.0.0.0:35357mode tcplog globalserver 10.10.5.138 10.10.5.138:35357 check inter 3000 fall 2 rise 5########################################/etc/init.d/haproxy restart########### 重启 搞定 ################# 测试Keystone 是否可以做用户验证:*** 验证admin用户, 密码123456 , 新打开一个窗口并进行一下操作:*** 验证demo用户, 密码demo , 新打开一个窗口并进行一下操作:1 打开新窗口2 查看/etc/hosts文件,内容一定要对 "10.10.5.140 openstack-linux36-vip.magedu.net"3 测试本机IP, VIP(haproxy) 随便切换,最后都能通过keystone的验证就行.export OS_IDENTITY_API_VERSION=3 # 设置环境变量,openstack --os-auth-url http://10.10.5.138:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issueopenstack --os-auth-url http://openstack-linux36-vip.magedu.net:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue# 测试结果如下[root@cont-1 ~]# export OS_IDENTITY_API_VERSION=3[root@cont-1 ~]# openstack --os-auth-url http://10.10.5.140:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issuePassword:+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| Field | Value |+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| expires | 2020-05-21T10:43:32+0000 || id | gAAAAABexk1E0Ya99oG-mHnbZ2s95Uy-HCRuii7rMraVmv5Mk2IEz41Hj0gysnaknb65H-D8RtimuXmlmxUqn4c9EC8lYDy6iMM- || | UYrw0ChvWrJ1HxGwC7IxsVGEFsYEApjgINyrT9fDtYQQZPh3GBFcuP8mGokiPb0PTZNMTWrxMSxZpRfJlr0 || project_id | bebe93941d3d4203a2c630ff4da4596c || user_id | 00ff302f8c924bb1b171965c5d5aca92 |+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[root@cont-1 ~]# openstack --os-auth-url http://openstack-linux36-vip.magedu.net:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issuePassword:+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| Field | Value |+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| expires | 2020-05-21T10:44:51+0000 || id | gAAAAABexk2TBJXILbxI3l2F56SLisp7IIC9EqPM- || | fPpgR4p_DoHe_YGsz5z6rcPHtkEuHNvwD2OInIZFC33LknuuLRmGEXMXlYbLXkiyJ2_TlgROPEz1J3MU3Jkxbz6NcCxHJD1mR16VgY5_OPLpJ1bKowxFisM3khnnQVD62_NcSqLVbCcOlA || project_id | 7895c74b24e640498acb869a790f7092 || user_id | 7e5fe95e8caa48f78e218919d05693d5 |+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
使用脚本设置环境变量:
## 验证admin 用户[root@cont-1 ~]# cat admin.sh#!/bin/bashexport OS_PROJECT_DOMAIN_NAME=defaultexport OS_USER_DOMAIN_NAME=defaultexport OS_PROJECT_NAME=adminexport OS_USERNAME=adminexport OS_PASSWORD=123456export OS_AUTH_URL=http://10.10.5.140:35357/v3 # 注意此处端口是35357export OS_IDENTITY_API_VERSION=3export OS_IMAGE_API_VERSION=2[root@cont-1 ~]# source admin.sh[root@cont-1 ~]# sh s.sh+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| Field | Value |+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| expires | 2020-05-21T19:06:47+0000 || id | gAAAAABexsM3OugdYsDazpfSVf34OUH4Vp4Zb0HJdA21eHQ8mHHLuxxtoXbvL4nRDsgJHW5_zT8mPdLc64HXClqIgT6nZluWqnoGSwroGjdXaSQV08ij5h02qZYRIxnZxLi5N4FkijuArwq_6GiFhUedCBMq4jt8EZEk_2KZwa4y || | fgTQ-s44Sm8 || project_id | 7895c74b24e640498acb869a790f7092 || user_id | 7e5fe95e8caa48f78e218919d05693d5 |+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------## 验证demo 用户:[root@cont-1 ~]# cat demo.sh#!/bin/bashexport OS_PROJECT_DOMAIN_NAME=defaultexport OS_USER_DOMAIN_NAME=defaultexport OS_PROJECT_NAME=demoexport OS_USERNAME=demoexport OS_PASSWORD=demoexport OS_AUTH_URL=http://10.10.5.140:5000/v3 # 注意此处端口是5000export OS_IDENTITY_API_VERSION=3export OS_IMAGE_API_VERSION=2[root@cont-1 ~]# source demo.sh[root@cont-1 ~]# sh s.sh+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| Field | Value |+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+| expires | 2020-05-21T19:05:16+0000 || id | gAAAAABexsLcyDOe4bL1Y5QLApF0i6OXu-S6iE-psbXCS3ZuySwPpkYyAieK2Ffe85mc5SUDJc_uN1vJsS9Wx7DOU6X16HF7anyWNYY4mKaWplcJPCDn9lQlOIPgMs48hodyHiDWrIjQDdLcY- || | UZIt6jvpfvqGsgGDSrRz4VI4G7iogJ546aPCY || project_id | bebe93941d3d4203a2c630ff4da4596c || user_id | 00ff302f8c924bb1b171965c5d5aca92 |+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Openstack Keystone 认证服务(四)的更多相关文章
- keystone认证服务
实验操作平台:OpenStack单节点操作 一.相关概念 1.认证(authentication) 认证是确认允许一个用户访问的进程 2.证书(credentials) 用于确认用户身份的数据 3.令 ...
- OpenStack Keystone安装部署流程
之前介绍了OpenStack Swift的安装部署,采用的都是tempauth认证模式,今天就来介绍一个新的组件,名为Keystone. 1. 简介 本文将详细描述Keystone的安装部署流程,并给 ...
- OpenStack Keystone架构
一. Keystone简介 1. OpenStack Keystone简介 2. Keystone安装与部署 2.1 包安装Keystone 2.2 源码安装源码安装 3 配置运行Keystone 3 ...
- Openstack keystone组件详解
OpenStack Keystone Keystone(OpenStack Identity Service)是 OpenStack 框架中负责管理身份验证.服务规则和服务令牌功能的模块.用户访问资源 ...
- (转)理解Keystone的四种Token
Token 是什么 通俗的讲,token 是用户的一种凭证,需拿正确的用户名/密码向 Keystone 申请才能得到.如果用户每次都采用用户名/密码访问 OpenStack API,容易泄露用户信息, ...
- Ubuntu 14.04 LTS 安装 Juno 版 OpenStack Keystone
本文介绍如何在Ubuntu 14.04 LTS 上安装Juno版的Keystone, 我们采用的是手动安装的方式, 同时仅针对OpenStack的身份与访问管理系统Keystone. 事实上OpenS ...
- 3.openstack之mitaka搭建keystone认证服务
认证服务keystone部署 一:安装和配置服务 1.建库建用户 mysql -u root -p CREATE DATABASE keystone; GRANT ALL PRIVILEGES ON ...
- openstack Q版部署-----keystone认证服务安装配置(3)
一.新建数据库及用户(控制节点) 登录数据库,创建db以及用户: CREATE DATABASE keystone; GRANT ALL PRIVILEGES ON keystone.* TO 'ke ...
- openstack 部署(Q版)-----keystone认证服务安装配置
一.新建数据库及用户 CREATE DATABASE keystone; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' ID ...
随机推荐
- Day9 python高级特性-- 列表生成式 List Comprehensions
Python内置的非常简单却强大的可以用来创建list的生成式. 私理解为,就是for循环出来的结果搞成个list~~~~ 要生成顺序增量list可以使用list(range(x,y))来 ...
- JavaSE15-集合·其二
1.Set集合 1.1 Set集合概述和特点 Set集合的特点 元素存取无序 没有索引.只能通过迭代器或增强for循环遍历 不能存储重复元素 1.2 哈希值 哈希值简介 是JDK根据对象的地址或者字符 ...
- 第二篇:docker 简单入门(二)
本篇目录 写在最前面的话 最常用的docker命令 获取远程仓库镜像 写在最前面的话 如上图大家看到的这样,以后此类文章请到其他平台查阅,由于博客园提示说,内容太多简单,所以以后简单的内容我会放在cs ...
- Linux下安装mysql-5.7.24
Mysql数据库的安装对于开发者来说,是我们必然会面对的问题,它的安装过程其实并不复杂,并且网络上的安装教程也非常多,但是对于新手来说,各种不同形式的安装教程,又给新手们带来了要选择哪种方式进行安装的 ...
- flink安装及standalone模式启动、idea中项目开发
安装 环境 Ubuntu 18 jdk8 flink-1.8.1 安装步骤 安装jdk(略) 下载flink-1.8.1-bin-scala_2.12.tgz,解压到指定目录 wget http:// ...
- IO流(03)--序列化流、打印流
序列化流 Java提供了一种对象序列化的机制,用一个字节序列可以表示一个对象,该字节序列包含该对象的数据.对象的类型和对象中存储的属性等信息.字节序列写入到文件中后,就相当于在文件中保存了一个对象信息 ...
- Sharding-JDBC使用jasypt3.0及以上版本加密数据库连接密码
本文中介绍的是基于Sharding-JDBC 4.0和jasypt 3.0及其以上版本对数据库连接密码进行加密操作 引入依赖 项目的pom.xml中引入maven依赖 <dependency&g ...
- 【命令】vmstat命令和pmap命令
博客链接地址:https://www.cnblogs.com/l75790/articles/9197733.html
- Winform 去掉 最大化 最小化 关闭按钮(不是关闭按钮变灰)终极解决办法
using System; using System.Collections.Generic; using System.ComponentModel; using System.Data; usin ...
- Selenium ActionChains、TouchAction方法
ActionChains和TouchAction可以用来模拟点击.双击.滑动等事件.ActionChains用于执行PC端的鼠标移动.按键.拖拽等事件:TouchActions用法与ActionCha ...