Openstack_O版(otaka)部署_认证服务keystone部署
安装和配置服务
1. 建keystone库建用户
在控制节点执行
mysql -uroot -p123456 CREATE DATABASE keystone; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY ''; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY ''; flush privileges;
2.软件安装
yum install openstack-keystone httpd mod_wsgi -y
3. 编辑配置文件
vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = b4164396208d7fe6d48b # 建议用命令制作 token:openssl rand -hex 10
[database]
connection = mysql+pymysql://keystone:123456@controller01/keystone
[token]
provider = fernet
4. 同步修改到数据库
su -s /bin/sh -c "keystone-manage db_sync" keystone
5. 初始化fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
6. 配置apache服务
vim /etc/httpd/conf/httpd.conf
ServerName controller01
vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
7. 启动Web服务
systemctl enable httpd.service
systemctl restart httpd.service
创建服务实体和访问端点
1. 实现配置管理员环境变量,用于获取后面创建的权限
export OS_TOKEN=b4164396208d7fe6d48b export OS_URL=http://controller01:35357/v3 export OS_IDENTITY_API_VERSION=3
2. 基于上一步给的权限,创建认证服务实体(目录服务)
openstack service create --name keystone --description "OpenStack Identity" identity +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | aa47cd781e53430dad37b0c9944b688b |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
3. 基于上一步建立的服务实体,创建访问该实体的三个api端点
openstack endpoint create --region RegionOne identity public http://controller01:5000/v3 +--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 41fee09de7cc4e9b8d08c0b73e9f39d3 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:5000/v3 |
+--------------+----------------------------------+ openstack endpoint create --region RegionOne identity internal http://controller01:5000/v3 +--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | d5dcf1954a414131913f7fa4ea5182ee |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:5000/v3 |
+--------------+----------------------------------+ openstack endpoint create --region RegionOne identity admin http://controller01:35357/v3 +--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 93fe3d113327455f9c973d3b42579268 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:35357/v3 |
+--------------+----------------------------------+
创建域,租户,用户,角色,把四个元素关联到一起
1. 建立一个公共的域名
openstack domain create --description "Default Domain" default +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 135e691ebbb74fefb5086970eac74706 |
| name | default |
+-------------+----------------------------------+
2. 建立一个管理员
openstack project create --domain default --description "Admin Project" admin +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | a3f24ce750034504876c0132c427306e |
| is_domain | False |
| name | admin |
| parent_id | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+ openstack user create --domain default --password-prompt admin +---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 1a1f6cf671474f45b81bf4150d8f6a67 |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
3. 建立一个角色:admin
openstack role create admin +-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | a442951d5ed044b78c80c223aef2bf3a |
| name | admin |
+-----------+----------------------------------+ openstack role add --project admin --user admin admin
4. 建立一个普通用户
openstack project create --domain default --description "Demo Project" demo +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 890abe6826374c4d94b371d035f3f6ee |
| is_domain | False |
| name | demo |
| parent_id | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+ openstack user create --domain default --password-prompt demo +---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 8f26fad523ed4b6e9c30fbfa21cc8544 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
5. 建立一个普通角色
openstack role create user +-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 3065224e5e32425a8d84775fe0fadbbc |
| name | user |
+-----------+----------------------------------+ openstack role add --project demo --user demo user
6. 为后续的服务创建统一租户service
# 解释:后面每搭建一个新的服务都需要在keystone中执行四种操作:1.建租户 2.建用户 3.建角色 4.做关联 # 后面所有的服务公用一个租户service,都是管理员角色admin,所以实际上后续的服务安装关于keysotne的操作只剩2,4 openstack project create --domain default --description "Service Project" service +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 38fce9de65f2455088be6196678e2090 |
| is_domain | False |
| name | service |
| parent_id | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+
验证操作
vim /etc/keystone/keystone-paste.ini
在[pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] 三个地方
移走:admin_token_auth
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller01:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-02-02T02:45:24+0000 |
| id | gAAAAABac8K0yoQzaByOrSYlzDGUAASjSuz-4mcyk6neOMNoCh_pkqXZH20wW3n6RXOQ4fk2IZQyM1yt0MMghtYakyurzghBFsuVYBw- |
| | 76mA2yQRGDTtL_3XTcg8AHD2Oaw0_UTZ59ROda_l6deP_BFGnyxIvO80pcUXBqp6HN7xzgP5ssnnXkQ |
| project_id | a3f24ce750034504876c0132c427306e |
| user_id | 1a1f6cf671474f45b81bf4150d8f6a67 |
+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
新建客户端脚本文件
管理员:admin-openrc
vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=123456 export OS_AUTH_URL=http://controller01:35357/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
普通用户demo:demo-openrc
vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default export OS_PROJECT_NAME=demo export OS_USERNAME=demo export OS_PASSWORD=che001 export OS_AUTH_URL=http://controller01:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
效果:
source admin-openrc openstack token issue
Openstack_O版(otaka)部署_认证服务keystone部署的更多相关文章
- Openstack_O版(otaka)部署_准备环境和依赖软件
架构介绍 本次案列为基本的三节点部署 一:网络: 1.管理网络:192.168.198.0/24 2.数据网络:10.0.0.0/24 二:操作系统: CentOS Linux release 7.3 ...
- Openstack_O版(otaka)部署_镜像服务glance部署
安装和配置服务 1. 建库建用户 mysql -u root -p CREATE DATABASE glance; GRANT ALL PRIVILEGES ON glance.* TO '; GRA ...
- Openstack_O版(otaka)部署_网络服务Neutron部署
控制节点配置 1. 建库建用户 CREATE DATABASE neutron; GRANT ALL PRIVILEGES ON neutron.* TO '; GRANT ALL PRIVILEGE ...
- Openstack_O版(otaka)部署_Nova部署
控制节点配置 1. 建库建用户 CREATE DATABASE nova_api; CREATE DATABASE nova; GRANT ALL PRIVILEGES ON nova_api.* T ...
- Openstack_O版(otaka)部署_Horizon部署
控制节点 1. 安装软件包 yum install openstack-dashboard -y 2. 修改配置文件 vim /etc/openstack-dashboard/local_settin ...
- OpenStack 认证服务 KeyStone部署(三)
Keystone 介绍 Keystone作用: 用户与认证:用户权限与用户行为跟踪: 服务目录:提供一个服务目录,包括所有服务项和相关Api的断点 SOA相关知识 Keystone主要两大功能用户认证 ...
- OpenStack 认证服务 KeyStone部署 (四)
Keystone作用: 用户与认证:用户权限与用户行为跟踪: 服务目录:提供一个服务目录,包括所有服务项和相关Api的断点 SOA相关知识 Keystone主要两大功能用户认证和服务目录(相当于一个注 ...
- openstack项目【day24】:keystone部署及操作
阅读目录 一 前言 二 版本信息 三 部署keystone 四 keystone操作 五 验证 六 创建脚本 七 keystone使用套路总结 一 前言 任何软件的部署都是没有技术含量的,任何就部署讲 ...
- keystone系列四:keystone部署及操作
一 前言 任何软件的部署都是没有技术含量的,任何就部署讲部署的人都是江湖骗子. 部署的本质就是拷贝,粘贴,回车.我们家养了条狗,它可以胜任这件事情. 我们搞技术的,一定不能迂腐:轻信或者一概不信. 轻 ...
随机推荐
- Keil中搭建自动化单元测试框架Unity
前言: 虽然一些C++的自动化单元测试框架也能用来C语言单元测试,但那样我们编写C语言程序时需要符合C++的标准,这样有一些C的特性是无法使用的,限制C的特性使用不太好,于是找了一个全部用C实现的自动 ...
- HDU 4372 Count the Buildings [第一类斯特林数]
有n(<=2000)栋楼排成一排,高度恰好是1至n且两两不同.现在从左侧看能看到f栋,从右边看能看到b栋,问有多少种可能方案. T组数据, (T<=100000) 自己只想出了用DP搞 发 ...
- 测试SM图床
- MySQL Community Server 5.7安装详细步骤
mysql社区版安装配置步骤较繁琐,几经搜索之后才成功安装,此文将所有的安装步骤及安装过程中遇到的问题进行了总结 1. 下载MySQL社区版 最新版下载地址:https://dev.mysql ...
- Google Chrome 圆形进度条
Conmajia © 2012 Updated on Feb. 21, 2018 Google Chrome 的圆形进度条. Demo 功能 显示百分比(0-100).如果进度值达到 100%,则将闪 ...
- CA证书扫盲,https讲解。
很多关于CA证书的讲解. 1.什么是CA证书. 看过一些博客,写的比较形象具体. ◇ 普通的介绍信 想必大伙儿都听说过介绍信的例子吧?假设 A 公司的张三先生要到 B 公司去拜访,但是 B 公司的所有 ...
- c++项目范例
#include<iostream> #include<string.h> #include<stdlib.h> using namespace std; clas ...
- unity爬坑记录
这里记一下平时遇到的unity bug: unity2017最好不要在prefab上面修改它上面的组件参数 最好是拖放到场景之后修改场景内的物体组件参数 完事了apply一下删掉 不这样做的话 可能u ...
- bzoj[1835][ZJOI2010]base 基地选址
bzoj[1835][ZJOI2010]base 基地选址 标签: 线段树 DP 题目链接 题解 这个暴力DP的话应该很容易看出来. dp[i][j]表示造了i个通讯站,并且j是第i个的最小费用. \ ...
- 奥酷流媒体服务系统AMS5.0
2016年6月29日,北极星通对外发布AMS5.0版本,AMS是北极星通公司独立研发的高性能流媒体服务系统软件,可广泛应用于视频直播,视频点播,视频转码,视频录播等场合. AMS5.0增加功能: ...