Openstack_O版(otaka)部署_认证服务keystone部署
安装和配置服务
1. 建keystone库建用户
在控制节点执行
mysql -uroot -p123456 CREATE DATABASE keystone; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY ''; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY ''; flush privileges;
2.软件安装
yum install openstack-keystone httpd mod_wsgi -y
3. 编辑配置文件
vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = b4164396208d7fe6d48b # 建议用命令制作 token:openssl rand -hex 10
[database]
connection = mysql+pymysql://keystone:123456@controller01/keystone
[token]
provider = fernet
4. 同步修改到数据库
su -s /bin/sh -c "keystone-manage db_sync" keystone
5. 初始化fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
6. 配置apache服务
vim /etc/httpd/conf/httpd.conf
ServerName controller01
vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
7. 启动Web服务
systemctl enable httpd.service
systemctl restart httpd.service
创建服务实体和访问端点
1. 实现配置管理员环境变量,用于获取后面创建的权限
export OS_TOKEN=b4164396208d7fe6d48b export OS_URL=http://controller01:35357/v3 export OS_IDENTITY_API_VERSION=3
2. 基于上一步给的权限,创建认证服务实体(目录服务)
openstack service create --name keystone --description "OpenStack Identity" identity +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | aa47cd781e53430dad37b0c9944b688b |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
3. 基于上一步建立的服务实体,创建访问该实体的三个api端点
openstack endpoint create --region RegionOne identity public http://controller01:5000/v3 +--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 41fee09de7cc4e9b8d08c0b73e9f39d3 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:5000/v3 |
+--------------+----------------------------------+ openstack endpoint create --region RegionOne identity internal http://controller01:5000/v3 +--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | d5dcf1954a414131913f7fa4ea5182ee |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:5000/v3 |
+--------------+----------------------------------+ openstack endpoint create --region RegionOne identity admin http://controller01:35357/v3 +--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 93fe3d113327455f9c973d3b42579268 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:35357/v3 |
+--------------+----------------------------------+
创建域,租户,用户,角色,把四个元素关联到一起
1. 建立一个公共的域名
openstack domain create --description "Default Domain" default +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 135e691ebbb74fefb5086970eac74706 |
| name | default |
+-------------+----------------------------------+
2. 建立一个管理员
openstack project create --domain default --description "Admin Project" admin +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | a3f24ce750034504876c0132c427306e |
| is_domain | False |
| name | admin |
| parent_id | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+ openstack user create --domain default --password-prompt admin +---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 1a1f6cf671474f45b81bf4150d8f6a67 |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
3. 建立一个角色:admin
openstack role create admin +-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | a442951d5ed044b78c80c223aef2bf3a |
| name | admin |
+-----------+----------------------------------+ openstack role add --project admin --user admin admin
4. 建立一个普通用户
openstack project create --domain default --description "Demo Project" demo +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 890abe6826374c4d94b371d035f3f6ee |
| is_domain | False |
| name | demo |
| parent_id | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+ openstack user create --domain default --password-prompt demo +---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 8f26fad523ed4b6e9c30fbfa21cc8544 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
5. 建立一个普通角色
openstack role create user +-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 3065224e5e32425a8d84775fe0fadbbc |
| name | user |
+-----------+----------------------------------+ openstack role add --project demo --user demo user
6. 为后续的服务创建统一租户service
# 解释:后面每搭建一个新的服务都需要在keystone中执行四种操作:1.建租户 2.建用户 3.建角色 4.做关联 # 后面所有的服务公用一个租户service,都是管理员角色admin,所以实际上后续的服务安装关于keysotne的操作只剩2,4 openstack project create --domain default --description "Service Project" service +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 38fce9de65f2455088be6196678e2090 |
| is_domain | False |
| name | service |
| parent_id | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+
验证操作
vim /etc/keystone/keystone-paste.ini
在[pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] 三个地方
移走:admin_token_auth
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller01:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-02-02T02:45:24+0000 |
| id | gAAAAABac8K0yoQzaByOrSYlzDGUAASjSuz-4mcyk6neOMNoCh_pkqXZH20wW3n6RXOQ4fk2IZQyM1yt0MMghtYakyurzghBFsuVYBw- |
| | 76mA2yQRGDTtL_3XTcg8AHD2Oaw0_UTZ59ROda_l6deP_BFGnyxIvO80pcUXBqp6HN7xzgP5ssnnXkQ |
| project_id | a3f24ce750034504876c0132c427306e |
| user_id | 1a1f6cf671474f45b81bf4150d8f6a67 |
+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
新建客户端脚本文件
管理员:admin-openrc
vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=123456 export OS_AUTH_URL=http://controller01:35357/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
普通用户demo:demo-openrc
vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default export OS_PROJECT_NAME=demo export OS_USERNAME=demo export OS_PASSWORD=che001 export OS_AUTH_URL=http://controller01:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
效果:
source admin-openrc openstack token issue
Openstack_O版(otaka)部署_认证服务keystone部署的更多相关文章
- Openstack_O版(otaka)部署_准备环境和依赖软件
架构介绍 本次案列为基本的三节点部署 一:网络: 1.管理网络:192.168.198.0/24 2.数据网络:10.0.0.0/24 二:操作系统: CentOS Linux release 7.3 ...
- Openstack_O版(otaka)部署_镜像服务glance部署
安装和配置服务 1. 建库建用户 mysql -u root -p CREATE DATABASE glance; GRANT ALL PRIVILEGES ON glance.* TO '; GRA ...
- Openstack_O版(otaka)部署_网络服务Neutron部署
控制节点配置 1. 建库建用户 CREATE DATABASE neutron; GRANT ALL PRIVILEGES ON neutron.* TO '; GRANT ALL PRIVILEGE ...
- Openstack_O版(otaka)部署_Nova部署
控制节点配置 1. 建库建用户 CREATE DATABASE nova_api; CREATE DATABASE nova; GRANT ALL PRIVILEGES ON nova_api.* T ...
- Openstack_O版(otaka)部署_Horizon部署
控制节点 1. 安装软件包 yum install openstack-dashboard -y 2. 修改配置文件 vim /etc/openstack-dashboard/local_settin ...
- OpenStack 认证服务 KeyStone部署(三)
Keystone 介绍 Keystone作用: 用户与认证:用户权限与用户行为跟踪: 服务目录:提供一个服务目录,包括所有服务项和相关Api的断点 SOA相关知识 Keystone主要两大功能用户认证 ...
- OpenStack 认证服务 KeyStone部署 (四)
Keystone作用: 用户与认证:用户权限与用户行为跟踪: 服务目录:提供一个服务目录,包括所有服务项和相关Api的断点 SOA相关知识 Keystone主要两大功能用户认证和服务目录(相当于一个注 ...
- openstack项目【day24】:keystone部署及操作
阅读目录 一 前言 二 版本信息 三 部署keystone 四 keystone操作 五 验证 六 创建脚本 七 keystone使用套路总结 一 前言 任何软件的部署都是没有技术含量的,任何就部署讲 ...
- keystone系列四:keystone部署及操作
一 前言 任何软件的部署都是没有技术含量的,任何就部署讲部署的人都是江湖骗子. 部署的本质就是拷贝,粘贴,回车.我们家养了条狗,它可以胜任这件事情. 我们搞技术的,一定不能迂腐:轻信或者一概不信. 轻 ...
随机推荐
- PLSQL Developer软件使用大全
PLSQL Developer软件使用大全 第一章 PLSQL Developer特性 PL/SQL Developer是一个集成开发环境,专门面向Oracle数据库存储程序单元的开发.如今,有越来越 ...
- Spring源码情操陶冶-PropertyPlaceholderBeanDefinitionParser注解配置解析器
本文针对spring配置的context:property-placeholder作下简单的分析,承接前文Spring源码情操陶冶-自定义节点的解析 spring配置文件应用 <context: ...
- linux常用命令(不断更新)
睡眠命令(第一步可省去): 1.查看你的系统支持什么模式:cat /sys/power/state(我的系统为:freeze mem disk) 2.切换到管理员模式下,执行命令:echo " ...
- qt中的tcp编程
server .server.h #define DIALOG_H #include <QDialog> #include <QTcpServer> #include < ...
- css居中方法与双飞翼布局
居中 类型 方法 对应属性 水平 垂直 水平&垂直 1.父元素使用外边距自动 2.子元素显示行内块级元素,写入内容,父元素设置文本居中 3.给父元素开启非绝对和固定定位作为子元素开启绝对定位的 ...
- ajaxfileupload批量上传文件+图片尺寸限制
1.首先展示ajaxfileupload代码,在这里修改为批量上传 //ajaxfileupload不展示全部代码,这是修改前与修改后代码对比,目的是上传多个文件 createUploadForm: ...
- [翻译] 编写高性能 .NET 代码--第二章 GC -- 将长生命周期对象和大对象池化
将长生命周期对象和大对象池化 请记住最开始说的原则:对象要么立即回收要么一直存在.它们要么在0代被回收,要么在2代里一直存在.有些对象本质是静态的,生命周期从它们被创建开始,到程序停止才会结束.其它对 ...
- 韩信点兵(hanxin)
相传韩信才智过人,从不直接清点自己军队的人数,只要让士兵先后以三人一排.五人一排.七人一排地变换队形,而他每次只掠一眼队伍的排尾就知道总人数了.输入包含多组数据,每组数据包含3个非负整数a,b,c,表 ...
- java中的Collection集合类
随着1998年JDK 1.2的发布,同时新增了常用的Collections集合类,包含了Collection和Map接口.而Dictionary类是在1996年JDK 1.0发布时就已经有了.它们都可 ...
- React Native填坑之旅 -- 回归小插曲
回归RN,非常开心啊! 在React Native 0.49.5上开发,直接遇到一个ios模拟器的问题.这个问题很简单就是Bundle URL not present. 在网上找了很多的解决方法,都不 ...