OpenStack Keystone安装部署流程
之前介绍了OpenStack Swift的安装部署,采用的都是tempauth认证模式,今天就来介绍一个新的组件,名为Keystone。
1. 简介
本文将详细描述Keystone的安装部署流程,并给出一些简单的使用实例。
Keystone是Openstack框架中的一个重要组成部分,负责身份认证、服务管理、服务规则和服务令牌的功能, 它实现了Openstack的Identity API。Keystone类似一个服务总线,或者说是整个Openstack框架的注册表,其他服务通过Keystone来注册其服务,任何服务之间相互的调用,都需要经过Keystone的身份验证来获得目标服务。Keystone包含两个主要部件:验证与服务目录。
验证部件提供了一套基于令牌的验证服务,主要包含以下几个概念:
- 租户(Tenant):使用相关服务的一个组织(一个租户可以代表一个客户、账号、公司、组织或项目),必须指定一个相应的租户(Tenant)才可以申请OpenStack服务。在Swift中,一个租户可以拥有一定的存储空间,拥有多个容器,可以理解为一个公司拥有一大块存储空间。
- 用户(User):表示拥有用户名、密码、邮箱等账号信息的个人,用户能够申请并获得访问资源的授权。用户拥有证书,可以与一个或多个租户关联。经过身份验证后,会为每个关联的租户提供一个特定的令牌。一个用户可以在不同的租户中被分配不同的角色。以Swift为例,我们可以这样理解:租户是一个公司,拥有一大块存储空间,用户是个人,是该公司的员工,能够根据用户的角色访问公司的部分或全部存储空间,当然这个员工可以同时在其他公司兼职,拥有其他公司的存储空间;如果某个公司只有一个员工,即该员工拥有公司的全部存储空间,此时的用户就类似于金山快盘的用户了。
- 证书(Credentials):为了给用户提供一个令牌,需要用证书来唯一标识一个用户的密码或其它信息。
- 令牌(Token):一个令牌是一个任意比特的文本,用于与其它OpenStack服务来共享信息,Keystone以此来提供一个Central Location,以验证访问OpenStack服务的用户。一个令牌可以是scoped或unscoped。一个scoped令牌代表为某个租户验证过的用户,而unscoped令牌则仅代表一个用户。令牌的有效期是有限的,可以随时被撤回。
- 角色(Role):代表特定的租户中的用户操作权限,一个角色是应用于某个租户的使用权限集合,以允许某个指定用户访问或使用特定操作。角色是使用权限的逻辑分组,它使得通用的权限可以简单地分组并绑定到与某个指定租户相关的用户。
服务目录部件(Service Catalog)提供了一套REST API服务端点列表并以此作为决策参考,主要包含以下几个概念:
- 服务(Service):一个OpenStack服务,例如Nova、Swift、Glance或Keystone。一个服务可以拥有一个或多个端点,用户可以通过它与OpenStack的服务或资源进行交互。
- 端点(Endpoint):一个可以通过网络访问的地址(例如一个URL),代表了OpenStack服务的API入口。端点也可以分组为模板,每个模板代表一组可用的OpenStack服务,这些服务是跨区域(regions)可用的,例如将多个Swift Proxy Server分别配置为不同的域(regionOne、regionTwo等)。
- 模板(Template):一个端点集合,代表一组可用的OpenStack服务端点。
2. 安装部署
2.1 准备环境
环境类型 |
详细信息 |
机器类型: |
PC物理机 |
操作系统: |
Ubuntu-11.10-desktop-64位 |
用户类型: |
root |
数据库: |
sqlite3 |
IP地址: |
192.168.3.67 |
2.2 版本说明
如果你使用的是Ubuntu,那么也可以直接通过apt-get来安装Keystone,不过本文介绍的是从git(https://github.com/openstack/keystone)上获取Master分支的最新代码来进行安装部署。请务必确保各处安装的Keystone与python-keystoneclient的版本统一,这在Keystone与其他服务(如Swift)整合使用时尤为重要,可关注后续文档《Keystone与Swift(集群)整合使用说明》,你就会明白其中的道理了。
2.3 安装软件环境
首先,需要安装Keystone所需的软件环境(确保你的机器可以访问互联网),例如git用于获取Keystone代码,sqlite3作为本地数据库。
# apt-get install git python-dev sqlite3 libxml2-dev libxslt1-dev libsasl2-dev libsqlite3-dev libssl-dev libldap2-dev |
2.4 安装Keystone
从git上获取最新的Keystone Service代码。
# cd ~ # git clone https://github.com/openstack/keystone.git |
安装Keystone的依赖项与主体程序(Keystone会被安装到python的dist-packages中)。
# cd ~/keystone # pip install -r tools/pip-requires # pip install -r tools/test-requires(本条命令可不执行) # python setup.py install |
文件~/keystone/tools/pip-requires中(内容如下所示)记录了运行Keystone程序所需的依赖项,setup.py就是根据该文件来检查依赖项并自动下载安装的。其中指明了python-keystoneclient为依赖项,python-keystoneclient作为本地客户端组件,用于访问Keystone。python-keystoneclient与Keystone的版本需要统一,否则可能会出现版本兼容性问题,采用依赖项的方式安装python-keystoneclient,可确保不会出现版本兼容性问题。
# keystone dependencies pam>=0.1.4 WebOb==1.2.3 eventlet greenlet PasteDeploy paste routes sqlalchemy>=0.7.8,<=0.7.9 sqlalchemy-migrate>=0.7.2 passlib lxml iso8601>=0.1.4 python-keystoneclient>=0.2.1,<0.3 oslo.config>=1.1.0 |
文件~/keystone/tools/test-requires中(内容如下所示)记录了Keystone动态开发与测试所需的依赖项。这些依赖项不是运行Keystone所必须的,所以可以不安装(即不执行上面的命令:pip install -r tools/test-requires)。
# Optional backend: SQL pysqlite # Optional backend: Memcache python-memcached # Optional backend: LDAP python-ldap==2.3.13 # authenticate against an existing LDAP server # Testing coverage # computes code coverage percentages mox # mock object framework nose # for test discovery and console feedback nosexcover openstack.nose_plugin nosehtmloutput pylint # static code analysis pep8==1.3.3 # checks for PEP8 code style compliance Sphinx>=1.1.2 # required to build documentation unittest2 # backport of unittest lib in python 2.7 webtest # test wsgi apps without starting an http server distribute>=0.6.24 # for python-keystoneclient httplib2 # keystoneclient <0.2.1 requests>=1.0.0 # replaces httplib2 in keystoneclient >=0.2.1 keyring # swift_auth test dependencies http://tarballs.openstack.org/swift/swift-master.tar.gz#egg=swift netifaces # For translations processing Babel |
需要特别注意的是,安装tools/test-requires依赖项时会自动下载swift-master.tar.gz包并重新安装Swift。因此,如果电脑上已经安装了Swift,就不可以再执行“pip install -r tools/test-requires”命令了(该命令会覆盖掉之前安装的Swift程序)。
如果你不小心覆盖掉了之前安装的Swift程序,也无需担心,执行以下命令,重新安装你的Swift程序即可。(假设Swift的源代码在目录~/swift/swift_1.7.6下,python-swiftclient的源代码在目录~/swift/python-swiftclient_1.2.0下)
# cd ~/swift/swift_1.7.6 # python setup.py develop # cd ~/swift/python-swiftclient_1.2.0 # python setup.py develop |
2.5 配置Keystone
由于是从git上获取的代码,所以我们需要手动将代码中的配置文件复制到系统中正确的目录下。配置文件在~/keystone/etc目录下,共有四个,包括default_catalog.templates、keystone.conf.sample、logging.conf.sample和policy.json。将这四个配置文件复制到/etc/keystone目录下,并重命名(去掉“.sample”)。用户需要注意下文中的红色标注部分。
# mkdir -p /etc/keystone # cp ~/keystone/etc/* /etc/keystone/ # cp mv /etc/keystone/keystone.conf.sample /etc/keystone/keystone.conf # cp mv /etc/keystone/logging.conf.sample /etc/keystone/logging.conf |
其中keystone.conf是核心配置文件,logging.conf是日志配置文件,default_catalog.templates是目录模版文件,policy.json定义了Identity服务的访问策略。我们需要修改核心配置文件/etc/keystone/keystone.conf。
[DEFAULT] # A "shared secret" between keystone and other openstack services # admin_token = ADMIN # 注意该信息,admin_token参数是用来访问Keystone服务的,即Keystone服务的Token。默认为ADMIN,当然也可以改成别的。客户端可以使用该Token访问Keystone服务、查看信息、创建其他服务等。 # The IP address of the network interface to listen on # bind_host = 0.0.0.0 # The port number which the public service listens on # public_port = 5000 # Keystone提供的认证授权服务监听的端口,通常为公网(外网),也可以是内网。 # The port number which the public admin listens on # admin_port = 35357 # Keystone提供的认证授权、系统管理服务监听的端口,通常为内网。除了认证授权功能外,用户需要访问该端口来进行管理员操作,如创建删除Tenant、User、Role、Service、Endpoint等。 # The port number which the OpenStack Compute service listens on # compute_port = 8774 # Path to your policy definition containing identity actions # TODO(dolph): This config method will probably be deprecated during grizzly # policy_file = policy.json # Rule to check if no matching policy definition is found # FIXME(dolph): This should really be defined as [policy] default_rule # policy_default_rule = admin_required # === Logging Options === # Print debugging output # verbose = False # Print more verbose output # (includes plaintext request logging, potentially including passwords) # debug = False # Name of log file to output to. If not set, logging will go to stdout. # log_file = keystone.log # The directory to keep log files in (will be prepended to --logfile) # log_dir = /var/log/keystone # Use syslog for logging. # use_syslog = False # syslog facility to receive log lines # syslog_log_facility = LOG_USER # If this option is specified, the logging configuration file specified is # used and overrides any other logging options specified. Please see the # Python logging module documentation for details on logging configuration # files. # log_config = logging.conf # A logging.Formatter log message format string which may use any of the # available logging.LogRecord attributes. # log_format = %(asctime)s %(levelname)8s [%(name)s] %(message)s # Format string for %(asctime)s in log records. # log_date_format = %Y-%m-%d %H:%M:%S # onready allows you to send a notification when the process is ready to serve # For example, to have it notify using systemd, one could set shell command: # onready = systemd-notify --ready # or a module with notify() method: # onready = keystone.common.systemd [sql] # The SQLAlchemy connection string used to connect to the database # connection = sqlite:///keystone.db # 此处为数据库参数,默认使用sqlite,并且指定数据库文件的存放位置,keystone.db表示在主目录下创建keystone.db文件,用于存放数据。也可以指定其他存储位置,例如sqlite:////var/lib/keystone/keystone.db。 # 当然也可以使用mysql,如mysql://root:123456@192.168.3.67/keystone,其中192.168.3.67为数据库地址,keystone为数据库名称,root为用户名,123456为访问密码。需要事先安装mysql,并且创建名为keystone的数据库,设置用户名密码。 # the timeout before idle sql connections are reaped # idle_timeout = 200 [identity] # driver = keystone.identity.backends.sql.Identity [catalog] # dynamic, sql-based backend (supports API/CLI-based management commands) # driver = keystone.catalog.backends.sql.Catalog # static, file-based backend (does *NOT* support any management commands) # driver = keystone.catalog.backends.templated.TemplatedCatalog # template_file = default_catalog.templates [token] # driver = keystone.token.backends.kvs.Token # Amount of time a token should remain valid (in seconds) # expiration = 86400 [policy] # driver = keystone.policy.backends.sql.Policy [ec2] # driver = keystone.contrib.ec2.backends.kvs.Ec2 [ssl] #enable = True #certfile = /etc/keystone/ssl/certs/keystone.pem #keyfile = /etc/keystone/ssl/private/keystonekey.pem #ca_certs = /etc/keystone/ssl/certs/ca.pem #cert_required = True [signing] # token_format = PKI # 此处需要特别注意,新版本中默认Token为PKI,因而需要为此设置PKI认证,较为麻烦,可改为UUID以方便使用,UUID是一个几十位的随机字符串。
token_format = UUID #certfile = /etc/keystone/ssl/certs/signing_cert.pem #keyfile = /etc/keystone/ssl/private/signing_key.pem #ca_certs = /etc/keystone/ssl/certs/ca.pem #key_size = 1024 #valid_days = 3650 #ca_password = None [ldap] # url = ldap://localhost # user = dc=Manager,dc=example,dc=com # password = None # suffix = cn=example,cn=com # use_dumb_member = False # allow_subtree_delete = False # dumb_member = cn=dumb,dc=example,dc=com # user_tree_dn = ou=Users,dc=example,dc=com # user_filter = # user_objectclass = inetOrgPerson # user_id_attribute = cn # user_name_attribute = sn # user_mail_attribute = email # user_pass_attribute = userPassword # user_enabled_attribute = enabled # user_enabled_mask = 0 # user_enabled_default = True # user_attribute_ignore = tenant_id,tenants # user_allow_create = True # user_allow_update = True # user_allow_delete = True # tenant_tree_dn = ou=Groups,dc=example,dc=com # tenant_filter = # tenant_objectclass = groupOfNames # tenant_id_attribute = cn # tenant_member_attribute = member # tenant_name_attribute = ou # tenant_desc_attribute = desc # tenant_enabled_attribute = enabled # tenant_attribute_ignore = # tenant_allow_create = True # tenant_allow_update = True # tenant_allow_delete = True # role_tree_dn = ou=Roles,dc=example,dc=com # role_filter = # role_objectclass = organizationalRole # role_id_attribute = cn # role_name_attribute = ou # role_member_attribute = roleOccupant # role_attribute_ignore = # role_allow_create = True # role_allow_update = True # role_allow_delete = True [filter:debug] paste.filter_factory = keystone.common.wsgi:Debug.factory [filter:token_auth] paste.filter_factory = keystone.middleware:TokenAuthMiddleware.factory [filter:admin_token_auth] paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory [filter:xml_body] paste.filter_factory = keystone.middleware:XmlBodyMiddleware.factory [filter:json_body] paste.filter_factory = keystone.middleware:JsonBodyMiddleware.factory [filter:user_crud_extension] paste.filter_factory = keystone.contrib.user_crud:CrudExtension.factory [filter:crud_extension] paste.filter_factory = keystone.contrib.admin_crud:CrudExtension.factory [filter:ec2_extension] paste.filter_factory = keystone.contrib.ec2:Ec2Extension.factory [filter:s3_extension] paste.filter_factory = keystone.contrib.s3:S3Extension.factory [filter:url_normalize] paste.filter_factory = keystone.middleware:NormalizingFilter.factory [filter:stats_monitoring] paste.filter_factory = keystone.contrib.stats:StatsMiddleware.factory [filter:stats_reporting] paste.filter_factory = keystone.contrib.stats:StatsExtension.factory [app:public_service] paste.app_factory = keystone.service:public_app_factory [app:service_v3] paste.app_factory = keystone.service:v3_app_factory [app:admin_service] paste.app_factory = keystone.service:admin_app_factory [pipeline:public_api] pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug ec2_extension user_crud_extension public_service [pipeline:admin_api] pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension crud_extension admin_service [pipeline:api_v3] pipeline = stats_monitoring url_normalize token_auth admin_token_auth xml_body json_body debug stats_reporting ec2_extension s3_extension service_v3 [app:public_version_service] paste.app_factory = keystone.service:public_version_app_factory [app:admin_version_service] paste.app_factory = keystone.service:admin_version_app_factory [pipeline:public_version_api] pipeline = stats_monitoring url_normalize xml_body public_version_service [pipeline:admin_version_api] pipeline = stats_monitoring url_normalize xml_body admin_version_service [composite:main] use = egg:Paste#urlmap /v2.0 = public_api /v3 = api_v3 / = public_version_api [composite:admin] use = egg:Paste#urlmap /v2.0 = admin_api /v3 = api_v3 / = admin_version_api |
2.6 查看Keystone帮助信息
在终端执行keystone-all --help、keystone-manage --help、keystone --help命令,即可查看Keystone的帮助信息。
执行keystone-all --help命令,查看Keystone服务端程序的帮助信息。
# keystone-all --help usage: keystone-all [-h] [--version] [--debug] [--nodebug] [--verbose] [--noverbose] [--use-syslog] [--nouse-syslog] [--standard-threads] [--nostandard-threads] [--pydev-debug-port PYDEV_DEBUG_PORT] [--config-file PATH] [--log-config PATH] [--log-format FORMAT] [--log-date-format DATE_FORMAT] [--log-file PATH] [--log-dir LOG_DIR] [--syslog-log-facility SYSLOG_LOG_FACILITY] [--pydev-debug-host PYDEV_DEBUG_HOST] [--config-dir DIR] optional arguments: -h, --help show this help message and exit --version show program's version number and exit --debug, -d Print debugging output (set logging level to DEBUG instead of default WARNING level). --nodebug The inverse of --debug --verbose, -v Print more verbose output (set logging level to INFO instead of default WARNING level). --noverbose The inverse of --verbose --use-syslog Use syslog for logging. --nouse-syslog The inverse of --use-syslog --standard-threads --nostandard-threads The inverse of --standard-threads --pydev-debug-port PYDEV_DEBUG_PORT --config-file PATH Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. The default files used are: ['/etc/keystone/keystone.conf'] --log-config PATH If this option is specified, the logging configuration file specified is used and overrides any other logging options specified. Please see the Python logging module documentation for details on logging configuration files. --log-format FORMAT A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. --log-date-format DATE_FORMAT Format string for %(asctime)s in log records. --log-file PATH Name of log file to output. If not set, logging will go to stdout. --log-dir LOG_DIR The directory in which to store log files. (will be prepended to --log-file) --syslog-log-facility SYSLOG_LOG_FACILITY syslog facility to receive log lines. --pydev-debug-host PYDEV_DEBUG_HOST --config-dir DIR Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are over-ridden. The set is parsed after the file(s), if any, specified via --config-file, hence over-ridden options in the directory take precedence. |
执行keystone-manage --help命令,查看Keystone管理程序的帮助信息。
# keystone-manage --help usage: keystone-manage [db_sync|export_legacy_catalog|import_legacy|import_nova_auth|pki_setup] optional arguments: -h, --help show this help message and exit --version show program's version number and exit --debug, -d Print debugging output (set logging level to DEBUG instead of default WARNING level). --nodebug The inverse of --debug --verbose, -v Print more verbose output (set logging level to INFO instead of default WARNING level). --noverbose The inverse of --verbose --use-syslog Use syslog for logging. --nouse-syslog The inverse of --use-syslog --standard-threads --nostandard-threads The inverse of --standard-threads --pydev-debug-port PYDEV_DEBUG_PORT --config-file PATH Path to a config file to use. Multiple config files can be specified, with values in later files taking precedence. The default files used are: ['/etc/keystone/keystone.conf'] --log-config PATH If this option is specified, the logging configuration file specified is used and overrides any other logging options specified. Please see the Python logging module documentation for details on logging configuration files. --log-format FORMAT A logging.Formatter log message format string which may use any of the available logging.LogRecord attributes. --log-date-format DATE_FORMAT Format string for %(asctime)s in log records. --log-file PATH Name of log file to output. If not set, logging will go to stdout. --log-dir LOG_DIR The directory in which to store log files. (will be prepended to --log-file) --syslog-log-facility SYSLOG_LOG_FACILITY syslog facility to receive log lines. --pydev-debug-host PYDEV_DEBUG_HOST --config-dir DIR Path to a config directory to pull *.conf files from. This file set is sorted, so as to provide a predictable parse order if individual options are over-ridden. The set is parsed after the file(s), if any, specified via --config-file, hence over-ridden options in the directory take precedence. Commands: {db_sync,export_legacy_catalog,import_legacy,import_nova_auth,pki_setup} Available commands db_sync Sync the database. export_legacy_catalog Export the service catalog from a legacy database. import_legacy Import a legacy database. import_nova_auth Import a dump of nova auth data into keystone. pki_setup Set up Key pairs and certificates for token signing and verification. |
执行keystone --help命令,查看Keystone客户端程序的帮助信息。
# keystone --help usage: keystone [--version] [--timeout <seconds>] [--os-username <auth-user-name>] [--os-password <auth-password>] [--os-tenant-name <auth-tenant-name>] [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>] [--os-region-name <region-name>] [--os-identity-api-version <identity-api-version>] [--os-token <service-token>] [--os-endpoint <service-endpoint>] [--os-cacert <ca-certificate>] [--insecure] [--os-cert <certificate>] [--os-key <key>] [--os-cache] [--force-new-token] [--stale-duration <seconds>] <subcommand> ... Command-line interface to the OpenStack Identity API. Positional arguments: <subcommand> catalog ec2-credentials-create Create EC2-compatible credentials for user per tenant ec2-credentials-delete Delete EC2-compatible credentials ec2-credentials-get Display EC2-compatible credentials ec2-credentials-list List EC2-compatible credentials for a user endpoint-create Create a new endpoint associated with a service endpoint-delete Delete a service endpoint endpoint-get endpoint-list List configured service endpoints password-update Update own password role-create Create new role role-delete Delete role role-get Display role details role-list List all roles service-create Add service to Service Catalog service-delete Delete service from Service Catalog service-get Display service from Service Catalog service-list List all services in Service Catalog tenant-create Create new tenant tenant-delete Delete tenant tenant-get Display tenant details tenant-list List all tenants tenant-update Update tenant name, description, enabled status token-get user-create Create new user user-delete Delete user user-get Display user details. user-list List users user-password-update Update user password user-role-add Add role to user user-role-list List roles granted to a user user-role-remove Remove role from user user-update Update user's name, email, and enabled status discover Discover Keystone servers, supported API versions and extensions. bootstrap Grants a new role to a new user on a new tenant, after creating each. bash-completion Prints all of the commands and options to stdout. help Display help about this program or one of its subcommands. Optional arguments: --version Shows the client version and exits --timeout <seconds> Set request timeout (in seconds) --os-username <auth-user-name> Name used for authentication with the OpenStack Identity service. Defaults to env[OS_USERNAME] --os-password <auth-password> Password used for authentication with the OpenStack Identity service. Defaults to env[OS_PASSWORD] --os-tenant-name <auth-tenant-name> Tenant to request authorization on. Defaults to env[OS_TENANT_NAME] --os-tenant-id <tenant-id> Tenant to request authorization on. Defaults to env[OS_TENANT_ID] --os-auth-url <auth-url> Specify the Identity endpoint to use for authentication. Defaults to env[OS_AUTH_URL] --os-region-name <region-name> Defaults to env[OS_REGION_NAME] --os-identity-api-version <identity-api-version> Defaults to env[OS_IDENTITY_API_VERSION] or 2.0 --os-token <service-token> Specify an existing token to use instead of retrieving one via authentication (e.g. with username & password). Defaults to env[OS_SERVICE_TOKEN] --os-endpoint <service-endpoint> Specify an endpoint to use instead of retrieving one from the service catalog (via authentication). Defaults to env[OS_SERVICE_ENDPOINT] --os-cacert <ca-certificate> Specify a CA bundle file to use in verifying a TLS (https) server certificate. Defaults to env[OS_CACERT] --insecure Explicitly allow keystoneclient to perform "insecure" TLS (https) requests. The server's certificate will not be verified against any certificate authorities. This option should be used with caution. --os-cert <certificate> Defaults to env[OS_CERT] --os-key <key> Defaults to env[OS_KEY] --os-cache Use the auth token cache. Defaults to env[OS_CACHE] --force-new-token If the keyring is available and in use, token will always be stored and fetched from the keyring until the token has expired. Use this option to request a new token and replace the existing one in the keyring. --stale-duration <seconds> Stale duration (in seconds) used to determine whether a token has expired when retrieving it from keyring. This is useful in mitigating process or network delays. Default is 30 seconds. See "keystone help COMMAND" for help on a specific command. |
2.7 同步数据库并运行Keystone
同步数据库schema,Keystone会自动连接数据库,完成Table创建等工作。
# keystone-manage db_sync |
然后,sqlite3数据库会创建文件~/keystone.db(视上文中的配置文件而定),我们可以查看数据库中的Table。首先使用sqlite3 ~/keystone.db命令打开数据库,然后使用.table命令查看所有Table,包括Tenant、User、Role、Service、Endpoint等。
# sqlite3 ~/keystone.db SQLite version 3.7.7 2011-06-23 19:49:22 Enter ".help" for instructions Enter SQL statements terminated with a ";" sqlite> .table credential migrate_version token domain policy user ec2_credential role user_domain_metadata endpoint service user_tenant_membership metadata tenant sqlite>.exit # |
至此,我们已经成功地完成了Keystone服务的安装与配置,完事具备,可以启动Keystone服务了。
# keystone-all |
2.8 导入环境变量
为了访问Keystone服务,客户端需要导入环境变量,当然也可以选择在执行访问Keystone的命令时加上相关参数。在本文档所描述的部署环境中,Keystone客户端与服务端处在同一台PC上。导入环境变量的方式有两种:
1. 在终端使用export命令,这种方式使得该环境变量的有效范围仅限于本终端。
# export SERVICE_TOKEN=ADMIN # export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0 |
这里需要解释一下:
- “SERVICE_ENDPOINT”是Keystone的Endpoint,即API入口。其中,“192.168.3.67”为安装Keystone服务的机器的IP,“35357”为Keystone提供的认证授权和系统管理服务监听的端口(通常为内网),用户需要访问该端口来进行管理员操作,如创建删除Tenant、User、Role、Service、Endpoint等,这在《配置Keystone》章节中已进行了说明。
- “SERVICE_TOKEN”就是Keystone服务的Token,在《配置Keystone》章节中也已进行了说明。
2. 修改~/.bashrc文件,在文件尾部添加如下内容。(该文件包含当前用户Bash Shell的环境变量信息)
export SERVICE_TOKEN=ADMIN export SERVICE_ENDPOINT=http://192.168.3.67:35357/v2.0 |
然后执行如下命令,以使修改生效。一旦生效,终生有效哦亲!
# . ~/.bashrc |
针对上述环境变量作如下说明:
- SERVICE_TOKEN变量表示访问Keystone服务时使用的Token,与配置文件keystone.conf中的信息相对应,默认为ADMIN。
- SERVICE_ENDPOINT变量表示Keystone服务的接入口,其中IP地址表明Keystone服务的安装位置,35357为默认访问端口。
于是,客户端就可以使用名为ADMIN的Token,通过给定的访问地址http://192.168.3.67:35357/v2.0来访问Keystone服务了。
3. 使用实例
3.1 初次查看Keystone中的信息
首先,我们分别执行以下命令,通过访问Keystone服务来查看几个重要数据库Table的内容,包括Tenant、User、Role、Service和Endpoint。当然,结果必然是空的,因为我们还没有添加任何Tenant、User、Role、Service以及Endpoint,但结果已经证明Keystone已经在正常工作了。
# keystone tenant-list |
# keystone user-list |
# keystone role-list |
# keystone service-list |
# keystone endpoint-list |
3.2 手动添加自定义的信息
下面,我们将按照自己的要求来手动添加Tenant、User、Role、Service、Endpoint等信息。
我们将创建名称为adminTenant的Tenant(租户)、名称为admin的User(用户)以及名称为adminRole的Role(角色),并将它们关联起来。最终的结果表现为:一个名叫admin的用户,其拥有名为adminRole的角色身份,并且能够使用名为adminTennant的租户。
1. 创建Tenant,租户名为adminTenant,描述信息为Admin Tenant。请记住该命令生成的Tenant id,下面添加User时需要用到。
# keystone tenant-create --name adminTenant --description "Admin Tenant" --enabled true |
+-------------+----------------------------------+ | Property | Value | +-------------+----------------------------------+ | description | Admin Tenant | | enabled | True | | id | 4803098ff0b44f13bb33e7c9665e59d4 | | name | adminTenant | +-------------+----------------------------------+ |
2. 创建User,用户名为admin,密码为openstack。请记住该命令生成的User id,下面的关联命令需要用到。
# keystone user-create --tenant_id 4803098ff0b44f13bb33e7c9665e59d4 --name admin --pass openstack --enabled true |
+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | email | | | enabled | True | | id | c2c40638681041aca9625869c260ba51 | | name | admin | | tenantId | 4803098ff0b44f13bb33e7c9665e59d4 | +----------+----------------------------------+ |
3. 创建Role,角色名为adminRole。请记住该命令生成的Role id,下面的关联命令需要用到。
# keystone role-create --name adminRole |
+----------+----------------------------------+ | Property | Value | +----------+----------------------------------+ | id | 675c497fdf314e74a3f4bd6e1710d45d | | name | adminRole | +----------+----------------------------------+ |
至此,我们已经创建了一个Ttenant,一个Uuser以及一个Rrole,它们的id分别是:
tenant_id:4803098ff0b44f13bb33e7c9665e59d4 user_id:c2c40638681041aca9625869c260ba51 role_id:675c497fdf314e74a3f4bd6e1710d45d |
4. 最后,我们要使用上述三个id,并通过下面的命令来将三者关联起来。
# keystone user-role-add --user-id c2c40638681041aca9625869c260ba51 --tenant-id 4803098ff0b44f13bb33e7c9665e59d4 --role-id 675c497fdf314e74a3f4bd6e1710d45d |
此时,让我们再使用list命令查看一下Tenant、User、Role、Service和Endpoint的信息。
# keystone tenant-list |
+----------------------------------+-------------+---------+ | id | name | enabled | +----------------------------------+-------------+---------+ | 4803098ff0b44f13bb33e7c9665e59d4 | adminTenant | True | +----------------------------------+-------------+---------+ |
# keystone user-list |
+----------------------------------+-------+---------+-------+ | id | name | enabled | email | +----------------------------------+-------+---------+-------+ | c2c40638681041aca9625869c260ba51 | admin | True | | +----------------------------------+-------+---------+-------+ |
# keystone role-list |
+----------------------------------+-----------+ | id | name | +----------------------------------+-----------+ | 675c497fdf314e74a3f4bd6e1710d45d | adminRole | +----------------------------------+-----------+ |
# keystone service-list |
# keystone endpoint-list |
3.3 访问Keystone获取Token
上面已经完成了Tenant、User和Role的创建,并将三者关联起来,于是我们就可以使用User的用户名和密码来访问Keystone,获取用于访问Tenant的Token了。我们将使用curl命令来访问Keyston以获取授权,该命令需要给定四个参数,即tenantName(租户名)、username(用户名)、password(用户密码)以及认证授权申请地址(http://192.168.3.67:35357/v2.0/tokens或http://192.168.3.67:5000/v2.0/tokens都可以)。此外,返回信息会以json格式展现。
先尝试使用错误的密码进行访问,结果获取授权失败。返回信息中给出了相关错误提示信息。
# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "xxx"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool |
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 219 100 116 100 103 2547 2262 --:--:-- --:--:-- --:--:-- 2577 { "error": { "code": 401, "message": "The request you have made requires authentication.", "title": "Not Authorized" } } |
然后使用正确的密码访问(http://192.168.3.67:35357/v2.0/tokens),结果成功获取授权。返回信息中包含了我们所需的Token,同时也显示了与本次请求相关的Tenant、User以及Role的信息。我们可以看到,Token的id为55e9889a646e467693f2e11b58ccf78d,其授权通过的时间为2013-03-15T12:42:00.096694,其授权过期的时间为2013-03-16T12:42:00Z。
# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:35357/v2.0/tokens | python -mjson.tool |
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 618 100 509 100 109 8811 1886 --:--:-- --:--:-- --:--:-- 8929 { "access": { "metadata": { "is_admin": 0, "roles": [ "675c497fdf314e74a3f4bd6e1710d45d" ] }, "serviceCatalog": [], "token": { "expires": "2013-03-16T12:42:00Z", "id": "55e9889a646e467693f2e11b58ccf78d", "issued_at": "2013-03-15T12:42:00.096694", "tenant": { "description": "Admin Tenant", "enabled": true, "id": "4803098ff0b44f13bb33e7c9665e59d4", "name": "adminTenant" } }, "user": { "id": "c2c40638681041aca9625869c260ba51", "name": "admin", "roles": [ { "name": "adminRole" } ], "roles_links": [], "username": "admin" } } } |
再试一下认证授权地址http://192.168.3.67:5000/v2.0/tokens,同样成功获取授权。
# curl -d '{"auth": {"tenantName": "adminTenant", "passwordCredentials":{"username": "admin", "password": "openstack"}}}' -H "Content-type: application/json" http://192.168.3.67:5000/v2.0/tokens | python -mjson.tool |
% Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 618 100 509 100 109 9030 1933 --:--:-- --:--:-- --:--:-- 9254 { "access": { "metadata": { "is_admin": 0, "roles": [ "675c497fdf314e74a3f4bd6e1710d45d" ] }, "serviceCatalog": [], "token": { "expires": "2013-04-05T07:36:56Z", "id": "bfe30305790c46e2a4b5bfc80060246b", "issued_at": "2013-04-04T07:36:56.283627", "tenant": { "description": "Admin Tenant", "enabled": true, "id": "4803098ff0b44f13bb33e7c9665e59d4", "name": "adminTenant" } }, "user": { "id": "c2c40638681041aca9625869c260ba51", "name": "admin", "roles": [ { "name": "adminRole" } ], "roles_links": [], "username": "admin" } } } |
上述使用实例阐述了Keystone的基本操作,并且表明Keystone正确地为我们提供了身份验证与授权服务。以后的文档将延续该主题,介绍Keystone与Swift的联合部署,我们将使用Keystone为Swift提供身份验证与授权服务。
4. 参考链接
4.1 官方链接
- Installing Keystone
http://docs.openstack.org/developer/keystone/installing.html
- Setting up a Keystone development environment
http://docs.openstack.org/developer/keystone/setup.html
- Configuring Keystone
http://docs.openstack.org/developer/keystone/configuration.html
- keystone.conf
http://docs.openstack.org/trunk/openstack-compute/install/yum/content/keystone-conf-file.html
- Setting up tenants, users, and roles
http://docs.openstack.org/trunk/openstack-compute/install/yum/content/setting-up-tenants-users-and-roles.html
- OpenStack/Keystone - GitHub
https://github.com/openstack/keystone
4.2 非官方链接
- OpenStack Hands on lab 1: Keystone安装
http://liangbo.me/index.php/2012/03/27/11/
- OpenStack安装 - keystone
http://articles.csdn.net/shangwuzhuanqu/OpenStackzhuanqu/jishufenxiangyemia/2012/0820/2808852.html
- OpenStack Essex版安装 - keystone
http://blog.csdn.net/nocturne1210/article/details/7877307
- OpenStack Keystone的理解
http://blog.csdn.net/xiangmin2587/article/details/8224042
- OpenStack Identity(Keystone)身份服务体系结构与中间件
http://blog.sina.com.cn/s/blog_6a9ae9e501014w3p.html
- OpenStack Keystone install - border / keystone.conf
https://gist.github.com/border/4070200
- OpenStack云第三天
http://www.linuxidc.com/Linux/2012-12/75424.htm
OpenStack Keystone安装部署流程的更多相关文章
- 完整的 LDAP + phpLDAPadmin安装部署流程 (ubuntu18.04)
LDAP 安装部署以及基础使用 因工作需求需要使用ldap管理用户权限,在踩了一系列坑之后,总结了一些流畅的文档,希望可以帮到和曾经的我一样迷茫的人. 基础环境:Ubuntu 18.04 一.安装 r ...
- GeoServer安装部署流程
1.双击geoserver-2.13.0.exe进行安装,点击Next进行下一步 2.GeoServer遵循GPL许可,点击I agree继续 3.选择要安装的程序文件目录,点击Next继续 4.点击 ...
- OpenStack Swift集群部署流程与简单使用
之前介绍了<OpenStack Swift All In One安装部署流程与简单使用>,那么接下来就说一说Swift集群部署吧. 1. 简介 本文档详细描述了使用两台PC部署一个小型Sw ...
- hadoop入门(3)——hadoop2.0理论基础:安装部署方法
一.hadoop2.0安装部署流程 1.自动安装部署:Ambari.Minos(小米).Cloudera Manager(收费) 2.使用RPM包安装部署:Apache ...
- flask+uwsgi+supervisor部署流程
背景: 小鱼最近搞了个工程,python用的2.7(用3也可以),后端使用的是flask,服务器用的linux,使用 flask+uwsgi+supervisor部署 ,查阅相关博客.调试.实操,已经 ...
- CentOS7.4安装部署openstack [Liberty版] (二)
继上一篇博客CentOS7.4安装部署openstack [Liberty版] (一),本篇继续讲述后续部分的内容 一.添加块设备存储服务 1.服务简述: OpenStack块存储服务为实例提供块存储 ...
- (原创)OpenStack服务如何使用Keystone (二)---部署和配置Keystone中间件
(一)Keystone端的操作 (二)如何在OpenStack服务上部署Keystone中间件 (三)详细配置keystonemiddleware 部署OpenStack时一般先安装Keystone服 ...
- Ubuntu 14.04 LTS 安装 Juno 版 OpenStack Keystone
本文介绍如何在Ubuntu 14.04 LTS 上安装Juno版的Keystone, 我们采用的是手动安装的方式, 同时仅针对OpenStack的身份与访问管理系统Keystone. 事实上OpenS ...
- 4 云计算系列之Openstack简介与keystone安装
preface KVM 是openstack虚拟化的基础, 再介绍了kvm虚拟化技术之后,我们介绍下openstack和如何搭建. Openstack组件 openstack架构图如下所示 那么我们就 ...
随机推荐
- 锋利的jQuery-7--编写插件基础知识
插件的基本要点: 1.命名推荐:jquery.[插件名].js,避免和其他js库插件混淆. 2.对象方法附加到:jQuery.fn上,全局函数附加到:jQuery对象本身. 3.在插件内部,this指 ...
- TFS2008解除独占式锁定文件命令(转载)
使用场景:如果项目团队成员A对项目某个文件以独占式方式签出,恰好那天该成员A没有来上班而成员需要对此文件进入修改并check in,这时需要先把A对该文件的锁定解除.没有IDE可以使用,只能使用下面的 ...
- SQL Server 2005导入Excel表问题
EXCEL导入到SQL Server经常出现“文本被截断,或者一个或多个字符在目标代码页中没有匹配项” 原因: SQL Server的导入导出为了确定数据表的字段类型,取excel文件的前8行来判别. ...
- ICMP Internet控制报文协议
ICMP是(Internet Control Message Protocol)Internet控制报文协议.它是TCP/IP协议族的一个子协议,用于在IP主机.路由器之间传递控制消息.控制消息是指网 ...
- vim设置语法高亮
在vim安装目录中的_vimrc修改,加上以下的代码. set nu! colorscheme desert syntax enable syntax on
- Java EE学习--Quartz基本用法
新浪博客完全不适合写技术类文章.本来是想找一个技术性的博客发发自己最近学的东西,发现博客园起源于咱江苏,一个非常质朴的网站,行,咱要养成好习惯,以后没事多总结总结经验吧.很多时候都在网上搜索别人的总结 ...
- MATLAB对话框设计[转]
Matlab之对话框 对话框设计:在图形用户界面程序设计中,对话框是重要的信息显示和获取输入数据的用户界面对象. 1.公共对话框: 公共对话框是利用windows资源的对话框,包括文件打开.文件保存. ...
- PHP error_log() 函数
定义和用法 error_log() 函数向服务器错误记录.文件或远程目标发送一个错误. 若成功,返回 true,否则返回 false. 语法 error_log(error,type,destinat ...
- TASKKILL命令使用大全
Mr.Savin Mr.Savin 2009-08-07 183315TASKKILL [S system [U username [P [password]] { [FI filter] [PID ...
- [Effective JavaScript 笔记]第35条:使用闭包存储私有数据
js的对象系统并没有特别鼓励或强制信息隐藏.所有的属性名都是一个字符串,任意一个程序都可以简单地通过访问属性名来获取相应的对象属性.例如,for...in循环.ES5的Object.keys()和Ob ...