
openstack之keystone

keystone在openstack中充当认证服务

用户与认证:用户权限和用户行为跟踪

服务目录:提供一个服务目录,包括所有服务项和API端点


1、安装keystone

yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached -y


[root@controller ~]# systemctl enable memcached.service

Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.

[root@controller ~]# systemctl start memcached.service


2、配置keystone配置文件

[root@controller keystone]#  grep -n  "^[a-Z]" /etc/keystone/keystone.conf

12:admin_token = ADMIN

107:verbose = true

495:connection = mysql://keystone:keystone@172.16.80.130/keystone

1313:servers = 172.16.80.130:11211

1718:driver = sql

1911:provider = uuid

1916:driver = memcache


3、导入数据库

[root@controller keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone  

4、检查导入结果

[root@controller keystone]# mysql -e 'use keystone;show tables;'

+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| mapping                |
| migrate_version        |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+

5、配置keystone的http服务

[root@controller ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller

[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
# Keystone served through Apache mod_wsgi: two listeners, one per API.
# 5000 is the public API and 35357 the admin API; the endpoints registered
# later in this page (public/internal -> 5000, admin -> 35357) point here.
Listen 5000
Listen 35357

# Public API. *:5000 binds on every interface.
<VirtualHost *:5000>
    # The WSGI daemon runs as the keystone user/group rather than the httpd
    # user; 5 single-threaded processes.
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    # Every URL under / is handled by the public WSGI entry point.
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    # %{GLOBAL}: run in the main Python interpreter, not a sub-interpreter.
    WSGIApplicationGroup %{GLOBAL}
    # Hand the HTTP Authorization header through to keystone (the mod_wsgi
    # default is Off, which withholds it from the application).
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    # Both vhosts write to the same error and access logs.
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    # Lets Apache access the directory that holds the WSGI script.
    # NOTE(review): this covers all of /usr/bin; only the aliased script is
    # mapped above, so nothing else should be reachable through this vhost
    # -- confirm no other Alias/DocumentRoot points into /usr/bin.
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

# Admin API. Same layout as the public vhost with its own process group and
# WSGI script. *:35357 also binds every interface; the page later reaches it
# via OS_URL / OS_AUTH_URL, so whether it should be reachable from outside
# the controller is a deployment choice to confirm (firewall rules).
<VirtualHost *:35357>
    # Separate daemon process group for the admin API, again as keystone:keystone.
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    # Every URL under / is handled by the admin WSGI entry point.
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    # Shared with the public vhost; entries from both APIs land in one file.
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    # Same /usr/bin access grant as above; the same review note applies.
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl start httpd.service

6、注册keystone api服务,创建project.user,role

[root@controller ~]# export OS_TOKEN=ADMIN
[root@controller ~]# export OS_URL=http://172.16.80.130:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3

[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | a5c2ef28a5d5402195e761761f438b15 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

创建三种类型的endpoint:public(对外可见)、internal(内部使用)、admin(管理使用)
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://172.16.80.130:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0c199cc25852452d8b4a428edd4af515 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.16.80.130:5000/v2.0   |
+--------------+----------------------------------+
[root@controller ~]# 
[root@controller ~]#  openstack endpoint create --region RegionOne identity internal http://172.16.80.130:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 09a1cd321fd64049980096e7a940f6f8 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.16.80.130:5000/v2.0   |
+--------------+----------------------------------+
[root@controller ~]# 
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://172.16.80.130:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1b875e33729a4ea4aa9f1e3f5d28bfd1 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.16.80.130:35357/v2.0  |
+--------------+----------------------------------+


7、创建admin项目

[root@controller ~]# openstack project create --domain default   --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]# 
[root@controller ~]# openstack user create --domain default --password-prompt admin 
User Password:  密码设定为123456
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | d1ea9577f35247a794f92598fbb6cd00 |
| name      | admin                            |
+-----------+----------------------------------+

[root@controller ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 0e98eecac3e94b22a51404a79848bdb7 |
| name  | admin                            |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project admin --user admin admin

8、创建一个普通用户demo、demo项目,角色为普通用户(user)

[root@controller ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 3653ec22551f472b94e9438bcd9097bf |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password=demo demo
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | da1ed7fb5f494091a633afd6da29f900 |
| name      | demo                             |
+-----------+----------------------------------+
[root@controller ~]# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 770c40490791437d97481465f8dd7251 |
| name  | user                             |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project demo --user demo user

创建项目service
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 38e8f9eb1cb44d428f589703e663d995 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+


9、验证相关

[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| d1ea9577f35247a794f92598fbb6cd00 | admin |
| da1ed7fb5f494091a633afd6da29f900 | demo  |
+----------------------------------+-------+
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 3653ec22551f472b94e9438bcd9097bf | demo    |
| 38e8f9eb1cb44d428f589703e663d995 | service |
| 8a3b7f9f1b2c4f7eaf7780d268e672d1 | admin   |
+----------------------------------+---------+
[root@controller ~]# openstack role list   
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 0e98eecac3e94b22a51404a79848bdb7 | admin |
| 770c40490791437d97481465f8dd7251 | user  |
+----------------------------------+-------+
[root@controller ~]# 
[root@controller ~]# 
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                             |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| 09a1cd321fd64049980096e7a940f6f8 | RegionOne | keystone     | identity     | True    | internal  | http://172.16.80.130:5000/v2.0  |
| 0c199cc25852452d8b4a428edd4af515 | RegionOne | keystone     | identity     | True    | public    | http://172.16.80.130:5000/v2.0  |
| 1b875e33729a4ea4aa9f1e3f5d28bfd1 | RegionOne | keystone     | identity     | True    | admin     | http://172.16.80.130:35357/v2.0 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
[root@controller ~]# 
[root@controller ~]# 
[root@controller ~]# unset OS_TOKEN
[root@controller ~]#  unset OS_URL

[root@controller ~]#  openstack --os-auth-url http://172.16.80.130:35357/v3 \
>   --os-project-domain-id default --os-user-domain-id default \
>   --os-project-name admin --os-username admin --os-auth-type password \
>   token issue
Password: 
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-29T17:53:21.237891Z      |
| id         | 1d3fc859a41848a7a4af688e3f9efcd0 |
| project_id | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| user_id    | d1ea9577f35247a794f92598fbb6cd00 |
+------------+----------------------------------+


10、创建环境变量

[root@controller ~]# cat admin-openrc.sh 
# admin-openrc.sh -- environment for running the openstack CLI as the admin
# user against the admin API (35357, Identity v3). Source it; do not execute.
# NOTE: OS_PASSWORD is stored here in plaintext. Keep this file mode 0600 and
# out of version control; anyone who can read it holds the admin credential.
OS_PROJECT_DOMAIN_ID="default"
OS_USER_DOMAIN_ID="default"
OS_PROJECT_NAME="admin"
OS_TENANT_NAME="admin"        # same value as OS_PROJECT_NAME, kept for clients that read the older name
OS_USERNAME="admin"
OS_PASSWORD="123456"
OS_AUTH_URL="http://172.16.80.130:35357/v3"
OS_IDENTITY_API_VERSION="3"
export OS_PROJECT_DOMAIN_ID OS_USER_DOMAIN_ID OS_PROJECT_NAME OS_TENANT_NAME \
  OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION
[root@controller ~]# 
[root@controller ~]# cat demo-openrc.sh 
# demo-openrc.sh -- environment for running the openstack CLI as the demo
# user against the public API (5000, Identity v3). Source it; do not execute.
# NOTE: OS_PASSWORD is stored here in plaintext. Keep this file mode 0600 and
# out of version control.
OS_PROJECT_DOMAIN_ID="default"
OS_USER_DOMAIN_ID="default"
OS_PROJECT_NAME="demo"
OS_TENANT_NAME="demo"         # same value as OS_PROJECT_NAME, kept for clients that read the older name
OS_USERNAME="demo"
OS_PASSWORD="demo"
OS_AUTH_URL="http://172.16.80.130:5000/v3"
OS_IDENTITY_API_VERSION="3"
export OS_PROJECT_DOMAIN_ID OS_USER_DOMAIN_ID OS_PROJECT_NAME OS_TENANT_NAME \
  OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION
[root@controller ~]# 
[root@controller ~]# source admin-openrc.sh 
[root@controller ~]# 
[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-29T18:00:54.127266Z      |
| id         | 2e9bfe2f30b941e391a987784ad31daf |
| project_id | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| user_id    | d1ea9577f35247a794f92598fbb6cd00 |
+------------+----------------------------------+
[root@controller ~]# 
[root@controller ~]# 
[root@controller ~]# source demo-openrc.sh 
[root@controller ~]# 
[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-29T18:01:05.293502Z      |
| id         | f2b7f727e4d74aa88a315012f6f7d1f0 |
| project_id | 3653ec22551f472b94e9438bcd9097bf |
| user_id    | da1ed7fb5f494091a633afd6da29f900 |
+------------+----------------------------------+


本文出自 “厚德载物” 博客,谢绝转载!
