4-openstack之keystone下
4.1 查看修改的keystone的配置文件
[root@linux-node1 ~]# grep -En '^[a-Z]' /etc/keystone/keystone.conf
152:debug = true    #default模块
17:admin_token = 0eed56d434cbac30394c    #DEFAULT模块,token机制
640:connection = mysql://keystone:keystone@192.168.56.11/keystone    #database模块,认证数据库所在的地址
1472:servers = 192.168.56.11:11211    #memcache模块,token存放的地址
2294:driver = sql    #revoke模块
2655:provider = uuid    #token模块
2665:driver = memcache    #token模块
4.2 启动memcache服务
[root@linux-node1 ~]# systemctl start memcached.service
[root@linux-node1 ~]# systemctl enable memcached.service
4.3配置keystone的web界面,通过apache代理python
4.3.1 apache的主配置文件
[root@linux-host1 ~]# vim /etc/httpd/conf/httpd.conf
95 ServerName 192.168.10.11:80
4.3.2增加配置文件
[root@linux-host1 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
4.3.3 启动httpd服务
[root@linux-node1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@linux-node1 ~]# systemctl restart httpd
4.4.4 查看启动的结果
Keystone的端口是5000和35357:5000供外部访问,35357是管理端口
[root@linux-node1 ~]# netstat -lntup | grep httpd
tcp6       0      0 :::80        :::*        LISTEN      17731/httpd
tcp6       0      0 :::35357     :::*        LISTEN      17731/httpd
tcp6       0      0 :::5000      :::*        LISTEN      17731/httpd
4.5 创建keystone的域 项目 角色 用户
keystone默认没有管理员用户,因此先用配置文件里自己设置的admin_token登录,完成下面的初始化设置
4.5.1 设置环境变量
[root@linux-node1 bin]# export OS_TOKEN=0eed56d434cbac30394c
[root@linux-node1 bin]# export OS_URL=http://192.168.56.11:35357/v3
[root@linux-node1 bin]# export OS_IDENTITY_API_VERSION=3
4.5.2 首先查看下用户
查看有哪些用户(没有) [root@linux-node1bin]# openstack user list [root@linux-node1bin]#
4.5.3 创建默认的域
[root@linux-node1bin]# openstack domain create --description "Default Domain" default +-------------+----------------------------------+ |Field | Value | +-------------+----------------------------------+ |description | Default Domain | |enabled | True | | id | d1d9728ef1d64905b1ebf54982dc7991 | |name | default | +-------------+----------------------------------+ [root@linux-node1bin]#
4.5.4 创建项目
[root@linux-node1 bin]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | d1d9728ef1d64905b1ebf54982dc7991 |
| enabled     | True                             |
| id          | 83504041aae94275a03600bb38e9f43a |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | d1d9728ef1d64905b1ebf54982dc7991 |
+-------------+----------------------------------+
4.5.4 创建一个角色
[root@linux-node1bin]# openstack role create admin +-----------+----------------------------------+ |Field | Value | +-----------+----------------------------------+ |domain_id | None | | id | 0d07754d4422483a87285c2eaf7216ed | |name | admin | +-----------+----------------------------------+ [root@linux-node1bin]#
4.5.5 创建一个用户
openstack user create --domain default --password-prompt admin
4.5.6 将admin用户授予admin项目的admin角色,即给admin项目添加一个用户叫admin,并将其添加至admin角色,角色是权限的一种集合
[root@linux-node1bin]# openstack role add --project admin --user admin admin
4.7 demo用户
4.7.1 demo项目创建
[root@linux-node1 bin]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | d1d9728ef1d64905b1ebf54982dc7991 |
| enabled     | True                             |
| id          | 553af6a94bb64d918c21cfe7b84bd4fe |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | d1d9728ef1d64905b1ebf54982dc7991 |
+-------------+----------------------------------+
[root@linux-node1 bin]#
4.7.2 user 角色
[root@linux-node1 bin]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 1064c9c2f8e44c6f87daa05eda7a418d |
| name      | user                             |
+-----------+----------------------------------+
4.7.3 demo用户
[root@linux-node1 bin]# openstack user create --domain default --password-prompt demo User Password: Repeat User Password: +---------------------+----------------------------------+ | Field | Value | +---------------------+----------------------------------+ | domain_id | d1d9728ef1d64905b1ebf54982dc7991 | | enabled | True | | id | ce8d50b126b446bcbbf948bfa6c78ddd | | name | demo | | password_expires_at | None | +---------------------+----------------------------------+
4.7.4 把demo用户赋予user的角色,添加到demo项目里面
[root@linux-node1 bin]# openstack role add --project demo --user demo user
4.7.5 查看用户
[root@linux-node1 ~]# openstack user list +----------------------------------+-------+ | ID | Name | +----------------------------------+-------+ | 49f7496df3da4892b78903021b733541 | admin | | ce8d50b126b446bcbbf948bfa6c78ddd | demo | +----------------------------------+-------+ [root@linux-node1 ~]# [root@linux-node1 ~]#
4.7.6 查看角色
[root@linux-node1 ~]# openstack role list +----------------------------------+-------+ | ID | Name | +----------------------------------+-------+ | 0d07754d4422483a87285c2eaf7216ed | admin | | 1064c9c2f8e44c6f87daa05eda7a418d | user | +----------------------------------+-------+ [root@linux-node1 ~]#
4.7.7 查看项目
[root@linux-node1 ~]# openstack project list +----------------------------------+---------+ | ID | Name | +----------------------------------+---------+ | 553af6a94bb64d918c21cfe7b84bd4fe | demo | | 83504041aae94275a03600bb38e9f43a | admin | | 8437cbb8cd8d4982bedb6ef944d9423b | service | +----------------------------------+---------+ [root@linux-node1 ~]#
4.8 keystone本身也会往keystone注册
创建keystone服务
[root@linux-node1 bin]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | fb736ae810e44272956dfd24307aa903 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
4.9 keystone管理
4.9.1 公共管理点,可以是公网的IP
[root@linux-node1 bin]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v3 +--------------+----------------------------------+ | Field | Value | +--------------+----------------------------------+ | enabled | True | | id | c1a69a3fc8494e839dea7d1f13b06815 | | interface | public | | region | RegionOne | | region_id | RegionOne | | service_id | fb736ae810e44272956dfd24307aa903 | | service_name | keystone | | service_type | identity | | url | http://192.168.56.11:5000/v3 | +--------------+----------------------------------+
4.9.2 内部的管理点
[root@linux-node1 bin]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | ce3c353e9e924f32bcbc15af2c3169d4 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fb736ae810e44272956dfd24307aa903 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+
4.9.3 管理员节点
[root@linux-node1 bin]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c57c406393104470860775514fe601c3 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fb736ae810e44272956dfd24307aa903 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:35357/v3    |
+--------------+----------------------------------+
4.9.5 查看所有节点
[root@linux-node1 ~]# openstack endpoint list +----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+ | ID | Region | Service Name | Service Type | Enabled | Interface | URL | +----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+ | 2c3b5ab42845453e82cc47945a447667 | RegionOne | keystone | identity | True | public | http://192.168.56.11:5000/v3 | | ac8478dc89ce4368932fcdab58d84747 | RegionOne | keystone | identity | True | admin | http://192.168.56.11:35357/v3 | | ce3c353e9e924f32bcbc15af2c3169d4 | RegionOne | keystone | identity | True | internal | http://192.168.56.11:5000/v3 | | fd0f6d73af444e67b322b047d060c783 | RegionOne | keystone | identity | True | admin | http://192.168.56.11:35357/v3 | +----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+ [root@linux-node1 ~]#
备注:如果后边发现添加错了,可以用 openstack endpoint delete <ID> 删除(例如 ID 为 2c3b5ab42845453e82cc47945a447667),但是得保证前面三个export的环境变量存在
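4.10 测试keystone(不再用token登录,取消环境变量)
注意:unset 只是清除当前shell里的变量,keystone.conf 中的 admin_token 仍然有效;初始化完成后建议把它从配置中去掉(如果该版本的 /etc/keystone/keystone-paste.ini 的 pipeline 里仍有 admin_token_auth,也一并移除)。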
[root@linux-node1 ~]# unset OS_TOKEN [root@linux-node1 ~]# unset OS_URL
测试是否能拿到token
[root@linux-node1 bin]# openstack --os-auth-url http://192.168.56.11:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:    #此处是admin
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-12-17 14:01:09+00:00        |
| id         | 0b5c3d0dd9d14bc4b096d09f856cba40 |
| project_id | 83504041aae94275a03600bb38e9f43a |
| user_id    | 49f7496df3da4892b78903021b733541 |
+------------+----------------------------------+
[root@linux-node1 bin]#
4.11 设置用户环境变量脚本,以后就不用每次都这样带一长串参数验证了
注意:脚本中以明文保存了 OS_PASSWORD,建议把文件权限设为仅属主可读写(如 chmod 600);脚本是通过 source 加载的,并不需要可执行权限。
[root@linux-node1 ~]# cat admin-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]# cat demo-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]#
[root@linux-node1 ~]# chmod +x demo-openstack.sh admin-openstack.sh
[root@linux-node1 ~]# source admin-openstack.sh
[root@linux-node1 ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-12-17 14:59:36+00:00        |
| id         | af6d349000414d60b6f2141e7468cccf |
| project_id | 83504041aae94275a03600bb38e9f43a |
| user_id    | 49f7496df3da4892b78903021b733541 |
+------------+----------------------------------+
[root@linux-node1 ~]#
本文出自 “砖家博客” 博客,请务必保留此出处http://wsxxsl.blog.51cto.com/9085838/1883649