
4 - OpenStack: keystone (part 2)

4.1 View the modified settings in the keystone configuration file

[root@linux-node1 ~]# grep -En '^[a-zA-Z]' /etc/keystone/keystone.conf
152:debug = true   # [DEFAULT] section
17:admin_token= 0eed56d434cbac30394c    # [DEFAULT] section, token mechanism
640:connection= mysql://keystone:keystone@192.168.56.11/keystone   # [database] section: address of the authentication database
1472:servers= 192.168.56.11:11211  # [memcache] section: where tokens are stored
2294:driver= sql   # [revoke] section
2655:provider= uuid  # [token] section
2665:driver= memcache  # [token] section
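
A check for the security-relevant values among the settings listed in 4.1, as an added example that is not part of the original post. The function names audit_keystone_conf and sample_conf are hypothetical, and the sample file is constructed from the values shown above.

```shell
#!/bin/sh
# Added example (not from the original post): flag risky values among the
# keystone.conf settings listed in 4.1. audit_keystone_conf is a hypothetical name.
audit_keystone_conf() {   # reads keystone.conf on stdin, prints one finding per line
  awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # skip comments and blank lines
    /^\[/ { sec = substr($0, 2, index($0, "]") - 2); next }   # track [section]
    index($0, "=") == 0 { next }
    {
      key = trim(substr($0, 1, index($0, "=") - 1))
      val = trim(substr($0, index($0, "=") + 1))
      if (sec == "DEFAULT" && key == "debug" && tolower(val) == "true")
        print "WARN [DEFAULT] debug = true: verbose logging left on"
      if (sec == "DEFAULT" && key == "admin_token" && val != "")
        print "WARN [DEFAULT] admin_token set: bootstrap shared secret still configured"
      if (sec == "database" && key == "connection") {
        cred = val; sub(/^[^:]*:\/\//, "", cred); sub(/@.*$/, "", cred)
        n = split(cred, up, ":")
        if (n == 2 && up[1] == up[2])
          print "WARN [database] password equals user name \"" up[1] "\""
      }
      if (sec == "memcache" && key == "servers" && val !~ /^(127\.|localhost)/)
        print "WARN [memcache] token store on non-loopback address " val
    }'
}

# Constructed sample that mirrors the values shown in 4.1.
sample_conf() {
  cat <<'EOF'
[DEFAULT]
debug = true
admin_token = 0eed56d434cbac30394c
[database]
connection = mysql://keystone:keystone@192.168.56.11/keystone
[memcache]
servers = 192.168.56.11:11211
[revoke]
driver = sql
[token]
provider = uuid
driver = memcache
EOF
}

sample_conf | audit_keystone_conf
```

Against a live node, run it as audit_keystone_conf < /etc/keystone/keystone.conf.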

4.2 Start the memcached service

[root@linux-node1 ~]# systemctl start memcached.service
[root@linux-node1 ~]# systemctl enable memcached.service

4.3 Configure the keystone web interface, with Apache proxying to Python

4.3.1 Apache main configuration file

[root@linux-host1 ~]# vim /etc/httpd/conf/httpd.conf
ServerName 192.168.10.11:80    # line 95

4.3.2 Add a configuration file

[root@linux-host1 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
# 5000 serves the public API, 35357 the admin API
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

4.3.3 Start the httpd service

[root@linux-node1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@linux-node1 ~]# systemctl restart httpd

4.4.4 Check the result of the startup

Keystone listens on ports 5000 and 35357: 5000 is for external access, 35357 is the admin port.

[root@linux-node1 ~]# netstat -lntup | grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      17731/httpd
tcp6       0      0 :::35357                :::*                    LISTEN      17731/httpd
tcp6       0      0 :::5000                 :::*                    LISTEN      17731/httpd

4.5 Create the keystone domain, project, role and user

By default keystone has no administrator; log in with the token you configured yourself to do the setup.

4.5.1 Set environment variables

[root@linux-node1 bin]# export OS_TOKEN=0eed56d434cbac30394c
[root@linux-node1 bin]# export OS_URL=http://192.168.56.11:35357/v3
[root@linux-node1 bin]# export OS_IDENTITY_API_VERSION=3

4.5.2 First, list the users

Check which users exist (there are none):
[root@linux-node1 bin]# openstack user list

[root@linux-node1 bin]#

4.5.3 Create the default domain

[root@linux-node1 bin]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | d1d9728ef1d64905b1ebf54982dc7991 |
| name        | default                          |
+-------------+----------------------------------+
[root@linux-node1 bin]#

4.5.4 Create a project

[root@linux-node1 bin]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | d1d9728ef1d64905b1ebf54982dc7991 |
| enabled     | True                             |
| id          | 83504041aae94275a03600bb38e9f43a |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | d1d9728ef1d64905b1ebf54982dc7991 |
+-------------+----------------------------------+

4.5.4 Create a role

[root@linux-node1 bin]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 0d07754d4422483a87285c2eaf7216ed |
| name      | admin                            |
+-----------+----------------------------------+
[root@linux-node1 bin]#

4.5.5 Create a user

openstack user create --domain default --password-prompt admin


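4.5.6 Grant the admin user the admin role on the admin project; that is, add a user named admin to the admin project and assign it the admin role. A role is a set of permissions.

[root@linux-node1 bin]# openstack role add --project admin --user admin admin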

4.7 The demo user

4.7.1 Create the demo project

[root@linux-node1 bin]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | d1d9728ef1d64905b1ebf54982dc7991 |
| enabled     | True                             |
| id          | 553af6a94bb64d918c21cfe7b84bd4fe |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | d1d9728ef1d64905b1ebf54982dc7991 |
+-------------+----------------------------------+
[root@linux-node1 bin]#

4.7.2 The user role

[root@linux-node1 bin]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 1064c9c2f8e44c6f87daa05eda7a418d |
| name      | user                             |
+-----------+----------------------------------+

4.7.3 The demo user

[root@linux-node1 bin]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | d1d9728ef1d64905b1ebf54982dc7991 |
| enabled             | True                             |
| id                  | ce8d50b126b446bcbbf948bfa6c78ddd |
| name                | demo                             |
| password_expires_at | None                             |
+---------------------+----------------------------------+

4.7.4 Assign the user role to the demo user and add it to the demo project

[root@linux-node1 bin]# openstack role add --project demo --user demo user

4.7.5 List users

[root@linux-node1 ~]# openstack user  list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 49f7496df3da4892b78903021b733541 | admin |
| ce8d50b126b446bcbbf948bfa6c78ddd | demo  |
+----------------------------------+-------+
[root@linux-node1 ~]# 
[root@linux-node1 ~]#

4.7.6 List roles

[root@linux-node1 ~]# openstack role  list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 0d07754d4422483a87285c2eaf7216ed | admin |
| 1064c9c2f8e44c6f87daa05eda7a418d | user  |
+----------------------------------+-------+
[root@linux-node1 ~]#

4.7.7 List projects

[root@linux-node1 ~]# openstack  project  list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 553af6a94bb64d918c21cfe7b84bd4fe | demo    |
| 83504041aae94275a03600bb38e9f43a | admin   |
| 8437cbb8cd8d4982bedb6ef944d9423b | service |
+----------------------------------+---------+
[root@linux-node1 ~]#

4.8 Keystone itself is also registered in keystone

Create the keystone service:
[root@linux-node1 bin]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | fb736ae810e44272956dfd24307aa903 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

4.9 Keystone management

4.9.1 Public endpoint; this can be a public IP

[root@linux-node1 bin]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c1a69a3fc8494e839dea7d1f13b06815 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fb736ae810e44272956dfd24307aa903 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+

4.9.2 Internal endpoint

[root@linux-node1 bin]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | ce3c353e9e924f32bcbc15af2c3169d4 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fb736ae810e44272956dfd24307aa903 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+

4.9.3 Admin endpoint

[root@linux-node1 bin]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c57c406393104470860775514fe601c3 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fb736ae810e44272956dfd24307aa903 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:35357/v3    |
+--------------+----------------------------------+

4.9.5 List all endpoints

[root@linux-node1 ~]# openstack endpoint list 
+----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                           |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+
| 2c3b5ab42845453e82cc47945a447667 | RegionOne | keystone     | identity     | True    | public    | http://192.168.56.11:5000/v3  |
| ac8478dc89ce4368932fcdab58d84747 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56.11:35357/v3 |
| ce3c353e9e924f32bcbc15af2c3169d4 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.56.11:5000/v3  |
| fd0f6d73af444e67b322b047d060c783 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56.11:35357/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+
[root@linux-node1 ~]#

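Note: if you later find that an endpoint was added by mistake, it can be deleted by ID with openstack endpoint delete ID (for example, 2c3b5ab42845453e82cc47945a447667), but the three environment variables exported earlier must still be set.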
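
A way to find which endpoint to delete, as an added example that is not part of the original post: it reads the table printed by openstack endpoint list and reports service/interface pairs registered more than once, plus endpoints served over plain http://, where tokens and passwords cross the network unencrypted. The function names check_endpoints and sample_endpoints are hypothetical, and the sample rows are the ones listed in 4.9.5.

```shell
#!/bin/sh
# Added example (not from the original post): read the table printed by
# "openstack endpoint list" on stdin and report duplicate service/interface
# pairs and cleartext http:// URLs. check_endpoints is a hypothetical name.
check_endpoints() {
  awk -F'|' '
    NF < 9 || $2 ~ /ID/ { next }             # skip borders, prompts, header row
    {
      for (i = 2; i <= 8; i++) { sub(/^ +/, "", $i); sub(/ +$/, "", $i) }
      id = $2; key = $4 "/" $7               # service name / interface
      if (key in seen) { print "DUPLICATE " key ": " seen[key] " and " id }
      else { seen[key] = id }
      if ($8 ~ /^http:/) cleartext++
    }
    END { if (cleartext) print "CLEARTEXT " cleartext " endpoint(s) use http://" }'
}

# Constructed sample: the rows of the listing in 4.9.5.
sample_endpoints() {
  cat <<'EOF'
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                           |
| 2c3b5ab42845453e82cc47945a447667 | RegionOne | keystone     | identity     | True    | public    | http://192.168.56.11:5000/v3  |
| ac8478dc89ce4368932fcdab58d84747 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56.11:35357/v3 |
| ce3c353e9e924f32bcbc15af2c3169d4 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.56.11:5000/v3  |
| fd0f6d73af444e67b322b047d060c783 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56.11:35357/v3 |
EOF
}

sample_endpoints | check_endpoints
```

On a live node, pipe the command into it: openstack endpoint list | check_endpoints.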

4.10 Test keystone (token login is no longer used, so unset the environment variables)

[root@linux-node1 ~]# unset OS_TOKEN
[root@linux-node1 ~]# unset OS_URL

Test whether a token can be obtained:

[root@linux-node1 bin]# openstack --os-auth-url http://192.168.56.11:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:  # the password here is admin
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-12-17 14:01:09+00:00        |
| id         | 0b5c3d0dd9d14bc4b096d09f856cba40 |
| project_id | 83504041aae94275a03600bb38e9f43a |
| user_id    | 49f7496df3da4892b78903021b733541 |
+------------+----------------------------------+
[root@linux-node1 bin]#

4.11 Set the user environment variables so that this cumbersome authentication is not needed every time

[root@linux-node1 ~]# cat admin-openstack.sh 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2


[root@linux-node1 ~]# cat demo-openstack.sh 
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]#
[root@linux-node1 ~]# chmod +x demo-openstack.sh  admin-openstack.sh
[root@linux-node1 ~]# source admin-openstack.sh 
[root@linux-node1 ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-12-17 14:59:36+00:00        |
| id         | af6d349000414d60b6f2141e7468cccf |
| project_id | 83504041aae94275a03600bb38e9f43a |
| user_id    | 49f7496df3da4892b78903021b733541 |
+------------+----------------------------------+
[root@linux-node1 ~]#
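
The two rc files above keep OS_PASSWORD in clear text, and because they are only ever sourced they do not need the execute bit. As an added example that is not part of the original post, the script below writes the same kind of file with owner-only permissions and a password prompt, and checks existing rc files for a stored password or loose permissions. The function names write_openrc and check_openrc and the file names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). write_openrc and check_openrc are
# hypothetical helper names; the file layout follows admin-openstack.sh above.
write_openrc() {   # usage: write_openrc FILE PROJECT USER AUTH_URL
  ( umask 077      # create the file owner-only
    cat > "$1" <<EOF
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=$2
export OS_USERNAME=$3
export OS_AUTH_URL=$4
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# Prompt when the file is sourced instead of storing the password on disk.
printf 'Password for $3: ' >&2
stty -echo; read -r OS_PASSWORD; stty echo; echo >&2
export OS_PASSWORD
EOF
    chmod 600 "$1" )   # also tightens a pre-existing file
}

# Report rc files that embed a password or are accessible to group/others.
check_openrc() {
  rc=0
  for f in "$@"; do
    if grep -Eq '^[[:space:]]*(export[[:space:]]+)?OS_PASSWORD=.' "$f"; then
      echo "$f: password stored in file"; rc=1
    fi
    if [ "$(ls -ld "$f" | cut -c5-10)" != "------" ]; then
      echo "$f: readable or writable by group/others"; rc=1
    fi
  done
  return $rc
}

# Demo on constructed files in a temporary directory.
demo_dir=$(mktemp -d)
write_openrc "$demo_dir/admin-openrc.sh" admin admin http://192.168.56.11:35357/v3
( umask 022; echo 'export OS_PASSWORD=admin' > "$demo_dir/old-style.sh" )
check_openrc "$demo_dir/admin-openrc.sh" "$demo_dir/old-style.sh" || true
rm -rf "$demo_dir"
```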


This article comes from the "砖家博客" blog; please be sure to keep this source link: http://wsxxsl.blog.51cto.com/9085838/1883649
