openstack---keystone

keystone

Role:
1) User management: records users and the permissions they hold
2) Service catalog: provides a catalog of the available services and the endpoints used to reach them

Base package installation

Install the OpenStack repository
# yum install -y centos-release-openstack-mitaka
Install the OpenStack client
# yum install -y python-openstackclient
Install the OpenStack SELinux policy package
# yum install -y openstack-selinux

MySQL database deployment
# state data is kept in MySQL (MariaDB)
# yum install -y mariadb mariadb-server python2-PyMySQL

# message broker rabbitmq
# yum install -y rabbitmq-server

# OpenStack identity service keystone: openstack-keystone is the base package, httpd the web server, mod_wsgi the Python gateway interface for Apache, memcached the cache that holds token data, python-memcached the Python client for memcached
# yum install -y openstack-keystone httpd mod_wsgi memcached python-memcached

Database setup:
0) # mysql_secure_installation   # set the root password, drop the test database, etc.
1) Create the following file, then load it with: # mysql -u root -p < /tmp/mysql.sql
# more /tmp/mysql.sql
drop database if exists keystone;
create database keystone;
grant all on keystone.* to 'keystone'@'localhost' identified by 'keystone';
grant all on keystone.* to 'keystone'@'%' identified by 'keystone';

drop database if exists glance;
create database glance;
grant all on glance.* to 'glance'@'localhost' identified by 'glance';
grant all on glance.* to 'glance'@'%' identified by 'glance';

drop database if exists nova;
create database nova;
grant all on nova.* to 'nova'@'localhost' identified by 'nova';
grant all on nova.* to 'nova'@'%' identified by 'nova';

create database nova_api;
grant all on nova_api.* to 'nova'@'localhost' identified by 'nova';
grant all on nova_api.* to 'nova'@'%' identified by 'nova';

create database neutron;
grant all on neutron.* to 'neutron'@'localhost' identified by 'neutron';
grant all on neutron.* to 'neutron'@'%' identified by 'neutron';
Note: every password above equals its user name, and '%' lets that user connect from any host. That is acceptable for a lab; anywhere else use distinct random passwords and restrict the host to the nodes that actually run the service.
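The following script is an added example and not code from the original page. It renders the same database and GRANT statements as /tmp/mysql.sql above, but with a random password per service user and the remote grant limited to the controller address used throughout these notes (192.168.142.166 is assumed to be the host every service runs on; adjust it for your deployment). It also emits the matching `connection` URL for keystone.conf.

```python
"""Render the MariaDB bootstrap SQL for the OpenStack service databases.

Added example; not code from the original page. Replaces the hand-written
/tmp/mysql.sql, where each password equals the user name and every user may
connect from any host ('%'), with random per-service passwords and a grant
limited to the controller address.
"""
import secrets
import sys
from urllib.parse import quote

# (database, database user) pairs from the page; nova and nova_api share one user
DATABASES = [
    ("keystone", "keystone"),
    ("glance", "glance"),
    ("nova", "nova"),
    ("nova_api", "nova"),
    ("neutron", "neutron"),
]

CONTROLLER = "192.168.142.166"  # assumption: all services run on this host


def new_password(nbytes=16):
    """Random password; token_urlsafe only yields [A-Za-z0-9_-], so the value
    is safe inside SQL single quotes and inside a connection URL."""
    return secrets.token_urlsafe(nbytes)


def grant_statements(db, user, password, hosts=("localhost", CONTROLLER)):
    """GRANT lines for one database, one per allowed client host."""
    return [
        f"GRANT ALL ON {db}.* TO '{user}'@'{host}' IDENTIFIED BY '{password}';"
        for host in hosts
    ]


def build_sql(databases=DATABASES, passwords=None):
    """Return (sql_text, {user: password}). Passwords supplied in `passwords`
    are kept; every other user gets a fresh random one. CREATE ... IF NOT
    EXISTS keeps the script safe to re-run, unlike a DROP/CREATE pair."""
    passwords = dict(passwords or {})
    lines = []
    for db, user in databases:
        passwords.setdefault(user, new_password())
        lines.append(f"CREATE DATABASE IF NOT EXISTS {db};")
        lines.extend(grant_statements(db, user, passwords[user]))
        lines.append("")
    return "\n".join(lines), passwords


def connection_url(user, password, host, db):
    """SQLAlchemy URL for the [database] connection option of keystone.conf
    (the other services use the same form); the password is URL-escaped."""
    return f"mysql+pymysql://{user}:{quote(password, safe='')}@{host}/{db}"


if __name__ == "__main__":
    # SQL to stdout (pipe it into `mysql -u root -p`), secrets to stderr
    sql, pw = build_sql()
    print(sql)
    for user, password in pw.items():
        print(f"{user}: {password}", file=sys.stderr)
    print("keystone.conf connection =",
          connection_url("keystone", pw["keystone"], CONTROLLER, "keystone"),
          file=sys.stderr)
```

Run it as `python3 gen_db_sql.py | mysql -u root -p`; the generated passwords go to stderr so they do not end up in the SQL stream's pipeline logs, and the printed `connection` line is what replaces the keystone.conf value shown later in these notes.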

Message broker setup  ## listens on port 5672
yum install -y rabbitmq-server  # install
systemctl enable rabbitmq-server.service  # start at boot
systemctl start rabbitmq-server.service  # start now
rabbitmqctl add_user openstack openstack  # create the user the OpenStack services connect as
rabbitmqctl set_permissions openstack ".*" ".*" ".*"  # grant it configure/write/read on every resource
# rabbitmq-plugins list
# rabbitmq-plugins enable rabbitmq_management  # enable the RabbitMQ web management UI (listens on 15672; firewall it, and use a real password for the openstack user outside a lab)

# grep '^[a-z]' /etc/keystone/keystone.conf   # shows only the options that were set; the section each belongs to is noted after it
admin_token = a4ec1d2a4abe99f4ae66                                        # [DEFAULT]: bootstrap token, used once below to create the admin user
connection = mysql+pymysql://keystone:keystone@192.168.142.166/keystone   # [database]: user, password and host as granted in /tmp/mysql.sql above
servers = 192.168.142.166:11211                                           # [memcache]
provider = fernet                                                         # [token]
driver = memcache                                                         # [token]
# initialize the identity service database:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
# initialize the Fernet keys (the key repository is /etc/keystone/fernet-keys; keep it readable by the keystone user only)
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

Configure the Apache server
# grep ServerName /etc/httpd/conf/httpd.conf
# ServerName gives the name and port that the server uses to identify itself.
ServerName 192.168.142.166:80

# more /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

# systemctl enable httpd.service
# systemctl start httpd.service

Use the bootstrap token to talk to Keystone
# OS_TOKEN must be the admin_token value set in keystone.conf (the two values shown in these notes differ; use the one you actually configured). The admin token bypasses user authentication entirely, so use it only to create the first domain, project and admin user.
export OS_TOKEN=040a9b2b6fd46cc54910
export OS_URL=http://192.168.142.166:35357/v3
export OS_IDENTITY_API_VERSION=3

# create a domain named default; a domain is the container for projects, users and groups
openstack domain create --description "Default Domain" default
# create a project, giving the domain and the name
openstack project create --domain default   --description "Admin Project" admin
# create a user, giving the domain and the name (the password is prompted for)
openstack user create --domain default   --password-prompt admin
# create a role
openstack role create admin
# add the admin user to the admin project with the admin role
openstack role add --project admin --user admin admin

# create a demo project, a demo user and a role named user, then grant the role on the project
openstack project create --domain default   --description "Demo Project" demo
openstack user create --domain default   --password-prompt demo
openstack role create user
openstack role add --project demo --user demo user

# create the service project; each service gets its own user with the admin role in it
openstack project create --domain default  --description "Service Project" service

openstack user create --domain default --password-prompt glance
openstack role add --project service --user glance admin

openstack user create --domain default --password-prompt nova
openstack role add --project service --user nova admin

openstack user create --domain default --password-prompt neutron
openstack role add --project service --user neutron admin

# service registration: the identity service and its public, internal and admin endpoints
openstack service create   --name keystone --description "OpenStack Identity" identity
openstack endpoint create --region RegionOne   identity public http://192.168.142.166:5000/v3
openstack endpoint create --region RegionOne   identity internal http://192.168.142.166:5000/v3
openstack endpoint create --region RegionOne   identity admin http://192.168.142.166:35357/v3

# verify password authentication (unset OS_TOKEN and OS_URL first; the CLI prompts for the password)
openstack --os-auth-url http://192.168.142.166:35357/v3 --os-project-domain-name default --os-user-domain-name default  --os-project-name admin --os-username admin token issue

openstack --os-auth-url http://192.168.142.166:5000/v3   --os-project-domain-name default --os-user-domain-name default   --os-project-name demo --os-username demo token issue
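What `openstack ... token issue` does under the hood is a single POST to the v3 API. The block below is an added example, not code from the page or from the OpenStack client: it builds that request, parses the response (token id in the X-Subject-Token header, expiry, user, project, roles and the service catalog in the body) and resolves an endpoint from the catalog the way a client does. The sample response is constructed by hand so the parsing runs offline; the user and project ids are taken from the `openstack token issue` output later on the page, everything else is invented.

```python
"""Keystone v3 password authentication as raw HTTP.

Added example, not the page's own code. POST <auth url>/auth/tokens with the
password method scoped to a project; the token id comes back in the
X-Subject-Token header and never appears in the body.
"""
import json
import urllib.request


def build_auth_request(username, password, project,
                       user_domain="default", project_domain="default"):
    """Body of POST /v3/auth/tokens. Domains are given by name, matching the
    --os-user-domain-name / --os-project-domain-name options above."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project, "domain": {"name": project_domain}}
            },
        }
    }


def parse_token_response(headers, body):
    """Pull the fields `openstack token issue` prints, plus roles and catalog."""
    token = body["token"]
    return {
        "id": headers["X-Subject-Token"],
        "expires": token["expires_at"],
        "user_id": token["user"]["id"],
        "project_id": token["project"]["id"],
        "roles": sorted(r["name"] for r in token.get("roles", [])),
        "catalog": token.get("catalog", []),
    }


def find_endpoint(catalog, service_type, interface="public", region="RegionOne"):
    """Resolve a service URL by type, interface (public/internal/admin) and region."""
    for service in catalog:
        if service.get("type") != service_type:
            continue
        for ep in service.get("endpoints", []):
            if ep.get("interface") == interface and ep.get("region") == region:
                return ep["url"]
    return None


def authenticate(auth_url, username, password, project):
    """Live call against a real Keystone (needs network; not run offline).
    auth_url is the value of OS_AUTH_URL, e.g. http://192.168.142.166:5000/v3."""
    data = json.dumps(build_auth_request(username, password, project)).encode()
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens", data=data,
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.headers, json.load(resp))


# Constructed sample response in the shape of a Keystone v3 scoped token.
# user/project ids are from the page's `openstack token issue` output; the
# token id, role id and service id are invented.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-example-fernet-token-not-real"}
SAMPLE_BODY = {
    "token": {
        "expires_at": "2017-07-09T03:32:21.000000Z",
        "user": {"id": "2614b525036b47e6a9a5b51ff385a06d", "name": "admin"},
        "project": {"id": "3e83baa0b3d64188b036ce423002aac7", "name": "admin"},
        "roles": [{"id": "0123456789abcdef", "name": "admin"}],
        "catalog": [
            {
                "type": "identity", "name": "keystone", "id": "svc-identity",
                "endpoints": [
                    {"interface": "public", "region": "RegionOne",
                     "url": "http://192.168.142.166:5000/v3"},
                    {"interface": "internal", "region": "RegionOne",
                     "url": "http://192.168.142.166:5000/v3"},
                    {"interface": "admin", "region": "RegionOne",
                     "url": "http://192.168.142.166:35357/v3"},
                ],
            }
        ],
    }
}
```

The catalog lookup is why the three endpoint registrations above matter: a client asks for `identity` with interface `public` and only ever sees port 5000, while admin-interface consumers get 35357. Because this setup serves both over plain http, the password in the request and the token in the response header cross the network in the clear; anything beyond a single-host lab should terminate TLS in front of Apache.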

Create the credential scripts (ADMIN_PASS and DEMO_PASS are placeholders for the passwords set above; "controller" must resolve to the Keystone host, 192.168.142.166 in these notes):
#admin (admin.sh)
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

#demo (demo.sh)
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Verification
# load the environment variables
.  admin.sh
# the variables are set
# echo $OS_USERNAME
admin
# request a token with the admin password. The id printed below is a bearer credential valid until "expires": treat it like a password. Once this works, the admin_token in keystone.conf is no longer needed and should be removed.
# openstack token issue
+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                    |
+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-07-09T03:32:21.000000Z                                                                                                                              |
| id         | gAAAAABZYZW2x-HD15z2mjnu6JGTZVJosa90ZUFAD0LkbLh3Eya9og2XKICxuZ6p1hvFzdKGzB2Y8bZI7BboOi_Oj-                                                               |
|            | 66q_fvxNTSJth7zuoQT9OM5dNeMSgfmvwudqz6f5qnJHRaPjckqyIugwU0cPg9c4NLtm7nN1nVndCZhgDQVL6IoAyvgcs                                                            |
| project_id | 3e83baa0b3d64188b036ce423002aac7                                                                                                                         |
| user_id    | 2614b525036b47e6a9a5b51ff385a06d                                                                                                                         |
+------------+----------------------------------------------------------------------------------------------------------------------------------------------------------+
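Once password authentication works, the bootstrap admin_token left in keystone.conf is a standing root credential that bypasses every user. The check below is an added example, not part of the original page: it reads a keystone.conf (two constructed samples, one mirroring the values shown in these notes and one hardened) and reports what is still unsafe. Section names follow the Mitaka keystone.conf layout assumed earlier in these notes ([DEFAULT], [database], [memcache], [token]).

```python
"""Post-bootstrap audit of keystone.conf.

Added example, not the page's own code. Flags a leftover admin_token, a
non-fernet token provider, a memcached server reachable off-host (memcached
has no authentication) and a database password equal to the user name.
"""
import configparser
import re

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def audit_keystone_conf(text):
    """Return a list of findings (empty means nothing flagged)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []

    if cp.get("DEFAULT", "admin_token", fallback="").strip():
        findings.append("admin_token is still set: it bypasses user authentication; "
                        "remove it now that the admin user works")

    provider = cp.get("token", "provider", fallback="uuid")
    if provider != "fernet":
        findings.append(f"token provider is '{provider}', expected fernet")

    servers = cp.get("memcache", "servers", fallback="")
    for server in filter(None, (s.strip() for s in servers.split(","))):
        host = server.rsplit(":", 1)[0]
        if host not in LOOPBACK:
            findings.append(f"memcached at {server} is reachable off-host and has no authentication")

    conn = cp.get("database", "connection", fallback="")
    m = re.match(r"[^:]+://([^:/@]+):([^@]*)@", conn)
    if m and m.group(1) == m.group(2):
        findings.append("database password equals the database user name")

    return findings


# Constructed sample mirroring the grep output shown earlier in these notes
BOOTSTRAP_CONF = """
[DEFAULT]
admin_token = a4ec1d2a4abe99f4ae66

[database]
connection = mysql+pymysql://keystone:keystone@192.168.142.166/keystone

[memcache]
servers = 192.168.142.166:11211

[token]
provider = fernet
driver = memcache
"""

# Constructed hardened variant: token removed, memcached on loopback, random password
HARDENED_CONF = """
[DEFAULT]

[database]
connection = mysql+pymysql://keystone:Xq7vBn2kL9pRt4wZ@192.168.142.166/keystone

[memcache]
servers = 127.0.0.1:11211

[token]
provider = fernet
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/keystone/keystone.conf"
    with open(path) as f:
        for finding in audit_keystone_conf(f.read()):
            print("WARN:", finding)
```

Run it as `python3 audit_keystone.py /etc/keystone/keystone.conf` after bootstrapping; against the values in these notes it reports three findings, against the hardened variant none.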

  

Posted: 2024-10-13 11:59:17
