Openstack组件部署 — keystone(domain, projects, users, and roles)

目录

  • 目录
  • 前文列表
  • Create a domain projects users and roles
    • domain projects users and roles的意义和作用
    • Create the default domain
    • Create the service projecttenant
    • 创建用于管理的用户租户和角色
      • Create the admin projecttenant
      • Create the admin user
      • Create the admin role
      • Add the admin role to the admin project and user
    • 创建一般用户租户和角色
      • Create the demo projecttenant
      • Create the demo user
      • Create the user role
      • Add the user role to the demo project and user
  • Verify operation 验证操作
  • Create OpenStack client environment scripts
    • Edit the admin-openrc file and add the following content
    • Edit the demo-openrc file and add the following content
    • Using the scripts
  • 最后

前文列表

Openstack组件部署 — Overview和前期环境准备

Openstack组建部署 — Environment of Controller Node

Openstack组件部署 — Keystone功能介绍与认证实现流程

Openstack组件部署 — Keystone Install & Create service entity and API endpoints

Create a domain, projects, users, and roles

The Identity service provides authentication services for each OpenStack service. The authentication service uses a combination of domains, projects (tenants), users, and roles.

Identity service为每一个Openstack service都提供了身份认证的服务,而身份认证服务使用domains, projects (tenants), users, and roles的组合来实现。

domain, projects, users, and roles的意义和作用

Create the default domain

在上一篇Openstack组件部署 — Keystone Install & Create service entity and API endpoints中解释了,因为MySQL数据库里默认是没有任何authentication catalog services信息的,但是在调用Keystone的服务时,首先就需要进行token的校验,这样显然无法完成。所以如果想在这样的情况下使用Keystone服务,我们可以为其指定一个临时的Token(keystone.conf中的admin_token参数项),并且定义一个OS_TOKEN系统变量,Keystone会通过匹配OS_TOKENadmin_token的值是否一致来确定是否能够使用Keystone的服务。如果不一致时,就会触发An unexpected error prevented the server from fulfilling your request. 的ERROR。

加载临时token的环境变量

[root@controller ~]# cat auth_token
export OS_TOKEN=c44048d3212d3f977643
export OS_URL=http://controller.jmilk.com:35357/v3
export OS_IDENTITY_API_VERSION=3

[root@controller ~]# source auth_token

创建domain

[[email protected] ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 011fbf8c04f1479ab1a4e49b019b22d1 |
| name        | default                          |
+-------------+----------------------------------+

Create the service project(tenant)

This guide uses a service project that contains a unique user for each service that you add to your environment.

每一个Openstack service在service tenant都含有唯一的user。Openstack需要使用这个service tenant来将所有的Openstack service关联起来。

[[email protected] ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 011fbf8c04f1479ab1a4e49b019b22d1 |
| enabled     | True                             |
| id          | 358f241ed9ad4a2faf1e9796d761e4bf |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 011fbf8c04f1479ab1a4e49b019b22d1 |
+-------------+----------------------------------+

创建用于管理的用户、租户和角色

Create the admin project(tenant)

Create an administrative project, user, and role for administrative operations in your environment

为了在你的环境上执行管理操作,需要创建管理项目、用户和角色。

创建一个属于default域的tenant(租户)

[[email protected] ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 011fbf8c04f1479ab1a4e49b019b22d1 |
| enabled     | True                             |
| id          | 6c04f1d3ecd04aafb427f4f8d01be534 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 011fbf8c04f1479ab1a4e49b019b22d1 |
+-------------+----------------------------------+

Note:Openstack会使用动态的id

Create the admin user

需要为user设定密码

[[email protected] ~]# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 011fbf8c04f1479ab1a4e49b019b22d1 |
| enabled   | True                             |
| id        | d5e5331d665540159f1bfabb7327eca5 |
| name      | admin                            |
+-----------+----------------------------------+

Create the admin role

[[email protected] ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 192f3667f323410b83497d8898d2ec80 |
| name      | admin                            |
+-----------+----------------------------------+

Add the admin role to the admin project and user

添加admin tenant、admin user到admin role中

[[email protected] ~]# openstack role add --project admin --user admin admin

Note:Any roles that you create must map to roles specified in the policy.json file in the configuration file directory of each OpenStack service. The default policy for most services grants administrative access to the admin role.

注意:所有创建的roles都必须要映射到每一个Openstack service特定的policy.json配置文件中,默认的policy会将大多数的services的管理权限授予admin角色。所以上面我们创建了default domainadmin tenantadmin useradmin role,并且将tenantuser绑定到了roles中,这样的话tenantuser就拥有了admin role的权限。

/etc/keystone/policy.json

创建一般用户、租户和角色

Create the demo project(tenant)

Regular (non-admin) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.

在Openstack中一般的任务我们都应该使用一个没有太多权限的project(tenant)user来操作。在这里我们创建一个demo user。

[[email protected] ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 011fbf8c04f1479ab1a4e49b019b22d1 |
| enabled     | True                             |
| id          | 4e069f1af37c4a37910e838365213530 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 011fbf8c04f1479ab1a4e49b019b22d1 |
+-------------+----------------------------------+

Note:Do not repeat this step when creating additional users for this project.

Create the demo user:

[[email protected] ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 011fbf8c04f1479ab1a4e49b019b22d1 |
| enabled   | True                             |
| id        | 27549a09628a453ea4fea34feb201855 |
| name      | demo                             |
+-----------+----------------------------------+

Create the user role

[[email protected] ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | ed533bf15c0b4487a7023c3d489c9411 |
| name      | user                             |
+-----------+----------------------------------+

Add the user role to the demo project and user

[[email protected] ~]# openstack role add --project demo --user demo user

Verify operation 验证操作

在安装Openstack的其他services之前,我们需要确定Keystone service能够正常使用。

Step1.For security reasons, disable the temporary authentication token mechanism

出于安全考虑,我们现在可以禁用掉临时的认证token机制。

Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] sections.

/etc/keystone/keystone-paste.ini文件中的节点[pipeline:public_api][pipeline:admin_api][pipeline:api_v3]中的admin_token_auth参数删除。

vim /etc/keystone/keystone-paste.ini

[pipeline:public_api]
# The last item in this pipeline must be public_service or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
# The last item in this pipeline must be admin_service or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
# The last item in this pipeline must be service_v3 or an equivalent
# application. It cannot be a filter.
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3

Step2.Unset the temporary OS_TOKEN and OS_URL environment variables

[root@controller ~]# unset OS_TOKEN OS_URL

Step3.As the admin user, request an authentication token

使用admin user来请求获取authentication token

获取一个authentication token需要指定:

  • --os-auth-url确定keystone service,并且admin用户需要使用Post:35357来区分,Post:35357是admin专用的Endpoint。
  • --os-project-domain-name确定一个admin tenant所处在的domain
  • --os-user-domain-name确定admin user所处在的domain
  • os-project-name确定admin tenant
  • --os-username确定admin user,这样才能唯一的定位到一个user,之后在指定申请token

    注意:因为在之前创建了admin tenant、admin user、admin role,就是说现在数据库中已经存在了admin user的相关信息,所以keystone可以在不需要使用临时token的情况下直接申请admin user的token。 —— 也就是说如果一个User希望从Keystone上申请到一个Token并以此来登陆Openstack进行操作的话,首先需要创建这个User和对应的tenant并将其加入role中。

[[email protected] ~]# openstack --os-auth-url http://controller.jmilk.com:35357/v3 >   --os-project-domain-name default --os-user-domain-name default >   --os-project-name admin --os-username admin token issue
Password:
+------------+----------------------------------------------------------------------------+
| Field      | Value                                                                      |
+------------+----------------------------------------------------------------------------+
| expires    | 2016-06-15T16:15:15.389159Z                                                |
| id         | gAAAAABXYXEDwdmX7VMLYkNas7r_aAz91zrfUvoJCwGLIE6qOWcdjVH9NjJwNl3bkeYaspbrm9 |
|            | _Ygm_Eba8kUNUnipTHM8D9ASOxOV4BQUmn-                                        |
|            | uSZO9vmrHy91B7vx3vfidKz2_83X5PhOMhZxrFkluYzsJtIuH9T0UTiuaVA_THJ4zNOXzKYEtA |
| project_id | 6c04f1d3ecd04aafb427f4f8d01be534                                           |
| user_id    | d5e5331d665540159f1bfabb7327eca5                                           |
+------------+----------------------------------------------------------------------------+

ERROR:Unable to establish connection to http://controller:35357/v3/auth/tokens

出现这个错误时候,检查认证Endpoint URL选项--os-auth-url的参数是否正确,openstack需要通过Endpoint URL来确定auth-Keystone服务。

Step4.As the demo user, request an authentication token

[[email protected] ~]# openstack --os-auth-url http://controller.jmilk.com:5000/v3 >   --os-project-domain-name default --os-user-domain-name default >   --os-project-name demo --os-username demo token issue
Password:
+------------+----------------------------------------------------------------------------+
| Field      | Value                                                                      |
+------------+----------------------------------------------------------------------------+
| expires    | 2016-06-15T16:26:46.556759Z                                                |
| id         | gAAAAABXYXO2Tn4c9mO5TAY5gBeGxgSRmbAkDRfB8gyuELVtAB6BVARzY8d6OL9diCtAy-     |
|            | mNyY3uA7DFBrnKoTtyu5jX5oEf9ax61q8StnYjNDtRdiOKLN2Q23f-                     |
|            | jNYALrWUkr91Z98oLD7LVrjRLcSaC-XCpK5tB-kU-Piyu7Y0rzbEXM06AIo                |
| project_id | 4e069f1af37c4a37910e838365213530                                           |
| user_id    | 27549a09628a453ea4fea34feb201855                                           |
+------------+----------------------------------------------------------------------------+

Note:This command uses the password for the demo user and API port 5000 which only allows regular (non-admin) access to the Identity service API.

注意:非管理员账户使用Port:5000来定位Keystone service。

Step5.使用admin账户身份来查看project、user、role的列表

[[email protected] ~]# openstack --os-auth-url http://controller.jmilk.com:35357/v3   --os-project-domain-name default --os-user-domain-name default   --os-project-name admin --os-username admin project list
Password:
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 358f241ed9ad4a2faf1e9796d761e4bf | service |
| 4e069f1af37c4a37910e838365213530 | demo    |
| 6c04f1d3ecd04aafb427f4f8d01be534 | admin   |
+----------------------------------+---------+

[[email protected] ~]# openstack --os-auth-url http://controller.jmilk.com:35357/v3   --os-project-domain-name default --os-user-domain-name default   --os-project-name admin --os-username admin user list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 27549a09628a453ea4fea34feb201855 | demo  |
| d5e5331d665540159f1bfabb7327eca5 | admin |
+----------------------------------+-------+

[[email protected] ~]# openstack --os-auth-url http://controller.jmilk.com:35357/v3   --os-project-domain-name default --os-user-domain-name default   --os-project-name admin --os-username admin role list
Password:
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 192f3667f323410b83497d8898d2ec80 | admin |
| ed533bf15c0b4487a7023c3d489c9411 | user  |
+----------------------------------+-------+

Create OpenStack client environment scripts

The previous section used a combination of environment variables and command options to interact with the Identity service via the openstack client. To increase efficiency of client operations, OpenStack supports simple client environment scripts also known as OpenRC files. These scripts typically contain common options for all clients, but also support unique options。

在上面的操作中,我们通过openstack client使用了环境变量和指令选项的组合来进行操作。为了增加openstack client的操作效率(每一次都需要使用--os-auth-url这类的选项实在是非常繁复),Openstack支持简易的环境脚本,也称之为OpenRC文件。这些脚本可以包含有常用的openstack client选项,但是每一个脚本只支持唯一的选项值。简而言之,使用这些脚本能够让我们不需要为每一条openstack client指令都添加这么多的认证选项。

Edit the admin-openrc file and add the following content

为admin user创建OpenRC文件

vim ~/admin-openrc

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=fanguiju            #给出admin的password
export OS_AUTH_URL=http://controller.jmilk.com:35357/v3            #给出admin的Endpoint
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Edit the demo-openrc file and add the following content

为demo user创建OpenRC文件

vim ~/demo-openrc

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=fanguiju
export OS_AUTH_URL=http://controller.jmilk.com:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Using the scripts

[[email protected] ~]# . admin-openrc
[[email protected] ~]# openstack token issue
+------------+----------------------------------------------------------------------------+
| Field      | Value                                                                      |
+------------+----------------------------------------------------------------------------+
| expires    | 2016-06-15T16:59:48.937673Z                                                |
| id         | gAAAAABXYXt0PviJjz-fzA89XNr7w2KxM5jOOzg868rTDLXE-                          |
|            | 2l__BMNLBYDX0nWKlrjlLRvqwFXMpAL2WhAlZVEZis6Ud-dqcSA4JV-                    |
|            | 4Ehr9aRCwSK3cm4L_eHnoLeAoDU-                                               |
|            | 40RYHViL0GB3kav8ML5DbTGNRPq3aHVNsvQHgkfAWiHKm9YM5xo                        |
| project_id | 6c04f1d3ecd04aafb427f4f8d01be534                                           |
| user_id    | d5e5331d665540159f1bfabb7327eca5                                           |
+------------+----------------------------------------------------------------------------+

再次获取admin的token变得非常的简单

最后

到这里Keystone组件的安装就全部结束了。 : )

时间: 2024-08-09 21:46:17

Openstack组件部署 — keystone(domain, projects, users, and roles)的相关文章

Openstack组件部署 — Keystone Install & Create service entity and API endpoints

目录 目录 前文列表 Install and configure Prerequisites 先决条件 Create the database for identity service 生成一个随机数 Install and configure components Configure the Apache HTTP server Create the service entity and API endpoints Prerequisites 先决条件 Create the service e

Openstack组件部署 — Networking service_Compute Node

目录 目录 前文列表 安装组件 配置通用组件 配置自服务网络选项 配置Linux 桥接代理 配置Nova使用网络 完成安装 验证操作Execute following commands on Controller Node 前文列表 Openstack组件部署 - Overview和前期环境准备 Openstack组建部署 - Environment of Controller Node Openstack组件部署 - Keystone功能介绍与认证实现流程 Openstack组件部署 - Ke

Openstack组件部署 — Nova_Install and configure a compute node

目录 目录 前文列表 Prerequisites 先决条件 Install and configure a compute node Install the packages Edit the etcnovanovaconf file Finalize installation 前文列表 Openstack组件部署 - Overview和前期环境准备 Openstack组建部署 - Environment of Controller Node Openstack组件部署 - Keystone功能

Openstack组件部署 — Networking service_安装并配置Controller Node

目录 目录 前文列表 前提条件 完成下面的步骤以创建数据库 创建service credentials服务凭证 创建Neutron的API Endpoints 配置自服务网络 安装网络组件 配置服务组件 配置 Modular Layer 2 ML2 插件 配置Linux 桥接代理 配置layer-3代理 配置DHCP代理 配置元数据代理 配置计算使用网络 完成安装 前文列表 Openstack组件部署 - Overview和前期环境准备 Openstack组建部署 - Environment o

Openstack组件部署 — Nova_安装和配置Controller Node

目录 目录 前文列表 Prerequisites 先决条件 To create the databases To create the service credentials Create the Compute service API endpoints Install and configure components Install the packages Edit the etcnovanovaconf file Populate the Compute databases Finali

OpenStack组件系列?Keystone搭建

一:版本信息 官网:http://docs.openstack.org/newton/install-guide-rdo/keystone.html 二:部署keystone 官网文档:http://docs.openstack.org/newton/install-guide-rdo/ 查看系统信息: [[email protected] ~]# cat /etc/redhat-release CentOS Linux release 7.0.1406 (Core) [[email prote

OpenStack组件系列?Keystone

Keystone(OpenStack Identity Service)是 OpenStack 框架中负责管理身份验证.服务规则和服务令牌功能的模块.用户访问资源需要验证用户的身份与权限,服务执行操作也需要进行权限检测,这些都需要通过 Keystone 来处理.Keystone类似一个服务总线, 或者说是整个Openstack框架的注册表, 其他服务通过keystone来注册其服务的Endpoint(服务访问的URL),任何服务之间相互的调用, 需要经过Keystone的身份验证, 来获得目标服

Openstack组件部署 — 将一个 New Service 添加到 Keystone

目录 目录 Keystone 认证流程 让 Keystone 为一个新的项目 Service 提供验证功能 最后 Keystone 认证流程 User 使用凭证(username/password) 到 keystone 验证并获得一个临时的 Token 和 Generic catalog(全局目录),临时的 Token 会存储在 keystone-client(cache UUID locally) 和 keystone-backend 中. User 使用这个临时 Token 发送给 key

openstack组件之keystone

一 什么是keystone keystone是 OpenStack Identity Service 的项目名称.它在整个体系中充当一个授权者的角色. 二 keystone概念详解 User:指使用Openstack service的用户,可以是人.服务.系统,但凡使用了Openstack service的对象都可以称为User. Project(Tenant):可以理解为一个人.或服务所拥有的资源集合 .在一个Project(Tenant)中可以包含多个User,每一个User都会根据权限的划