OpenStack component series: Keystone setup

1: Version information

Official site: http://docs.openstack.org/newton/install-guide-rdo/keystone.html

2: Deploying keystone

Official documentation: http://docs.openstack.org/newton/install-guide-rdo/

Check the system information:

[[email protected] ~]# cat /etc/redhat-release
CentOS Linux release 7.0.1406 (Core)
[[email protected] ~]# uname -a
Linux localhost.localdomain 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

Preparation:

yum -y install centos-release-openstack-newton   # install the official yum repository
yum -y upgrade                                   # update the system
yum -y install python-openstackclient            # install the client tools
yum -y install openstack-selinux                 # install openstack-selinux, which manages the SELinux policies of the OpenStack components automatically

Additional note:

[[email protected] ~]# more /etc/yum.conf
[main]
cachedir=/newton   # create this directory
keepcache=1        # change this from the default 0 to 1 so that yum keeps the downloaded packages in the local cache
debuglevel=2
logfile=/var/log/yum.log
exactarch=1
obsoletes=1
gpgcheck=1
plugins=1
installonly_limit=5
bugtracker_url=http://bugs.centos.org/set_project.php?project_id=23&ref=http://bugs.centos.org/bug_report_page.php?category=yum
distroverpkg=centos-release

mkdir /newton

Deploying the database

Keystone supports LDAP and MySQL as backend drivers for storing user information, the service catalog and so on; here we choose MariaDB.
yum -y install mariadb mariadb-server python2-PyMySQL

Configuration

Configuration file: /etc/my.cnf.d/openstack.cnf

[mysqld]
bind-address = 192.168.1.120   # management-network IP of this host

default-storage-engine = innodb      # storage engine
innodb_file_per_table                # one tablespace file per table
max_connections = 4096               # maximum number of connections
collation-server = utf8_general_ci   # default collation
character-set-server = utf8          # character set

Start the service, enable it at boot and check its status

[[email protected] ~]# systemctl start mariadb.service
[[email protected] ~]# systemctl enable mariadb.service
Created symlink from /etc/systemd/system/multi-user.target.wants/mariadb.service to /usr/lib/systemd/system/mariadb.service.
[[email protected] ~]# systemctl status mariadb.service
● mariadb.service - MariaDB 10.1 database server
   Loaded: loaded (/usr/lib/systemd/system/mariadb.service; enabled; vendor preset: disabled)
   Active: active (running) since Mon 2017-02-06 09:25:17 EST; 16s ago
 Main PID: 43433 (mysqld)
   Status: "Taking your SQL requests now..."
   CGroup: /system.slice/mariadb.service
           └─43433 /usr/libexec/mysqld --basedir=/usr

Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Please report any problems at http://mariadb.org/jira
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: The latest information about MariaDB is available at http://mariadb.org/.
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: You can find additional information about the MySQL part at:
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: http://dev.mysql.com
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Support MariaDB development by buying support/new features from MariaDB
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Corporation Ab. You can contact us about this at [email protected]
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: Alternatively consider joining our community based development effort:
Feb 06 09:25:16 localhost.localdomain mysql-prepare-db-dir[43275]: http://mariadb.com/kb/en/contributing-to-the-mariadb-project/
Feb 06 09:25:16 localhost.localdomain mysqld[43433]: 2017-02-06  9:25:16 140101128218816 [Note] /usr/libexec/mysqld (mysqld 10.1.18-MariaD...433 ...
Feb 06 09:25:17 localhost.localdomain systemd[1]: Started MariaDB 10.1 database server.
Hint: Some lines were ellipsized, use -l to show in full.

MariaDB is now running.

Initialize the database (this sets the root password and removes the anonymous accounts and the test database):

mysql_secure_installation

Deploying keystone

Database operations for keystone

[[email protected] ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.1.18-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE keystone;   # create the database
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'
    ->   IDENTIFIED BY '123';   # create the keystone account for local access
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'
    ->   IDENTIFIED BY '123';   # create the keystone account for remote access
Query OK, 0 rows affected (0.00 sec)

Install the packages:

# the keystone package is named openstack-keystone
# httpd and mod_wsgi are installed because the community recommends running keystone under Apache
# openstack-keystone is essentially a WSGI web application, and httpd is a web server that speaks WSGI through the mod_wsgi module, so mod_wsgi must be installed for httpd
yum -y install openstack-keystone httpd mod_wsgi

Configure /etc/keystone/keystone.conf:

# tell openstack-keystone how to connect to its backend database, keystone
# mysql+pymysql: PyMySQL is a Python library for running native SQL against MySQL
# note that the password 123 is written without quotes
[database]
connection = mysql+pymysql://keystone:123@192.168.1.120/keystone
# fernet is the token provider, i.e. the way tokens are generated
[token]
provider = fernet

Initialize the keystone database

# keystone uses a Python ORM (object-relational mapping); this step creates the table schema in the database
su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the Fernet key repositories

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Integrating keystone with Apache

First set the hostname

hostnamectl set-hostname controller

Add to /etc/hosts

192.168.1.120 controller

Configure /etc/httpd/conf/httpd.conf

ServerName controller

Add the configuration file for the mod_wsgi module

ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Note: copying the file instead of symlinking it also works

Start Apache and enable it at boot

systemctl start httpd.service
systemctl enable httpd.service

3: Keystone operations

(1) Create the keystone catalog

Configure /etc/keystone/keystone.conf

[DEFAULT]
admin_token = 123

Set the environment variables

# OS_TOKEN = the admin_token from the configuration file
# during filter processing the admin_token_auth middleware sets is_admin=True for requests that carry it
# whoever holds this admin_token is effectively an administrator

export OS_TOKEN=123   # equal to the admin_token value in keystone.conf
export OS_URL=http://192.168.1.120:35357/v3
export OS_IDENTITY_API_VERSION=3

Create the catalog for keystone

# using the privileges granted in the previous step, create the identity service entity

[[email protected] ~]# openstack service create \
> --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 7ed3a973acd3460883efdc187225ef80 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
# for the service entity just created, create the three API endpoints used to reach it
[[email protected] ~]# openstack endpoint create --region RegionOne \
> identity public http://192.168.1.120:5000/v3

+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 37d4397231f74a5b98c48fd1220d7cd0 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 7ed3a973acd3460883efdc187225ef80 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.120:5000/v3     |
+--------------+----------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne \
> identity internal http://192.168.1.120:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 72b8b7a700124e3f8876c6e74fd7b0c5 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 7ed3a973acd3460883efdc187225ef80 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.120:5000/v3     |
+--------------+----------------------------------+
[[email protected] ~]# openstack endpoint create --region RegionOne \
> identity admin http://192.168.1.120:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | b63e63c081b74dc3829cb9ae045f02f7 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 7ed3a973acd3460883efdc187225ef80 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.120:35357/v3    |
+--------------+----------------------------------+

(2) Create a domain, a project, a user and a role, and link the four together

First create a shared domain:

[[email protected] ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 9526862455314cefbf4ad7faa4580582 |
| name        | default                          |
+-------------+----------------------------------+

Create the administrator's objects:

# create the admin project

[[email protected] ~]# openstack project create --domain default \
> --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 9526862455314cefbf4ad7faa4580582 |
| enabled     | True                             |
| id          | d2cac6cd998a4463abc5e83ec06f8996 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 9526862455314cefbf4ad7faa4580582 |
+-------------+----------------------------------+
# create the admin user
[[email protected] ~]# openstack user create --domain default \
> --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 9526862455314cefbf4ad7faa4580582 |
| enabled             | True                             |
| id                  | 97ecd026af9f46349b76c57af5f7f84c |
| name                | admin                            |
| password_expires_at | None                             |
+---------------------+----------------------------------+

# create the admin role

[[email protected] ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 81fcdb131f3d4a0d8b4fa3bc95cf7f46 |
| name      | admin                            |
+-----------+----------------------------------+

Link the three together (project, user, role)
[[email protected] ~]# openstack role add --project admin --user admin admin

(3) Use bootstrap to do the work of (1) and (2) in one step

# create the catalog for keystone
keystone-manage bootstrap --bootstrap-password 123 \
  --bootstrap-admin-url http://192.168.1.120:35357/v3/ \
  --bootstrap-internal-url http://192.168.1.120:35357/v3/ \
  --bootstrap-public-url http://192.168.1.120:5000/v3/ \
  --bootstrap-region-id RegionOne
Set the environment variables (here is_admin is not set to True; the admin user obtains a token instead)
export OS_USERNAME=admin
export OS_PASSWORD=123   # the --bootstrap-password given to keystone-manage
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.1.120:35357/v3
export OS_IDENTITY_API_VERSION=3

(4) Create a project, a regular user and a role, and link them together

# create the project named demo
[[email protected] ~]# openstack project create --domain default \
>   --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 9526862455314cefbf4ad7faa4580582 |
| enabled     | True                             |
| id          | 1d57f06fda06450298d5cf72777be63d |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 9526862455314cefbf4ad7faa4580582 |
+-------------+----------------------------------+
# create the regular user demo
[[email protected] ~]# openstack user create --domain default \
>   --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 9526862455314cefbf4ad7faa4580582 |
| enabled             | True                             |
| id                  | 8e28f8c353db487eb17477953e34452c |
| name                | demo                             |
| password_expires_at | None                             |
+---------------------+----------------------------------+
# create the role for regular users, i.e. user
[[email protected] ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | d0094c83800043529c37401a28815497 |
| name      | user                             |
+-----------+----------------------------------+
# link the three together
[[email protected] ~]# openstack role add --project demo --user demo user

(5) Create a shared service project for the later services

# all later services share one project, service, and all use the admin role
# so for the later services only steps 2 and 4 of the keystone work remain
[[email protected] ~]# openstack project create --domain default \
>   --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 9526862455314cefbf4ad7faa4580582 |
| enabled     | True                             |
| id          | 75026d89c408438086f2314c003fdc8f |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 9526862455314cefbf4ad7faa4580582 |
+-------------+----------------------------------+

Summary: every new service added later requires four operations in keystone: 1. create a project, 2. create a user, 3. create a role, 4. link them together

Viewing information

View the catalog: admin, internal and public endpoints

View the endpoints

View the service list

View the domain list

View the projects, roles and users, and their associations

4: Verification

Preparation

For security reasons the temporary-token authentication mechanism must now be disabled (both admin_token in the configuration file and keystone-manage's --bootstrap-password are based on it).

This mechanism marks the user's request with is_admin=True; the source-code analysis will cover it, so this understanding is enough for now.
Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the pipeline of each of these three sections:
[pipeline:public_api]
[pipeline:admin_api]
[pipeline:api_v3]
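Auditing and removing the admin_token_auth filter from those three pipelines can be scripted. The following Python is an added example (not code from this post or from Keystone) that works on a constructed, shortened keystone-paste.ini embedded inline; run it against the real file by reading its text instead:

```python
"""Audit and fix the admin_token_auth filter in keystone-paste.ini.
Added example (not from the original post or from Keystone). The
sample below is a constructed, shortened version of the Newton file.
"""
import configparser
import io

PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
FILTER = "admin_token_auth"

# Constructed sample: all three pipelines still carry admin_token_auth.
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""

def _load(ini_text):
    cfg = configparser.ConfigParser(interpolation=None)  # keep '#' and '%' in values
    cfg.read_string(ini_text)
    return cfg

def pipelines_using_admin_token(ini_text):
    """Audit: names of the pipelines in which the filter is still active."""
    cfg = _load(ini_text)
    return [s for s in PIPELINES
            if cfg.has_section(s) and FILTER in cfg[s]["pipeline"].split()]

def strip_admin_token_auth(ini_text):
    """Return (fixed_text, changed_sections): only the pipeline lines change;
    the [filter:admin_token_auth] definition is left in place."""
    cfg = _load(ini_text)
    changed = []
    for section in pipelines_using_admin_token(ini_text):
        filters = [f for f in cfg[section]["pipeline"].split() if f != FILTER]
        cfg[section]["pipeline"] = " ".join(filters)
        changed.append(section)
    out = io.StringIO()
    cfg.write(out)
    return out.getvalue(), changed

if __name__ == "__main__":
    fixed, changed = strip_admin_token_auth(SAMPLE_PASTE_INI)
    print("removed from:", changed)
    print("still using admin_token_auth:", pipelines_using_admin_token(fixed))
```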

Unset all the environment variables that were set, e.g.

unset OS_AUTH_URL OS_PASSWORD

Start the verification with the admin user

An error occurred. It means that only authenticated users may request a token, but I had already authenticated, so what is the reason?

There are two causes. First, the hostname in /etc/hosts is configured incorrectly.

Second, no new login was made after the hostname was changed.

It is best to take care of this right in the first step.

Verification succeeded

Tip: be sure to add --os-identity-api-version 3!!!

Verify with the demo user:

Verification method two:

[[email protected] ~]# curl -i \
> -H "Content-Type: application/json" \
> -d '
> {
>     "auth": {
>         "identity": {
>             "methods": [
>                 "password"
>             ],
>             "password": {
>                 "user": {
>                     "domain": {
>                         "name": "default"
>                     },
>                     "name": "admin",
>                     "password": "123"
>                 }
>             }
>         },
>         "scope": {
>             "project": {
>                 "domain": {
>                     "name": "default"
>                 },
>                 "name": "admin"
>             }
>         }
>     }
> }' \
> http://127.0.0.1:5000/v3/auth/tokens
HTTP/1.1 201 Created
Date: Mon, 06 Feb 2017 15:32:25 GMT
Server: Apache/2.4.6 (CentOS) mod_wsgi/3.4 Python/2.7.5
X-Subject-Token: gAAAAABYmJcyCNVmoREAng1Q_KKedkdp3SVMnJdZeH1edN-lQk5OLM0_Nfqar-YeObaVn2Go90jFVCMbRk5UE-rRhDPqW33mlccjD2aTrf0U3cHNAj_dqSJJaXNfCPjpwSH2bopieKeOMaY87NtiUhZunTvvPRORsGUrrSR2KGBxRmM0dNpIX-A
Vary: X-Auth-Token
x-openstack-request-id: req-5ec4e24e-dc11-4d89-99f9-e9dabbe3a948
Content-Length: 1124
Content-Type: application/json

{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "81fcdb131f3d4a0d8b4fa3bc95cf7f46", "name": "admin"}], "expires_at": "2017-02-06T16:33:00.000000Z", "project": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "d2cac6cd998a4463abc5e83ec06f8996", "name": "admin"}, "catalog": [{"endpoints": [{"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "public", "id": "37d4397231f74a5b98c48fd1220d7cd0"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "internal", "id": "72b8b7a700124e3f8876c6e74fd7b0c5"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:35357/v3", "region": "RegionOne", "interface": "admin", "id": "b63e63c081b74dc3829cb9ae045f02f7"}], "type": "identity", "id": "7ed3a973acd3460883efdc187225ef80", "name": "keystone"}], "user": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "97ecd026af9f46349b76c57af5f7f84c", "name": "admin"}, "audit_ids": ["Jw80h1bURZ6u6vYzcRA3xg"], "issued_at": "2017-02-06T15:33:06.000000Z"}}
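The same exchange can be handled programmatically. The following Python is an added example (not from this post) that builds the v3 password-auth document the curl call sends and parses the token reply; the reply body is the JSON the post's call returned, embedded inline, with a constructed placeholder for the X-Subject-Token header:

```python
"""Build a Keystone v3 password-auth request and parse the token reply.
Added example, not from the original post. SAMPLE_BODY is the token JSON
the post's curl call returned; the X-Subject-Token value is a constructed
placeholder (the real one is the long opaque string in the post).
"""
import json
from datetime import datetime, timezone

# Constructed header set: only the token id is invented.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-placeholder-token-id",
                  "Content-Type": "application/json"}

# Reply body as shown in the post (same ids as the tables above).
SAMPLE_BODY = '{"token": {"is_domain": false, "methods": ["password"], "roles": [{"id": "81fcdb131f3d4a0d8b4fa3bc95cf7f46", "name": "admin"}], "expires_at": "2017-02-06T16:33:00.000000Z", "project": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "d2cac6cd998a4463abc5e83ec06f8996", "name": "admin"}, "catalog": [{"endpoints": [{"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "public", "id": "37d4397231f74a5b98c48fd1220d7cd0"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:5000/v3", "region": "RegionOne", "interface": "internal", "id": "72b8b7a700124e3f8876c6e74fd7b0c5"}, {"region_id": "RegionOne", "url": "http://192.168.1.120:35357/v3", "region": "RegionOne", "interface": "admin", "id": "b63e63c081b74dc3829cb9ae045f02f7"}], "type": "identity", "id": "7ed3a973acd3460883efdc187225ef80", "name": "keystone"}], "user": {"domain": {"id": "9526862455314cefbf4ad7faa4580582", "name": "default"}, "id": "97ecd026af9f46349b76c57af5f7f84c", "name": "admin"}, "audit_ids": ["Jw80h1bURZ6u6vYzcRA3xg"], "issued_at": "2017-02-06T15:33:06.000000Z"}}'

def auth_request_body(user, password, project, domain="default"):
    """The JSON document the post sends to /v3/auth/tokens with curl."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"domain": {"name": domain},
                                           "name": user, "password": password}}},
        "scope": {"project": {"domain": {"name": domain}, "name": project}}}}

def _ts(value):
    """Keystone timestamps are UTC with microseconds and a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def parse_token_response(headers, body_text):
    """Extract what a client keeps: the token id (header only, never in the
    body), the scope, the granted roles, validity window and the catalog."""
    token = json.loads(body_text)["token"]
    catalog = {(svc["type"], ep["interface"]): ep["url"]
               for svc in token["catalog"] for ep in svc["endpoints"]}
    return {
        "token_id": headers["X-Subject-Token"],
        "user": token["user"]["name"],
        "project": token["project"]["name"],
        "roles": sorted(r["name"] for r in token["roles"]),
        "issued_at": _ts(token["issued_at"]),
        "expires_at": _ts(token["expires_at"]),
        "catalog": catalog,
    }

def token_is_valid(parsed, now):
    """True while the token has not yet reached its expires_at."""
    return now < parsed["expires_at"]

def endpoint_for(parsed, service_type, interface="public"):
    """Resolve a service URL from the catalog the way a client does."""
    return parsed["catalog"][(service_type, interface)]
```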
Date: 2024-08-07 08:40:05
