OpenStack: Keystone

Keystone provides the authentication service in OpenStack.

Users and authentication: user permissions and tracking of user actions

Service catalog: provides a catalog of all services and their API endpoints

1. Install keystone

yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached -y

[[email protected] ~]# systemctl enable memcached.service

Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.

[[email protected] ~]# systemctl start memcached.service

2. Edit the keystone configuration file

[[email protected] keystone]#  grep -n  "^[a-Z]" /etc/keystone/keystone.conf

12:admin_token = ADMIN

107:verbose = true

495:connection = mysql://keystone:[email protected]/keystone

1313:servers = 172.16.80.130:11211

1718:driver = sql

1911:provider = uuid

1916:driver = memcache
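As an added example (not part of the original post), a small Python audit of the settings step 2 touches: it flags the well-known ADMIN bootstrap token, a trivial database password and the memcached token store. The sample config is constructed from the grep output above; the section each key belongs to is an assumption, and the obfuscated database password is replaced by a constructed one.

```python
import configparser
import re

# Constructed sample mirroring the grep output in step 2. The grep shows only
# keys, so the section each key sits in is an assumption; the DB password is
# obfuscated on the page, so "keystone" stands in for it here.
SAMPLE_CONF = """\
[DEFAULT]
admin_token = ADMIN
verbose = true
[database]
connection = mysql://keystone:keystone@172.16.80.130/keystone
[memcache]
servers = 172.16.80.130:11211
[revoke]
driver = sql
[token]
provider = uuid
driver = memcache
"""

WELL_KNOWN_TOKENS = {"admin", "secret", "password", "token", "changeme"}
MIN_TOKEN_LEN = 20  # what "openssl rand -hex 10" yields


def audit_keystone_conf(text):
    """Return a list of (severity, message) findings for a keystone.conf body."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    findings = []

    # The bootstrap token is a full admin credential on port 35357 until it is
    # removed here (and admin_token_auth is removed from keystone-paste.ini).
    token = cp.get("DEFAULT", "admin_token", fallback="").strip()
    if token and (token.lower() in WELL_KNOWN_TOKENS or len(token) < MIN_TOKEN_LEN):
        findings.append(("HIGH", "admin_token is a well-known or short value"))
    elif token:
        findings.append(("MEDIUM", "admin_token still set after bootstrap"))

    # The DB URL carries the password in clear text; flag trivial ones.
    conn = cp.get("database", "connection", fallback="")
    m = re.match(r"^[\w+]+://([^:/@]+):([^@]*)@", conn)
    if m and m.group(2) in ("", m.group(1)):
        findings.append(("HIGH", "database password is empty or equals the username"))
    elif m:
        findings.append(("INFO", "database password in clear text; keep the file 0640 root:keystone"))

    # uuid tokens are persisted in memcached, which has no authentication.
    if cp.get("token", "driver", fallback="") == "memcache":
        servers = cp.get("memcache", "servers", fallback="?")
        findings.append(("MEDIUM", "tokens live in memcached at %s; keep 11211 off untrusted networks" % servers))
    if cp.get("token", "provider", fallback="") == "uuid":
        findings.append(("LOW", "uuid provider stores every token; fernet needs no token store"))
    return findings
```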

3. Populate the database

[[email protected] keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone

4. Check the result

[[email protected] keystone]# mysql -e 'use keystone;show tables;'

+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| mapping                |
| migrate_version        |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+

5. Configure the HTTP service for keystone

[[email protected] ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller

[[email protected] ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

[[email protected] ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[[email protected] ~]# systemctl start httpd.service

6. Register the keystone API service and create the project, user and role

[[email protected] ~]# export OS_TOKEN=ADMIN
[[email protected] ~]# export OS_URL=http://172.16.80.130:35357/v3
[[email protected] ~]# export OS_IDENTITY_API_VERSION=3

[[email protected] ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | a5c2ef28a5d5402195e761761f438b15 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

Create the three types of endpoint: public (externally visible), internal (used inside the deployment) and admin (used for administration).
[[email protected] ~]# openstack endpoint create --region RegionOne identity public http://172.16.80.130:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0c199cc25852452d8b4a428edd4af515 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.16.80.130:5000/v2.0   |
+--------------+----------------------------------+
[[email protected] ~]# 
[[email protected] ~]#  openstack endpoint create --region RegionOne identity internal http://172.16.80.130:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 09a1cd321fd64049980096e7a940f6f8 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.16.80.130:5000/v2.0   |
+--------------+----------------------------------+
[[email protected] ~]# 
[[email protected] ~]# openstack endpoint create --region RegionOne identity admin http://172.16.80.130:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1b875e33729a4ea4aa9f1e3f5d28bfd1 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.16.80.130:35357/v2.0  |
+--------------+----------------------------------+

7. Create the admin project

[[email protected] ~]# openstack project create --domain default   --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
[[email protected] ~]# 
[[email protected] ~]# openstack user create --domain default --password-prompt admin 
User Password:  (the password is set to 123456)
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | d1ea9577f35247a794f92598fbb6cd00 |
| name      | admin                            |
+-----------+----------------------------------+

[[email protected] ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 0e98eecac3e94b22a51404a79848bdb7 |
| name  | admin                            |
+-------+----------------------------------+
[[email protected] ~]# openstack role add --project admin --user admin admin

8. Create an ordinary user demo, a demo project, and the ordinary-user role (user)

[[email protected] ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 3653ec22551f472b94e9438bcd9097bf |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+
[[email protected] ~]# openstack user create --domain default --password=demo demo
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | da1ed7fb5f494091a633afd6da29f900 |
| name      | demo                             |
+-----------+----------------------------------+
[[email protected] ~]# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 770c40490791437d97481465f8dd7251 |
| name  | user                             |
+-------+----------------------------------+
[[email protected] ~]# openstack role add --project demo --user demo user

Create the service project
[[email protected] ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 38e8f9eb1cb44d428f589703e663d995 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+

9. Verification

[[email protected] ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| d1ea9577f35247a794f92598fbb6cd00 | admin |
| da1ed7fb5f494091a633afd6da29f900 | demo  |
+----------------------------------+-------+
[[email protected] ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 3653ec22551f472b94e9438bcd9097bf | demo    |
| 38e8f9eb1cb44d428f589703e663d995 | service |
| 8a3b7f9f1b2c4f7eaf7780d268e672d1 | admin   |
+----------------------------------+---------+
[[email protected] ~]# openstack role list   
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 0e98eecac3e94b22a51404a79848bdb7 | admin |
| 770c40490791437d97481465f8dd7251 | user  |
+----------------------------------+-------+
[[email protected] ~]# 
[[email protected] ~]# 
[[email protected] ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                             |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| 09a1cd321fd64049980096e7a940f6f8 | RegionOne | keystone     | identity     | True    | internal  | http://172.16.80.130:5000/v2.0  |
| 0c199cc25852452d8b4a428edd4af515 | RegionOne | keystone     | identity     | True    | public    | http://172.16.80.130:5000/v2.0  |
| 1b875e33729a4ea4aa9f1e3f5d28bfd1 | RegionOne | keystone     | identity     | True    | admin     | http://172.16.80.130:35357/v2.0 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
[[email protected] ~]# 
[[email protected] ~]# 
[[email protected] ~]# unset OS_TOKEN
[[email protected] ~]#  unset OS_URL

[[email protected] ~]# openstack --os-auth-url http://172.16.80.130:35357/v3 \
  --os-project-domain-id default --os-user-domain-id default \
  --os-project-name admin --os-username admin --os-auth-type password \
  token issue
Password: 
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-29T17:53:21.237891Z      |
| id         | 1d3fc859a41848a7a4af688e3f9efcd0 |
| project_id | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| user_id    | d1ea9577f35247a794f92598fbb6cd00 |
+------------+----------------------------------+

10. Create the environment variable scripts

[[email protected] ~]# cat admin-openrc.sh 
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://172.16.80.130:35357/v3
export OS_IDENTITY_API_VERSION=3
[[email protected] ~]# 
[[email protected] ~]# cat demo-openrc.sh 
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://172.16.80.130:5000/v3
export OS_IDENTITY_API_VERSION=3
[[email protected] ~]# 
[[email protected] ~]# source admin-openrc.sh 
[[email protected] ~]# 
[[email protected] ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-29T18:00:54.127266Z      |
| id         | 2e9bfe2f30b941e391a987784ad31daf |
| project_id | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| user_id    | d1ea9577f35247a794f92598fbb6cd00 |
+------------+----------------------------------+
[[email protected] ~]# 
[[email protected] ~]# 
[[email protected] ~]# source demo-openrc.sh 
[[email protected] ~]# 
[[email protected] ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-29T18:01:05.293502Z      |
| id         | f2b7f727e4d74aa88a315012f6f7d1f0 |
| project_id | 3653ec22551f472b94e9438bcd9097bf |
| user_id    | da1ed7fb5f494091a633afd6da29f900 |
+------------+----------------------------------+
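Steps 9 and 10 both obtain a token with the password method. Added here (not from the original post) is a Python sketch of what that exchange looks like on the wire: the openrc variables become the body of a v3 POST /auth/tokens request, and the reply is reduced to the four fields "openstack token issue" prints. The openrc text and the reply body are constructed from the values above; no network call is made.

```python
import json

# Constructed copy of admin-openrc.sh from step 10 (values as on the page).
ADMIN_OPENRC = """\
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://172.16.80.130:35357/v3
export OS_IDENTITY_API_VERSION=3
"""

# Constructed reply body in the shape of a real POST /v3/auth/tokens response,
# reusing the ids that "openstack token issue" printed above.
SAMPLE_RESPONSE = json.dumps({"token": {
    "expires_at": "2016-10-29T18:00:54.127266Z",
    "project": {"id": "8a3b7f9f1b2c4f7eaf7780d268e672d1", "name": "admin"},
    "user": {"id": "d1ea9577f35247a794f92598fbb6cd00", "name": "admin"},
    "roles": [{"name": "admin"}]}})


def parse_openrc(text):
    """Turn 'export K=V' lines into a dict (surrounding quotes stripped)."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("export ") and "=" in line:
            key, value = line[len("export "):].split("=", 1)
            env[key.strip()] = value.strip().strip("'\"")
    return env


def build_password_auth(env):
    """Return (url, body) for a project-scoped v3 password authentication."""
    user = {"name": env["OS_USERNAME"],
            "domain": {"id": env["OS_USER_DOMAIN_ID"]},
            "password": env["OS_PASSWORD"]}
    scope = {"project": {"name": env["OS_PROJECT_NAME"],
                         "domain": {"id": env["OS_PROJECT_DOMAIN_ID"]}}}
    body = {"auth": {"identity": {"methods": ["password"],
                                  "password": {"user": user}},
                     "scope": scope}}
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens", body


def token_summary(subject_token, response_body):
    """Reduce a v3 reply to the fields 'openstack token issue' prints. The token
    id itself arrives in the X-Subject-Token header, not in the JSON body."""
    t = json.loads(response_body)["token"]
    return {"id": subject_token, "expires": t["expires_at"],
            "project_id": t["project"]["id"], "user_id": t["user"]["id"]}
```

Both openrc files carry a clear-text password, so keep them readable by their owner only (mode 0600).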
Time: 2024-10-01 04:25:48
