Keystone is the authentication service of OpenStack.
Users and authentication: user permissions and tracking of user actions.
Service catalog: a catalog of all services and their API endpoints.
1. Install Keystone
yum install openstack-keystone httpd mod_wsgi python-openstackclient memcached python-memcached -y
[root@controller ~]# systemctl enable memcached.service
Created symlink from /etc/systemd/system/multi-user.target.wants/memcached.service to /usr/lib/systemd/system/memcached.service.
[root@controller ~]# systemctl start memcached.service
2. Edit the Keystone configuration file
[root@controller keystone]# grep -n "^[a-Z]" /etc/keystone/keystone.conf
12:admin_token = ADMIN
107:verbose = true
495:connection = mysql://keystone:[email protected]/keystone
1313:servers = 172.16.80.130:11211
1718:driver = sql
1911:provider = uuid
1916:driver = memcache
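The settings above are the bootstrap configuration. As an added example (not part of the original post), the following script parses that `grep -n` output and flags the values that are fine while bootstrapping but should not stay in a running deployment; the DB password is not shown on the page, so the sample uses a placeholder.

```python
import re
from typing import List, Tuple

# Constructed sample input, modelled on the `grep -n "^[a-Z]"` output in step 2;
# the page does not show the DB password, so a placeholder stands in for it.
GREP_OUTPUT = """\
12:admin_token = ADMIN
107:verbose = true
495:connection = mysql://keystone:DBPASS_PLACEHOLDER@172.16.80.130/keystone
1313:servers = 172.16.80.130:11211
1718:driver = sql
1911:provider = uuid
1916:driver = memcache
"""
LINE_RE = re.compile(r"^(\d+):([A-Za-z_]+)\s*=\s*(.*?)\s*$")
DSN_RE = re.compile(r"^[a-z+]+://([^:/@]+):([^@]+)@")  # scheme://user:pass@host

def parse_grep(output: str) -> List[Tuple[int, str, str]]:
    """Turn 'lineno:key = value' lines into (lineno, key, value) tuples."""
    entries = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((int(m.group(1)), m.group(2), m.group(3)))
    return entries

def audit(entries: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Return (lineno, code, advice) for settings that are fine while
    bootstrapping but should not survive into a running deployment."""
    findings = []
    for lineno, key, value in entries:
        if key == "admin_token":
            findings.append((lineno, "ADMIN_TOKEN_SET", "bootstrap-only credential; "
                             "comment it out and drop admin_token_auth from "
                             "keystone-paste.ini once the admin user works"))
            if value == "ADMIN":
                findings.append((lineno, "ADMIN_TOKEN_DEFAULT",
                                 "value is the well-known default; use a random one"))
        elif key == "connection" and DSN_RE.match(value):
            findings.append((lineno, "DB_PASSWORD_INLINE", "cleartext DB credential; "
                             "keep keystone.conf mode 0640 root:keystone"))
        elif key == "provider" and value == "uuid":
            findings.append((lineno, "UUID_TOKENS", "UUID tokens persist in the token "
                             "table; run keystone-manage token_flush regularly"))
    return findings

if __name__ == "__main__":
    for lineno, code, advice in audit(parse_grep(GREP_OUTPUT)):
        print("keystone.conf:%d %s: %s" % (lineno, code, advice))
```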
3. Populate the database
[root@controller keystone]# su -s /bin/sh -c "keystone-manage db_sync" keystone
4. Check the result
[root@controller keystone]# mysql -e 'use keystone;show tables;'
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| mapping                |
| migrate_version        |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
5. Configure the HTTP server for Keystone
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
ServerName controller

[root@controller ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@controller ~]# systemctl start httpd.service
6. Register the Keystone API service and create projects, users and roles
[root@controller ~]# export OS_TOKEN=ADMIN
[root@controller ~]# export OS_URL=http://172.16.80.130:35357/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
[root@controller ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | a5c2ef28a5d5402195e761761f438b15 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
Create the three endpoint types: public (reachable from outside), internal (used within the deployment) and admin (used for administration).
[root@controller ~]# openstack endpoint create --region RegionOne identity public http://172.16.80.130:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 0c199cc25852452d8b4a428edd4af515 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.16.80.130:5000/v2.0   |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity internal http://172.16.80.130:5000/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 09a1cd321fd64049980096e7a940f6f8 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.16.80.130:5000/v2.0   |
+--------------+----------------------------------+
[root@controller ~]# openstack endpoint create --region RegionOne identity admin http://172.16.80.130:35357/v2.0
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1b875e33729a4ea4aa9f1e3f5d28bfd1 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a5c2ef28a5d5402195e761761f438b15 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://172.16.80.130:35357/v2.0  |
+--------------+----------------------------------+
7. Create the admin project
[root@controller ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password-prompt admin
User Password:          (the password is set to 123456)
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | d1ea9577f35247a794f92598fbb6cd00 |
| name      | admin                            |
+-----------+----------------------------------+
[root@controller ~]# openstack role create admin
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 0e98eecac3e94b22a51404a79848bdb7 |
| name  | admin                            |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project admin --user admin admin
8. Create an ordinary user demo, a demo project, and the ordinary role (user)
[root@controller ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 3653ec22551f472b94e9438bcd9097bf |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | None                             |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password=demo demo
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | default                          |
| enabled   | True                             |
| id        | da1ed7fb5f494091a633afd6da29f900 |
| name      | demo                             |
+-----------+----------------------------------+
[root@controller ~]# openstack role create user
+-------+----------------------------------+
| Field | Value                            |
+-------+----------------------------------+
| id    | 770c40490791437d97481465f8dd7251 |
| name  | user                             |
+-------+----------------------------------+
[root@controller ~]# openstack role add --project demo --user demo user
Create the service project:
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 38e8f9eb1cb44d428f589703e663d995 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | None                             |
+-------------+----------------------------------+
9. Verification
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| d1ea9577f35247a794f92598fbb6cd00 | admin |
| da1ed7fb5f494091a633afd6da29f900 | demo  |
+----------------------------------+-------+
[root@controller ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 3653ec22551f472b94e9438bcd9097bf | demo    |
| 38e8f9eb1cb44d428f589703e663d995 | service |
| 8a3b7f9f1b2c4f7eaf7780d268e672d1 | admin   |
+----------------------------------+---------+
[root@controller ~]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 0e98eecac3e94b22a51404a79848bdb7 | admin |
| 770c40490791437d97481465f8dd7251 | user  |
+----------------------------------+-------+
[root@controller ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                             |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| 09a1cd321fd64049980096e7a940f6f8 | RegionOne | keystone     | identity     | True    | internal  | http://172.16.80.130:5000/v2.0  |
| 0c199cc25852452d8b4a428edd4af515 | RegionOne | keystone     | identity     | True    | public    | http://172.16.80.130:5000/v2.0  |
| 1b875e33729a4ea4aa9f1e3f5d28bfd1 | RegionOne | keystone     | identity     | True    | admin     | http://172.16.80.130:35357/v2.0 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
[root@controller ~]# unset OS_TOKEN
[root@controller ~]# unset OS_URL
[root@controller ~]# openstack --os-auth-url http://172.16.80.130:35357/v3 \
> --os-project-domain-id default --os-user-domain-id default \
> --os-project-name admin --os-username admin --os-auth-type password \
> token issue
Password:
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-29T17:53:21.237891Z      |
| id         | 1d3fc859a41848a7a4af688e3f9efcd0 |
| project_id | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| user_id    | d1ea9577f35247a794f92598fbb6cd00 |
+------------+----------------------------------+
10. Create the environment variable files
[root@controller ~]# cat admin-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://172.16.80.130:35357/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]# cat demo-openrc.sh
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://172.16.80.130:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]# source admin-openrc.sh
[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-29T18:00:54.127266Z      |
| id         | 2e9bfe2f30b941e391a987784ad31daf |
| project_id | 8a3b7f9f1b2c4f7eaf7780d268e672d1 |
| user_id    | d1ea9577f35247a794f92598fbb6cd00 |
+------------+----------------------------------+
[root@controller ~]# source demo-openrc.sh
[root@controller ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-10-29T18:01:05.293502Z      |
| id         | f2b7f727e4d74aa88a315012f6f7d1f0 |
| project_id | 3653ec22551f472b94e9438bcd9097bf |
| user_id    | da1ed7fb5f494091a633afd6da29f900 |
+------------+----------------------------------+
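As an added example (not part of the original post), this shows what `openstack token issue` does with the demo-openrc.sh variables: the v3 password-auth request it builds from them, and how the token id, expiry, roles and endpoint catalog are read back. It uses only the Python standard library and a response constructed from the values printed above, so no live Keystone is contacted.

```python
import json
from datetime import datetime, timezone
from typing import Dict, List, Tuple

# Constructed input: the variables from demo-openrc.sh above, as the CLI reads them.
DEMO_ENV = {"OS_AUTH_URL": "http://172.16.80.130:5000/v3", "OS_PROJECT_DOMAIN_ID": "default",
            "OS_USER_DOMAIN_ID": "default", "OS_PROJECT_NAME": "demo",
            "OS_USERNAME": "demo", "OS_PASSWORD": "demo"}

def build_auth_request(env: Dict[str, str]) -> Tuple[str, dict]:
    """URL and JSON body of the project-scoped password auth behind `openstack token issue`."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    user = {"name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"id": env["OS_USER_DOMAIN_ID"]}}
    scope = {"project": {"name": env["OS_PROJECT_NAME"],
                         "domain": {"id": env["OS_PROJECT_DOMAIN_ID"]}}}
    return url, {"auth": {"identity": {"methods": ["password"], "password": {"user": user}},
                          "scope": scope}}

# Constructed response, built from the demo `token issue` output above: Keystone
# returns the token id in the X-Subject-Token header and everything else in the body.
SAMPLE_HEADERS = {"X-Subject-Token": "f2b7f727e4d74aa88a315012f6f7d1f0"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2016-10-29T18:01:05.293502Z",
    "project": {"id": "3653ec22551f472b94e9438bcd9097bf", "name": "demo"},
    "user": {"id": "da1ed7fb5f494091a633afd6da29f900", "name": "demo"},
    "roles": [{"name": "user"}],
    "catalog": [{"type": "identity", "endpoints": [
        {"interface": "public", "url": "http://172.16.80.130:5000/v2.0"},
        {"interface": "admin", "url": "http://172.16.80.130:35357/v2.0"}]}]}})
FIXED_NOW = datetime(2016, 10, 29, 17, 0, tzinfo=timezone.utc)  # a clock value before expiry

def parse_token_response(headers: Dict[str, str], body: str, now: datetime) -> dict:
    """Extract what `token issue` prints, plus the granted roles and an expiry check."""
    tok = json.loads(body)["token"]
    expires = datetime.strptime(tok["expires_at"], "%Y-%m-%dT%H:%M:%S.%fZ")
    expires = expires.replace(tzinfo=timezone.utc)
    return {"id": headers["X-Subject-Token"], "expires": expires,
            "valid": expires > now, "project_id": tok["project"]["id"],
            "user_id": tok["user"]["id"], "roles": [r["name"] for r in tok["roles"]],
            "catalog": tok.get("catalog", [])}

def endpoint_for(catalog: List[dict], service_type: str, interface: str) -> str:
    """Pick the URL for one interface; clients outside the control plane get 'public' only."""
    for svc in catalog:
        if svc["type"] == service_type:
            for ep in svc["endpoints"]:
                if ep["interface"] == interface:
                    return ep["url"]
    raise LookupError("no %s/%s endpoint in catalog" % (service_type, interface))
```

The request body is what the `--os-*` flags in step 9 are translated into; the admin-openrc.sh variables differ only in user, project and the 35357 auth URL.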