三、Openstack身份认证服务(keystone)
keystone安装在控制节点
进入SQL创建keystone数据库并授予权限
mysql -uroot -p
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY '123456';
grant all privileges on 库名.表名 to '用户名'@'IP地址' identified by '密码'
使用grant all privileges on来更改用户对应某些库的远程权限
库名:要远程访问的数据库名称,所有的数据库使用“*”
表名:要远程访问的数据库下的表的名称,所有的表使用“*”
用户名:要赋给远程访问权限的用户名称
IP地址:可以远程访问的电脑的IP地址,所有的地址使用“%”
密码:要赋给远程访问权限的用户对应使用的密码
生成一个随机数作为管理员密码
[root@compute ~]# openssl rand -hex 10
41d33a2b1ca810fe25f2
安装httpd,mod_wsgi,keystoen
yum install openstack-keystone httpd mod_wsgi
vi /etc/keystone/keystone.conf
[DEFAULT]
admin_token = 41d33a2b1ca810fe25f2
[database]
connection = mysql+pymysql://keystone:123456@controller/keystone
[token]
provider = fernet
su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 184
Server version: 10.1.12-MariaDB MariaDB Server
Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone |
+------------------------+
| access_token |
| assignment |
| config_register |
| consumer |
| credential |
| domain |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| local_user |
| mapping |
| migrate_version |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| region |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| whitelisted_config |
+------------------------+
37 rows in set (0.00 sec)
MariaDB [keystone]>
初始化Fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
配置http服务器
编辑
vi /etc/httpd/conf/httpd.conf
修改
ServerName controller
vi /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
Require all granted
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
Require all granted
systemctl enable httpd.service
systemctl start httpd.service
[root@controller ~]# ss -ntl | grep -E "5000|35357"
LISTEN 0 128 :::5000 :::*
LISTEN 0 128 :::35357 :::*
如果httpd启动失败
把wsgi-keystone.conf文件删除启动试试能不能启动,如果能启动说明wsgi-keystone.conf配置文件有误或者mod_wsgi模块没有成功安装
如果不能说明http配置文件有误
配置认证令牌
export OS_TOKEN=41d33a2b1ca810fe25f2
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
创建实体服务和API端点
如果不能正常创建查看数据库是否ok,检查配置的认证令牌是否是一样
创建keystone服务
openstack service create --name keystone --description "OpenStack Identity" identity
创建keystone端点
openstack endpoint create --region RegionOne identity public http://controller:5000/v3
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
openstack domain create --description "Default Domain" default
openstack project create --domain default --description "Admin Project" admin
openstack user create --domain default --password-prompt admin
openstack role create admin
openstack role add --project admin --user admin admin
此操作无返回是正确的
创建demo项目
openstack project create --domain default --description "Demo Project" demo
openstack user create --domain default --password-prompt demo
openstack role create user
openstack role add --project demo --user demo user
此操作无返回是正确的创建service项目
openstack project create --domain default --description "Service Project" service
验证:
清除环境
unset OS_TOKEN OS_URL
创建脚本
vi admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
vi demo-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
. admin-openrc
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
+------------+---------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------------------------------------------------------------------+
| expires | 2017-11-16T19:50:34.017639Z |
| id | gAAAAABaDd36Wnp2Eh0EcWxacw7on8IHaxogU4Ybb7bMJSIDfBwnVFharYBNBIJ5_HXci9CUp4OPAPg8OhVu0BfaDNVRDYcHsmAEf- |
| | 8cy_4DDbGYm8C7g0g6q2hmlj14Zv5kJrdwkA60GnoUjHn3Zpa9X_C7XTrEv9wftHtOhIXRMFE0oM7OO-o |
| project_id | af24a3c94886470183c864ef0f161b4c |
| user_id | daf189d8436f4568abf06b741e948f31 |
+------------+---------------------------------------------------------------------------------------------------------------------------+
demo 用户,请求认证令牌:
. demo-openrc
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
+------------+---------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------------------------------------------------------------------+
| expires | 2017-11-16T19:51:25.696343Z |
| id | gAAAAABaDd4tN8sS7WsC3pgAO88nVVNH2-hf7FNgBNQRMxdxywt6leOEY1gc048EWJlU1NsJ7eNkVVY0JQDzD66zmnkLid4Le9Jl- |
| | gETayiOcSgDtBMcx1W8-2ztj6HjJGfCcnQLipkAZndMPkmG_cN8tFDLaT3PJOIqXrpNeMgKfX2wT9q5ma4 |
| project_id | 8cc1c04a21ae4165a1667e0bd5029831 |
| user_id | f16e48a0a33748f68d99c7e6cdd932a5 |
+------------+---------------------------------------------------------------------------------------------------------------------------+
最后验证
. admin-openrc
[root@controller ~]# openstack token issue
+------------+---------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------------------------------------------------------------------+
| expires | 2017-11-16T19:56:43.997186Z |
| id | gAAAAABaDd9st5Qxb14yzoIzsEq8ml9bYSeB5NUpeTszd6KdbMtZ_zVXhmqzm5jxisBfqMKiwAbbY8h1T-wSB9kf9Swa-XOAL8uFGniW8-wc- |
| | MJRjHAQF8Qg_F8af_x7cstnTg8Qm3C4s_WlzcDP2o5UQR9mkoloI0Z-0Kx7NJO0T2rGWcXuUuQ |
| project_id | af24a3c94886470183c864ef0f161b4c |
| user_id | daf189d8436f4568abf06b741e948f31 |
+------------+---------------------------------------------------------------------------------------------------------------------------+
注意:
An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-97aadec8-34a0-4076-a613-c4e23dee0752)
http500 数据库错误没有数据表
http401 可能是token错误