OpenStack Mitaka (M release) deployment on CentOS 7.2 +++ Part 3: OpenStack Identity service (Keystone)

Part 3: OpenStack Identity service (Keystone)


Keystone is installed on the controller node.


Log in to SQL, create the keystone database and grant privileges on it

mysql -uroot -p

CREATE DATABASE keystone;

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
  IDENTIFIED BY '123456';

GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
  IDENTIFIED BY '123456';

Explanation:

grant all privileges on database.table to 'user'@'IP address' identified by 'password'
Use grant all privileges on to change a user's remote access privileges for certain databases.
database: the name of the database to be accessed remotely; "*" means all databases
table: the name of the table under that database; "*" means all tables
user: the user name that is granted remote access
IP address: the IP address of the machine allowed to connect remotely; "%" means any address
password: the password the user authenticates with


Generate a random string to use as the admin token

[root@compute ~]# openssl rand -hex 10
41d33a2b1ca810fe25f2


Install httpd, mod_wsgi and keystone

yum install openstack-keystone httpd mod_wsgi

Edit the keystone configuration file

vi /etc/keystone/keystone.conf

[DEFAULT]
admin_token = 41d33a2b1ca810fe25f2

[database]
connection = mysql+pymysql://keystone:123456@controller/keystone

[token]
provider = fernet

Populate the database

su -s /bin/sh -c "keystone-manage db_sync" keystone

Check that the database was populated successfully

[root@controller ~]# mysql -uroot -p
Enter password: 
Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 184
Server version: 10.1.12-MariaDB MariaDB Server

Copyright (c) 2000, 2016, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MariaDB [keystone]> show tables;
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+
37 rows in set (0.00 sec)

MariaDB [keystone]> 

If the tables are present, it is OK.



Initialize the Fernet keys

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone


Configure the HTTP server


Edit

vi /etc/httpd/conf/httpd.conf

Set
ServerName controller

Create /etc/httpd/conf.d/wsgi-keystone.conf

vi /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>


Start httpd and enable it at boot

systemctl enable httpd.service
systemctl start httpd.service

Verify that the ports are listening

[root@controller ~]# ss -ntl | grep -E "5000|35357"
LISTEN     0      128         :::5000                    :::*                  
LISTEN     0      128         :::35357                   :::*       


If httpd fails to start

Remove the wsgi-keystone.conf file and try to start httpd again. If it starts, wsgi-keystone.conf is wrong or the mod_wsgi module was not installed correctly.

If it still does not start, the httpd configuration file itself is wrong.


Configure the authentication token

export OS_TOKEN=41d33a2b1ca810fe25f2

export OS_URL=http://controller:35357/v3

export OS_IDENTITY_API_VERSION=3


Create the service entity and API endpoints

If they cannot be created, check that the database is OK and that the configured authentication token matches admin_token.


Create the keystone service

openstack service create --name keystone --description "OpenStack Identity" identity

Create the keystone endpoints

openstack endpoint create --region RegionOne identity public http://controller:5000/v3

openstack endpoint create --region RegionOne identity internal http://controller:5000/v3

openstack endpoint create --region RegionOne identity admin http://controller:35357/v3

Create the domain

openstack domain create --description "Default Domain" default

Create the admin project

openstack project create --domain default --description "Admin Project" admin


Create the admin user

openstack user create --domain default --password-prompt admin

Create the admin role
openstack role create admin

Add the ``admin`` role to the admin project and user

openstack role add --project admin --user admin admin

This command produces no output when it succeeds.


Create the demo project

openstack project create --domain default --description "Demo Project" demo


Create the demo user

openstack user create --domain default --password-prompt demo

Create the user role for demo
openstack role create user

Add the ``user`` role to the demo project and user

openstack role add --project demo --user demo user

This command produces no output when it succeeds.


Create the service project

openstack project create --domain default  --description "Service Project" service


Verification:

Clear the environment

unset OS_TOKEN OS_URL


Create the client environment scripts

vi admin-openrc

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

vi demo-openrc

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2


As the admin user, request an authentication token:

. admin-openrc

[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
>   --os-project-domain-name default --os-user-domain-name default \
>   --os-project-name admin --os-username admin token issue
+------------+---------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                     |
+------------+---------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-11-16T19:50:34.017639Z                                                                                               |
| id         | gAAAAABaDd36Wnp2Eh0EcWxacw7on8IHaxogU4Ybb7bMJSIDfBwnVFharYBNBIJ5_HXci9CUp4OPAPg8OhVu0BfaDNVRDYcHsmAEf-                    |
|            | 8cy_4DDbGYm8C7g0g6q2hmlj14Zv5kJrdwkA60GnoUjHn3Zpa9X_C7XTrEv9wftHtOhIXRMFE0oM7OO-o                                         |
| project_id | af24a3c94886470183c864ef0f161b4c                                                                                          |
| user_id    | daf189d8436f4568abf06b741e948f31                                                                                          |
+------------+---------------------------------------------------------------------------------------------------------------------------+


As the demo user, request an authentication token:

. demo-openrc


[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
>   --os-project-domain-name default --os-user-domain-name default \
>   --os-project-name demo --os-username demo token issue
+------------+---------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                     |
+------------+---------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-11-16T19:51:25.696343Z                                                                                               |
| id         | gAAAAABaDd4tN8sS7WsC3pgAO88nVVNH2-hf7FNgBNQRMxdxywt6leOEY1gc048EWJlU1NsJ7eNkVVY0JQDzD66zmnkLid4Le9Jl-                     |
|            | gETayiOcSgDtBMcx1W8-2ztj6HjJGfCcnQLipkAZndMPkmG_cN8tFDLaT3PJOIqXrpNeMgKfX2wT9q5ma4                                        |
| project_id | 8cc1c04a21ae4165a1667e0bd5029831                                                                                          |
| user_id    | f16e48a0a33748f68d99c7e6cdd932a5                                                                                          |
+------------+---------------------------------------------------------------------------------------------------------------------------+



Final verification
. admin-openrc

[root@controller ~]# openstack token issue
+------------+---------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                     |
+------------+---------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-11-16T19:56:43.997186Z                                                                                               |
| id         | gAAAAABaDd9st5Qxb14yzoIzsEq8ml9bYSeB5NUpeTszd6KdbMtZ_zVXhmqzm5jxisBfqMKiwAbbY8h1T-wSB9kf9Swa-XOAL8uFGniW8-wc-             |
|            | MJRjHAQF8Qg_F8af_x7cstnTg8Qm3C4s_WlzcDP2o5UQR9mkoloI0Z-0Kx7NJO0T2rGWcXuUuQ                                                |
| project_id | af24a3c94886470183c864ef0f161b4c                                                                                          |
| user_id    | daf189d8436f4568abf06b741e948f31                                                                                          |
+------------+---------------------------------------------------------------------------------------------------------------------------+


Note:

An unexpected error prevented the server from fulfilling your request. (HTTP 500) (Request-ID: req-97aadec8-34a0-4076-a613-c4e23dee0752)
HTTP 500: database error, the tables do not exist
HTTP 401: probably a token error
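As an added example (not from this post or the OpenStack project), the following Python shows what `openstack token issue` does on the wire once admin-openrc is sourced: it builds the Keystone v3 password auth request scoped to the admin project and maps the reply, including the HTTP 401 and HTTP 500 cases noted above, to the four fields the CLI prints. The environment values and the sample reply are constructed from this post's openrc and output; the token string is a placeholder.

```python
import json

# Constructed sample env: the admin-openrc values from this post, as the CLI reads them.
ADMIN_ENV = {
    "OS_AUTH_URL": "http://controller:35357/v3",
    "OS_PROJECT_DOMAIN_NAME": "default",
    "OS_USER_DOMAIN_NAME": "default",
    "OS_PROJECT_NAME": "admin",
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "123456",
}

def build_auth_request(env):
    """Return (url, body) for a Keystone v3 password auth scoped to a project:
    the POST /v3/auth/tokens that `openstack token issue` sends after sourcing admin-openrc."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    user = {"name": env["OS_USERNAME"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
            "password": env["OS_PASSWORD"]}
    project = {"name": env["OS_PROJECT_NAME"],
               "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}
    body = {"auth": {"identity": {"methods": ["password"], "password": {"user": user}},
                     "scope": {"project": project}}}
    return url, body

def parse_token_response(status, headers, body):
    """Map Keystone's reply to the four fields `token issue` prints, or raise with the
    troubleshooting hint this post gives for HTTP 401 / HTTP 500."""
    if status == 201:
        tok = json.loads(body)["token"]
        return {"id": headers["X-Subject-Token"],  # the Fernet token is in this header, not the body
                "expires": tok["expires_at"],
                "project_id": tok["project"]["id"],
                "user_id": tok["user"]["id"]}
    if status == 401:
        raise PermissionError("HTTP 401: wrong password, or OS_TOKEN does not match admin_token")
    if status == 500:
        raise RuntimeError("HTTP 500: database error, check that keystone-manage db_sync created the tables")
    raise RuntimeError("unexpected HTTP %d" % status)

# Constructed sample reply (ids taken from the post's admin `token issue` output; token is a placeholder).
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-sample-fernet-token"}
SAMPLE_BODY = json.dumps({"token": {
    "expires_at": "2017-11-16T19:56:43.997186Z",
    "project": {"id": "af24a3c94886470183c864ef0f161b4c", "name": "admin"},
    "user": {"id": "daf189d8436f4568abf06b741e948f31", "name": "admin"}}})

if __name__ == "__main__":
    print(json.dumps(build_auth_request(ADMIN_ENV)[1], indent=2))
    print(parse_token_response(201, SAMPLE_HEADERS, SAMPLE_BODY))
```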