OpenStack Keystone: Identity Authentication
Tutorial outline
1. Keystone service components
2. Keystone installation and deployment
3. New features in Keystone v3
1. Create the keystone database and grant access to it
mysql -u root -p -e "create database keystone;"
mysql -u root -p -e "grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'keystone';"
mysql -u root -p -e "grant all privileges on keystone.* to 'keystone'@'%' identified by 'keystone';"
2. Install keystone and its supporting packages
yum install openstack-keystone httpd mod_wsgi memcached python-memcached
3. Edit the keystone configuration file
Generate a random value for the admin token with:
$ openssl rand -hex 10
Set the following options. The line numbers refer to the stock Liberty keystone.conf; the section each option belongs to is given in brackets, and the database connection uses the keystone user and password granted in step 1.
[DEFAULT]  line 13:   admin_token = 7b016f6702c9ac4cbd6e
[DEFAULT]  line 124:  verbose = true
[database] line 549:  connection = mysql://keystone:keystone@192.168.100.40/keystone
[memcache] line 1252: servers = 192.168.100.40:11211
[revoke]   line 1773: driver = sql
[token]    line 2005: provider = fernet
[token]    line 2010: driver = memcache
4. Populate the keystone database
su -s /bin/sh -c "keystone-manage db_sync" keystone
5. Initialize the Fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
6. Enable and start the memcached service
systemctl enable memcached.service
systemctl start memcached.service
7. Create the Apache WSGI configuration for keystone, /etc/httpd/conf.d/wsgi-keystone.conf
# Port 5000 serves the regular (public) API.
Listen 5000
# Port 35357 serves the admin API.
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
8. Set the ServerName address in the httpd.conf of the httpd service
ServerName 192.168.100.40:80
9. Enable and start the httpd service
systemctl enable httpd.service
systemctl start httpd.service
10. Set the keystone bootstrap environment variables (OS_TOKEN must be the same value as admin_token in keystone.conf from step 3, otherwise the bootstrap commands below are rejected)
export OS_TOKEN=ef33d18ffbd5a54dac62
export OS_URL=http://192.168.100.40:35357/v3
export OS_IDENTITY_API_VERSION=3
11. Create the admin and demo projects, users and roles, and assign the roles
Create the default domain:
openstack domain create --description "Default Domain" default
Create the admin project:
openstack project create --domain default --description "Admin Project" admin
Create the admin user:
openstack user create --domain default --password-prompt admin
Create the admin role:
openstack role create admin
Add the admin user to the admin project with the admin role:
openstack role add --project admin --user admin admin
Create the demo project for a regular user:
openstack project create --domain default --description "Demo Project" demo
Create the demo user with its password:
openstack user create --domain default --password=demo demo
Create the role for regular users:
openstack role create user
Add the demo user to the demo project with the user role:
openstack role add --project demo --user demo user
Create the service project, which the other services are added to:
openstack project create --domain default --description "Service Project" service
Add the keystone service entry:
openstack service create --name keystone --description "Openstack Identity" identity
12. Create the identity API endpoints: public, internal and admin
Public, port 5000:
openstack endpoint create --region RegionOne \
identity public http://192.168.100.40:5000/v3
Internal, port 5000:
openstack endpoint create --region RegionOne \
identity internal http://192.168.100.40:5000/v3
Admin, port 35357:
openstack endpoint create --region RegionOne \
identity admin http://192.168.100.40:35357/v3
13. Test and verify
List all users:
openstack user list
List all roles:
openstack role list
List all projects:
openstack project list
List all endpoints:
openstack endpoint list
14. Unset the OS_TOKEN and OS_URL environment variables
unset OS_TOKEN
unset OS_URL
15. Request a token as demo and as admin to verify that authentication works
openstack --os-auth-url http://192.168.100.40:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue
Enter the demo password when prompted.
openstack --os-auth-url http://192.168.100.40:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
Enter the admin password when prompted.
16. Configure the keystone client environment variables so that later commands are easier to run
Admin environment variables:
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.100.40:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2  # added later in the Liberty release, when verifying the glance commands
Demo environment variables:
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.100.40:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Save each set in a script, add execute permission, and load it when needed with: source admin-openrc.sh
Please watch the video.
The video will be uploaded to Tencent Classroom, Youku and 56.com; search for 中祥课堂 to find it.
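A set of checks for steps 10, 14, 15 and 16, added here as an example and not part of the original tutorial: it compares OS_TOKEN with the admin_token in keystone.conf, builds the v3 password request that "openstack token issue" sends from the openrc variables, reads the token out of the X-Subject-Token response header, and reports whether the bootstrap admin_token_auth filter is still in keystone-paste.ini. The paths /etc/keystone/keystone.conf and /etc/keystone/keystone-paste.ini are the package defaults and are assumed, not taken from the tutorial.

```shell
#!/bin/sh
# Added sanity checks for the keystone bootstrap (not from the original tutorial).

# Step 10: OS_TOKEN must equal admin_token in keystone.conf, otherwise every
# "openstack ... create" in step 11 is rejected with HTTP 401.
keystone_admin_token() {          # $1 = path to keystone.conf
  sed -n 's/^[[:space:]]*admin_token[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p' "$1" | head -n 1
}
token_matches_conf() {            # $1 = keystone.conf path, $2 = OS_TOKEN value
  [ -n "$2" ] && [ "$(keystone_admin_token "$1")" = "$2" ]
}

# Steps 15/16: the JSON body that "openstack token issue" POSTs to
# /v3/auth/tokens, built from the openrc variables of step 16.
# (Passwords containing '"' or '\' are not escaped here.)
keystone_v3_auth_body() {
  printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
    "$OS_USERNAME" "$OS_USER_DOMAIN_NAME" "$OS_PASSWORD" "$OS_PROJECT_NAME" "$OS_PROJECT_DOMAIN_NAME"
}

# Keystone returns the token in the X-Subject-Token response header, not in
# the JSON body; this reads raw response headers (e.g. from "curl -si") on stdin.
extract_subject_token() {
  sed -n 's/^[Xx]-[Ss]ubject-[Tt]oken:[[:space:]]*//p' | tr -d '\r' | head -n 1
}

# Step 14 only unsets OS_TOKEN in your shell; the shared admin_token keeps
# working as long as the admin_token_auth filter is in a pipeline of
# keystone-paste.ini. Exit status 0 means it is still enabled.
admin_token_auth_enabled() {      # $1 = path to keystone-paste.ini
  grep -Eq '^[[:space:]]*pipeline[[:space:]]*=.*admin_token_auth' "$1"
}

# Live usage on the controller (assumed paths, not executed here):
#   source admin-openrc.sh
#   curl -si -H 'Content-Type: application/json' -d "$(keystone_v3_auth_body)" \
#     "$OS_AUTH_URL/auth/tokens" | extract_subject_token
#   token_matches_conf /etc/keystone/keystone.conf "$OS_TOKEN" || echo "OS_TOKEN differs from admin_token"
#   admin_token_auth_enabled /etc/keystone/keystone-paste.ini && echo "admin_token_auth still enabled"
```

With the tutorial's own values (admin_token 7b016f6702c9ac4cbd6e in step 3, OS_TOKEN ef33d18ffbd5a54dac62 in step 10) token_matches_conf fails, which is the mismatch to fix before step 11.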