

OpenStack Keystone: Identity Authentication




Course outline

1. Introduction to the Keystone service components
2. Installing and deploying Keystone
3. New features in Keystone v3





1. Create the keystone database and grant the keystone user access to it


mysql -u root -p -e "create database keystone;"

mysql -u root -p -e "grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'keystone';"

mysql -u root -p -e "grant all privileges on keystone.* to 'keystone'@'%' identified by 'keystone';"



2. Install keystone and its supporting packages


 

yum install openstack-keystone httpd mod_wsgi memcached python-memcached




3. Edit the keystone configuration file


Generate a random value for the admin (bootstrap) token:

$ openssl rand -hex 10

Then set the following options in /etc/keystone/keystone.conf. The number in front of each option is its line in the default file; the options belong to the sections shown.

[DEFAULT]
13:    admin_token = 7b016f6702c9ac4cbd6e
124:   verbose = true

[database]
549:   connection = mysql://keystone:keystone@192.168.100.40/keystone

[memcache]
1252:  servers = 192.168.100.40:11211

[revoke]
1773:  driver = sql

[token]
2005:  provider = fernet
2010:  driver = memcache




4. Populate the keystone database


su -s /bin/sh -c "keystone-manage db_sync" keystone




5. Initialize the Fernet token keys


keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone




6. Enable and start the memcached service


systemctl enable memcached.service

systemctl start memcached.service




7. Create the Apache WSGI configuration for keystone


/etc/httpd/conf.d/wsgi-keystone.conf

# Port 5000 serves the normal (public) API.
Listen 5000
# Port 35357 serves the admin API.
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>




8. Set ServerName in the httpd configuration (/etc/httpd/conf/httpd.conf)


ServerName 192.168.100.40:80




9. Enable and start the httpd service


# systemctl enable httpd.service
# systemctl start httpd.service




10. Set the keystone bootstrap environment variables


OS_TOKEN must be the same value as admin_token in keystone.conf; OS_URL points at the admin endpoint.

export OS_TOKEN=ef33d18ffbd5a54dac62

export OS_URL=http://192.168.100.40:35357/v3

export OS_IDENTITY_API_VERSION=3
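As an added check that is not part of the tutorial, the Python snippet below parses a keystone.conf fragment carrying the step 3 values and compares it with the step 10 environment: OS_TOKEN must equal admin_token, OS_URL must be the admin v3 endpoint on port 35357, and the token provider must be fernet for step 5 to have any effect. The configuration text and environment are constructed here to mirror the tutorial, whose OS_TOKEN and admin_token values differ, so the check reports that mismatch.

```python
import configparser

# Constructed keystone.conf fragment carrying the values set in step 3 (not the full default file).
SAMPLE_CONF = """
[DEFAULT]
admin_token = 7b016f6702c9ac4cbd6e
verbose = true
[database]
connection = mysql://keystone:keystone@192.168.100.40/keystone
[memcache]
servers = 192.168.100.40:11211
[token]
provider = fernet
driver = memcache
[revoke]
driver = sql
"""

# Constructed environment mirroring step 10 of the tutorial.
SAMPLE_ENV = {"OS_TOKEN": "ef33d18ffbd5a54dac62",
              "OS_URL": "http://192.168.100.40:35357/v3",
              "OS_IDENTITY_API_VERSION": "3"}

def load_conf(conf_text):
    """Parse keystone.conf text; interpolation is off because connection strings may contain '%'."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp

def check_bootstrap(conf_text, env):
    """Return the problems that would make the step 10 to 12 bootstrap fail against this keystone.conf."""
    cp = load_conf(conf_text)
    problems = []
    if cp.get("DEFAULT", "admin_token", fallback=None) != env.get("OS_TOKEN"):
        problems.append("OS_TOKEN does not equal admin_token in keystone.conf")
    if not env.get("OS_URL", "").endswith(":35357/v3"):
        problems.append("OS_URL must be the admin endpoint on port 35357 with the /v3 path")
    if env.get("OS_IDENTITY_API_VERSION") != "3":
        problems.append("OS_IDENTITY_API_VERSION must be 3 for the domain and project commands")
    if cp.get("token", "provider", fallback=None) != "fernet":
        problems.append("[token] provider is not fernet, so the fernet_setup in step 5 is unused")
    if not cp.get("database", "connection", fallback="").startswith("mysql://keystone:"):
        problems.append("[database] connection does not use the keystone DB user granted in step 1")
    return problems

for problem in check_bootstrap(SAMPLE_CONF, SAMPLE_ENV):
    print("PROBLEM:", problem)
```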




11. Create the admin and demo projects, users and roles, and assign the roles


Create the default domain (the projects and users below are placed in it):

   openstack domain create --description "Default Domain" default


Create the admin project:

   openstack project create --domain default --description "Admin Project" admin


Create the admin user (you will be prompted for a password):

   openstack user create --domain default --password-prompt admin


Create the admin role:

   openstack role create admin


Grant the admin role to the admin user on the admin project:

   openstack role add --project admin --user admin admin


Create the demo project:

   openstack project create --domain default --description "Demo Project" demo


Create the demo user with the password demo:

   openstack user create --domain default --password=demo demo


Create the user role for ordinary users:

   openstack role create user


Grant the user role to the demo user on the demo project:

   openstack role add --project demo --user demo user


Create the service project, which will hold the service accounts:

   openstack project create --domain default --description "Service Project" service


Register the keystone identity service:

   openstack service create --name keystone --description "Openstack Identity" identity




12. Create the identity API endpoints: public, internal and admin


Public endpoint, port 5000:

openstack endpoint create --region RegionOne \
  identity public http://192.168.100.40:5000/v3


Internal endpoint, port 5000:

openstack endpoint create --region RegionOne \
  identity internal http://192.168.100.40:5000/v3


Admin endpoint, port 35357:

openstack endpoint create --region RegionOne \
  identity admin http://192.168.100.40:35357/v3




13. Verify what was created


List all users:

    openstack user list

List all roles:

    openstack role list

List all projects:

    openstack project list

List all endpoints:

    openstack endpoint list




14. Unset the OS_TOKEN and OS_URL bootstrap variables


    unset OS_TOKEN

    unset OS_URL




15. Verify authentication by requesting a token as demo and as admin


openstack --os-auth-url http://192.168.100.40:5000/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name demo --os-username demo token issue

Enter the demo password when prompted.


openstack --os-auth-url http://192.168.100.40:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue

Enter the admin password when prompted.
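What `token issue` does on the wire, as an added example that is not part of the tutorial: the client POSTs a v3 password-authentication body to /v3/auth/tokens and receives the token in the X-Subject-Token header, with the user, project, roles, expiry and the service catalog (the endpoints created in step 12) in the JSON body. The response below is constructed in that shape so the parsing runs offline; issue_token is the live call and is not executed here.

```python
import json
import urllib.request
from datetime import datetime, timezone

# Public identity endpoint registered in step 12 of the tutorial.
AUTH_URL = "http://192.168.100.40:5000/v3"

def build_password_auth(user, password, project, domain="default"):
    """Body that `openstack ... token issue` POSTs to /v3/auth/tokens (password method, project scope)."""
    return {"auth": {
        "identity": {"methods": ["password"], "password": {
            "user": {"name": user, "domain": {"name": domain}, "password": password}}},
        "scope": {"project": {"name": project, "domain": {"name": domain}}}}}

def issue_token(auth_url, payload):
    """POST the auth request; the token comes back in X-Subject-Token, the catalog in the body."""
    req = urllib.request.Request(auth_url + "/auth/tokens", data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers["X-Subject-Token"], resp.read().decode()

def parse_token_response(subject_token, body, now_iso=None):
    """Summarise a scoped token: who it is for, whether it has expired, and the catalog URLs."""
    token = json.loads(body)["token"]
    expires = datetime.fromisoformat(token["expires_at"].replace("Z", "+00:00"))
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00")) if now_iso else datetime.now(timezone.utc)
    endpoints = {(svc["type"], ep["interface"]): ep["url"]
                 for svc in token.get("catalog", []) for ep in svc["endpoints"]}
    return {"token": subject_token, "user": token["user"]["name"], "project": token["project"]["name"],
            "roles": sorted(r["name"] for r in token["roles"]), "expired": now >= expires,
            "endpoints": endpoints}

# Constructed sample response in the shape Keystone v3 returns (not captured from a real deployment).
SAMPLE_SUBJECT_TOKEN = "gAAAAAB-constructed-fernet-token"
SAMPLE_BODY = json.dumps({"token": {
    "issued_at": "2016-03-01T10:00:00.000000Z", "expires_at": "2016-03-01T11:00:00.000000Z",
    "user": {"name": "demo", "domain": {"name": "default"}},
    "project": {"name": "demo", "domain": {"name": "default"}},
    "roles": [{"name": "user"}],
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": "public", "region": "RegionOne", "url": "http://192.168.100.40:5000/v3"},
        {"interface": "internal", "region": "RegionOne", "url": "http://192.168.100.40:5000/v3"},
        {"interface": "admin", "region": "RegionOne", "url": "http://192.168.100.40:35357/v3"}]}]}})

if __name__ == "__main__":
    # Against a live deployment: issue_token(AUTH_URL, build_password_auth("demo", "demo", "demo"))
    print(parse_token_response(SAMPLE_SUBJECT_TOKEN, SAMPLE_BODY, now_iso="2016-03-01T10:30:00Z"))
```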




16. Put the client environment variables in scripts for convenience


Admin environment (admin-openrc.sh):

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.100.40:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2   # added later, when verifying the glance commands in the Liberty (L) release


Demo environment (demo script):

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.100.40:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2


To use a script, give it execute permission and load it into the current shell with: source admin-openrc.sh



Please watch the video.

The video will be uploaded to Tencent Classroom, Youku and 56.com; search for 中祥课堂 to find it.


