(1) Create the keystone database
On the database host, connect to the database server as root:
$ mysql -u root -p
Create the keystone database:
CREATE DATABASE keystone;
Grant the appropriate privileges on the `keystone` database:
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace KEYSTONE_DBPASS with a suitable password. Note that the `'keystone'@'%'` grant accepts the keystone account from any host; when the database does not run on the controller itself, restrict that grant to the controller's address instead of `%`.
(2) Install keystone on the controller node
1) yum -y install openstack-keystone httpd mod_wsgi
2) Edit /etc/keystone/keystone.conf
In the `[DEFAULT]` section, define the value of the initial administration token:
[DEFAULT]
...
admin_token = ADMIN_TOKEN
Replace `ADMIN_TOKEN` with a random value generated by openssl rand -hex 10. This token is a static shared secret: anyone who presents it gets full administrative access, and it is only needed for the admin-token authentication method. Since step (6) below creates the admin account with keystone-manage bootstrap, remove (or comment out) admin_token from keystone.conf once the bootstrap has completed.
3) In the [database] section, configure database access:
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace `KEYSTONE_DBPASS` with the password you chose for the database; `controller` must resolve to the database server.
4) In the `[token]` section, configure the Fernet token provider:
[token]
...
provider = fernet
(3) Configure the memcache service for keystone
In keystone.conf, find the memcache_servers and driver options and set them as follows (the full set of changes made so far):
[root@controller1 ~]# vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token =e1c8d67ee15082f22685
[cache]
memcache_servers = 172.16.70.204:11211
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
driver = memcache
Two caveats. oslo.cache stays disabled unless `[cache]` also sets `enabled = true` (plus a backend such as `backend = oslo_cache.memcache_pool`), so `memcache_servers` on its own does not make keystone use memcached. And with `provider = fernet` tokens are never persisted, so the `driver` option under `[token]` (the token persistence driver used by UUID tokens) has no effect here.
(4) Populate the Identity service database on keystone:
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Afterwards a log file has been created; check it with # ll /var/log/keystone/:
-rw-rw---- 1 root keystone 24812 May 10 15:25 keystone.log
(5) Initialize the Fernet key repositories:
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
These commands create /etc/keystone/fernet-keys and /etc/keystone/credential-keys, owned by keystone with mode 0700. Fernet tokens are symmetric constructions, so whoever can read these keys can mint valid tokens for any user; keep the directories at those permissions and include them in whatever you back up and rotate.
(6) Bootstrap the Identity service
keystone-manage bootstrap \
--bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://172.16.70.201:35357/v3/ \
--bootstrap-internal-url http://172.16.70.201:5000/v3/ \
--bootstrap-public-url http://172.16.70.201:5000/v3/ \
--bootstrap-region-id RegionOne
This creates the admin user (password ADMIN_PASS; pick your own), the admin project and role, the RegionOne region and the identity service endpoints. The endpoint URLs are plain http, so passwords and tokens cross the network unencrypted; that is only acceptable on an isolated lab network.
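The checks described in steps (2) to (6), as an added example that is not part of the original tutorial: a shell script that audits a keystone.conf after bootstrap for a leftover admin_token, a non-fernet token provider, a `[cache]` section with memcache_servers but no `enabled = true`, and an unreplaced KEYSTONE_DBPASS placeholder, and that verifies the Fernet and credential key directories are owned by keystone with mode 0700. The ini parser and the sample config it runs against are written for this example; the sample reproduces the values shown on this page, and the /etc/keystone paths in the comments are keystone's defaults.

```bash
#!/bin/bash
# Added example (not from the tutorial): post-bootstrap audit of keystone.conf
# and of the Fernet/credential key repositories. Findings are printed one per
# line; audit_keystone_conf returns the number of findings as its exit status.

# ini_get FILE SECTION KEY -> value (empty if absent). Tolerates "key =value".
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { h = $0; gsub(/[ \t]/, "", h); in_sec = (h == sec); next }
        in_sec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
                print v; exit
            }
        }' "$1"
}

# audit_keystone_conf FILE -> prints one line per finding, returns the count.
audit_keystone_conf() {
    local conf="$1" n=0 v servers enabled
    v=$(ini_get "$conf" DEFAULT admin_token)
    if [ -n "$v" ]; then
        echo "FAIL [DEFAULT] admin_token is set: anyone who reads this file has full admin; remove it after bootstrap"
        n=$((n + 1))
    fi
    v=$(ini_get "$conf" token provider)
    if [ "$v" != "fernet" ]; then
        echo "FAIL [token] provider is '${v:-unset}', expected fernet"
        n=$((n + 1))
    fi
    servers=$(ini_get "$conf" cache memcache_servers)
    enabled=$(ini_get "$conf" cache enabled)
    if [ -n "$servers" ] && [ "$enabled" != "true" ]; then
        echo "WARN [cache] memcache_servers set but enabled != true: oslo.cache is off, memcached is unused"
        n=$((n + 1))
    fi
    v=$(ini_get "$conf" database connection)
    case "$v" in
        *KEYSTONE_DBPASS*)
            echo "FAIL [database] connection still carries the KEYSTONE_DBPASS placeholder"
            n=$((n + 1)) ;;
    esac
    return "$n"
}

# check_key_repo DIR OWNER -> 0 if DIR exists, is owned by OWNER and is mode 700,
# which is how keystone-manage fernet_setup/credential_setup create it.
# Anyone able to read the keys can mint valid tokens.
check_key_repo() {
    local dir="$1" owner="$2" have_owner mode
    [ -d "$dir" ] || { echo "FAIL $dir missing: run keystone-manage fernet_setup / credential_setup"; return 1; }
    have_owner=$(stat -c %U "$dir")
    mode=$(stat -c %a "$dir")
    if [ "$have_owner" != "$owner" ] || [ "$mode" != "700" ]; then
        echo "FAIL $dir is $have_owner mode $mode, expected $owner mode 700"
        return 1
    fi
}

# write_sample_conf FILE: constructed sample, the keystone.conf fragment shown above.
write_sample_conf() {
    cat > "$1" <<'EOF'
[DEFAULT]
admin_token =e1c8d67ee15082f22685
[cache]
memcache_servers = 172.16.70.204:11211
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
driver = memcache
EOF
}

# Demo against the constructed sample. On a real controller run instead:
#   audit_keystone_conf /etc/keystone/keystone.conf
#   check_key_repo /etc/keystone/fernet-keys keystone
#   check_key_repo /etc/keystone/credential-keys keystone
demo_conf=$(mktemp)
write_sample_conf "$demo_conf"
audit_keystone_conf "$demo_conf" || echo "$? finding(s) in the sample config"
rm -f "$demo_conf"
```

Run against the page's own configuration the audit reports three findings: the admin_token still present, memcached configured but not enabled, and the database password placeholder. The key-repository check needs to run as root (or as a user able to stat the directories) on the controller itself.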
(7) Configure the Apache HTTP server on keystone:
1) Edit /etc/httpd/conf/httpd.conf and set the `ServerName` option to the controller node:
# Set ServerName for Apache; without it httpd complains that it cannot reliably determine the server's fully qualified domain name
ServerName controller1
2) Link keystone's Apache configuration file into the Apache conf.d directory:
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
3) Enable and restart the httpd service
systemctl enable httpd
systemctl restart httpd
4) Check that the services on ports 5000 and 35357 have come up (both should be in LISTEN state and belong to httpd)
[root@controller1 conf.d]# netstat -ntlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 928/sshd
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN 1130/master
tcp6 0 0 :::5000 :::* LISTEN 1886/httpd
tcp6 0 0 :::80 :::* LISTEN 1886/httpd
tcp6 0 0 :::22 :::* LISTEN 928/sshd
tcp6 0 0 ::1:25 :::* LISTEN 1130/master
tcp6 0 0 :::35357 :::* LISTEN 1886/httpd
5) Open ports 5000 and 35357 in a browser (http://172.16.70.201:5000/ and http://172.16.70.201:35357/); keystone answers with its API version list.
(8) Create projects, users and roles
1) Set the admin credentials as environment variables
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://172.16.70.201:35357/v3
export OS_IDENTITY_API_VERSION=3
The commands that follow authenticate with these variables; ADMIN_PASS is the admin password set in step (6), so keep the admin user name and password at hand.
2) Create the service project, the demo project, the demo user and the user role
1. Create the project named service
[root@controller1 conf.d]# openstack project create --domain default --description "Service Project" service
2. Create the demo project
openstack project create --domain default --description "Demo Project" demo
3. Create the demo user
openstack user create --domain default --password-prompt demo  # password: 123456 (a lab value; use a real password outside a lab)
4. Create the user role
[root@controller1 conf.d]# openstack role create user
5. Assign the role: grant the demo user the user role on the demo project
[root@controller1 conf.d]# openstack role add --project demo --user demo user
Note: this command prints nothing when it succeeds.
3) Verify the operation
1. First unset the temporary variables
unset OS_AUTH_URL OS_PASSWORD
Use export | grep OS_ to confirm they are gone.
2. Request a token as the admin user
[root@controller1 conf.d]# openstack --os-auth-url http://172.16.70.201:35357/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
Password: ADMIN_PASS
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-05-14T10:21:27+0000 |
| id | gAAAAABa-VUXMODNl2Liay9sM_V5m2TnfYzw4bWSctBBcLzVuLQrleuiG3NyH9abU0Ruj6e5SJEXyl9MTrBoZRazZJ92XXMLmTcpUNhaLwKcvE4owb2ygQ1jJo053m4umDkV3nvVXqJoGTh6iz7C_dl2WBueNN23kHEr9prSJmW6HU56edd-fNE |
| project_id | d364e5087c374be3830267ca72aa2020 |
| user_id | 92a68993073043f0be188f8219ee1e8f |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
3. Request a token as the demo user (through the public endpoint on port 5000)
openstack --os-auth-url http://172.16.70.201:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name demo --os-username demo token issue
Password: 123456
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-05-14T10:29:25+0000 |
| id | gAAAAABa-Vb1tkN3LKLFgRLvCCPfI4pUZKSfgttC8DK0fkdaKOFVEKQAVnWIjR4_NPgAzIfsXgxOC6PkGeXPoJQCF6xhwNoSfq1o0zRMHRK-1ANeHzG_jL-sSSmyevyP-gicyIExH8rg-boaGaChlJu51b7M7dC9wEXnUzkfRMSvfJ4FMcnRtgA |
| project_id | eb3d2523c1ae4427bfc22fccdae18b04 |
| user_id | 28392eb6e019446fa6b7ac0488063033 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
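The two `token issue` calls above wrap a single Identity v3 request: a POST to /v3/auth/tokens with a password-method body, answered with the token id in the X-Subject-Token response header. The script below is an added example, not part of the original tutorial, that performs the same exchange with curl and adds the validate and revoke calls a practitioner wants when checking that tokens behave. The auth URLs are the page's endpoints (port 5000 for the demo user, 35357 for admin) and the credentials are the page's placeholders; the helper functions are written for this example.

```bash
#!/bin/bash
# Added example (not from the tutorial): the raw Identity v3 token exchange
# behind `openstack ... token issue`, plus token validation and revocation.

# json_escape STRING: escape backslash and double quote so a password such as
# p"ss\word does not break the JSON request body.
json_escape() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# auth_body USER PASSWORD PROJECT [DOMAIN] -> POST body for /v3/auth/tokens:
# password method, scoped to PROJECT (domain defaults to Default).
auth_body() {
    local user pass project domain
    user=$(json_escape "$1"); pass=$(json_escape "$2")
    project=$(json_escape "$3"); domain=$(json_escape "${4:-Default}")
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$user" "$domain" "$pass" "$project" "$domain"
}

# subject_token_from_headers: read HTTP response headers on stdin and print the
# X-Subject-Token value; keystone returns the token id there, not in the body.
subject_token_from_headers() {
    awk 'tolower($1) == "x-subject-token:" { sub(/\r$/, "", $2); print $2; exit }'
}

# issue_token AUTH_URL USER PASSWORD PROJECT -> token id on stdout.
# The HTTP status line goes to stderr; a non-2xx answer leaves stdout empty.
issue_token() {
    local headers
    headers=$(curl -sS -D - -o /dev/null -H 'Content-Type: application/json' \
        -d "$(auth_body "$2" "$3" "$4")" "$1/auth/tokens")
    printf '%s\n' "$headers" | head -n1 >&2
    printf '%s\n' "$headers" | subject_token_from_headers
}

# validate_token AUTH_URL CALLER_TOKEN SUBJECT_TOKEN -> HTTP status code.
# 200 means SUBJECT_TOKEN is valid, 404 means invalid, expired or revoked.
validate_token() {
    curl -sS -o /dev/null -w '%{http_code}' \
        -H "X-Auth-Token: $2" -H "X-Subject-Token: $3" "$1/auth/tokens"
}

# revoke_token AUTH_URL CALLER_TOKEN SUBJECT_TOKEN -> HTTP status (204 on success).
revoke_token() {
    curl -sS -o /dev/null -w '%{http_code}' -X DELETE \
        -H "X-Auth-Token: $2" -H "X-Subject-Token: $3" "$1/auth/tokens"
}

# Demo: print the body sent for the admin user. The network calls are left
# commented so the file runs anywhere; on the controller, uncomment them.
auth_body admin ADMIN_PASS admin; echo
# tok=$(issue_token http://172.16.70.201:35357/v3 admin ADMIN_PASS admin)
# demo=$(issue_token http://172.16.70.201:5000/v3 demo 123456 demo)
# validate_token http://172.16.70.201:35357/v3 "$tok" "$demo"   # 200
# revoke_token   http://172.16.70.201:35357/v3 "$tok" "$demo"   # 204
# validate_token http://172.16.70.201:35357/v3 "$tok" "$demo"   # 404
```

The validate-then-revoke-then-validate sequence is the quickest way to confirm that Fernet tokens are being rejected after revocation rather than merely expiring; because Fernet tokens are not stored, keystone answers the second validation from its revocation events, so a 200 there would point at a broken revocation table or a skewed clock.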
4) Create the OpenStack client environment scripts
Setting the environment variables by hand every time is inconvenient; create the scripts below and load them at login.
1. Create the admin-openrc script: vim /root/admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://172.16.70.201:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
2. Create the demo-openrc script: vim /root/demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://172.16.70.201:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
chmod 600 /root/admin-openrc /root/demo-openrc  # both files contain passwords, so only root may read or write them
source admin-openrc  # source FILE reads and executes the commands in FILE in the current shell; "." is the usual short form of the command
After sourcing, check the current environment: [root@controller1 ~]# export | grep OS_
3. Load the script automatically at login
vim ~/.bash_profile
source ~/admin-openrc  # append this line at the end
4. Run a couple of commands to test keystone
[root@controller1 keystone]# openstack role list
[root@controller1 keystone]# openstack token issue