Installing OpenStack (Queens) on CentOS 7, Part 2: Keystone identity service

Keystone identity service (controller node)

Create the database

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
FLUSH PRIVILEGES;

Install the packages

yum install openstack-keystone httpd mod_wsgi
  • Edit /etc/keystone/keystone.conf and change the following settings
[database]
connection = mysql+pymysql://keystone:keystone@controller-01/keystone
[token]
provider = fernet

Initialize (sync) the keystone database

su -s /bin/sh -c "keystone-manage db_sync" keystone

Initialize the fernet key repositories

keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

Verification

[root@controller-01 ~]# mysql -ukeystone -pkeystone keystone -e 'show tables'
Enter password: 
+-----------------------------+
| Tables_in_keystone          |
+-----------------------------+
| access_token                |
| application_credential      |
| application_credential_role |
| assignment                  |
| config_register             |
| consumer                    |
| credential                  |
| endpoint                    |
| endpoint_group              |
| federated_user              |
| federation_protocol         |
| group                       |
| id_mapping                  |
| identity_provider           |
| idp_remote_ids              |
| implied_role                |
| limit                       |
| local_user                  |
| mapping                     |
| migrate_version             |
| nonlocal_user               |
| password                    |
| policy                      |
| policy_association          |
| project                     |
| project_endpoint            |
| project_endpoint_group      |
| project_tag                 |
| region                      |
| registered_limit            |
| request_token               |
| revocation_event            |
| role                        |
| sensitive_config            |
| service                     |
| service_provider            |
| system_assignment           |
| token                       |
| trust                       |
| trust_role                  |
| user                        |
| user_group_membership       |
| user_option                 |
| whitelisted_config          |
+-----------------------------+

Bootstrap the identity service, setting the admin password to admin

keystone-manage bootstrap --bootstrap-password admin --bootstrap-admin-url http://controller-01:5000/v3/ --bootstrap-internal-url http://controller-01:5000/v3/ --bootstrap-public-url http://controller-01:5000/v3/ --bootstrap-region-id RegionOne

Configure the Apache HTTP service

  1. Edit /etc/httpd/conf/httpd.conf and set ServerName
ServerName controller-01
  2. Create the symbolic link for the keystone WSGI config
ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
  3. Start the httpd service and enable it at boot
systemctl enable httpd.service
systemctl start httpd.service
  4. Set temporary environment variables for the admin user; the admin password is the one set during bootstrap, admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller-01:5000/v3
export OS_IDENTITY_API_VERSION=3
  5. Verify the environment variables
env | grep OS_

Create a domain, projects, a user and a role

  1. Create the domain example
[root@controller-01 ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 38cec6291000415da330b80754cf58fd |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+
  2. Create the project service
[root@controller-01 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | f5ebcafa4cac4e91a91547f3e3db0ec0 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
  3. Create the project demo
[root@controller-01 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 98039ac936f54fa68df7f145905d37ab |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
  4. Create the user demo; --password-prompt asks for the password interactively, and here it is set to demo
[root@controller-01 ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | 4e5b25702fe942b68780e8b7026cd614 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
  5. Create the role user
[root@controller-01 ~]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 2d5cf3646dc44086aa8e7f98bec79c07 |
| name      | user                             |
+-----------+----------------------------------+
  6. Add the user role to the demo project and demo user (the command prints nothing on success)
[root@controller-01 ~]# openstack role add --project demo --user demo user

Verification

  1. Unset the temporary environment variables used for authentication
unset OS_AUTH_URL OS_PASSWORD
  2. As the admin user, request an authentication token
[root@controller-01 ~]# openstack --os-auth-url http://controller-01:35357/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name admin --os-username admin token issue
Password: 
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-11-27T14:50:35+0000                                                                                                                                                                |
| id         | gAAAAABjg2srfbl942WyMj-t7eqbVlqkXK9BtzybiO71DmHHTmiSP1eofRjDx91Hp-n0KLMn95UZt9KI1BxjtkXTMxEzkJ151cMb8Cz-PzvkCuAuELlIlJAvJTqKW8wpWrOn-Q7IUYO-1e0GXdDybxgsKLt4p-lYcWyMeEjchUMlNse-foFy7b4 |
| project_id | e39d64ee5972400db4a89b9ea3038de7                                                                                                                                                        |
| user_id    | 1c39b6f8f9ec4da4ae436293100d0023                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  3. As the demo user, request an authentication token
[root@controller-01 ~]# openstack --os-auth-url http://controller-01:35357/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name demo --os-username demo token issue
Password: 
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-11-27T14:51:39+0000                                                                                                                                                                |
| id         | gAAAAABjg2trYbm0NyP0Ua8KLfqQpw83hlo8i28AjYPLi4G0jPkZBgxkxECkVkMAKhILNZuupLtrKK1Xxifpx1yhgZ-nSUevFMfwmyNHtF_jvukCyFlT0kGfstbpGXdm8yhIjodfDQNNpilfV5NjmldEKXV-GicFxAAA8Q-j6KsEXEnUFKJ2glk |
| project_id | 98039ac936f54fa68df7f145905d37ab                                                                                                                                                        |
| user_id    | 4e5b25702fe942b68780e8b7026cd614                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Create OpenStack client environment scripts

  1. Create and edit a keystonerc_admin file (the file name is up to you) with the following contents; the password is the one entered when the admin user was created, admin
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://controller-01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
  2. Create and edit a keystonerc_demo file (the file name is up to you) with the following contents; the password is the one entered when the demo user was created, demo
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://controller-01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
  3. Source an environment script to apply it
source keystonerc_admin
source keystonerc_demo
or
. keystonerc_admin       # note the space after the dot
. keystonerc_demo        # note the space after the dot
  4. Request an authentication token
openstack token issue

Notice that the token output differs depending on which environment script was sourced: the project_id and user_id in the table are those of the project and user the script authenticates as.
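To show what `openstack token issue` does with the OS_* variables from the keystonerc scripts, here is an added example (not from the original post) that builds the same Keystone v3 password-auth request the client sends and maps the reply onto the four fields printed above; the live call is only attempted when OS_AUTH_URL is set, and the sample reply is constructed from the demo ids shown on this page.

```python
import json
import os
from urllib import request


def build_auth_request(env):
    """Body of POST /v3/auth/tokens for a project-scoped password login.

    The user and project are both looked up by name inside their domain,
    which is why the rc scripts must export the two *_DOMAIN_NAME variables.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": env["OS_USERNAME"],
                        "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                        "password": env["OS_PASSWORD"],
                    }
                },
            },
            "scope": {
                "project": {
                    "name": env["OS_PROJECT_NAME"],
                    "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
                }
            },
        }
    }


def parse_token_response(subject_token, body):
    """Map the reply onto the fields `openstack token issue` prints.

    The fernet token itself arrives in the X-Subject-Token header, not the
    JSON body; the body only carries the scope it was issued for.
    """
    token = body["token"]
    return {
        "id": subject_token,
        "expires": token["expires_at"],
        "project_id": token["project"]["id"],
        "user_id": token["user"]["id"],
    }


def issue_token(env):
    """Live call against OS_AUTH_URL (e.g. http://controller-01:5000/v3)."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    data = json.dumps(build_auth_request(env)).encode()
    req = request.Request(url, data=data,
                          headers={"Content-Type": "application/json"})
    with request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.headers["X-Subject-Token"],
                                    json.load(resp))


# Constructed sample reply in Keystone's shape; ids are the demo project/user
# ids from the tables above, the expiry is a placeholder.
SAMPLE_BODY = {"token": {
    "expires_at": "2022-11-27T14:51:39.000000Z",
    "project": {"id": "98039ac936f54fa68df7f145905d37ab", "name": "demo"},
    "user": {"id": "4e5b25702fe942b68780e8b7026cd614", "name": "demo"}}}

if __name__ == "__main__":
    if "OS_AUTH_URL" in os.environ:
        print(issue_token(os.environ))
    else:
        print(parse_token_response("<token-id>", SAMPLE_BODY))
```

Run it after `source keystonerc_demo` on the controller to get a real token, or with no OS_* variables to see the field mapping on the constructed sample.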

This completes the Keystone identity service part of the installation.

References

https://docs.openstack.org/queens/index.html
