14 January 2017
OpenStack deployment: the Keystone identity service (Part 2)

1. Lab platform: CentOS Linux release 7.3.1611 (Core)

2. OpenStack version: Mitaka

3. All IP addresses on the hosts:

Internal network: 192.168.1.2 192.168.1.3

External network: 192.168.2.4 192.168.2.5

4. openstack1: 192.168.1.2 # controller node, 1 processor, 4 GB RAM, 20 GB storage

5. openstack2: 192.168.1.3 # compute node, 1 processor, 2 GB RAM, 20 GB storage



1. Configure the identity service environment


Before configuring the OpenStack identity service, you must create a database and an administration token.

Create the keystone database

$ mysql -u root -predhat

CREATE DATABASE keystone;       # create the database
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';      # grant access from localhost
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';              # grant access from any host

Generate a random value to use as the administration token during the initial configuration.

$ openssl rand -hex 10
212066c6242457e19bfb

Install the packages:

$ yum -y install openstack-keystone httpd mod_wsgi

Edit the file /etc/keystone/keystone.conf

$ vim /etc/keystone/keystone.conf

[DEFAULT]
admin_token = 212066c6242457e19bfb              # the random value generated in the previous step
[database]
connection = mysql+pymysql://keystone:keystone@192.168.1.2/keystone       # configure database access
[token]
provider = fernet           # configure the token provider (Fernet rather than UUID tokens)

Initialize the identity service database:

$ su -s /bin/sh -c "keystone-manage db_sync" keystone
# reads the MySQL connection from the keystone configuration file and creates the tables in the database for us

Check that the tables were created

$ mysql -h 192.168.1.2 -ukeystone -pkeystone -e "use keystone;show tables;"

+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+

# If this command prints nothing, check /var/log/keystone.log
To enable debug logging:
vim /etc/keystone/keystone.conf
#debug = true
Set debug to true (the default is false) to enable it; the service must be restarted for the change to take effect

Initialize the Fernet keys

$ keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
$ keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
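Everything Keystone signs and encrypts from here on rests on the key repository that `fernet_setup` just created, so it is worth checking that it still looks the way the command left it. The following Python is an added example, not part of the original post: `audit_fernet_repo` and `make_demo_repo` are my own names, and the checks encode what `fernet_setup` produces (a mode 0700 directory holding integer-named keys, 0 being the staged key and the highest number the primary key, each mode 0600 and containing a 32-byte urlsafe-base64 Fernet key). The demo repository is constructed in a temporary directory; point the function at /etc/keystone/fernet-keys on the controller to audit the real one.

```python
import base64
import os
import stat
import tempfile


def audit_fernet_repo(path, owner_uid=None):
    """Return a list of findings; an empty list means the repository looks sane."""
    findings = []
    dmode = stat.S_IMODE(os.stat(path).st_mode)
    if dmode & 0o077:
        findings.append("directory mode %o allows group/other access" % dmode)
    if owner_uid is not None and os.stat(path).st_uid != owner_uid:
        findings.append("directory is not owned by the keystone user")
    keys = {}
    for name in sorted(os.listdir(path)):
        fpath = os.path.join(path, name)
        if not name.isdigit():  # fernet_setup only ever writes integer-named keys
            findings.append("unexpected file %s in key repository" % name)
            continue
        fmode = stat.S_IMODE(os.stat(fpath).st_mode)
        if fmode & 0o077:
            findings.append("key %s mode %o allows group/other access" % (name, fmode))
        with open(fpath, "rb") as fh:
            try:
                raw = base64.urlsafe_b64decode(fh.read().strip())
            except ValueError:  # binascii.Error is a ValueError
                raw = b""
        if len(raw) != 32:  # a Fernet key is a 16-byte signing key + 16-byte encryption key
            findings.append("key %s is not a valid 32-byte Fernet key" % name)
        keys[int(name)] = raw
    if 0 not in keys:
        findings.append("staged key 0 is missing; rotation cannot proceed safely")
    if not any(k > 0 for k in keys):
        findings.append("no primary key; only a staged key is present")
    return findings


def make_demo_repo(secure=True):
    """Constructed repository shaped like fernet_setup's output (keys 0 and 1)."""
    path = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    for name in ("0", "1"):
        fd = os.open(os.path.join(path, name), os.O_WRONLY | os.O_CREAT, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(base64.urlsafe_b64encode(os.urandom(32)))  # same format as Fernet.generate_key()
    if not secure:  # simulate a repository whose permissions were loosened by a careless chmod
        os.chmod(path, 0o755)
        os.chmod(os.path.join(path, "1"), 0o644)
    return path


if __name__ == "__main__":
    for finding in audit_fernet_repo(make_demo_repo(secure=False)):
        print("FINDING:", finding)
```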

2. Configure the Apache HTTP server


Edit the file /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node

$ vim /etc/httpd/conf/httpd.conf

ServerName 192.168.1.2:80

Create the file /etc/httpd/conf.d/wsgi-keystone.conf

$ vim /etc/httpd/conf.d/wsgi-keystone.conf

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

Recursively change the ownership of the /etc/keystone directory

$ chown -R keystone:keystone /etc/keystone/

Start the Apache HTTP service and configure it to start with the system:

$ systemctl enable httpd.service
$ systemctl start httpd.service

3. Create the service entity and API endpoints


To connect to keystone, three environment variables are needed

1. Set the admin_token environment variable
export OS_TOKEN=212066c6242457e19bfb
The value is the admin_token we wrote into keystone.conf
2. Set the address used to reach keystone (the endpoint URL)
export OS_URL=http://192.168.1.2:35357/v3
This uses keystone's admin port (35357); v3 selects version 3 of the API
3. Set the identity API version
export OS_IDENTITY_API_VERSION=3

We can write these into a file:

$ vim keystone-openstack.sh

export OS_TOKEN=212066c6242457e19bfb
export OS_URL=http://192.168.1.2:35357/v3
export OS_IDENTITY_API_VERSION=3

In your OpenStack environment, the identity service manages the service catalog. Services use this catalog to determine which services are available in your environment.

Create the service entity for the identity service:

$ . keystone-openstack.sh     # load the environment variables
$ openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 83b23919566646c3bc1007abe911904a |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

Create the identity service API endpoints:

$ openstack endpoint create --region RegionOne identity public http://192.168.1.2:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | ba8144029a4c42b1a102fad01e21d9a8 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 83b23919566646c3bc1007abe911904a |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.2:5000/v3       |
+--------------+----------------------------------+

$ openstack endpoint create --region RegionOne identity internal http://192.168.1.2:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1809ad0a2f794b18bc60ee8d117a9f95 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 83b23919566646c3bc1007abe911904a |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.2:5000/v3       |
+--------------+----------------------------------+

$ openstack endpoint create --region RegionOne identity admin http://192.168.1.2:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 809285bcb12a4470a038c5b3e284854d |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 83b23919566646c3bc1007abe911904a |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.1.2:35357/v3      |
+--------------+----------------------------------+

The identity service provides authentication for every OpenStack service. It does so with a combination of domains, projects (tenants), users and roles.

Create the domain, projects, users and roles

Create the Default domain

$ openstack domain create --description "Default Domain" Default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 563963f57f154b628814c4e1bc9d2169 |
| name        | Default                          |
+-------------+----------------------------------+

In the environment, create an administrative project, user and role for administrative operations:

Create the admin project

$ openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 563963f57f154b628814c4e1bc9d2169 |
| enabled     | True                             |
| id          | db84902f7b1a4553a97684f210395abe |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 563963f57f154b628814c4e1bc9d2169 |
+-------------+----------------------------------+
# command format: openstack project create --domain DOMAIN --description "DESCRIPTION" PROJECT_NAME

Create the admin user:

$ openstack user create --domain default --password-prompt admin
User Password:              # I set the password to admin here
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 563963f57f154b628814c4e1bc9d2169 |
| enabled   | True                             |
| id        | 9683b183b9da4e2b95e1d307c8a6a9df |
| name      | admin                            |
+-----------+----------------------------------+

Create the admin role:

$ openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | fa72404914694d90b0b671b568f3b5cd |
| name      | admin                            |
+-----------+----------------------------------+

Add the admin role to the admin project and user:

$ openstack role add --project admin --user admin admin

Create the service project:

$ openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 563963f57f154b628814c4e1bc9d2169 |
| enabled     | True                             |
| id          | 55266bc56f3c43168bd48b8421d0ea96 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 563963f57f154b628814c4e1bc9d2169 |
+-------------+----------------------------------+

Regular (non-administrative) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.

$ openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 563963f57f154b628814c4e1bc9d2169 |
| enabled     | True                             |
| id          | 67e8d71973f74c73bce88de7f88626cd |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 563963f57f154b628814c4e1bc9d2169 |
+-------------+----------------------------------+

Create the demo user:

$ openstack user create --domain default --password-prompt demo
User Password:              # I set the password to demo here
Repeat User Password:
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 563963f57f154b628814c4e1bc9d2169 |
| enabled   | True                             |
| id        | 3ac154bc2e654b74a39e366f4bee4318 |
| name      | demo                             |
+-----------+----------------------------------+

Create the user role:

$ openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 425a578954b542be9ec2c53be6362126 |
| name      | user                             |
+-----------+----------------------------------+

Add the user role to the demo project and user:

$ openstack role add --project demo --user demo user

4. Verify


Unset the OS_TOKEN and OS_URL environment variables

$ unset OS_TOKEN OS_URL

As the admin user, request an authentication token:

$ openstack --os-auth-url http://192.168.1.2:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:               # enter the admin password here: admin
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-07-17T02:44:04.000000Z                                                                                                                                                             |
| id         | gAAAAABZbBZkqjhCCzoTtYRQLuMl5CymS0sFXXBj-GPyv2mOtYtMuXUmm5J6SHaFaxdlxvwKqVC1OBc4xK_kpdnDPfYjdFPMR0IQLXSAcEDurxLiTKMK2Rx5O6tK1iBpHpQn8jEIaRe_n4ynIIIUd2GhOKEL1TZpFW_YwdYr0ty8sf08fLrvcMY |
| project_id | db84902f7b1a4553a97684f210395abe                                                                                                                                                        |
| user_id    | 9683b183b9da4e2b95e1d307c8a6a9df                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

作为demo 用户,请求认证令牌:

$ openstack --os-auth-url http://192.168.1.2:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:               # enter the demo password here: demo
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-07-17T02:52:20.000000Z                                                                                                                                                             |
| id         | gAAAAABZbBhUEgQJQHIutediRQmGY4yjKrCoZXcIYNUhQG5T5ttpXGSl6jsUAMSRfIRPxq9-XFU7BXhptnzvW5aytnWc5eqlQYWCO26XZPkvOHpm-xf-7MAzhGIo6nnCaCT3sLDfeCurcFie9Qx5NLhyNYdb1-b1zZ-6Irh4Xb5T4UCGTqHZrc8 |
| project_id | 67e8d71973f74c73bce88de7f88626cd                                                                                                                                                        |
| user_id    | 3ac154bc2e654b74a39e366f4bee4318                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
This uses API port 5000 for the `demo` user, which only allows regular (non-administrative) access to the identity service API.
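The `id` values printed above are Fernet tokens, and their layout is public: a version byte 0x80, an 8-byte big-endian issue timestamp, a 16-byte AES-CBC IV, the encrypted payload, and a trailing 32-byte HMAC-SHA256. Nothing inside the ciphertext can be read or forged without the keys in /etc/keystone/fernet-keys, but the issue time is plaintext, which lets us cross-check the `expires` field against the token itself. The following Python is an added example, not code from the original post; the token id and expiry are copied from the admin `token issue` output above, and `parse_fernet_token` and `token_lifetime_seconds` are my own names.

```python
import base64
import struct
from datetime import datetime, timezone

# Copied from the admin `token issue` output above (Keystone strips the base64 padding).
ADMIN_TOKEN_ID = ("gAAAAABZbBZkqjhCCzoTtYRQLuMl5CymS0sFXXBj-GPyv2mOtYtMuXUmm5J6SHaFaxdlxvwKqVC1OBc4"
                  "xK_kpdnDPfYjdFPMR0IQLXSAcEDurxLiTKMK2Rx5O6tK1iBpHpQn8jEIaRe_n4ynIIIUd2GhOKEL1TZp"
                  "FW_YwdYr0ty8sf08fLrvcMY")
ADMIN_EXPIRES = "2017-07-17T02:44:04.000000Z"


def parse_fernet_token(token_id):
    """Split a Keystone Fernet token id into its fields; no key is needed for this."""
    padded = token_id + "=" * (-len(token_id) % 4)  # restore the '=' padding Keystone removed
    raw = base64.urlsafe_b64decode(padded)
    # Minimum size: 1 version + 8 timestamp + 16 IV + 32 HMAC, plus at least one AES block.
    if len(raw) < 57 or raw[0] != 0x80:
        raise ValueError("not a Fernet token")
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    issued = struct.unpack(">Q", raw[1:9])[0]  # unsigned big-endian seconds since the epoch
    return {
        "version": raw[0],
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),
        "iv": raw[9:25],
        "ciphertext_len": len(ciphertext),  # the payload (user id, project id, audit id, ...) stays opaque
        "hmac": raw[-32:],
    }


def token_lifetime_seconds(token_id, expires):
    """Seconds between the issue time embedded in the token and Keystone's expires field."""
    exp = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return (exp - parse_fernet_token(token_id)["issued_at"]).total_seconds()


if __name__ == "__main__":
    info = parse_fernet_token(ADMIN_TOKEN_ID)
    print("issued at:", info["issued_at"].isoformat())
    print("ciphertext bytes:", info["ciphertext_len"])
    print("lifetime (s):", token_lifetime_seconds(ADMIN_TOKEN_ID, ADMIN_EXPIRES))
```

The issue time decoded from the token is 2017-07-17T01:44:04Z, exactly one hour before the `expires` value Keystone printed, matching the default token expiration of 3600 seconds.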

Create the OpenStack client environment scripts

Create the script for admin

$ vim admin-openstack.sh

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin        # the admin password set in the steps above
export OS_AUTH_URL=http://192.168.1.2:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Create the script for demo

$ vim demo-openstack.sh

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.1.2:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Using the scripts

To run clients as a specific project and user, you can simply load the corresponding client script before running them. For example, load admin-openstack.sh to populate the environment with the identity service location and the admin project and user credentials:

$ . admin-openstack.sh
$ openstack token issue

+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2017-07-17T03:06:33.000000Z                                                                                                                                                             |
| id         | gAAAAABZbBuprhW1jTlge3m6YqKt5OIg8tUeAIie9nwoFvWIX3gFozfOC_oTjpK_cbELuhgJeMet-zsghc5_5IoRm9k4Ol3OevrOnv9jn0hPhDnCEBuV8E_THpz2sR35fN0ULLy5alrNmHCLVZBB0Gd16veaefjKke-odVqndXGFUFar_eb5CMA |
| project_id | db84902f7b1a4553a97684f210395abe                                                                                                                                                        |
| user_id    | 9683b183b9da4e2b95e1d307c8a6a9df                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Over ~
