Introduction
Keystone is OpenStack's identity (authentication) service. Many other components need to interact with Keystone, so we deploy the Keystone component first.
Creating the database
Next we need to create a keystone database and grant privileges on it:
$ mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';  # local host only
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
Installation and configuration
# yum install openstack-keystone httpd mod_wsgi
Edit /etc/keystone/keystone.conf, Keystone's configuration file, and set the MySQL connection in it. The password in the connection string must be the one granted to the keystone database user above.
[database]
connection = mysql+pymysql://keystone:keystone@192.168.46.130/keystone

[token]
# ...
provider = fernet
Initialization
- Initialize the keystone database
# su -s /bin/sh -c "keystone-manage db_sync" keystone
After the initialization completes, a number of tables are created in the keystone database.
- Initialize the key repositories
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Once initialization is done, two key directories are generated under /etc/keystone/.
- Start the service
keystone-manage bootstrap --bootstrap-password admin \
  --bootstrap-admin-url http://192.168.46.130:35357/v3/ \
  --bootstrap-internal-url http://192.168.46.130:5000/v3/ \
  --bootstrap-public-url http://192.168.46.130:5000/v3/ \
  --bootstrap-region-id RegionOne
This specifies Keystone's ports 35357 and 5000. These are Keystone's two default ports, used later by the other components when they interact with Keystone.
Installing the HTTP server
Keystone needs the Apache HTTP server, which we installed earlier. Here we configure it: edit /etc/httpd/conf/httpd.conf and set
ServerName 192.168.46.130:80
Create a symbolic link to /usr/share/keystone/wsgi-keystone.conf:
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
/usr/share/keystone/wsgi-keystone.conf is the configuration that puts Keystone into effect (contents below). It involves the two ports; once the httpd service is started below, it will begin listening on ports 5000 and 35357.
Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined

    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>

Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
    SetHandler wsgi-script
    Options +ExecCGI

    WSGIProcessGroup keystone-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
- Start the httpd service
# systemctl enable httpd.service
# systemctl start httpd.service
- Set the environment variables
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.46.130:35357/v3
export OS_IDENTITY_API_VERSION=3
With the configuration above, the Keystone component is installed. Next we create a project, a user and a role in Keystone.
Creating domains, projects, users and roles
- Create the project: service
$ openstack project create --domain default \
  --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
+-------------+----------------------------------+
- Create the project: demo
$ openstack project create --domain default \
  --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | default                          |
+-------------+----------------------------------+
- Create the user: demo
$ openstack user create --domain default \
  --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | aeda23aa78f44e859900e22c24817832 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
- Create the role: user
$ openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 997ce8d05fc143ac97d83fdfb5998552 |
| name      | user                             |
+-----------+----------------------------------+
- Give the demo user the user role and add it to the demo project
$ openstack role add --project demo --user demo user
The operations above may be a little confusing, so here is an explanation. Keystone has three terms: project (formerly called tenant), user and role. They can be understood as follows. A user is what logs in to OpenStack and performs operations on it, but different users should have different permissions, hence the role: each user can be assigned a role, and each role carries different permissions. To manage users, every user is placed in a project, and a project may contain several users. So a project is like a department in a company, a role is like an employee's job role (different roles have different permissions), and a user is like an employee.
Verification
After the deployment above, let us verify that Keystone was deployed successfully. Earlier we set a number of environment variables, as follows:
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.46.130:35357/v3
export OS_IDENTITY_API_VERSION=3
These variables do not have to be set, but then they must be passed on the openstack command line, as in the following:
$ openstack --os-auth-url http://192.168.46.130:35357/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:14:07.056119Z                                     |
| id         | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
|            | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
|            | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws       |
| project_id | 343d245e850143a096806dfaefa9afdc                                |
| user_id    | ac3377633149401296f6c0d92d79dc16                                |
+------------+-----------------------------------------------------------------+
In the operation above the admin user sends a request to Keystone, and Keystone returns a token.
Now verify the demo user we just created in the same way:
$ openstack --os-auth-url http://192.168.46.130:5000/v3 \
  --os-project-domain-name Default --os-user-domain-name Default \
  --os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field      | Value                                                           |
+------------+-----------------------------------------------------------------+
| expires    | 2016-02-12T20:15:39.014479Z                                     |
| id         | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
|            | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
|            | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U       |
| project_id | ed0b60bf607743088218b0a533d5943f                                |
| user_id    | 58126687cbcc4888bfa9ab73a2256f27                                |
+------------+-----------------------------------------------------------------+
If all of the operations above run normally, Keystone has been deployed successfully.
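As an added example that is not part of the original post, this is the REST exchange behind `openstack token issue`: the password-authentication body the CLI POSTs to /v3/auth/tokens for the OS_* settings above, and a parser for the reply, from which `token issue` prints the id (carried in the X-Subject-Token header), the expiry, project_id and user_id. The sample response and the clock value are constructed here; the token string is fake, while the project, user and role ids reuse the values from the tables above.

```python
"""Keystone v3 password authentication: the request `openstack token issue`
sends and a parser for the response, runnable offline on a constructed sample."""
import json
from datetime import datetime, timezone


def build_password_auth(username, password, project,
                        user_domain="Default", project_domain="Default"):
    """Body POSTed to /v3/auth/tokens: password auth for a user in a domain,
    scoped to a project in a domain (the OS_USERNAME/OS_PROJECT_NAME/... set)."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"name": username,
                                           "domain": {"name": user_domain},
                                           "password": password}}},
        "scope": {"project": {"name": project,
                              "domain": {"name": project_domain}}}}}


def parse_token_response(headers, body, now):
    """Return the fields `token issue` prints plus the roles the token carries.
    The token id travels in the X-Subject-Token header, not in the JSON body."""
    token = json.loads(body)["token"]
    expires = datetime.fromisoformat(token["expires_at"].replace("Z", "+00:00"))
    return {
        "id": headers["X-Subject-Token"],
        "expires": expires,
        "valid": expires > now,            # reject an already-expired token
        "project_id": token["project"]["id"],
        "user_id": token["user"]["id"],
        "roles": sorted(r["name"] for r in token["roles"]),
    }


# Constructed sample (not captured from a live Keystone); the token string is
# fake, the project/user/role ids reuse the values shown earlier on this page.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABWvi9b_CONSTRUCTED_FERNET_TOKEN"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": ["password"],
    "expires_at": "2016-02-12T20:15:39.014479Z",
    "project": {"id": "ed0b60bf607743088218b0a533d5943f", "name": "demo",
                "domain": {"id": "default", "name": "Default"}},
    "user": {"id": "58126687cbcc4888bfa9ab73a2256f27", "name": "demo",
             "domain": {"id": "default", "name": "Default"}},
    "roles": [{"id": "997ce8d05fc143ac97d83fdfb5998552", "name": "user"}],
}})
SAMPLE_NOW = datetime(2016, 2, 12, 19, 30, tzinfo=timezone.utc)  # constructed clock
if __name__ == "__main__":
    print(json.dumps(build_password_auth("demo", "demo", "demo"), indent=2))
    print(parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY, SAMPLE_NOW))
```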
Environment variable scripts
Every request to Keystone above required many parameters. In fact, when the other OpenStack components interact with Keystone, we are expected to set a series of environment variables first so that these parameters do not have to be specified each time.
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.46.130:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Save the above as admin-openstack.sh; from now on, run source admin-openstack.sh whenever you start working with Keystone authentication.
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.46.130:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Save the above as demo-openstack.sh. You have probably noticed that the admin user above uses OS_AUTH_URL=http://192.168.46.130:35357/v3 while the demo user uses OS_AUTH_URL=http://192.168.46.130:5000/v3. This is the purpose of the two ports Keystone provides: different users can use either of the two ports, and which port to use depends on the user's permissions.
With that, the Keystone component is fully deployed.