keystone authentication service
Functions: authentication management, authorization management, service catalog
Authentication: account name and password
Authorization management: grants authorization to the other components, much like QQ authorizing a login on another application's web page
Service catalog: works like a phone book (a directory of the services' endpoints)
Install keystone
Create the database and grant privileges
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Install the keystone-related packages
yum install openstack-keystone httpd mod_wsgi -y
Package explanation:
openstack-keystone: the OpenStack Identity service itself
httpd: the Apache web server
mod_wsgi: Apache's WSGI extension module, which lets Python applications (OpenStack is written in Python) run under Apache
Modify the configuration file
Configuration file path: /etc/keystone/keystone.conf
yum install openstack-utils.noarch -y
\cp /etc/keystone/keystone.conf{,.bak}
grep -Ev '^$|#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
openstack-utils.noarch provides openstack-config, used to edit OpenStack configuration files from the command line
Verify
[root@controller ~]# md5sum /etc/keystone/keystone.conf
d5acb3db852fe3f247f4f872b051b7a9 /etc/keystone/keystone.conf
Configuration file explanation
[DEFAULT]
admin_token = ADMIN_TOKEN
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
[DEFAULT] section
admin_token = ADMIN_TOKEN: while no administrator account exists yet, this admin token is used for bootstrap operations such as creating and registering the service
[database] section
mysql+pymysql:// connection protocol (the database driver)
keystone:KEYSTONE_DBPASS account and password used to connect to the database
@
controller host of the database (controller resolves locally to 10.0.0.11)
/keystone use the database named keystone
[token] section
provider = fernet: defines the token provider; tokens are generated in the fernet format
Extended notes
keystone token formats (providers): UUID, PKI, Fernet
All three are ways of generating a random string that is guaranteed to be unique
A token is such a random string, used as an identifier when talking to the services, similar to a Linux user's UID or a process ID
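An added check, not part of these notes, for the three keystone.conf settings set above: it reads the INI-style "key = value" lines and flags the documentation placeholders (ADMIN_TOKEN, KEYSTONE_DBPASS) if they were never replaced. The sample files it creates are constructed here; the replacement values are made up.

```shell
#!/bin/sh
# Added example, not from the original notes: audit keystone.conf for the
# three settings set above and flag documentation placeholders that were
# never replaced. Parses INI-style "[section]" and "key = value" lines.

# conf_get FILE SECTION KEY -> prints the value, empty if absent
conf_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# check_keystone_conf FILE -> 0 when every check passes, 1 otherwise;
# prints one "FAIL: ..." line per problem.
check_keystone_conf() {
    f=$1; rc=0
    tok=$(conf_get "$f" DEFAULT admin_token)
    conn=$(conf_get "$f" database connection)
    prov=$(conf_get "$f" token provider)
    [ "$tok" != ADMIN_TOKEN ] || { echo "FAIL: admin_token is still the placeholder"; rc=1; }
    case "$conn" in
        mysql+pymysql://*) ;;
        *) echo "FAIL: database connection does not use mysql+pymysql://"; rc=1 ;;
    esac
    case "$conn" in
        *KEYSTONE_DBPASS*) echo "FAIL: database password is still the placeholder"; rc=1 ;;
    esac
    [ "$prov" = fernet ] || { echo "FAIL: token provider is '$prov', expected fernet"; rc=1; }
    return $rc
}

# Constructed sample: the file exactly as the install notes leave it (placeholders).
SAMPLE_CONF=$(mktemp)
cat >"$SAMPLE_CONF" <<'EOF'
[DEFAULT]
admin_token = ADMIN_TOKEN
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
EOF
# Same file after both secrets have been replaced (made-up values).
FIXED_CONF=$(mktemp)
sed -e 's/ADMIN_TOKEN/madeup-admin-token/' -e 's/KEYSTONE_DBPASS/madeup-db-pass/' "$SAMPLE_CONF" >"$FIXED_CONF"
check_keystone_conf "$SAMPLE_CONF" || echo "sample config still has placeholders"
check_keystone_conf "$FIXED_CONF" && echo "fixed config passes"
```

Against a real install, call check_keystone_conf /etc/keystone/keystone.conf.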
Sync the database
Look at keystone's tables before syncing the database
[root@controller my.cnf.d]# mysql keystone -e "show tables;"
Sync the database as the keystone user
su -s /bin/sh -c "keystone-manage db_sync" keystone
Command explanation:
su: switch user
-s: specify the shell to use
-c: specify the command to run
keystone: the user to switch to
In some cases a command can only be run after switching to the required user identity
keystone-manage is the command-line tool for interacting with the keystone service; it is normally used only for operations that cannot be done through the HTTP API
db_sync: synchronize the database schema
Check
mysql keystone -e 'show tables;'
Initialize fernet
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
This generates the fernet-keys directory under /etc/keystone/
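An added check, not part of these notes, for the key repository that fernet_setup creates: it assumes the layout fernet_setup produces (directory mode 0700, key files mode 0600, owned by the keystone user) and reports anything looser, since a readable key lets another local user mint tokens. The owner is a parameter so the constructed demo tree below can run as any user.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify that a fernet key
# directory keeps the permissions keystone-manage fernet_setup gives it
# (directory 0700, key files 0600, all owned by the keystone user). Looser
# modes let other local users read the keys that sign every token.
# OWNER is passed in so the demo below can run as an unprivileged user.

# mode_of PATH  -> symbolic mode from ls, e.g. drwx------ (a trailing "." or "+" may follow)
mode_of()  { ls -ld "$1" | awk '{print $1}'; }
# owner_of PATH -> owning user name from ls
owner_of() { ls -ld "$1" | awk '{print $3}'; }

# check_fernet_keys DIR OWNER -> 0 if DIR and every key file in it are private
# to OWNER, 1 otherwise (one FAIL line per problem found).
check_fernet_keys() {
    dir=$1; owner=$2; rc=0
    [ -d "$dir" ] || { echo "FAIL: $dir does not exist"; return 1; }
    case "$(mode_of "$dir")" in
        drwx------*) ;;
        *) echo "FAIL: $dir is not mode 0700"; rc=1 ;;
    esac
    [ "$(owner_of "$dir")" = "$owner" ] || { echo "FAIL: $dir is not owned by $owner"; rc=1; }
    for key in "$dir"/*; do
        [ -f "$key" ] || continue
        case "$(mode_of "$key")" in
            -rw-------*) ;;
            *) echo "FAIL: $key is not mode 0600"; rc=1 ;;
        esac
        [ "$(owner_of "$key")" = "$owner" ] || { echo "FAIL: $key is not owned by $owner"; rc=1; }
    done
    return $rc
}

# Constructed demo tree (not a real key repository): one locked-down directory
# and one whose directory and key are readable by everyone.
DEMO=$(mktemp -d)
ME=$(id -un)
mkdir -m 700 "$DEMO/good"; touch "$DEMO/good/0" "$DEMO/good/1"; chmod 600 "$DEMO/good"/*
mkdir -m 755 "$DEMO/bad";  touch "$DEMO/bad/0";  chmod 644 "$DEMO/bad/0"
check_fernet_keys "$DEMO/good" "$ME" && echo "good: key repository is private"
check_fernet_keys "$DEMO/bad" "$ME" || echo "bad: key repository is exposed"
```

On the controller the real call is check_fernet_keys /etc/keystone/fernet-keys keystone.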
Configure httpd
Tune the HTTP service
echo "ServerName controller" >>/etc/httpd/conf/httpd.conf
echo 'Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>' >/etc/httpd/conf.d/wsgi-keystone.conf
Verify
[root@controller ~]# md5sum /etc/httpd/conf.d/wsgi-keystone.conf
8f051eb53577f67356ed03e4550315c2 /etc/httpd/conf.d/wsgi-keystone.conf
Start httpd
systemctl enable httpd.service
systemctl start httpd.service
httpd listens on port 5000 (regular user access) and port 35357 (administrator access)
Create the service and register the API:
export OS_TOKEN=ADMIN_TOKEN
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
openstack service create \
--name keystone --description "OpenStack Identity" identity
openstack endpoint create --region RegionOne \
identity public http://controller:5000/v3
openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v3
Explanation:
1. Define the environment variables
export OS_TOKEN=ADMIN_TOKEN: use the admin token for the management operations
export OS_URL=http://controller:35357/v3: keystone's own URL
export OS_IDENTITY_API_VERSION=3: the Identity API version
2. Create the service and its endpoints
openstack service create \
--name keystone --description "OpenStack Identity" identity    creates a service named keystone with the description "OpenStack Identity"
and the service type identity (the authentication service)
openstack endpoint create --region RegionOne \
identity public http://controller:5000/v3    creates the public endpoint, on port 5000
openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v3    creates the internal endpoint, on port 5000
openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v3    creates the admin endpoint, on port 35357
Create the domain, project, and user
openstack domain create --description "Default Domain" default
openstack project create --domain default \
--description "Admin Project" admin
openstack user create --domain default \
--password 123456 admin
openstack role create admin
Associate the project, user, and role
On the admin project, grant the admin user the admin role
openstack role add --project admin --user admin admin
Create the service project for the other components; it holds the other components' system accounts
The keystone service itself and the other components are not kept in the same project
openstack project create --domain default \
--description "Service Project" service
Create the environment variable script (OS_PASSWORD must be the password that was given when the admin user was created above)
vi admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2