Keystone identity service
Functions: authentication, authorization, and a service catalog
Authentication: account and password
Authorization: grants access to the other components, much like QQ authorizing a login to another application's web page
Service catalog: works like a phone book of the other services' endpoints
Installing Keystone
Create the database and grant privileges
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Install the Keystone packages
yum install openstack-keystone httpd mod_wsgi -y
Package descriptions:
openstack-keystone: the OpenStack identity service
httpd: the Apache web server
mod_wsgi: Apache's WSGI extension module, which lets Python applications (OpenStack is written in Python) run under Apache
Edit the configuration file
Configuration file path: /etc/keystone/keystone.conf
yum install openstack-utils.noarch -y
\cp /etc/keystone/keystone.conf{,.bak}
grep -Ev '^$|#' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet
openstack-utils.noarch provides openstack-config, used to edit OpenStack configuration files from the command line
Verify
[root@controller ~]# md5sum /etc/keystone/keystone.conf
d5acb3db852fe3f247f4f872b051b7a9 /etc/keystone/keystone.conf
Configuration file explained
[DEFAULT]
admin_token = ADMIN_TOKEN
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
[DEFAULT] section
admin_token = ADMIN_TOKEN: while no admin user exists yet, this token is used for bootstrap operations such as creating and registering services
[database] section
mysql+pymysql:// the connection protocol (database driver)
keystone:KEYSTONE_DBPASS the account and password used to connect to the database
@controller the database host (controller resolves locally to 10.0.0.11)
/keystone use the database named keystone
[token] section
provider = fernet defines the token provider; tokens are generated in the Fernet format
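Both secrets in this file (the bootstrap admin_token and the database password) are written above as literal placeholders, and the md5sum only proves the file matches the author's copy. The following POSIX shell script is an added check, not part of the original notes or of Keystone itself: it parses a keystone.conf by section, flags the placeholders ADMIN_TOKEN and KEYSTONE_DBPASS, a token provider other than fernet, and a world-readable file. It assumes the INI-style "key = value" layout that openstack-config writes; the sample file it runs on is constructed inside the script.

```shell
#!/bin/sh
# Added example, not part of the original notes: sanity-check the three
# keystone.conf settings written with openstack-config above.
# Assumptions: INI-style "key = value" lines under [DEFAULT], [database] and
# [token], as produced by openstack-config; the placeholder values are the
# ones from the notes (ADMIN_TOKEN, KEYSTONE_DBPASS).

# ini_get FILE SECTION KEY -> print the first matching value (empty if absent)
ini_get() {
    awk -v section="$2" -v key="$3" '
        /^[[:space:]]*\[/ { sub(/^[[:space:]]*\[/, ""); sub(/\].*$/, ""); cur = $0; next }
        cur == section && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# world_readable FILE -> 0 if the "other" read bit is set (ls -l column 8)
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# check_keystone_conf FILE -> 0 when nothing was found, 1 otherwise;
# every finding is printed on its own line
check_keystone_conf() {
    conf="$1"; rc=0
    token=$(ini_get "$conf" DEFAULT admin_token)
    conn=$(ini_get "$conf" database connection)
    prov=$(ini_get "$conf" token provider)

    # admin_token is a shared bootstrap secret: the literal placeholder from
    # the notes must be replaced by a random value, e.g. "openssl rand -hex 10"
    case "$token" in
        ""|ADMIN_TOKEN) echo "DEFAULT/admin_token: placeholder or unset"; rc=1 ;;
    esac
    # the DB password is embedded in the connection URL; check it was changed
    case "$conn" in
        mysql+pymysql://*:KEYSTONE_DBPASS@*) echo "database/connection: placeholder DB password"; rc=1 ;;
        mysql+pymysql://*) ;;
        *) echo "database/connection: missing or not mysql+pymysql"; rc=1 ;;
    esac
    [ "$prov" = "fernet" ] || { echo "token/provider: expected fernet, got '${prov:-unset}'"; rc=1; }
    # the file holds both secrets, so it must not be readable by everyone
    if world_readable "$conf"; then echo "$conf is world-readable"; rc=1; fi
    return $rc
}

# Demonstration on a constructed copy that still carries the notes' placeholders
sample=$(mktemp)
cat >"$sample" <<'EOF'
[DEFAULT]
admin_token = ADMIN_TOKEN
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
EOF
check_keystone_conf "$sample" || echo "keystone.conf still needs work"
rm -f "$sample"
```

On the controller, run check_keystone_conf /etc/keystone/keystone.conf after the openstack-config commands; an empty result and exit status 0 mean both placeholders were replaced and the file is private.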
Additional notes
Keystone token formats: UUID, PKI, Fernet
Each is a way of producing a random string that is guaranteed to be unique
A token is simply such a random string used as an identifier, much like a Linux user's UUID or a process ID
Synchronize the database
Before syncing, look at Keystone's tables
[root@controller my.cnf.d]# mysql keystone -e "show tables;"
Run the database sync as the keystone user
su -s /bin/sh -c "keystone-manage db_sync" keystone
Command explained:
su switch user
-s specify the shell to use
-c specify the command to run
keystone the user to switch to
In some cases a command can only be run under a specific user identity
keystone-manage is the command-line tool for interacting with the keystone service; it is normally used only for operations that cannot be done through the HTTP API
db_sync synchronize the database schema
Check
mysql keystone -e 'show tables;'
Initialize the Fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
This creates the fernet-keys directory under /etc/keystone/
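The key repository is what makes every Fernet token valid, so it should exist, hold a complete key set and be readable by the keystone user only. The script below is an added example, not part of the original notes or of keystone-manage: it checks those three properties for a repository directory. It assumes the layout fernet_setup produces (key files named by integer, a staged key 0 and a primary key 1) and exercises itself on a constructed directory with placeholder key material.

```shell
#!/bin/sh
# Added example, not part of the original notes: verify the key repository
# that "keystone-manage fernet_setup" creates. Assumptions: the repository
# is a directory of files named by integer (fernet_setup writes 0 and 1),
# and only the keystone user should be able to read it, so group/other
# permission bits on the directory and on every key file must be clear.

# perms FILE -> the nine permission characters from ls -ld, e.g. rwx------
perms() {
    ls -ld "$1" | cut -c2-10
}

# check_fernet_repo DIR -> 0 when the repository is usable and private,
# 1 otherwise; findings are printed one per line
check_fernet_repo() {
    dir="$1"; rc=0
    if [ ! -d "$dir" ]; then
        echo "$dir: missing, run keystone-manage fernet_setup"; return 1
    fi
    # directory must be owner-only (drwx------)
    case "$(perms "$dir")" in
        rwx------) ;;
        *) echo "$dir: mode is $(perms "$dir"), expected rwx------"; rc=1 ;;
    esac
    nkeys=0
    for f in "$dir"/*; do
        [ -e "$f" ] || break      # empty directory: the glob did not expand
        name=${f##*/}
        case "$name" in
            *[!0-9]*) echo "$f: unexpected file in key repository"; rc=1; continue ;;
        esac
        nkeys=$((nkeys + 1))
        case "$(perms "$f")" in
            rw-------|r--------) ;;
            *) echo "$f: mode is $(perms "$f"), key must be owner-only"; rc=1 ;;
        esac
    done
    # fernet_setup leaves a staged key (0) and a primary key (1); fewer means
    # the setup did not complete
    [ "$nkeys" -ge 2 ] || { echo "$dir: only $nkeys key file(s), expected at least 2"; rc=1; }
    return $rc
}

# Demonstration on a constructed repository laid out like a fresh fernet_setup
repo=$(mktemp -d)
chmod 700 "$repo"
for k in 0 1; do
    # constructed placeholder key material, not a real Fernet key
    echo "placeholder-key-$k" >"$repo/$k"
    chmod 600 "$repo/$k"
done
check_fernet_repo "$repo" && echo "$repo looks good"
rm -rf "$repo"
```

On the controller, check_fernet_repo /etc/keystone/fernet-keys after fernet_setup should print nothing; a mode finding usually means the directory was created or copied by root with a permissive umask.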
Configure httpd
Adjust the HTTP service configuration
echo "ServerName controller" >>/etc/httpd/conf/httpd.conf
echo 'Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>' >/etc/httpd/conf.d/wsgi-keystone.conf
Verify
[root@controller ~]# md5sum /etc/httpd/conf.d/wsgi-keystone.conf
8f051eb53577f67356ed03e4550315c2 /etc/httpd/conf.d/wsgi-keystone.conf
Start httpd
systemctl enable httpd.service
systemctl start httpd.service
httpd listens on port 5000 (regular user access) and port 35357 (administrator access)
Create the service and register the API endpoints:
export OS_TOKEN=ADMIN_TOKEN
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
openstack service create \
--name keystone --description "OpenStack Identity" identity
openstack endpoint create --region RegionOne \
identity public http://controller:5000/v3
openstack endpoint create --region RegionOne \
identity internal http://controller:5000/v3
openstack endpoint create --region RegionOne \
identity admin http://controller:35357/v3
Explanation:
1. Define the environment variables
export OS_TOKEN=ADMIN_TOKEN use the admin token for management operations
export OS_URL=http://controller:35357/v3 the URL of Keystone itself
export OS_IDENTITY_API_VERSION=3 the identity API version
2. Create the service and its endpoints
openstack service create --name keystone --description "OpenStack Identity" identity creates a service named keystone, described as "OpenStack Identity", of type identity
openstack endpoint create --region RegionOne identity public http://controller:5000/v3 creates the public endpoint on port 5000
openstack endpoint create --region RegionOne identity internal http://controller:5000/v3 creates the internal endpoint on port 5000
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3 creates the admin endpoint on port 35357
Create the domain, project, and user
openstack domain create --description "Default Domain" default
openstack project create --domain default \
--description "Admin Project" admin
openstack user create --domain default \
--password 123456 admin
openstack role create admin
Associate the project, user, and role
Grant the admin user the admin role on the admin project
openstack role add --project admin --user admin admin
Create the service project, used by the other components to hold their service accounts
Keystone itself and the other components are not kept in the same project
openstack project create --domain default \
--description "Service Project" service
Create the environment variable script
vi admin-openrc
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
# must be the same password that was given to "openstack user create --password" for the admin user above
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2