Keystone is one of the OpenStack components. It provides a unified authentication service for the other members of the OpenStack family, covering identity verification, token issuance and validation, the service catalog, the definition of user permissions, and so on. All authorization and authentication between services in the cloud environment goes through Keystone, so Keystone is the first service that needs to be installed on the cloud platform.
Keystone admin API port: 35357
As the basic supporting service of OpenStack, Keystone does the following things:
- Manages users and their permissions
- Maintains the endpoints of the OpenStack services
- Authentication and authorization
Configuration
pikachu1:
(Controller node: the OpenStack components and shared services are all deployed on this node)
# yum install python-openstackclient
# yum install openstack-selinux
Deploy the database
# yum install mariadb mariadb-server python2-PyMySQL
# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.146.51
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
# systemctl enable mariadb.service
# systemctl start mariadb.service
# mysql_secure_installation
Configure RabbitMQ (message queue)
Create a user
# rabbitmqctl add_user openstack admin
openstack: the user name
admin: the password
Set the user's permissions
# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Make the user an administrator
(so that the openstack user can log in to the web management UI)
# rabbitmqctl set_user_tags openstack administrator
Memcached
# yum install memcached python-memcached
Edit the configuration file
# vim /etc/sysconfig/memcached
Add the local node (name resolution for it must be set up first)
# systemctl enable memcached.service
# systemctl start memcached.service
Identity service (authentication service)
Set up the database
# mysql -uroot -p123
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
# yum install openstack-keystone httpd mod_wsgi
Edit the configuration file
# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak (make a backup)
# vim /etc/keystone/keystone.conf (copy the content below into the configuration file; pay attention to which section each setting belongs to)
[DEFAULT]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[cors.subdomain]
[credential]
[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@pikachu1/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[kvs]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
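Before running db_sync it is worth sanity-checking the file just written: of all the sections above, only the [database] connection string and the [token] provider actually carry values, and the connection string embeds the database password. The POSIX shell script below is an added example, not part of the original post; it assumes that KEYSTONE_DBPASS is the install-guide placeholder that must be replaced with a real password and that the file should be mode 640 so the password is not world-readable.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check keystone.conf
# before db_sync. Assumptions (mine): the settings that matter are
# [database] connection and [token] provider, KEYSTONE_DBPASS is the
# install-guide placeholder to be replaced, and the file should be mode 640.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION], if any
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^\[/ { insec = ($0 == sec); next }
        insec && $0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# check_keystone_conf FILE: return 0 if the file is safe to deploy, 1 otherwise
check_keystone_conf() {
    conf=$1; rc=0
    conn=$(ini_get "$conf" database connection)
    prov=$(ini_get "$conf" token provider)
    case "$conn" in
        mysql+pymysql://*) ;;
        "") echo "ERROR: [database] connection is missing"; rc=1 ;;
        *)  echo "ERROR: [database] connection must start with mysql+pymysql://"; rc=1 ;;
    esac
    case "$conn" in
        *:KEYSTONE_DBPASS@*) echo "ERROR: placeholder KEYSTONE_DBPASS still in connection"; rc=1 ;;
    esac
    [ "$prov" = fernet ] || { echo "ERROR: [token] provider must be fernet, got '${prov:-unset}'"; rc=1; }
    # the file carries the DB password, so it must not be world-readable
    if [ -n "$(find "$conf" -perm -004)" ]; then
        echo "ERROR: $conf is world-readable; chmod 640 and chown root:keystone"; rc=1
    fi
    return "$rc"
}

# Constructed sample: the page's two real settings, with the placeholder replaced
demo=$(mktemp)
cat > "$demo" <<'EOF'
[DEFAULT]
[database]
connection = mysql+pymysql://keystone:s3cr3t-db-pass@pikachu1/keystone
[token]
provider = fernet
EOF
chmod 640 "$demo"
if check_keystone_conf "$demo"; then echo "$demo: OK"; fi
rm -f "$demo"
```

Run it as `sh check-keystone-conf.sh` after editing the real file, substituting /etc/keystone/keystone.conf for the constructed sample; a non-zero exit means fix the listed items before db_sync.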
Sync the database
# su -s /bin/sh -c "keystone-manage db_sync" keystone
Set up the Fernet key and credential repositories
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
Set up the Keystone admin service endpoints
# keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://pikachu1:35357/v3/ \
--bootstrap-internal-url http://pikachu1:5000/v3/ \
--bootstrap-public-url http://pikachu1:5000/v3/ \
--bootstrap-region-id RegionOne
admin-url: service endpoint on the management network
internal-url: service endpoint on the internal network
public-url: service endpoint on the public network
Set up the HTTP service
# vim /etc/httpd/conf/httpd.conf
Create the link
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
# systemctl restart httpd
# systemctl enable httpd
Create the environment variables
# vim openrc
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://pikachu1:35357/v3
export OS_IDENTITY_API_VERSION=3
# source openrc
# openstack user list
# openstack endpoint list
Create projects
# openstack project create --domain default \
--description "Service Project" service
# openstack project create --domain default \
--description "Demo Project" demo
Create a user
# openstack user create --domain default \
--password=demo demo
Delete a user
# openstack user delete demo
Create a role
# openstack role create user
Give demo the user role
# openstack role add --project demo --user demo user