Keystone配置
![]()
![]()
![]()
一、配置Keystone服务
#Identity service – keystone installation for Train
https://docs.openstack.org/keystone/train/install/index-rdo.html
#数据库服务上进行配置安装 OpenStack-mysql
mysql -u root -p
#Create the keystone database:
MariaDB [(none)]> CREATE DATABASE keystone;
#Grant proper access to the keystone database:
#注意：'keystone'@'%' 允许该账号从任意主机连接数据库，生产环境应把主机限制为控制节点/HAProxy 的地址或网段；keystone123 只是实验密码，正式环境请使用强密码，并与下面 keystone.conf 中的 connection 保持一致。
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone123';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone123';
#openstack-controller1上
[root@openstack-controller1 ~]# yum install -y mariadb
#使用ip地址验证连接（注意：-p 后直接跟密码会出现在 ps 输出和 shell 历史中，建议只写 -p 交互输入，或使用权限为 600 的 ~/.my.cnf）
[root@openstack-controller1 ~]# mysql -ukeystone -h192.168.40.103 -pkeystone123
MariaDB [(none)]> show databases;
#使用VIP,先添加hosts解析
[root@openstack-controller1 ~]# cat /etc/hosts
192.168.40.101 openstack-controller1.xks.local openstack-controller1
192.168.40.103 openstack-mysql.xks.local openstack-mysql
192.168.40.105 openstack-haproxy1.xks.local openstack-haproxy1
192.168.40.248 openstack-vip.xks.local openstack-vip
[root@openstack-controller1 ~]# mysql -ukeystone -hopenstack-vip -pkeystone123
#Install and configure components openstack-controller1上
[root@openstack-controller1 ~]# yum install -y openstack-keystone httpd mod_wsgi
[root@openstack-controller1 conf.d]# systemctl enable httpd
#配置keystone文件 这里使用 vip 域名
vim /etc/keystone/keystone.conf
[database]
# ...
# SQLAlchemy URL for the keystone database, reached through the VIP hostname
# (openstack-vip -> 192.168.40.248 in /etc/hosts above) rather than the DB
# host directly. It embeds the DB password, so keystone.conf must stay readable
# only by root and the keystone group (the `ll /etc/keystone/` listing further
# down shows -rw-r----- root:keystone).
connection = mysql+pymysql://keystone:keystone123@openstack-vip.xks.local/keystone
[token]
# ...
# Fernet tokens: issued and validated with the key repository created by
# `keystone-manage fernet_setup` (run further down).
provider = fernet
#Populate the Identity service database
#配置数据库初始化
[root@openstack-controller1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
#数据验证是否创建表
MariaDB [(none)]> use keystone;
Database changed
MariaDB [keystone]> show tables;
Empty set (0.000 sec)
MariaDB [keystone]> show tables;
+------------------------------------+
| Tables_in_keystone |
+------------------------------------+
| access_rule |
| access_token |
| application_credential |
| application_credential_access_rule |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_option |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| role_option |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+------------------------------------+
48 rows in set (0.000 sec)
#Initialize Fernet key repositories
#生成fernet-keys（安全说明：fernet-keys 用于签发/校验所有 token，credential-keys 用于加密 credential；能读取这些密钥的人就能伪造任意用户的 token。目录必须保持 0700 keystone:keystone（见下方 ll 输出），不要把它们复制到不受信任的位置或备份到明文存储。若以后在 VIP 后增加多个控制节点，各节点必须使用同一份密钥仓库，否则一个节点签发的 token 在另一个节点上无法校验；密钥轮换请参考 keystone-manage 的 fernet_rotate 子命令说明。）
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
#生成credential-keys
keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[root@openstack-controller1 ~]# ll /etc/keystone/
total 124
drwx------ 2 keystone keystone 24 Jul 22 15:05 credential-keys
-rw-r----- 1 root keystone 2303 Jun 7 2021 default_catalog.templates
drwx------ 2 keystone keystone 24 Jul 22 15:05 fernet-keys
-rw-r----- 1 root keystone 106514 Jul 22 15:01 keystone.conf
-rw-r----- 1 root keystone 1046 Jun 7 2021 logging.conf
-rw-r----- 1 root keystone 3 Jun 8 2021 policy.json
-rw-r----- 1 keystone keystone 665 Jun 7 2021 sso_callback_template.html
#Haproxy 配置后台转发
#添加keystone（安全说明：下面是 mode tcp 的四层透传，HAProxy 不做 TLS 终结，且 bootstrap 注册的 endpoint 全部是 http://，因此用户名/密码和 token 都以明文经过网络。实验环境可以接受；生产环境应在 HAProxy 终结 TLS 并注册 https 的 endpoint。另外这里只有一个 backend，VIP 并未提供真正的高可用。）
[root@openstack-haproxy1 ~]# cat /etc/haproxy/haproxy.cfg
# Keystone API (port 5000) behind the VIP 192.168.40.248.
# Plain TCP passthrough: no TLS is terminated here and the backend is reached
# over http, so credentials and tokens cross the network in clear text
# (acceptable for this lab only).
listen openstack-keystone-5000
bind 192.168.40.248:5000
mode tcp
# Single backend (controller1), so no real redundancy yet; health check every
# 3s, marked down after 3 failures, back up after 5 successes.
server 192.168.40.101 192.168.40.101:5000 check inter 3s fall 3 rise 5
[root@openstack-haproxy1 ~]# systemctl restart haproxy
#Bootstrap the Identity service
#官方示例:
keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
#实验配置域名VIP
# Lab bootstrap: creates the admin user/project, the identity service and its
# three endpoints (verified in the service/user/project/endpoint tables below).
# NOTE: the admin password ("admin" here) is passed on the command line, so it
# is visible in `ps` and in the shell history; use a strong value and change it
# after the first login. keystone-manage can also read it from the environment --
# see `keystone-manage bootstrap --help` for the OS_BOOTSTRAP_* variables.
# All three endpoint URLs are plain http:// through the VIP hostname.
keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://openstack-vip.xks.local:5000/v3/ \
--bootstrap-internal-url http://openstack-vip.xks.local:5000/v3/ \
--bootstrap-public-url http://openstack-vip.xks.local:5000/v3/ \
--bootstrap-region-id RegionOne
#验证bootstrap
#service表
MariaDB [keystone]> select * from service;
+----------------------------------+----------+---------+----------------------+
| id | type | enabled | extra |
+----------------------------------+----------+---------+----------------------+
| c615e0c6903344e69fb49a85859cdf64 | identity | 1 | {"name": "keystone"} |
+----------------------------------+----------+---------+----------------------+
1 row in set (0.000 sec)
#user表
MariaDB [keystone]> select * from user;
+----------------------------------+-------+---------+--------------------+---------------------+----------------+-----------+
| id | extra | enabled | default_project_id | created_at | last_active_at | domain_id |
+----------------------------------+-------+---------+--------------------+---------------------+----------------+-----------+
| 55d3da5d213940e28ab27fea4673c9a7 | {} | 1 | NULL | 2023-07-22 07:14:34 | NULL | default |
+----------------------------------+-------+---------+--------------------+---------------------+----------------+-----------+
1 row in set (0.000 sec)
#project表
MariaDB [keystone]> select * from project;
+----------------------------------+--------------------------+-------+-----------------------------------------------+---------+--------------------------+-----------+-----------+
| id | name | extra | description | enabled | domain_id | parent_id | is_domain |
+----------------------------------+--------------------------+-------+-----------------------------------------------+---------+--------------------------+-----------+-----------+
| 9f43f66e7d0b411a8219c163858c6f2a | admin | {} | Bootstrap project for initializing the cloud. | 1 | default | default | 0 |
| <<keystone.domain.root>> | <<keystone.domain.root>> | {} | | 0 | <<keystone.domain.root>> | NULL | 1 |
| default | Default | {} | The default domain | 1 | <<keystone.domain.root>> | NULL | 1 |
+----------------------------------+--------------------------+-------+-----------------------------------------------+---------+--------------------------+-----------+-----------+
3 rows in set (0.000 sec)
#endpoint表（admin/internal/public 三个接口都指向同一个 http 地址）
MariaDB [keystone]> select * from endpoint;
+----------------------------------+--------------------+-----------+----------------------------------+-----------------------------------------+-------+---------+-----------+
| id | legacy_endpoint_id | interface | service_id | url | extra | enabled | region_id |
+----------------------------------+--------------------+-----------+----------------------------------+-----------------------------------------+-------+---------+-----------+
| 1b27558f07784548a469ddda0c58131c | NULL | internal | c615e0c6903344e69fb49a85859cdf64 | http://openstack-vip.xks.local:5000/v3/ | {} | 1 | RegionOne |
| 87bc41b7caf146409e6ec0d87744fd13 | NULL | public | c615e0c6903344e69fb49a85859cdf64 | http://openstack-vip.xks.local:5000/v3/ | {} | 1 | RegionOne |
| a878161f65d449f6863f59cd6a1bc2a6 | NULL | admin | c615e0c6903344e69fb49a85859cdf64 | http://openstack-vip.xks.local:5000/v3/ | {} | 1 | RegionOne |
+----------------------------------+--------------------+-----------+----------------------------------+-----------------------------------------+-------+---------+-----------+
3 rows in set (0.000 sec)
#Configure the Apache HTTP server
vim /etc/httpd/conf/httpd.conf
#修改第95行
95 ServerName 192.168.40.101:80
#做一个软链接
[root@openstack-controller1 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
#如果没有这个文件创建内容
[root@openstack-controller1 conf.d]# cat wsgi-keystone.conf
# Keystone public API vhost, normally shipped as /usr/share/keystone/wsgi-keystone.conf
# and symlinked into conf.d (see the ln -s step above).
Listen 5000
<VirtualHost *:5000>
# Run the API in dedicated WSGI daemon processes as the unprivileged keystone
# user/group rather than as Apache's own user.
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
# Everything under / on this port is handled by the keystone public WSGI entry point.
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
# Hand the Authorization header through to the application instead of letting
# Apache consume it, so keystone itself can read token/credential headers.
WSGIPassAuthorization On
# Upper bound (bytes) on request bodies accepted on this vhost.
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
# Separate error/access logs for keystone; the access log records every API
# call (useful for auditing, but it also contains client IPs and request URLs).
ErrorLog /var/log/httpd/keystone.log
CustomLog /var/log/httpd/keystone_access.log combined
# Allow Apache to execute the WSGI script under /usr/bin for this vhost
# (httpd 2.4 syntax first, pre-2.4 fallback below).
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
# Outside the VirtualHost: also expose the same application at /identity on the
# other listeners (e.g. the port-80 server named in httpd.conf).
Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
[root@openstack-controller1 ~]# ll /etc/httpd/conf.d/
total 16
-rw-r--r-- 1 root root 2926 May 30 22:01 autoindex.conf
-rw-r--r-- 1 root root 366 May 30 22:01 README
-rw-r--r-- 1 root root 1252 May 30 21:49 userdir.conf
-rw-r--r-- 1 root root 824 May 30 21:55 welcome.conf
lrwxrwxrwx 1 root root 38 Jul 22 15:25 wsgi-keystone.conf -> /usr/share/keystone/wsgi-keystone.conf
[root@openstack-controller1 conf.d]# systemctl restart httpd
[root@openstack-controller1 conf.d]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@openstack-controller1 conf.d]# netstat -nltp| grep 5000
tcp6 0 0 :::5000 :::* LISTEN 5099/httpd
[root@openstack-controller1 conf.d]# curl 192.168.40.101:5000
{"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://192.168.40.101:5000/v3/", "rel": "self"}]}]}}
You have new mail in /var/spool/mail/root
[root@openstack-controller1 conf.d]#
#测试VIP5000
[root@openstack-controller1 conf.d]# curl 192.168.40.248:5000
{"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://192.168.40.248:5000/v3/", "rel": "self"}]}]}}
#测试域名访问
[root@openstack-controller1 conf.d]# curl openstack-vip.xks.local:5000
{"versions": {"values": [{"status": "stable", "updated": "2019-07-19T00:00:00Z", "media-types": [{"base": "application/json", "type": "application/vnd.openstack.identity-v3+json"}], "id": "v3.13", "links": [{"href": "http://openstack-vip.xks.local:5000/v3/", "rel": "self"}]}]}}
# systemctl enable httpd.service
# systemctl start httpd.service
#创建admin脚本用于登录
[root@openstack-controller1 ~]# cat admin-opensrc.sh
#!/bin/bash
# admin-opensrc.sh - client environment for the bootstrap "admin" account.
# Must be loaded with `source admin-opensrc.sh` (as done below); executing it
# as a program would only set the variables in a child shell.
# The password is kept in clear text in this file -- restrict it to the owner
# (chmod 600) and never commit it anywhere.
export OS_USERNAME=admin
# Same value that was passed to `keystone-manage bootstrap --bootstrap-password`.
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
# Keystone v3 endpoint via the VIP, plain http (credentials are sent unencrypted).
export OS_AUTH_URL=http://openstack-vip.xks.local:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@openstack-controller1 ~]# source admin-opensrc.sh
[root@openstack-controller1 ~]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 55d3da5d213940e28ab27fea4673c9a7 | admin |
+----------------------------------+-------+
#Create a domain, projects, users, and roles
[root@openstack-controller1 ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 9afd7b514a6140ce9332b80dd13c13ad |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
[root@openstack-controller1 ~]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+--------------------+
| 9afd7b514a6140ce9332b80dd13c13ad | example | True | An Example Domain |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+--------------------+
#Create the service project
[root@openstack-controller1 ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | a2a6a13f8b2a4e828366eb5c208e3f87 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
#Create the myproject project
[root@openstack-controller1 ~]# openstack project create --domain default \
> --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 531738bf10f5448e8e0827460d035762 |
| is_domain | False |
| name | myproject |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
[root@openstack-controller1 ~]# openstack project list
+----------------------------------+-----------+
| ID | Name |
+----------------------------------+-----------+
| 531738bf10f5448e8e0827460d035762 | myproject |
| 9f43f66e7d0b411a8219c163858c6f2a | admin |
| a2a6a13f8b2a4e828366eb5c208e3f87 | service |
+----------------------------------+-----------+
#Create the myuser user
openstack user create --domain default \
--password-prompt myuser
密码:myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 4c949cb8204b4dffa32aa899891cd352 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
#Create the myrole role
openstack role create myrole
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 469edf0390bc47f482d489613b8a8407 |
| name | myrole |
| options | {} |
+-------------+----------------------------------+
#Add the myrole role to the myproject project and myuser user
[root@openstack-controller1 ~]# openstack role add --project myproject --user myuser myrole
#!Verify operation
#expires 是 UTC 时间（+0000），换算为北京时间(UTC+8)需要加 8 个小时
#安全说明：下面的 id 就是 Fernet token，属于 bearer 凭证——在过期前任何持有它的人都能以该用户身份调用 API，不要把有效的 token 粘贴到文档、截图或聊天工具中。
[root@openstack-controller1 ~]# unset OS_AUTH_URL OS_PASSWORD
[root@openstack-controller1 ~]# openstack --os-auth-url http://openstack-vip.xks.local:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
Password:admin
Password:admin
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2023-07-22T14:57:20+0000 |
| id | gAAAAABku-BAwsm08252EFfUl8ETRGw1iRBc8MSsmrit2lWT_JNLrbO_wocSMu328M-OEXorN9p5gKJSHG1Yc9B5ubRwSUObxJOBExmgdleOX2Cs2EKv_mj2pDMQMafeBPKw30PdadEJwLUv7rUvVny698cSk_CMgW_iOxl9efOG7O0yxtpD_2Y |
| project_id | 9f43f66e7d0b411a8219c163858c6f2a |
| user_id | 55d3da5d213940e28ab27fea4673c9a7 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
#验证myuser
[root@openstack-controller1 ~]# openstack --os-auth-url http://openstack-vip.xks.local:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name myproject --os-username myuser token issue
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2023-07-22T14:59:04+0000 |
| id | gAAAAABku-CoeqE3BLlI9BG-hJRWs9uFrkCv8a974Ovdcw4UAPFzTq-8J5t-40TKTQHUuVVSD8OeaGtgmP8rLq5aRdXFEniz1wOsz7xBfvlhpmheLSC8bE5Bfqw8ySZEgLWHXoDOUfUTOxt_nqyoIWq1SJT4DCD4a1uHikIM93kvW-XXpLbs5FU |
| project_id | 531738bf10f5448e8e0827460d035762 |
| user_id | 4c949cb8204b4dffa32aa899891cd352 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@openstack-controller1 ~]# source admin-opensrc.sh
[root@openstack-controller1 ~]# openstack user list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 55d3da5d213940e28ab27fea4673c9a7 | admin |
| 4c949cb8204b4dffa32aa899891cd352 | myuser |
+----------------------------------+--------+
#Create OpenStack client environment scripts
#admin-openrc.sh
[root@openstack-controller1 ~]# cat admin-openrc.sh
#!/bin/bash
# admin-openrc.sh - client environment for the bootstrap "admin" account.
# Load it with `source admin-openrc.sh` (or `. admin-openrc.sh`); running it
# as ./admin-openrc.sh only sets the variables in a child shell.
# NOTE: the password is stored in clear text here -- keep the file mode 600
# and do not commit it anywhere.
OS_PROJECT_DOMAIN_NAME=Default
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=admin
# Keystone v3 endpoint via the VIP, plain http (credentials sent unencrypted).
OS_AUTH_URL=http://openstack-vip.xks.local:5000/v3
OS_IDENTITY_API_VERSION=3
OS_IMAGE_API_VERSION=2
export OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME \
  OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION OS_IMAGE_API_VERSION
#demo-openrc.sh
[root@openstack-controller1 ~]# cat demo-openrc.sh
#!/bin/bash
# demo-openrc.sh - client environment for the unprivileged "myuser" account in
# project "myproject". Load it with `source demo-openrc.sh`; running it as a
# program would only set the variables in a child shell.
# NOTE: the password is stored in clear text here -- keep the file mode 600.
OS_PROJECT_DOMAIN_NAME=Default
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=myproject
OS_USERNAME=myuser
OS_PASSWORD=myuser
# Keystone v3 endpoint via the VIP, plain http (credentials sent unencrypted).
OS_AUTH_URL=http://openstack-vip.xks.local:5000/v3
OS_IDENTITY_API_VERSION=3
OS_IMAGE_API_VERSION=2
export OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME \
  OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION OS_IMAGE_API_VERSION
[root@openstack-controller1 ~]# chmod +x admin-openrc.sh demo-openrc.sh
#验证是否可以拿到token信息
#注意：`./admin-openrc.sh` 是在子 shell 中执行的，其中 export 的变量不会进入当前 shell；下面拿到的 token 其 project_id/user_id 仍是 myproject/myuser 而不是 admin，说明 admin 环境并未生效。正确做法是 `source admin-openrc.sh`（或 `. admin-openrc.sh`），chmod +x 对这类环境脚本没有意义，反而应 chmod 600 保护其中的明文密码。
[root@openstack-controller1 ~]# ./admin-openrc.sh
[root@openstack-controller1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2023-07-22T15:07:40+0000 |
| id | gAAAAABku-KsHPq3TbuDRLmZvmAlKWboX3MLCXSDee-HwSh86ZafT842dmjXy-fqEYvOv7CLB7-G9eCfNUo3ngUytF-46IaPGzTcsPR4ahUoSzMmdVUw7dw2fe1KE1JPI2FSwNB5YgWczf-RueJVpaqJl3bo4uPW20veWagMWTHRFkMsvBYU9U4 |
| project_id | 531738bf10f5448e8e0827460d035762 |
| user_id | 4c949cb8204b4dffa32aa899891cd352 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+