Building a multi-node OpenStack private cloud (2): Deploying the Keystone identity service
1、Deploy the Keystone identity service
1. Log in to MySQL as root:
mysql -u root -p
2. Create the keystone database:
CREATE DATABASE keystone;
3. Grant the keystone database user access; "KEYSTONE_DBPASS" is a placeholder, use a real password:
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
The second grant ('keystone'@'%') lets this account log in from any host. Keystone runs on the controller next to the database, so the 'localhost' grant is sufficient; if you keep the wildcard grant, make sure the password is strong.
4. Exit MySQL:
quit
5. Install the keystone packages:
yum install openstack-keystone httpd mod_wsgi -y
6. Configure keystone
vim /etc/keystone/keystone.conf
In vim, type /DEFAULT] to search for a section header and press n to jump to the next match.
Remember to remove the leading # so that the setting is actually live.
- In the [DEFAULT] section, define the value of the initial administration token:
[DEFAULT]
...
admin_token = ADMIN_TOKEN
Replace ADMIN_TOKEN with the random value generated in the earlier step. This token is a shared secret that bypasses normal authentication and gives full control of the identity API, so it must not be guessable and should not stay enabled once the admin user has been created.
- In the [database] section, configure database access:
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
Replace KEYSTONE_DBPASS with the password you chose for the database.
- In the [token] section, configure the Fernet token provider:
[token]
...
provider = fernet
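The three edits above can be applied from a script instead of by hand in vim. The following is an added example, not code from the original post or from OpenStack: it assumes the same section and key names and placeholders as the post (DEFAULT/admin_token, database/connection, token/provider), the controller host name controller, and that the admin token is generated with openssl rand -hex 10 (an assumption here; the post only says "the random value generated in the earlier step"). It treats a commented-out `#key = ...` line, as the packaged keystone.conf ships them, as the place to put the live value, so re-running it changes nothing.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from OpenStack: apply the
# three keystone.conf settings from step 6 with a script instead of vim.
# Assumed: section/key names and placeholders as in the post, host "controller",
# and the admin token generated with "openssl rand -hex 10".

# set_ini FILE SECTION KEY VALUE
# Replaces the first "KEY = ..." line inside [SECTION], including one that is
# commented out with '#'; if the key is absent it is appended to the section,
# and the section is created if the file lacks it. Re-running is harmless.
set_ini() {
  local file=$1 section=$2 key=$3 value=$4
  # awk -v expands backslash escapes, so a VALUE containing backslashes must double them
  awk -v s="$section" -v k="$key" -v v="$value" '
    /^\[.*\]$/ {                                         # section header
      if (insec && !done) { print k " = " v; done = 1 }  # key missing: add before next section
      insec = ($0 == "[" s "]")
      print; next
    }
    insec && !done && $0 ~ ("^[#[:space:]]*" k "[[:space:]]*=") {
      print k " = " v; done = 1; next                    # replace live or commented-out key
    }
    { print }
    END {
      if (!done) {
        if (!insec) print "[" s "]"                      # section never seen
        print k " = " v
      }
    }' "$file" > "$file.tmp" || { rm -f "$file.tmp"; return 1; }
  # write through the existing inode so whatever ownership and mode the package set survive
  cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# get_ini FILE SECTION KEY: print the live (uncommented) value of KEY in [SECTION], if any
get_ini() {
  awk -v s="$2" -v k="$3" '
    /^\[.*\]$/ { insec = ($0 == "[" s "]"); next }
    insec && $0 ~ ("^" k "[[:space:]]*=") {
      sub("^" k "[[:space:]]*=[[:space:]]*", ""); print; exit
    }' "$1"
}

# configure_keystone CONF ADMIN_TOKEN DB_PASS: the three settings from step 6
configure_keystone() {
  set_ini "$1" DEFAULT admin_token "$2" &&
  set_ini "$1" database connection "mysql+pymysql://keystone:$3@controller/keystone" &&
  set_ini "$1" token provider fernet
}

# On the controller: run this file with --apply and KEYSTONE_DBPASS exported.
if [ "${1:-}" = "--apply" ]; then
  ADMIN_TOKEN=$(openssl rand -hex 10)
  configure_keystone /etc/keystone/keystone.conf "$ADMIN_TOKEN" "${KEYSTONE_DBPASS:?export KEYSTONE_DBPASS first}"
  echo "admin_token = $ADMIN_TOKEN   (needed as OS_TOKEN in step 11; keep it secret)"
fi
```

The file is rewritten through cat rather than mv so the inode, and with it the ownership and mode the package gave keystone.conf, are kept; get_ini reads back only uncommented values, which is the quick way to confirm that the # was really removed.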
7. Verify that the database user and password work
mysql -u keystone -p
Enter the password: KEYSTONE_DBPASS
use keystone;
show tables;
An empty result is expected at this point; the tables are created in the next step.
8. Populate the identity service database
su -s /bin/sh -c "keystone-manage db_sync" keystone
Looking at the keystone database again now shows many tables. You can also check from the shell:
[root@controller ~]# mysql keystone -e 'show tables;'
9. Initialize the Fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
To confirm it worked, a fernet-keys directory now exists under /etc/keystone; it should be owned by keystone and readable by nobody else:
ll /etc/keystone/
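Before moving on it is worth checking that the key repository really is private, because the keys in it sign and encrypt every token keystone issues: whoever can read them can mint a valid token for any user. The script below is an added example, not part of the original post or of keystone. It assumes the repository path /etc/keystone/fernet-keys from the post and the fact that fernet_setup creates two keys, 0 (the staged key) and 1 (the primary key). Ownership is compared by numeric uid and gid so the same function can be exercised on a constructed directory.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): sanity-check the Fernet key
# repository after step 9. The directory must be mode 700, every key file mode
# 600, all owned by the keystone service user, and nothing else may live there.

# perm_ok PATH MODE UID GID -> 0 if PATH has exactly that mode and owner
perm_ok() {
  [ "$(stat -c '%a %u %g' "$1" 2>/dev/null)" = "$2 $3 $4" ]
}

# check_fernet_repo DIR UID GID -> 0 if the repository is sane; otherwise
# prints one line per problem found and returns 1
check_fernet_repo() {
  local dir=$1 uid=$2 gid=$3 rc=0 f n=0
  [ -d "$dir" ] || { echo "missing $dir: run keystone-manage fernet_setup"; return 1; }
  perm_ok "$dir" 700 "$uid" "$gid" ||
    { echo "$dir: want mode 700 owner $uid:$gid, have $(stat -c '%a %u:%g' "$dir")"; rc=1; }
  for f in "$dir"/*; do
    [ -e "$f" ] || continue
    n=$((n + 1))
    # key files are named 0, 1, 2, ...: 0 is the staged key, the highest number the primary key
    case "${f##*/}" in
      *[!0-9]*) echo "$f: not a key file, remove it (keys are named 0, 1, 2, ...)"; rc=1 ;;
    esac
    perm_ok "$f" 600 "$uid" "$gid" ||
      { echo "$f: want mode 600 owner $uid:$gid, have $(stat -c '%a %u:%g' "$f")"; rc=1; }
    [ -s "$f" ] || { echo "$f: empty key file"; rc=1; }
  done
  # fernet_setup leaves two keys behind: 0 (staged) and 1 (primary)
  [ "$n" -ge 2 ] || { echo "$dir: expected at least 2 keys, found $n"; rc=1; }
  return "$rc"
}

# Real check on the controller (needs the keystone user to exist):
if [ "${1:-}" = "--check" ]; then
  check_fernet_repo /etc/keystone/fernet-keys "$(id -u keystone)" "$(id -g keystone)"
fi
```

Save it under any name and run it with --check on the controller after fernet_setup; a non-zero exit with the listed problems means fix the permissions before starting httpd, since a world-readable key is a token-forgery primitive, not a cosmetic issue.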
10. Configure Apache
Edit /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node:
vi /etc/httpd/conf/httpd.conf
ServerName controller
The identity service is served on two ports; copy the packaged virtual host definition into place:
cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Enable and start the service:
systemctl enable httpd.service
systemctl start httpd.service
Check the listening ports (remember to reboot the virtual machine first); httpd should be listening on 5000 and 35357:
netstat -lntup
11. Create the service entity and API endpoints
1. Configure the authentication token (the same value you put into keystone.conf):
$ export OS_TOKEN=ADMIN_TOKEN
2. Configure the endpoint URL:
$ export OS_URL=http://controller:35357/v3
3. Configure the identity API version:
$ export OS_IDENTITY_API_VERSION=3
4. Check the environment variables:
env | grep OS
5. Create the service entity for the identity service:
$ openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | 4ddaae90388b4ebc9d252ec2252d8d10 |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
6. Create the identity service API endpoints:
$ openstack endpoint create --region RegionOne identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 30fff543e7dc4b7d9a0fb13791b78bf4 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 8c8c0927262a45ad9066cfe70d46892c |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 57cfa543e7dc4b712c0ab137911bc4fe |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 6f8de927262ac12f6066cfe70d99ac51 |
| service_name | keystone |
| service_type | identity |
| url | http://controller:5000/v3 |
+--------------+----------------------------------+
$ openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 78c3dfa3e7dc44c98ab1b1379122ecb1 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | 34ab3d27262ac449cba6cfe704dbc11f |
| service_name | keystone |
| service_type | identity |
| url | http://controller:35357/v3 |
+--------------+----------------------------------+
12. Create the domain, projects, users and roles
1. Create the default domain:
$ openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | e0353a670a9e496da891347c589539e9 |
| name | default |
+-------------+----------------------------------+
2. In your environment, create an administrative project, user and role for administrative operations:
- Create the admin project:
$ openstack project create --domain default \
--description "Admin Project" admin
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | 343d245e850143a096806dfaefa9afdc |
| is_domain | False |
| name | admin |
| parent_id | None |
+-------------+----------------------------------+
OpenStack generates IDs dynamically, so the output you see will differ from the sample output.
- Create the admin user:
$ openstack user create --domain default \
--password ADMIN_PASS admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | ac3377633149401296f6c0d92d79dc16 |
| name | admin |
+-----------+----------------------------------+
Passing --password on the command line leaves the admin password in the shell history and shows it in the process list while the command runs; --password-prompt, as used for the demo user below, avoids both.
- Create the admin role:
$ openstack role create admin
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | cd2cb9a39e874ea69e5d4b896eb16128 |
| name | admin |
+-----------+----------------------------------+
- Add the admin role to the admin project and user:
$ openstack role add --project admin --user admin admin
3. This guide uses a service project that contains a unique user for each service you add to your environment. Create the service project (it holds the service accounts):
$ openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | 894cdfa366d34e9d835d3de01e752262 |
| is_domain | False |
| name | service |
| parent_id | None |
+-------------+----------------------------------+
4. Regular (non-administrative) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user.
- Create the demo project:
$ openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | ed0b60bf607743088218b0a533d5943f |
| is_domain | False |
| name | demo |
| parent_id | None |
+-------------+----------------------------------+
Note: do not repeat this step when creating additional users for this project.
- Create the demo user:
$ openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | e0353a670a9e496da891347c589539e9 |
| enabled | True |
| id | 58126687cbcc4888bfa9ab73a2256f27 |
| name | demo |
+-----------+----------------------------------+
- Create the user role:
$ openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user |
+-----------+----------------------------------+
- Add the user role to the demo project and user:
$ openstack role add --project demo --user demo user
Check which OS_ variables are set in the current shell:
[root@controller ~]# env | grep OS
Create the admin client environment file:
vi admin-openrc
Add the following content (ADMIN_PASS is the password given to the admin user above):
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
This file holds the admin password in clear text, so make it readable by root only (mode 600). Before using it, unset the OS_TOKEN and OS_URL variables exported for the bootstrap step; a fresh login shell, as used in the test below, does not carry them.
To load the file automatically on login:
vi .bashrc
Add the following line (the path is relative, so it only works when the login shell starts in the directory that holds the file; an absolute path is safer):
source admin-openrc
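Two things a plain `source admin-openrc` does not handle: the OS_TOKEN and OS_URL variables left over from the bootstrap step, and the fact that the file holds the admin password in clear text. The following is an added example, not code from the original post; the file name, variable set, controller host name and admin port come from the post, while reading the password from standard input is a convention chosen here. It writes the file with mode 600, quotes the password so it survives being sourced, and loads the file only after clearing the bootstrap variables and checking that the required variables are present and that OS_PASSWORD is no longer the ADMIN_PASS placeholder.

```shell
#!/usr/bin/env bash
# Added example (not part of the original post): write and load admin-openrc
# without leaking the admin password or silently reusing the bootstrap token.
# Assumed: host "controller", admin endpoint http://controller:35357/v3 and
# the variable set from the post.

# write_admin_openrc FILE: reads the admin password from stdin, so it never
# appears on the command line or in shell history, and writes FILE readable
# only by its owner. The password is single-quoted with embedded quotes
# escaped, so characters such as $ or spaces survive "source".
write_admin_openrc() {
  local file=$1 password quoted
  IFS= read -r password || return 1
  quoted=$(printf '%s' "$password" | sed "s/'/'\\\\''/g")
  (
    umask 077   # new file is created as 600
    printf '%s\n' \
      "export OS_PROJECT_DOMAIN_NAME=default" \
      "export OS_USER_DOMAIN_NAME=default" \
      "export OS_PROJECT_NAME=admin" \
      "export OS_USERNAME=admin" \
      "export OS_PASSWORD='$quoted'" \
      "export OS_AUTH_URL=http://controller:35357/v3" \
      "export OS_IDENTITY_API_VERSION=3" \
      "export OS_IMAGE_API_VERSION=2" > "$file"
  )
  chmod 600 "$file"   # in case FILE already existed with wider permissions
}

# load_openrc FILE: refuse a group- or world-readable file, drop the bootstrap
# token variables, source FILE and check that every variable the client needs
# is set and that the password is not still the ADMIN_PASS placeholder.
load_openrc() {
  local file=$1 mode v val rc=0
  mode=$(stat -c '%a' "$file") || return 1
  if [ $((0$mode & 077)) -ne 0 ]; then
    echo "$file is mode $mode; it holds a password, chmod 600 it first" >&2
    return 1
  fi
  unset OS_TOKEN OS_URL   # otherwise the client may keep authenticating with the admin token
  . "$file"
  for v in OS_AUTH_URL OS_USERNAME OS_PASSWORD OS_PROJECT_NAME \
           OS_USER_DOMAIN_NAME OS_PROJECT_DOMAIN_NAME OS_IDENTITY_API_VERSION; do
    eval "val=\${$v:-}"
    [ -n "$val" ] || { echo "$file does not set $v" >&2; rc=1; }
  done
  [ "${OS_PASSWORD:-}" != ADMIN_PASS ] ||
    { echo "OS_PASSWORD is still the ADMIN_PASS placeholder" >&2; rc=1; }
  case "${OS_AUTH_URL:-}" in
    */v3) ;;
    *) echo "OS_AUTH_URL should be the v3 endpoint, got: ${OS_AUTH_URL:-unset}" >&2; rc=1 ;;
  esac
  return "$rc"
}
```

On the controller, run `write_admin_openrc ~/admin-openrc` and type the password once on the following line; then use `load_openrc ~/admin-openrc` in .bashrc (or interactively) in place of the bare source line, and `openstack token issue` as below confirms that password authentication works.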
Reconnect to the virtual machine so that the new login shell picks up admin-openrc, then request an authentication token to test:
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-10-26T02:41:06+0000 |
| id | gAAAAABflikyYxsCBO2R2sq7Zz-GeCg4YUahiFF0C5hoIHuU6elQuxGGxTOpfotf382c4iZhtlHlwQqoJWd4n0l2ysBAI-87aDaX_8w6g2QeyV3YOq4n4ShKxOLcBgum_wXqW2hFM9XS9Nr_PjK0_NIzT32opqmz3wLY3FL9yL4wgSJ-e8aecAM |
| project_id | 144d035e5f604e5383fc3cc4e1ce5b3c |
| user_id | d2f32ce32f764264afa783e11c5e6e92 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
