OpenStack 之 KeyStone 认证服务安装

OpenStack 之 keystone 认证服务部署

配置数据库

以 root 用户登入数据库

[root@openstack etcd]# mysql -u root -p

创建 keystone 数据库

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

授予 keystone 数据库权限（注意:`'keystone'@'%'` 允许从任意主机连接,生产环境应把 `%` 收窄为控制节点的实际地址;`KEYSTONE_DBPASS` 只是占位符,须替换为随机生成的强密码）

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';

安装包

[root@openstack etcd]# yum install openstack-keystone httpd mod_wsgi

配置 keystone

编辑配置文件 /etc/keystone/keystone.conf（下面的 connection 串包含数据库明文密码,应保持该文件为安装包默认的权限——仅 root 与 keystone 组可读——不要放宽）

[database]
# ...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
  • KEYSTONE_DBPASS:mysql中设置的keystone 用户密码

  • controller:修改为本机IP

[token]
# ...
provider = fernet

同步至数据库

[root@openstack ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

验证数据库是否同步成功（注意:下面示例把密码直接写在 `-p` 后面,会留在 shell 历史和 `ps` 输出中,且示例值 `keystone` 与上文的 `KEYSTONE_DBPASS` 不一致;实际操作时只写 `-p`,让 mysql 交互式提示输入密码）

[root@openstack ~]# mysql -h 192.168.1.140 -u keystone -pkeystone -e "USE keystone; SHOW TABLES;"  
+-----------------------------+
| Tables_in_keystone          |
+-----------------------------+
| access_token                |
| application_credential      |
| application_credential_role |
| assignment                  |
| config_register             |
| consumer                    |
| credential                  |
| endpoint                    |
| endpoint_group              |
| federated_user              |
| federation_protocol         |
| group                       |
| id_mapping                  |
| identity_provider           |
| idp_remote_ids              |
| implied_role                |
| limit                       |
| local_user                  |
| mapping                     |
| migrate_version             |
| nonlocal_user               |
| password                    |
| policy                      |
| policy_association          |
| project                     |
| project_endpoint            |
| project_endpoint_group      |
| project_tag                 |
| region                      |
| registered_limit            |
| request_token               |
| revocation_event            |
| role                        |
| sensitive_config            |
| service                     |
| service_provider            |
| system_assignment           |
| token                       |
| trust                       |
| trust_role                  |
| user                        |
| user_group_membership       |
| user_option                 |
| whitelisted_config          |
+-----------------------------+

初始化 Fernet key 仓库（生成的 /etc/keystone/fernet-keys 与 credential-keys 目录只应由 keystone 用户读取;Fernet 密钥需要定期用 `keystone-manage fernet_rotate` 轮换,并在多控制节点间同步,否则会长期使用同一密钥签发 token）

[root@openstack ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@openstack ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

引导认证服务

# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
  --bootstrap-admin-url http://controller:5000/v3/ \
  --bootstrap-internal-url http://controller:5000/v3/ \
  --bootstrap-public-url http://controller:5000/v3/ \
  --bootstrap-region-id RegionOne
  • ADMIN_PASS:配置 keystone 管理员密码（作为命令行参数传入会留在 shell 历史和 `ps` 输出中,执行后应清理历史记录,并使用随机生成的强密码）
  • controller:配置为本机IP（示例 endpoint 使用 http,凭据和 token 会明文传输;生产环境应在 Apache 上启用 TLS 并注册 https 的 endpoint）

配置 Apache HTTP 服务

编辑 /etc/httpd/conf/httpd.conf 文件,ServerName 配置如下:

ServerName controller
  • controller:改为本机 IP:80

创建软链接配置文件 /usr/share/keystone/wsgi-keystone.conf

[root@openstack ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

设置 Apache HTTP 服务开机自启,并启动服务

# systemctl enable httpd.service
# systemctl start httpd.service

在家目录下创建admin-openstack.bashrc文件,配置管理员账户的环境变量（该文件保存管理员明文密码,应执行 `chmod 600` 限制为仅属主可读,不要提交到版本库或随意拷贝到其他主机）

# Admin credentials for the OpenStack CLI; this file is sourced before the
# `openstack ...` commands below. ADMIN_PASS and controller are placeholders
# to be replaced as described in the notes under the listing.
OS_USERNAME=admin
OS_PASSWORD=ADMIN_PASS
OS_PROJECT_NAME=admin
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_DOMAIN_NAME=Default
OS_AUTH_URL=http://controller:5000/v3
OS_IDENTITY_API_VERSION=3
# Export everything in one go so child processes (the openstack client) see it.
export OS_USERNAME OS_PASSWORD OS_PROJECT_NAME OS_USER_DOMAIN_NAME \
  OS_PROJECT_DOMAIN_NAME OS_AUTH_URL OS_IDENTITY_API_VERSION
  • ADMIN_PASS:keystone中配置的密码
  • controller:本机IP

执行环境变量配置文件 admin-openstack.bashrc

[root@openstack ~]# source /root/admin-openstack.bashrc 

创建 domain、projects、users 和 roles

[root@openstack ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 9c88ae9ec6bb4eb1b2eb4f28b0143c3d |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+
[root@openstack ~]# openstack project create --domain default \
>   --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | f4c2787c85374a8b9e39bcbf04604ef5 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
[root@openstack ~]# openstack project create --domain default \
>   --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 5672db92b1644d59a228095ff8883673 |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
[root@openstack ~]# openstack user create --domain default \
>   --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | a504670c5dd2462a8564ac56fecf922a |
| name                | myuser                           |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+
[root@openstack ~]# openstack role create myrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 0275e8add4f343cabe35dd18f69c0ba5 |
| name      | myrole                           |
+-----------+----------------------------------+

添加 myuser 用户至 myproject 中,并授予 myrole 权限

[root@openstack ~]# openstack role add --project myproject --user myuser myrole

以 admin 用户请求认证 token

[root@openstack ~]# openstack --os-auth-url http://controller:5000/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name admin --os-username admin token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2019-01-12T03:04:51+0000                                                                                                                                                                |
| id         | gAAAAABcOUtD9ZUvRnHdXgG-feS0lSqj9-mezXb2XgNX3f7Yxkf7dmkMMB4Wsjiy71p4hhZSVzCJTcrGGbwd7AuBprgr1eWx1BnUCNkXQATHjEb7GhlbMjrS6bwWc4EOCkBOdQcP1CeSszcizzQEvVsecmdga2_taWHuY2y850V9ZVHloPUI-MU |
| project_id | 48d70011a03f4639944aaf7b69f97bc4                                                                                                                                                        |
| user_id    | 8d5d59cfa782442a8b0a2dc1509282db                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
  • controller:修改为本机IP

创建 myuser 环境变量（注意:上文只在 myproject 项目上给 myuser 授予了 myrole,所以项目名应填 myproject,与下文请求 token 的命令保持一致;该文件同样含有明文密码,应 `chmod 600`）

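# Credentials for the unprivileged demo user.
# OS_PROJECT_NAME must be myproject: the `openstack role add` step granted
# myuser the myrole role only on myproject, and the token request below is
# scoped to myproject as well, so a scope of "admin" would not be authorized.
# OS_PASSWORD is the value entered at `openstack user create --password-prompt`;
# a password equal to the user name is acceptable only in a throwaway lab.
# This file holds a plaintext password: keep it mode 600.
export OS_USERNAME=myuser
export OS_PASSWORD=myuser
export OS_PROJECT_NAME=myproject
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.1.140:5000/v3
export OS_IDENTITY_API_VERSION=3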

以 myuser 用户请求一个认证的token

[root@openstack ~]# openstack --os-auth-url http://192.168.1.140:5000/v3 \
>   --os-project-domain-name Default --os-user-domain-name Default \
>   --os-project-name myproject --os-username myuser token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2019-01-12T03:15:59+0000                                                                                                                                                                |
| id         | gAAAAABcOU3fK5B9GrisdHpLmI83yyuecnFN80xZVFVKc4z-zKy6IxeYipfXga-CKQVz_xqErlwO9rEu6AaeENrkj3Zg9cLgOaCCQuV3k4ZDfnL0eN6AE0Goq6RUnfp-kEG3DWHs-ZSTSer7jHpPQFJs6lFti2iUqevXOrL_9tCJVs5puB5nPWc |
| project_id | 5672db92b1644d59a228095ff8883673                                                                                                                                                        |
| user_id    | a504670c5dd2462a8564ac56fecf922a                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+