Deploying the Keystone identity service


I: Install and configure the service


1. Create the database and the database user


mysql -u root -p

CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '密码';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '密码';
flush privileges;

2. Install Keystone and the httpd web server


yum install openstack-keystone httpd mod_wsgi -y

3. Edit /etc/keystone/keystone.conf


Generate the bootstrap token:

# openssl rand -hex 10

ada2c9751d94be18d74a

#vim /etc/keystone/keystone.conf

[DEFAULT]
admin_token = ada2c9751d94be18d74a # recommended: generate the token with openssl rand -hex 10

[database]
connection = mysql+pymysql://keystone:liuyao@controller/keystone

[token]
provider = fernet

# reference blog post
# Token Provider: UUID, PKI, PKIZ, or Fernet # http://blog.csdn.net/miss_yang_cloud/article/details/49633719

4. Populate the database with the Keystone schema


#su -s /bin/sh -c "keystone-manage db_sync" keystone

5. Initialize the Fernet keys


#keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

6. Configure the Apache service


Edit /etc/httpd/conf/httpd.conf:

ServerName controller


Edit /etc/httpd/conf.d/wsgi-keystone.conf and add the following configuration:

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

7. Start the service:


systemctl enable httpd.service

systemctl start httpd.service

II: Create the service entity and the API endpoints


1. Configure the administrative environment variables; they provide the privileges for the creation steps that follow


export OS_TOKEN=ada2c9751d94be18d74a # this is the token generated above

export OS_URL=

export OS_IDENTITY_API_VERSION=3

2. Using the privileges from the previous step, create the identity service entity (the service catalog)


#openstack service create \
  --name keystone --description "OpenStack Identity" identity

3. For the service entity created in the previous step, create the three API endpoints used to reach it


openstack endpoint create --region RegionOne \
  identity public http://controller:5000/v3

openstack endpoint create --region RegionOne \
  identity internal http://controller:5000/v3

openstack endpoint create --region RegionOne \
  identity admin http://controller:35357/v3

III: Create a domain, project (tenant), user and role, and link the four together


Create a common domain:

#openstack domain create --description "Default Domain" default


Administrator: admin

openstack project create --domain default \
  --description "Admin Project" admin

openstack user create --domain default \
  --password-prompt admin

openstack role create admin

openstack role add --project admin --user admin admin

Regular user: demo

openstack project create --domain default \
  --description "Demo Project" demo

openstack user create --domain default \
  --password-prompt demo

openstack role create user

openstack role add --project demo --user demo user



Create a shared project, service, for the services installed later

Explanation: every service added later requires four operations in Keystone: 1. create a project, 2. create a user, 3. create a role, 4. link them together. All later services share the single project service and all use the administrator role admin, so in practice the Keystone-related work when installing those services is reduced to steps 2 and 4.

openstack project create --domain default \
  --description "Service Project" service

IV: Verification


Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the three pipelines [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3], so that the static bootstrap token can no longer be used to authenticate.
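One way to apply that edit and then audit that no pipeline still loads the filter, as an added example that is not part of the original post; the section and filter names are the ones listed above, and the sample file content is constructed:

```python
# Added example, not from the original post: strip the bootstrap
# admin_token_auth filter from keystone-paste.ini and audit the result.
# The three section names and the filter name are those the post lists.
import configparser

PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")
FILTER = "admin_token_auth"


def remove_admin_token_auth(text):
    """Return (new_text, sections_changed). Only the 'pipeline =' line of
    the three listed sections is edited; every other line is kept."""
    out, changed, section = [], [], None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif section in PIPELINES and stripped.startswith("pipeline"):
            key, _, value = line.partition("=")
            parts = value.split()
            if FILTER in parts:
                parts = [p for p in parts if p != FILTER]
                line = key.rstrip() + " = " + " ".join(parts)
                changed.append(section)
        out.append(line)
    return "\n".join(out) + "\n", changed


def audit(text):
    """Return the pipeline sections that still load admin_token_auth;
    an empty list means the bootstrap token can no longer authenticate."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return [s for s in PIPELINES if cp.has_section(s)
            and FILTER in cp.get(s, "pipeline", fallback="").split()]


# Constructed sample modelled on a Mitaka-era keystone-paste.ini.
SAMPLE = """[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
"""

if __name__ == "__main__":
    fixed, changed = remove_admin_token_auth(SAMPLE)
    print("removed from:", changed, "still enabled in:", audit(fixed))
```

Run audit() against the real file after the edit (and after every package upgrade, which may restore the stock paste file); any section it returns still accepts the admin_token.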


unset OS_TOKEN OS_URL


openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue

Password:

+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Field      | Value                                                                                                                                                                                   |

+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| expires    | 2016-08-17T08:29:18.528637Z                                                                                                                                                             |

| id         | gAAAAABXtBJO-mItMcPR15TSELJVB2iwelryjAGGpaCaWTW3YuEnPpUeg799klo0DaTfhFBq69AiFB2CbFF4CE6qgIKnTauOXhkUkoQBL6iwJkpmwneMo5csTBRLAieomo4z2vvvoXfuxg2FhPUTDEbw-DPgponQO-9FY1IAEJv_QV1qRaCRAY0 |

| project_id | 9783750c34914c04900b606ddaa62920                                                                                                                                                        |

| user_id    | 8bc9b323a3b948758697cb17da304035                                                                                                                                                        |

+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

V: Create the client environment script files


Administrator: admin-openrc

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=liuyao
export OS_AUTH_URL=
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Regular user demo: demo-openrc

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=liuyao
export OS_AUTH_URL=
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Result:

source admin-openrc 

[root@controller01 ~]# openstack token issue