Keystone for Train

Install Keystone

On the controller node

1. Create the keystone database

This step sets the password of the keystone database user; record it. Replace KEYSTONE_DBPASS with the password you choose for the keystone database. Note that the second GRANT ('keystone'@'%') lets the keystone user connect from any host, so MariaDB must be listening only on the management-network address configured when the database was installed.

[root@controller ~]# mysql -u root -p

MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> exit

2. Install and configure the components

  1. Install the packages
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
  2. Edit the configuration file
  • Replace KEYSTONE_DBPASS with the keystone database password.
  • In the [database] section, comment out or remove any other active connection option.
  • The hostname controller must be resolvable.
[root@controller ~]# vim /etc/keystone/keystone.conf

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = fernet
  3. Populate the keystone database
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
  4. Initialize the Fernet token key repository and the credential key repository (both owned by the keystone user and group)
[root@controller ~]# keystone-manage fernet_setup \
--keystone-user keystone \
--keystone-group keystone
[root@controller ~]# keystone-manage credential_setup \
--keystone-user keystone \
--keystone-group keystone
  5. Bootstrap the Identity service

This step sets the password of the admin user, which has full control of the cloud; choose it carefully and keep it safe.

  • Replace ADMIN_PASS with the password for the admin user.
  • The Identity service exposes only the v3 API; the admin, internal and public endpoint URLs all use the same port, 5000.
  • The command automatically creates the default domain, the admin project, the admin user (with ADMIN_PASS), the admin, member and reader roles, and the keystone service with its endpoints.
[root@controller ~]# keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
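After step 4 above, the token keys live in /etc/keystone/fernet-keys. Anyone who can read those files can mint a token for any user, so the check a practitioner wants right after fernet_setup (and after every later `keystone-manage fernet_rotate`) is that the repository is laid out and permissioned as keystone-manage documents it. The following is an added example, not Keystone's own code: it audits a repository built in a temporary directory rather than /etc/keystone, and assumes the documented layout (key files named by integer, 0 = staged key that the next rotation promotes, highest number = primary key used to encrypt new tokens, other numbers = secondary keys kept only to validate older tokens; directory mode 0700, files 0600). The credential key repository that credential_setup creates uses the same layout, so the same check applies to it.

```python
"""Audit a Keystone Fernet key repository after `keystone-manage fernet_setup`.

Added example, not Keystone's code. Assumed layout (as documented for
keystone-manage): files named 0 (staged), N = max (primary), others (secondary);
directory 0700, key files 0600, each file a 32-byte urlsafe-base64 Fernet key.
"""
import base64
import os
import stat
import tempfile

DIR_MODE = 0o700
FILE_MODE = 0o600
KEY_BYTES = 32  # a Fernet key is 16 bytes for signing + 16 bytes for encryption


def classify_keys(repo):
    """Say which key file is staged, which is primary and which are secondary."""
    numbers = sorted(int(n) for n in os.listdir(repo) if n.isdigit())
    if not numbers:
        raise ValueError("no key files in %s" % repo)
    primary = max(numbers)
    return {
        "staged": "0" if 0 in numbers else None,
        "primary": str(primary),
        "secondary": [str(n) for n in numbers if n not in (0, primary)],
    }


def audit_repository(repo):
    """Return a list of findings; an empty list means the repository looks healthy."""
    findings = []
    if stat.S_IMODE(os.stat(repo).st_mode) != DIR_MODE:
        findings.append("directory mode is not 0700")
    names = os.listdir(repo)
    for name in names:
        path = os.path.join(repo, name)
        if not name.isdigit():
            findings.append("unexpected file %s in key repository" % name)
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode != FILE_MODE:
            findings.append("key %s has mode %o, expected 0600" % (name, mode))
        with open(path, "rb") as fh:
            data = fh.read().strip()
        try:
            key = base64.urlsafe_b64decode(data)
        except ValueError:
            key = b""
        if len(key) != KEY_BYTES:
            findings.append("key %s is not a 32-byte urlsafe-base64 Fernet key" % name)
    if "0" not in names:
        findings.append("no staged key (0); the next fernet_rotate has nothing to promote")
    if sum(1 for n in names if n.isdigit()) < 2:
        findings.append("fewer than two keys; fernet_setup normally creates 0 and 1")
    return findings


def make_sample_repo(key_numbers=(0, 1), file_mode=FILE_MODE):
    """Build a constructed repository that mimics fernet_setup (or a weakened one)."""
    repo = tempfile.mkdtemp(prefix="fernet-keys-")  # mkdtemp creates the directory 0700
    for number in key_numbers:
        path = os.path.join(repo, str(number))
        with open(path, "wb") as fh:
            fh.write(base64.urlsafe_b64encode(os.urandom(KEY_BYTES)))
        os.chmod(path, file_mode)
    return repo


if __name__ == "__main__":
    repo = make_sample_repo()
    print(classify_keys(repo))                      # {'staged': '0', 'primary': '1', 'secondary': []}
    print(audit_repository(repo))                   # []
    print(audit_repository(make_sample_repo(file_mode=0o644)))  # mode findings for both keys
```

Pointing `audit_repository()` at /etc/keystone/fernet-keys on the controller (as root) gives the real answer; after a `fernet_rotate` the staged key 0 becomes the new primary and a fresh 0 is written, which `classify_keys()` makes visible.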

3. Configure the Apache HTTP server

Keystone's web front end runs under the Apache HTTP server as an httpd virtual host listening on port 5000. wsgi-keystone.conf holds the virtual host configuration; it takes effect only once it is linked into /etc/httpd/conf.d/, and removing the link disables the virtual host.

[root@controller ~]# vim /etc/httpd/conf/httpd.conf 
ServerName controller
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

4. Start the service and set the authentication environment variables

[root@controller ~]# systemctl enable --now httpd
[root@controller ~]# systemctl status httpd

The values of these environment variables are the ones created by the keystone-manage bootstrap command:

[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=ADMIN_PASS
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3

5. Create domains, projects, users and roles

The Identity service provides authentication for every OpenStack service, and that requires domains, projects, users and roles.

  1. Look up the Default domain that already exists

The Default domain was created by the keystone-manage bootstrap command.

[root@controller ~]# openstack domain show default
+-------------+--------------------+
| Field | Value |
+-------------+--------------------+
| description | The default domain |
| enabled | True |
| id | default |
| name | Default |
| options | {} |
| tags | [] |
+-------------+--------------------+
  2. Create a new domain as a demonstration
[root@controller ~]# openstack domain create \
--description "An Example Domain" example

+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | a6f28a6750164f73b10818dbf7cb8c99 |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
  3. Create a project named service

Later on, the unique user of each OpenStack service is placed in this project.

[root@controller ~]# openstack project create --domain default \
--description "Service Project" service

+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | b876ed4d12434586af0656a67d3ef3e3 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
  4. Create an ordinary project: myproject
[root@controller ~]# openstack project create --domain default \
--description "Demo Project" myproject

+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | ae262946519b4e59a21710e6beb592ae |
| is_domain | False |
| name | myproject |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
  5. Create an ordinary user: myuser
[root@controller ~]# openstack user create --domain default \
--password-prompt myuser

User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | dbf6756315174cf29de25ac4bbdca22f |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
  6. Create an ordinary role: myrole
[root@controller ~]# openstack role create myrole
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 004f843814304f63b46ae751b2bd60bc |
| name | myrole |
| options | {} |
+-------------+----------------------------------+
  7. Assign the role: grant myrole to myuser in myproject
[root@controller ~]# openstack role add --project myproject --user myuser myrole

Verify Keystone

On the controller node

1. Unset the temporary authentication environment variables, so that the following commands take the auth URL on the command line and prompt for the password

[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD

2. As the admin user, request an authentication token from Keystone; entering the admin user's password should succeed

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue

Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2021-12-02T06:45:08+0000 |
| id | gAAAAABhqF1kw8osSKrsBNq1LAcHw9K8NbLmC88Dpq8GZBITtknyq5-7gBFDQSakjNZ4-otq7mKodoJz9dBnUanSwjfYQ5JzSTfsQKaQozthPAwDeS-8A3jXlgYKsnefYBTH9pDAPRSR8sPpeW65zxtYQrn3syG6AMlet1xhGNY_-gmZbgOogFE |
| project_id | 9d9ce9078e944c77854e084d9c474df0 |
| user_id | ce74c4d107f4401db258c13f4174420b |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

3. As the myuser user, request an authentication token from Keystone; entering the myuser password should succeed

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name myproject --os-username myuser token issue

Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2021-12-02T06:45:58+0000 |
| id | gAAAAABhqF2Wz5MAeeNfT_201TwfGl4ITxpTclFGKFDIi5BmGyrn0PVNWyYud-rmoO2mTf5VN94hX-Topowm5QOw9RUXuj9rTrrdfF2ArKaFCnQ0HxeEKatdTmiyfcLaCOXDFYieg3d8C-8rXEZESO0yGwAnIrdCOTHIzQBz5Ptg9khgEzPgepE |
| project_id | ae262946519b4e59a21710e6beb592ae |
| user_id | dbf6756315174cf29de25ac4bbdca22f |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
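The token ids printed in steps 2 and 3 above are Fernet tokens (the `provider = fernet` setting in keystone.conf). They are bearer credentials, so a token printed in a log or a shell history is as good as the password until it expires; both of the tokens above expired within an hour of issue. The following is an added example, not Keystone's code: it reads only the outer Fernet envelope that cryptography's Fernet produces (version byte 0x80, 64-bit big-endian issue time, 16-byte IV, PKCS7-padded AES-CBC ciphertext, 32-byte HMAC-SHA256), restores the base64 padding that Keystone strips from token ids, and checks that the printed `expires` value is the issue time plus the default `[token] expiration` of 3600 seconds. The user, project and expiry themselves are in the ciphertext and cannot be read without the keys in /etc/keystone/fernet-keys.

```python
"""Read the outer Fernet envelope of the token ids printed by `openstack token issue`.

Added example, not Keystone's code. Layout assumed is the Fernet spec used by
Keystone's fernet provider:
  byte 0      version, always 0x80
  bytes 1-8   issue time, unsigned 64-bit big-endian seconds since the epoch
  bytes 9-24  AES-128-CBC IV
  bytes 25..  ciphertext (PKCS7 padded, a whole number of 16-byte blocks)
  last 32     HMAC-SHA256 over everything before it
"""
import base64
import struct
from datetime import datetime, timedelta, timezone

TOKEN_EXPIRATION = 3600  # keystone.conf [token] expiration, default 3600 seconds

# The two token ids printed in the verification steps above (already expired).
ADMIN_TOKEN = ("gAAAAABhqF1kw8osSKrsBNq1LAcHw9K8NbLmC88Dpq8GZBITtknyq5-7gBFDQSakjNZ4-otq7mKodoJz9dBnUanSwjfYQ5JzSTfs"
               "QKaQozthPAwDeS-8A3jXlgYKsnefYBTH9pDAPRSR8sPpeW65zxtYQrn3syG6AMlet1xhGNY_-gmZbgOogFE")
DEMO_TOKEN = ("gAAAAABhqF2Wz5MAeeNfT_201TwfGl4ITxpTclFGKFDIi5BmGyrn0PVNWyYud-rmoO2mTf5VN94hX-Topowm5QOw9RUXuj9rTrrd"
              "fF2ArKaFCnQ0HxeEKatdTmiyfcLaCOXDFYieg3d8C-8rXEZESO0yGwAnIrdCOTHIzQBz5Ptg9khgEzPgepE")


def decode_envelope(token_id):
    """Split a Keystone Fernet token id into its unencrypted envelope fields."""
    raw = base64.urlsafe_b64decode(token_id + "=" * (-len(token_id) % 4))
    if raw[0] != 0x80:
        raise ValueError("version byte %#x: not a Fernet token" % raw[0])
    if len(raw) < 1 + 8 + 16 + 32:
        raise ValueError("too short for a Fernet token")
    (issued,) = struct.unpack(">Q", raw[1:9])
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),
        "iv": raw[9:25],
        "ciphertext_len": len(ciphertext),  # the msgpack payload, padded; opaque without the key
        "hmac": raw[-32:],
    }


def expiry_matches(token_id, expires, expiration=TOKEN_EXPIRATION):
    """True if the printed `expires` field equals the issue time plus [token] expiration."""
    printed = datetime.strptime(expires, "%Y-%m-%dT%H:%M:%S%z")
    issued = decode_envelope(token_id)["issued_at"]
    return issued + timedelta(seconds=expiration) == printed


if __name__ == "__main__":
    for name, token, expires in (("admin", ADMIN_TOKEN, "2021-12-02T06:45:08+0000"),
                                 ("myuser", DEMO_TOKEN, "2021-12-02T06:45:58+0000")):
        env = decode_envelope(token)
        print(name, "issued", env["issued_at"].isoformat(),
              "ciphertext", env["ciphertext_len"], "bytes",
              "expiry consistent with 3600 s:", expiry_matches(token, expires))
```

Because the issue time is in the clear, a leaked token id tells an attacker how long it stays usable; shortening `[token] expiration` limits that window, and `keystone-manage fernet_rotate` with a small `max_active_keys` retires the keys that can validate old tokens.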

Create and use OpenRC files

On the controller node

1. Create admin-openrc

  • Replace ADMIN_PASS with the admin user's password.
  • The hostname controller must be resolvable.
  • The file holds the password in clear text and is executed by the shell when sourced, so keep it readable and writable only by its owner (chmod 600).
[root@controller ~]# vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

2. Create demo-openrc

  • Replace DEMO_PASS with the myuser password.
  • The hostname controller must be resolvable.
  • As with admin-openrc, restrict the file to its owner (chmod 600).
[root@controller ~]# vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

3. Before working as a given project and user, source the matching environment script

[root@controller ~]# source demo-openrc 
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2021-12-02T07:11:28+0000 |
| id | gAAAAABhqGOQaC-vHL8i-CuaFgiUJDaSfbQdnlvO3pWAyE2Oi0NJUenE4KYmT0gAvAtxzrBra6F9QvCudSJyZPVXcgYczLlU4dWsYaKumnv9KFSSLMQc8c8NZ_3kVDG7dJ0-aiOcnxY8ZD2Acr1VjzsDB0oP4H94W87oBbwu69xR2JlYlC4rnFg |
| project_id | ae262946519b4e59a21710e6beb592ae |
| user_id | dbf6756315174cf29de25ac4bbdca22f |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]# . admin-openrc 
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2021-12-02T07:12:16+0000 |
| id | gAAAAABhqGPApAvHp1ER3FEidICPaabPPjTwbcFOS3gLo6wlAdRJCOVdNFpJyT0PsmveTFWgrfNUERnVdHi4pU0aKWAwrN5K7HEFcQ1gwj75cV2EKNoSC0JlXiSKkq6fpIfb0032FekRFdAlSKotHBL7ENRymJmrWrr30qNtArLANHg2S77YgPo |
| project_id | 9d9ce9078e944c77854e084d9c474df0 |
| user_id | ce74c4d107f4401db258c13f4174420b |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
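`source admin-openrc` executes the file as shell: whoever can write it runs commands with your privileges the next time you source it, and whoever can read it learns OS_PASSWORD. The following is an added example, not part of the page or of OpenStack: it parses an OpenRC file without sourcing it and audits it for the three things a practitioner would check (owner-only permissions, every line a plain `export OS_*=value` with no shell metacharacters, and an https OS_AUTH_URL). The sample files are constructed in a temporary directory from the admin-openrc content above; the `id > /tmp/sourced` line in the tampered sample is a hypothetical injected command. Note that the page's own admin-openrc uses `http://controller:5000/v3`, so the audit reports that as a finding: on a lab network that may be acceptable, in production the endpoint should be served over TLS.

```python
"""Parse and audit an OpenRC file such as admin-openrc without sourcing it.

Added example, not OpenStack code. Findings are conservative: any line that is
not `export OS_NAME=value`, or a value containing shell metacharacters, is
reported, because `source` would execute it.
"""
import os
import re
import stat
import tempfile

EXPORT_RE = re.compile(r"^export\s+(OS_[A-Z0-9_]+)=(.*)$")
SHELL_META = set("$`;&|<>()\\\n")

# Constructed from the admin-openrc shown on the page.
SAMPLE_ADMIN_OPENRC = """\
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
"""

# Hypothetical tampered copy: the appended line runs as a command when sourced.
SAMPLE_TAMPERED_OPENRC = SAMPLE_ADMIN_OPENRC + "id > /tmp/sourced\n"


def _unquote(value):
    """Strip one layer of matching single or double quotes."""
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
        return value[1:-1]
    return value


def parse_openrc(path):
    """Return the OS_* variables as a dict, never executing the file."""
    variables = {}
    with open(path) as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            match = EXPORT_RE.match(line)
            if match:
                variables[match.group(1)] = _unquote(match.group(2).strip())
    return variables


def audit_openrc(path):
    """Return a list of findings; an empty list means the file is safe to source."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("mode %o lets group/other read the password; use chmod 600" % mode)
    with open(path) as fh:
        for number, line in enumerate(fh, 1):
            line = line.strip()
            if not line or line.startswith("#"):
                continue
            match = EXPORT_RE.match(line)
            if not match:
                findings.append("line %d is not an export and would run as a command: %s" % (number, line))
                continue
            if SHELL_META & set(match.group(2)):
                findings.append("line %d: value of %s contains shell metacharacters" % (number, match.group(1)))
    if parse_openrc(path).get("OS_AUTH_URL", "").startswith("http://"):
        findings.append("OS_AUTH_URL is plain http; the password and tokens cross the network in clear text")
    return findings


def write_sample(content, mode=0o600):
    """Write a constructed OpenRC file to a temporary path with the given mode."""
    fd, path = tempfile.mkstemp(prefix="openrc-")
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    print(parse_openrc(write_sample(SAMPLE_ADMIN_OPENRC)))
    print(audit_openrc(write_sample(SAMPLE_ADMIN_OPENRC)))              # only the plain-http finding
    print(audit_openrc(write_sample(SAMPLE_ADMIN_OPENRC, mode=0o644)))  # adds the chmod finding
    print(audit_openrc(write_sample(SAMPLE_TAMPERED_OPENRC)))           # adds the injected-command finding
```

Running `audit_openrc("admin-openrc")` in the controller's home directory before each `source` is cheap; `parse_openrc()` is also the safe way for tooling to pick up the credentials without handing the file to a shell.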