1. Environment: create the database
NOTICE: the Identity service is installed only on the controller node.
1.1. Connect to the database server as root
$ mysql -u root -p
1.2. Create the keystone database
mysql> CREATE DATABASE keystone;
1.3. Grant proper access to the keystone database
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
mysql> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY 'KEYSTONE_DBPASS';
Replace KEYSTONE_DBPASS with a suitable password. Note that the second GRANT ('keystone'@'%') accepts this password from any host that can reach the database server; if the database listens on the network, restrict it to the controller host(s) instead.
2. Serve the Identity service with the Apache HTTP server and mod_wsgi
The Identity service is served on ports 5000 and 35357. By default the keystone service itself still listens on these ports, so the keystone service has to be disabled manually.
2.1. Install the keystone, httpd and mod_wsgi packages
# yum install openstack-keystone httpd mod_wsgi
2.2. Configure keystone: edit /etc/keystone/keystone.conf
[database]
...
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
...
provider = fernet
Replace KEYSTONE_DBPASS with the password chosen in 1.3, and comment out or remove any other connection options in the [database] section.
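The database password appears in two places on this page: the GRANT statements in 1.3 and the connection line in 2.2. The script below is an added example, not part of the OpenStack guide. It generates one password, renders both fragments from that single value so they cannot drift apart, and refuses the KEYSTONE_DBPASS placeholder and the '%' wildcard host. The host name controller is the one this page uses; the 32-character alphanumeric format is a choice made here so the value needs no URL-encoding inside the connection string.

```shell
#!/bin/sh
# Added example (not part of the OpenStack guide): derive the keystone
# database password once and render every place it must appear from it.

# 32 alphanumeric characters from the kernel CSPRNG. Alphanumeric only, so
# the value needs no URL-encoding in the keystone.conf connection string.
gen_db_password() {
  tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 32
}

# render_grants <password> <host>...
# Prints one GRANT per host. Refuses the guide's placeholder and the '%'
# wildcard host: 'keystone'@'%' lets any host that can reach the database
# try the password, so the controller host(s) are listed explicitly instead.
render_grants() {
  pass=$1; shift
  case "$pass" in
    ''|KEYSTONE_DBPASS) echo "refusing empty/placeholder password" >&2; return 1 ;;
  esac
  [ $# -gt 0 ] || { echo "no hosts given" >&2; return 1; }
  # Validate every host before printing anything, so a bad list yields no SQL.
  for host in "$@"; do
    if [ "$host" = '%' ]; then
      echo "refusing wildcard host '%'" >&2; return 1
    fi
  done
  for host in "$@"; do
    printf "GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%s' IDENTIFIED BY '%s';\n" \
      "$host" "$pass"
  done
}

# render_connection <password> <db-host>
# Prints the [database] connection line for /etc/keystone/keystone.conf.
render_connection() {
  printf 'connection = mysql+pymysql://keystone:%s@%s/keystone\n' "$1" "$2"
}

# Usage on the controller (controller is the host name this guide uses):
#   PASS=$(gen_db_password)
#   render_grants "$PASS" localhost controller | mysql -u root -p
#   render_connection "$PASS" controller   # paste into keystone.conf [database]
```

The password is printed only into the SQL and the config line; keep it out of shell history by running the two render calls inside a script rather than typing the value on the command line.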
2.3. Populate the Identity service database
# su -s /bin/sh -c "keystone-manage db_sync" keystone
2.4. Initialize the Fernet key repositories (token keys and credential keys)
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
2.5. Bootstrap the Identity service with keystone-manage bootstrap, passing ADMIN_PASS as the password of the admin user (replace ADMIN_PASS with a suitable password).
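Steps 2.3 to 2.5 as one script, followed by a check of what they leave behind. This is an added example, not the guide's own code. The keystone-manage bootstrap invocation is the standard one; its endpoint URLs assume the port split this page uses (admin on 35357, internal and public on 5000) and a region named RegionOne, neither of which the page states. check_key_repo is this example's own function: it verifies that each key repository is a mode-700 directory holding mode-600 key files, including key 0, which is what fernet_setup and credential_setup are expected to create under the default paths /etc/keystone/fernet-keys and /etc/keystone/credential-keys. The --apply argument is a convention of this script: without it, only the functions are defined and nothing touches the system.

```shell
#!/bin/sh
# Added example (not the guide's code): steps 2.3 to 2.5 in order, followed
# by a check of the key repositories keystone-manage created.
set -e

# check_key_repo <dir>
# Expects what fernet_setup/credential_setup leave behind: a mode-700
# directory holding mode-600 key files, at least key 0. Ownership is set by
# --keystone-user/--keystone-group and is not checked here.
# Prints the first problem found and returns 1; returns 0 when clean.
check_key_repo() {
  repo=$1
  [ -d "$repo" ] || { echo "$repo: missing"; return 1; }
  if [ -n "$(find "$repo" -maxdepth 0 ! -perm 700)" ]; then
    echo "$repo: directory mode is not 700"; return 1
  fi
  [ -f "$repo/0" ] || { echo "$repo: key 0 missing, run the *_setup command"; return 1; }
  bad=$(find "$repo" -maxdepth 1 -type f ! -perm 600)
  if [ -n "$bad" ]; then
    echo "$repo: key files that are not mode 600:"; echo "$bad"; return 1
  fi
  return 0
}

# bootstrap_identity: ADMIN_PASS is taken from the environment; the guide's
# placeholder and an empty value are refused so a fake admin password never
# reaches keystone.
bootstrap_identity() {
  case "${ADMIN_PASS:-}" in
    ''|ADMIN_PASS) echo "export ADMIN_PASS to a real admin password first" >&2; return 1 ;;
  esac
  su -s /bin/sh -c "keystone-manage db_sync" keystone
  keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
  keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
  # Standard bootstrap invocation. The URLs follow the port split of this
  # guide (admin 35357, internal/public 5000); RegionOne is an assumption.
  keystone-manage bootstrap --bootstrap-password "$ADMIN_PASS" \
    --bootstrap-admin-url http://controller:35357/v3/ \
    --bootstrap-internal-url http://controller:5000/v3/ \
    --bootstrap-public-url http://controller:5000/v3/ \
    --bootstrap-region-id RegionOne
  check_key_repo /etc/keystone/fernet-keys
  check_key_repo /etc/keystone/credential-keys
}

# Only run the real commands when invoked as: ./bootstrap.sh --apply
if [ "${1:-}" = "--apply" ]; then
  bootstrap_identity
fi
```

Run the repository check again after any later key rotation: a key file that is world-readable lets anyone on the controller mint valid Fernet tokens.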
3. Configure the HTTP server
3.1. Edit /etc/httpd/conf/httpd.conf and set ServerName to the controller node
ServerName controller
3.2. Create a link to /usr/share/keystone/wsgi-keystone.conf in the httpd configuration directory
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
3.3. Start the service and enable it at boot
# systemctl enable httpd.service
# systemctl start httpd.service
3.4. Configure the administrative account
$ export OS_USERNAME=admin
$ export OS_PASSWORD=ADMIN_PASS
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://controller:35357/v3
$ export OS_IDENTITY_API_VERSION=3
Replace ADMIN_PASS with the password used in keystone-manage bootstrap.
4. Create a domain, projects, users and roles
4.1. Create the service project (administrative, in the default domain)
# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | a997f8fe00ae4391965658b4487007a5 |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+
4.2. Routine (non-admin) tasks should use an unprivileged project and user. The following creates the unprivileged demo project, user and role (the demo project must exist before the role assignment in 4.3).
Create the demo user
# openstack user create --domain default \
> --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 34cbdbe2fd0344309d777f6da77d2f51 |
| name | demo |
| password_expires_at | None |
+---------------------+----------------------------------+
Create the user role
# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 2081a514bdbe4a16ad0f2e00933f4d06 |
| name | user |
+-----------+----------------------------------+
4.3. Add the user role to the demo project and user. The command produces no output on success.
# openstack role add --project demo --user demo user
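An added example (not the guide's code) that creates the resources of section 4 so the script can be rerun safely, including the demo project that 4.3 assigns the role to, and then confirms that the demo user holds nothing beyond the user role. The ensure and check_unprivileged functions and the --apply guard are this example's own; the CSV samples are constructed to follow the column layout of openstack role assignment list --names -f csv and were not captured from a real deployment.

```shell
#!/bin/sh
# Added example (not the guide's code): create the section-4 resources
# idempotently and confirm the demo user stays unprivileged.

# ensure <type> <name> <create args...>
# Creates the project/user/role only when `openstack <type> show` fails,
# so the script can be rerun without "already exists" errors.
ensure() {
  kind=$1; name=$2; shift 2
  openstack "$kind" show "$name" >/dev/null 2>&1 || openstack "$kind" create "$@" "$name"
}

# check_unprivileged <user@domain>
# Reads `openstack role assignment list --names -f csv` from stdin and
# returns 1 if the user holds any role other than "user" anywhere.
check_unprivileged() {
  extra=$(awk -F, -v u="$1" 'NR > 1 { gsub(/"/, ""); if ($2 == u && $1 != "user") print $1 }')
  if [ -n "$extra" ]; then
    echo "$1 holds privileged role(s): $(printf '%s' "$extra" | tr '\n' ' ')" >&2
    return 1
  fi
  return 0
}

# Constructed samples (not captured from a real cloud) in the column layout
# of `openstack role assignment list --names -f csv`.
SAMPLE_OK='"Role","User","Group","Project","Domain","Inherited"
"user","demo@Default","","demo@Default","","False"'
SAMPLE_BAD='"Role","User","Group","Project","Domain","Inherited"
"user","demo@Default","","demo@Default","","False"
"admin","demo@Default","","admin@Default","","False"'

# Only touch the cloud when invoked as: ./section4.sh --apply (after
# sourcing the admin credentials from 3.4).
if [ "${1:-}" = "--apply" ]; then
  ensure project service --domain default --description "Service Project"
  ensure project demo    --domain default --description "Demo Project"
  ensure user    demo    --domain default --password-prompt
  ensure role    user
  # Add the grant only if it is not already there.
  openstack role assignment list --user demo --project demo --names -f value -c Role \
    | grep -qx user || openstack role add --project demo --user demo user
  # Verify every assignment of demo, in any project or domain.
  openstack role assignment list --user demo --names -f csv | check_unprivileged demo@Default
fi
```

The final check is the one worth keeping in a periodic audit: a demo user that silently acquires admin in some other project is exactly the drift the unprivileged/admin split is meant to prevent.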
5. Verify the Identity service
5.1. For security reasons, disable the temporary authentication token mechanism: edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
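An added example (not the guide's code) that performs the edit above on exactly the three named pipelines and counts what remains, so the change can be verified before httpd is restarted. SAMPLE_PASTE is a constructed, shortened excerpt in the shape of an Ocata keystone-paste.ini, not a copy of the installed file; admin_token_auth_count and strip_admin_token_auth are this example's own functions.

```shell
#!/bin/sh
# Added example (not the guide's code): remove admin_token_auth from the
# three pipelines named in 5.1 and verify nothing is left behind.

# admin_token_auth_count <ini>
# Counts pipeline lines that still contain admin_token_auth. The
# [filter:admin_token_auth] definition is not a pipeline and is not
# counted; only its use in a pipeline enables the mechanism.
admin_token_auth_count() {
  grep -c '^pipeline[[:space:]]*=.*admin_token_auth' "$1" || true
}

# strip_admin_token_auth <in-ini> <out-ini>
# Removes the admin_token_auth filter from the pipeline line of
# [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] only;
# every other line is copied unchanged.
strip_admin_token_auth() {
  awk '
    /^\[/ { sect = $0 }
    (sect == "[pipeline:public_api]" || sect == "[pipeline:admin_api]" || sect == "[pipeline:api_v3]") && /^pipeline[ \t]*=/ {
      gsub(/[ \t]admin_token_auth[ \t]/, " ")
      gsub(/[ \t]admin_token_auth$/, "")
    }
    { print }
  ' "$1" > "$2"
}

# Constructed, shortened excerpt in the shape of an Ocata keystone-paste.ini
# (not the installed file), used to exercise the functions offline.
SAMPLE_PASTE='[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3

[filter:admin_token_auth]
use = egg:keystone#admin_token_auth'

# Usage on the controller (keystone runs under httpd, so httpd must be
# restarted to load the new pipeline):
#   strip_admin_token_auth /etc/keystone/keystone-paste.ini /etc/keystone/keystone-paste.ini.new
#   admin_token_auth_count /etc/keystone/keystone-paste.ini.new   # must print 0
#   cp /etc/keystone/keystone-paste.ini.new /etc/keystone/keystone-paste.ini   # cp keeps owner/mode of the original
#   systemctl restart httpd.service
```

Copying over the original with cp rather than mv keeps the file's owner, mode and SELinux context, which matters for a file httpd has to read.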
5.2. Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables
# unset OS_AUTH_URL OS_PASSWORD
5.3. As the admin user (the admin user, project and domain configured in 3.4), request an authentication token
# The admin user authenticates on port 35357
# openstack --os-auth-url http://controller:35357/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name admin --os-username admin token issue
+------------+---------------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------------+
| expires | 2017-07-19 09:16:40+00:00 |
| id | gAAAAABZbxVo13JGxGfS0QZ2Q2iqUywKrhLSBuSp5BI-ZZt6PZ53OnmaJVA_mdftbIz |
| | aDEOotDppZiqBXeXIPPBVcW4LpDSR7FLGNjxqP1qaEIbnULZVr8e2e4EyC06ECrCqpL |
| | yutgoqfDEsRY08bLDzPWdSsVRB2Daj97m-LRS0Gtxsj_IWmVQ |
| project_id | 2ca49bfa14cb4229b8cc868ea0eede81 |
| user_id | 79527f3483c644508ff7827745ac45d7 |
+------------+---------------------------------------------------------------------+
5.4. As the demo user, request an authentication token
# The unprivileged account authenticates on port 5000 (the public Identity service API)
# openstack --os-auth-url http://controller:5000/v3 \
> --os-project-domain-name Default --os-user-domain-name Default \
> --os-project-name demo --os-username demo token issue
+------------+---------------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------------+
| expires | 2017-07-19 09:14:43+00:00 |
| id | gAAAAABZbxTzCV-XWbzF6g0EXglacJFjdTHJzwcLVSKL4q_dR_4f5HzCKxXgMpCjzyS |
| | SS_7FnBWbVkzBy5IuyXD50eDSlDncm_9DXjtvP-rQthKdU4obR6g4_qkwu6OLtt4iip |
| | wcFjdUS0GJN1lsoARHp0GaOMOGjeNeDtN4Pk519r_EMmHMGaE |
| project_id | fad24fcce9944b42a7676b5cfbc1f84b |
| user_id | 34cbdbe2fd0344309d777f6da77d2f51 |
+------------+---------------------------------------------------------------------+
6. Create OpenStack client environment scripts
The previous section (requesting authentication tokens) used a combination of environment variables and command options to interact with the Identity service through the openstack client. To make client operations more efficient, OpenStack supports simple client environment scripts, also known as OpenRC files. These scripts typically contain the options common to all clients, but also support client-specific options.
6.1. Create the scripts
6.1.1. Edit the admin-openrc file and add the following (ADMIN_PASS is the password used in keystone-manage bootstrap)
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
6.1.2. Edit the demo-openrc file and add the following (DEMO_PASS is the password set for the demo user in 4.2)
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
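The two OpenRC files above hold a cleartext password, so how they are created matters as much as what they contain. The script below is an added example, not the guide's code: write_openrc produces a file in the layout of 6.1.1 and 6.1.2 under umask 077 and refuses the ADMIN_PASS and DEMO_PASS placeholders, and check_openrc verifies that an existing file is mode 600, contains no placeholder, and that a non-admin file uses the public endpoint on port 5000 rather than the admin port 35357, following the split this page uses. Both function names and the argument order are this example's own.

```shell
#!/bin/sh
# Added example (not the guide's code): create and check OpenRC files.

# write_openrc <path> <project> <user> <password> <auth_url>
# Writes an OpenRC file in the layout of 6.1.1/6.1.2. It is created under
# umask 077 and then chmod 600, so the cleartext password is never readable
# by other users; the guide's placeholders are refused.
write_openrc() {
  path=$1; project=$2; user=$3; pass=$4; url=$5
  case "$pass" in
    ''|ADMIN_PASS|DEMO_PASS) echo "$path: refusing empty/placeholder password" >&2; return 1 ;;
    *\'*) echo "$path: password must not contain a single quote" >&2; return 1 ;;
  esac
  ( umask 077
    cat > "$path" <<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=$project
export OS_USERNAME=$user
export OS_PASSWORD='$pass'
export OS_AUTH_URL=$url
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
  ) && chmod 600 "$path"
}

# check_openrc <path>
# Returns 1 unless the file is mode 600, carries no placeholder password and,
# for any user other than admin, uses the public endpoint (port 5000) rather
# than the admin endpoint (port 35357) this guide reserves for admin.
check_openrc() {
  path=$1
  [ -f "$path" ] || { echo "$path: missing"; return 1; }
  if [ -n "$(find "$path" ! -perm 600)" ]; then
    echo "$path: mode is not 600"; return 1
  fi
  if grep -Eq '^export OS_PASSWORD=.?(ADMIN_PASS|DEMO_PASS).?$' "$path"; then
    echo "$path: placeholder password"; return 1
  fi
  user=$(sed -n 's/^export OS_USERNAME=//p' "$path")
  if [ "$user" != admin ] && grep -q ':35357/' "$path"; then
    echo "$path: user $user points at the admin endpoint (35357)"; return 1
  fi
  return 0
}

# Usage (DEMO_PASS exported beforehand, never typed on the command line):
#   write_openrc ./demo-openrc demo demo "$DEMO_PASS" http://controller:5000/v3
#   check_openrc ./demo-openrc && . ./demo-openrc
```

Running check_openrc before sourcing a file is cheap and catches the common case of an OpenRC file copied between hosts with default 644 permissions.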
6.2. Use the scripts
To run clients as a specific project and user, load the associated client environment script before running them.
6.2.1. Load admin-openrc to populate the environment variables with the Identity service location and the admin project and user credentials
# source admin-openrc
6.2.2. Request an authentication token
# openstack token issue
+------------+---------------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------------+
| expires | 2017-07-19 09:12:06+00:00 |
| id | gAAAAABZbxRWtNC9-zJAWtL3Ws_2t5OQ4GBWdkQ16zMa7Srdt42dyFY9MoGkhL112MN |
| | Rszbaf3b_afP1piwQshtxsXXgik5vYOBvqsW-p_S9FE7bPSjvYAawo571RMokb4NTbH |
| | bTyf2h7GYlo6Kwv1PdS403_rp8Kxu5cPLcJ3pAw_a5Fqk9OK0 |
| project_id | 2ca49bfa14cb4229b8cc868ea0eede81 |
| user_id | 79527f3483c644508ff7827745ac45d7 |
+------------+---------------------------------------------------------------------+
6.2.3. Load demo-openrc to populate the environment variables with the Identity service location and the demo project and user credentials
# source demo-openrc
6.2.4. Request an authentication token
# openstack token issue
+------------+---------------------------------------------------------------------+
| Field | Value |
+------------+---------------------------------------------------------------------+
| expires | 2017-07-19 09:13:23+00:00 |
| id | gAAAAABZbxSjtPf7G_7wEH5U9f3jEQ_JpkFZA0Ym0WHTdzJuuXMi_- |
| | SJNUKF3m8ceFE7NE-05f35e-c220TdDOKdJot02q2SKeRO5RDzVmA5kZvPv1Erx4sfw |
| | r0TupKfQxP7ToP4reJu9Z2ZM3qxcsB9X0OUDJkU5Jx6EiXKWnxaL75WlwoAlCg |
| project_id | fad24fcce9944b42a7676b5cfbc1f84b |
| user_id | 34cbdbe2fd0344309d777f6da77d2f51 |
+------------+---------------------------------------------------------------------+