Deploying OpenStack: adding the Identity service
This chapter describes how to install and configure the OpenStack Identity service, code-named keystone, on the controller node. For performance, the configuration serves requests through the Apache HTTP server (mod_wsgi) and uses the Fernet token provider, so tokens are signed with keys on disk and are never stored in the SQL database. The steps follow the newer install guides that use keystone-manage bootstrap; the Liberty guide referenced at the end of this page used a static admin token and Memcached-backed tokens instead, which is why some of its wording differs from what is actually configured here.
Prerequisites
Before you configure the OpenStack Identity service, you must create its database. The administrative password is set later by keystone-manage bootstrap; no static admin token is needed.
Log in to MySQL, create the keystone database and grant the keystone user the appropriate privileges on it. The passwords below (123456 for root, keystone for the keystone user) are placeholders for a lab; use strong ones in a real deployment, and note that a password given on the command line with -p ends up in the shell history and is visible in ps while the command runs:
[root@Controller-Node ~]# mysql -uroot -p123456 -e "Create database keystone;"
[root@Controller-Node ~]# mysql -uroot -p123456 -e "grant all privileges on keystone.* to 'keystone'@'%' identified by 'keystone'"
[root@Controller-Node ~]# mysql -uroot -p123456 -e "grant all privileges on keystone.* to 'keystone'@'localhost' identified by 'keystone'"
[root@Controller-Node ~]#
I. Install and configure the components
1. Install the packages:
[root@Controller-Node ~]# yum install openstack-keystone httpd mod_wsgi -y
2. Edit /etc/keystone/keystone.conf and complete the following changes (replace 10.20.9.13 with the controller's management address). The plain mysql:// scheme requires the MySQL-python driver; the RDO guides for the releases that ship keystone-manage bootstrap use mysql+pymysql://keystone:keystone@10.20.9.13/keystone with the python2-PyMySQL package instead, so pick whichever driver is installed:
[root@Controller-Node ~]# vim /etc/keystone/keystone.conf
[database]
connection = mysql://keystone:keystone@10.20.9.13/keystone
[token]
provider=fernet
3. Populate the Identity service database (run as the keystone user so the migration does not create files owned by root) and confirm that the keystone database now exists:
[root@Controller-Node ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@Controller-Node ~]# mysql -uroot -p
Enter password:
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.00 sec)
4. Initialize the Fernet key repositories. fernet_setup creates /etc/keystone/fernet-keys with the staged key 0 and the primary key 1, credential_setup creates /etc/keystone/credential-keys; both directories must stay owned by keystone:keystone with mode 0700, and anyone who can read them can forge tokens:
[root@Controller-Node ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@Controller-Node ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
5. Bootstrap the Identity service. This creates the default domain, the admin user, project and role, the identity service entry and its three endpoints in RegionOne. The admin password (123456 here) is set at this step; replace it with a strong one in a real deployment:
keystone-manage bootstrap --bootstrap-password 123456 \
--bootstrap-admin-url http://10.20.9.13:35357/v3/ \
--bootstrap-internal-url http://10.20.9.13:5000/v3/ \
--bootstrap-public-url http://10.20.9.13:5000/v3/ \
--bootstrap-region-id RegionOne
Executed as follows (the command prints nothing on success):
[root@Controller-Node ~]# keystone-manage bootstrap --bootstrap-password 123456 \
> --bootstrap-admin-url http://10.20.9.13:35357/v3/ \
> --bootstrap-internal-url http://10.20.9.13:5000/v3/ \
> --bootstrap-public-url http://10.20.9.13:5000/v3/ \
> --bootstrap-region-id RegionOne
[root@Controller-Node ~]#
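Steps 4 and 5 above leave the most sensitive material of this service on disk: the Fernet and credential key repositories under /etc/keystone. The shell function below is an added example, not part of the original page or of keystone itself; it audits such a repository the way an operator would before handing the service to Apache (directory mode 0700 and key files 0600, both owned by the keystone user and group, staged key 0 present, a higher-numbered primary key present, no stray files). The function name, its numeric uid/gid arguments and the GNU stat dependency (CentOS/RHEL coreutils) are this example's own assumptions.

```shell
#!/bin/sh
# Added example: audit a keystone Fernet or credential key repository.
# audit_key_repo DIR UID GID
#   - DIR exists, mode 0700, owned by UID:GID
#   - every entry is a numeric key file, mode 0600, owned by UID:GID, non-empty
#   - key "0" (the staged key) exists and a higher-numbered primary key exists
# Prints one line per finding; the return value is the number of findings
# (0 = clean, 1 and a message if DIR is missing). Requires GNU stat.
audit_key_repo() {
  dir=$1
  want_uid=$2
  want_gid=$3
  findings=0
  if [ ! -d "$dir" ]; then
    echo "FAIL: $dir does not exist (run keystone-manage fernet_setup / credential_setup)"
    return 1
  fi
  # mode, owner uid and group gid of the directory itself
  set -- $(stat -c '%a %u %g' "$dir")
  if [ "$1" != "700" ]; then
    echo "FAIL: $dir mode is $1, expected 700"; findings=$((findings + 1))
  fi
  if [ "$2" != "$want_uid" ] || [ "$3" != "$want_gid" ]; then
    echo "FAIL: $dir owned by $2:$3, expected $want_uid:$want_gid"; findings=$((findings + 1))
  fi
  have_staged=0
  primary=-1
  for f in "$dir"/*; do
    [ -e "$f" ] || continue            # empty directory: the glob did not expand
    name=${f##*/}
    case $name in
      *[!0-9]*)
        echo "FAIL: unexpected entry $f in key repository"; findings=$((findings + 1))
        continue ;;
    esac
    # mode, owner uid, group gid and size of the key file
    set -- $(stat -c '%a %u %g %s' "$f")
    if [ "$1" != "600" ]; then
      echo "FAIL: $f mode is $1, expected 600"; findings=$((findings + 1))
    fi
    if [ "$2" != "$want_uid" ] || [ "$3" != "$want_gid" ]; then
      echo "FAIL: $f owned by $2:$3, expected $want_uid:$want_gid"; findings=$((findings + 1))
    fi
    if [ "$4" -eq 0 ]; then
      echo "FAIL: $f is empty"; findings=$((findings + 1))
    fi
    [ "$name" = "0" ] && have_staged=1
    [ "$name" -gt "$primary" ] && primary=$name
  done
  if [ "$have_staged" -eq 0 ]; then
    echo "FAIL: no staged key '0' in $dir"; findings=$((findings + 1))
  fi
  if [ "$primary" -lt 1 ]; then
    echo "FAIL: no primary key (highest-numbered file) in $dir"; findings=$((findings + 1))
  fi
  [ "$findings" -eq 0 ] && echo "OK: $dir (primary key $primary, staged key 0)"
  return "$findings"
}
```

On the controller, run it as root for both repositories: audit_key_repo /etc/keystone/fernet-keys "$(id -u keystone)" "$(id -g keystone)" and the same for /etc/keystone/credential-keys. Keys are rotated later with keystone-manage fernet_rotate; a rotation job run as the wrong user silently changes the ownership of the new key file, which is exactly the condition this check reports.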
II. Configure the Apache HTTP server
1. Edit /etc/httpd/conf/httpd.conf and set the ServerName option to the controller node:
[root@Controller-Node ~]# vim /etc/httpd/conf/httpd.conf
ServerName 10.20.9.13:80
2. Create a link to the /usr/share/keystone/wsgi-keystone.conf file (it defines the VirtualHosts on ports 5000 and 35357 that run keystone under mod_wsgi as the keystone user):
[root@Controller-Node ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
3. Finish the installation: enable the Apache service at boot and start it:
[root@Controller-Node ~]# systemctl enable httpd.service
[root@Controller-Node ~]# systemctl start httpd.service
4. Configure the administrative account. These variables let the openstack client authenticate as the admin user created by bootstrap, using the admin endpoint on port 35357:
$ export OS_USERNAME=admin
$ export OS_PASSWORD=123456
$ export OS_PROJECT_NAME=admin
$ export OS_USER_DOMAIN_NAME=Default
$ export OS_PROJECT_DOMAIN_NAME=Default
$ export OS_AUTH_URL=http://10.20.9.13:35357/v3
$ export OS_IDENTITY_API_VERSION=3
III. Create projects, users and roles
1. Create the service project, which the other OpenStack services will use for their own accounts:
#openstack project create --domain default --description "Service Project" service
[root@Controller-Node ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 13a653102f284955b0851ad277c99691 |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+
[root@Controller-Node ~]#
2. Create the demo project
Regular tasks should not use a privileged project or user. As an example, this guide creates a demo project and a demo user.
#openstack project create --domain default --description "Demo Project" demo
[root@Controller-Node ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 681e7fe667e74326b781c9d2107b04e6 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
[root@Controller-Node ~]#
3. Create the demo user (the password, demo in this guide, is entered at the prompt rather than on the command line so it does not land in the shell history):
#openstack user create --domain default --password-prompt demo
[root@Controller-Node ~]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | f32cf3d3347d4c0ea805311397bc44d0 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@Controller-Node ~]#
4. Create the user role:
#openstack role create user
[root@Controller-Node ~]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 579b5a803cde48b19c3e531d6a97fadb |
| name | user |
+-----------+----------------------------------+
[root@Controller-Node ~]#
5. Assign the user role to the demo user in the demo project (the command produces no output):
#openstack role add --project demo --user demo user
[root@Controller-Node ~]# openstack role add --project demo --user demo user
IV. Verify the installation
For security reasons, disable the temporary authentication-token mechanism: the admin_token_auth paste filter lets any request carrying the static admin_token from keystone.conf act as admin, bypassing the normal authentication.
1. Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections. Check first with grep -n admin_token_auth /etc/keystone/keystone-paste.ini: on releases new enough to ship keystone-manage bootstrap and credential_setup the default pipelines may no longer contain the filter, in which case there is nothing to remove. After any edit, restart httpd so that mod_wsgi reloads the pipeline.
2. Unset the temporary OS_AUTH_URL and OS_PASSWORD environment variables:
[root@Controller-Node ~]# unset OS_AUTH_URL OS_PASSWORD
3. As the admin user, request an authentication token (password 123456). With OS_PASSWORD unset the client prompts for it:
openstack --os-auth-url http://10.20.9.13:35357/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name admin --os-username admin token issue
Executed as follows:
[root@Controller-Node ~]# openstack --os-auth-url http://10.20.9.13:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-10-09T07:19:44+0000 |
| id | gAAAAABbvEiA4RjUdYMbpajULcMQLCGQ8ooP4hGEXkiTyxVXwOL3DFJzZTQKld8IAsgqB-SyFgZqPqedr2vTku8WvwKOl1dB1Tf6eViNmZsdgFQcwJS6ywVkXTDi5fA7Cg6oLAdF- |
| | AQiX25iaGdA1YUO2RWXPQjZu9F4c4HS9Oy2qogGDFQVt2M |
| project_id | 6effb77cf0ba48a7a65a2c2235bbb726 |
| user_id | 4483b19e82e94d9888962f09b05ef178 |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@Controller-Node ~]#
4. As the demo user, request an authentication token (the password demo set above). This goes through the public endpoint on port 5000, which is all a regular user needs:
openstack --os-auth-url http://10.20.9.13:5000/v3 \
--os-project-domain-name default --os-user-domain-name default \
--os-project-name demo --os-username demo token issue
Executed as follows:
[root@Controller-Node ~]# openstack --os-auth-url http://10.20.9.13:5000/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name demo --os-username demo token issue
Password:
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-10-09T07:21:40+0000 |
| id | gAAAAABbvEj0ymfdS3cGYifJj9SCQEsDWkK7gexsdfu9wPWq7ilBiT6UWPoDv3AIF65IVtQG5X8XQT3wJ1wNq6sNmGGf7_kWNmVq7YmdxlsjMxetq1IY-_lla9Pho- |
| | 3KlsYkRS1sTiSTwihlKVJKl_5_7c3INV-EbHCXlHGRLVUrr35R8ok71Vc |
| project_id | 681e7fe667e74326b781c9d2107b04e6 |
| user_id | f32cf3d3347d4c0ea805311397bc44d0 |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@Controller-Node ~]#
V. Create the OpenStack client environment scripts
The previous sections used a combination of environment variables and command-line options to talk to the Identity service. To make this more efficient and convenient, we create scripts that set these variables for later operations. The scripts cover the common options and can be extended with custom ones. Because they contain passwords in clear text, keep them mode 0600 and out of version control; alternatively leave the OS_PASSWORD line out, in which case the openstack client prompts for the password, as seen in the verification section.
Create the scripts
1. Create and edit the admin-openrc.sh file and add the following content:
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://10.20.9.13:35357/v3
export OS_IDENTITY_API_VERSION=3
2. Create and edit the demo-openrc.sh file and add the following content (the demo user only needs the public endpoint on port 5000):
export OS_PROJECT_DOMAIN_ID=default
export OS_USER_DOMAIN_ID=default
export OS_PROJECT_NAME=demo
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://10.20.9.13:5000/v3
export OS_IDENTITY_API_VERSION=3
3. Use the scripts
Source the script file to load the environment variables into the current shell:
[root@Controller-Node ~]# . admin-openrc.sh
4. Request an authentication token; with the variables loaded no options or password prompt are needed:
[root@Controller-Node ~]# openstack token issue
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-10-09T07:30:46+0000 |
| id | gAAAAABbvEsWBtoHWT5Ww8OyZ-DriQuSL6GlWhkL4LqCk_LfYVWxChafe5dHjEu9ZsrY9jdym8UtidF9SlfZGDrDrC1E_nRBitxFWkKZRVoXYFgAtCMgt8rC_zoH3Yy_suAeIpgS4u_oJFSurRiHM- |
| | rWf9IVPPJD-F2lRUUBSf37ft87xp6jWxE |
| project_id | 6effb77cf0ba48a7a65a2c2235bbb726 |
| user_id | 4483b19e82e94d9888962f09b05ef178 |
+------------+--------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@Controller-Node ~]#
This completes the deployment of the OpenStack Identity service.
Reference: https://docs.openstack.org/liberty/zh_CN/install-guide-rdo/keystone.html