简介
keystone作为openstack的认证服务,有很多组件都需要于keystone交互,所以我们首先来部署keystone组件。
创建数据库
下边需要创建一个keystone数据库,并进行授权
$ mysql -u root -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS'; #指定本机
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
安装配置
# yum install openstack-keystone httpd mod_wsgi
修改/etc/keystone/keystone.conf,此为keystone的配置文件,在其中指定连接的mysql
[database]
connection = mysql+pymysql://keystone:keystone@192.168.46.130/keystone
[token]
# ...
provider = fernet
初始化
- 初始化keystone数据库
# su -s /bin/sh -c "keystone-manage db_sync" keystone
执行完初始化后,会在keystone中创建一些数据表
- 初始化密钥库
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
初始化完成后会在/etc/keystone/下生成两个密钥的目录
- 启动服务
keystone-manage bootstrap --bootstrap-password admin \
--bootstrap-admin-url http://192.168.46.130:35357/v3/ \
--bootstrap-internal-url http://192.168.46.130:5000/v3/ \
--bootstrap-public-url http://192.168.46.130:5000/v3/ \
--bootstrap-region-id RegionOne
此处指定了keystone的35357和5000端口,这是keystone的默认的两个端口,为后续其他组件与keystone交互使用。
安装HTTP server
keystone需要用到Apache HTTP server,之前我们已经安装过了,在此进行配置,编辑 /etc/httpd/conf/httpd.conf
ServerName 192.168.46.130:80
创建/usr/share/keystone/wsgi-keystone.conf的软连接
# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
/usr/share/keystone/wsgi-keystone.conf是keystone生效的配置(内容如下),涉及到两个端口,下边启动httpd服务以后,会开始监听5000和35357两个端口
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone.log
CustomLog /var/log/httpd/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone.log
CustomLog /var/log/httpd/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
- 启动httpd服务
# systemctl enable httpd.service
# systemctl start httpd.service
- 设置环境变量
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.46.130:35357/v3
export OS_IDENTITY_API_VERSION=3
通过以上的配置,keystone组件就安装完成了,下边我们在keystone中创建project、user和role
创建domain、projects、users 和roles
- 创建project:service
$ openstack project create --domain default \
--description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 24ac7f19cd944f4cba1d77469b2a73ed |
| is_domain | False |
| name | service |
| parent_id | default |
+-------------+----------------------------------+
- 创建project:demo
$ openstack project create --domain default \
--description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 231ad6e7ebba47d6a1e57e1cc07ae446 |
| is_domain | False |
| name | demo |
| parent_id | default |
+-------------+----------------------------------+
- 创建user:demo
$ openstack user create --domain default \
--password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | aeda23aa78f44e859900e22c24817832 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
- 创建role:user
$ openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 997ce8d05fc143ac97d83fdfb5998552 |
| name | user |
+-----------+----------------------------------+
- 设置demo用户为user角色并添加到demo项目中
$ openstack role add --project demo --user demo user
经过上边的操作可能有点懵,现在解释以下,在keystone中有三个名词,分别为project(可以称为项目,之前叫tenument租户),user(用户),role(角色)。以上三个名词可以做如下理解,user就是用户,用来登录openstack的,可以在openstack上做一些操作,但是不同的用户应该有不同的操作权限,所以就有了role,角色的称呼,每个用户可以分配到一个角色里,每个角色的权限是不一样的。为了对用户进行管理,就把每个用户放到了project中,每个project中可能有多个用户。所以project相当于我们公司的部门,role相当于员工的角色,不同角色权限不一样,user就相当于公司员工了。
验证操作
经过以上的部署,下边验证下keystone的部署是否成功。之前我们设置了一堆环境变量,如下:
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://192.168.46.130:35357/v3
export OS_IDENTITY_API_VERSION=3
这些环境变量我们可以不用设置,但是在执行openstack的时候需要指定,像如下的操作
$ openstack --os-auth-url http://192.168.46.130:35357/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name admin --os-username admin token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:14:07.056119Z |
| id | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
| | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
| | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws |
| project_id | 343d245e850143a096806dfaefa9afdc |
| user_id | ac3377633149401296f6c0d92d79dc16 |
+------------+-----------------------------------------------------------------+
以上操作是admin用户向keystone发起请求,keystone返回一个token
如下验证刚才创建的demo用户
$ openstack --os-auth-url http://192.168.46.130:5000/v3 \
--os-project-domain-name Default --os-user-domain-name Default \
--os-project-name demo --os-username demo token issue
Password:
+------------+-----------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------+
| expires | 2016-02-12T20:15:39.014479Z |
| id | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
| | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
| | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U |
| project_id | ed0b60bf607743088218b0a533d5943f |
| user_id | 58126687cbcc4888bfa9ab73a2256f27 |
+------------+-----------------------------------------------------------------+
如果以上的操作都正常执行,则说明keystone我们已经成功部署完成了
设置环境变量脚本
上边向keystone发起请求每次都需要设置很多参数,其实在openstack的其他组件与keystone交互时,要求我们首先应该设置一系列的环境变量,不需要再指定众多参数
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.46.130:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
我们把以上内容保存到admin-openstack.sh,以后每次开始使用keystone认证时执行下source admin-openstack.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.46.130:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
以上内容保存到demo-openstack.sh,我想大家应该也发现了,上边的admin用户使用的OS_AUTH_URL=http://192.168.46.130:35357/v3。demo用户使用的是OS_AUTH_URL=http://192.168.46.130:5000/v3,这就是keystone提供两个端口的用处,不同的用户可以使用两个端口中的任何一个,至于使用那个端口,应该看用户的使用权限。
至此keystone组件就部署完成了。