关闭

Swift和keystone认证服务器结合实现多租户

标签: OpenStackSwiftKeystoneCentos
1731人阅读 评论(4) 收藏 举报
分类:

Swift和keystone认证服务器结合实现多租户

      

本例所有的操作都是以root权限进行。

一、       选择一台计算机认证服务器,设IP地址为:192.168.56.141,然后在此计算机上执行以下操作:

1.安装mysql

yum -y install mysql mysql-serverMySQL-python

修改 /etc/my.cnf 设置bind-address = 192.168.56.141

service mysqldstart

chkconfig mysqldon

执行mysql_secure_installation 设置root不允许远程连接,删除ananymous帐户等。

2.安装keysone,执行以下命令

yum -y installhttp://repos.fedorapeople.org/repos/openstack/openstack-havana/rdo-release-havana-6.noarch.rpm

yum -y  installhttp://dl.fedoraproject.org/pub/epel/6/x86_64/epel-release-6-8.noarch.rpm

yum -y installopenstack-utils

yum -y installopenstack-keystone python-keystoneclient


openstack-config--set /etc/keystone/keystone.conf \

   sql connection mysql://keystone:KEYSTONE_DBPASS@192.168.56.141/keystone

openstack-db--init --service keystone --password KEYSTONE_DBPASS

 

#生成ADMIN_TOKEN

ADMIN_TOKEN=$(opensslrand -hex 10)

openstack-config--set /etc/keystone/keystone.conf DEFAULT  admin_token $ADMIN_TOKEN

#设置PKI

keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

chown -R keystone:keystone /etc/keystone/* /var/log/keystone/keystone.log

 

export OS_SERVICE_TOKEN=${ADMIN_TOKEY}

export OS_SERVICE_ENDPOINT=http://192.168.56.141:35357/v2.0

echo "exportOS_SERVICE_TOKEN=${ADMIN_TOKEN}" >> ~/.bash_profile

echo "exportOS_SERVICE_ENDPOINT=http://192.168.56.141:35357/v2.0" >>~/.bash_profile

echo "exportADMIN_TOKEY=${ADMIN_TOKEN}" >> ~/.bash_profile

 

#以下是建立Swift管理帐户

keystone tenant-create --name=admin --description="Admin Tenant"

keystone tenant-create --name=service --description="Service Tenant"

keystone user-create --name=admin --pass=ADMIN_PASS --email=admin@example.com

keystone role-create --name=admin

keystone user-role-add --user=admin --tenant=admin --role=admin

 

keystone service-create --name=keystone --type=identity \

  --description="Keystone IdentityService"

 

#service-id = theabove id

keystoneendpoint-create \

  --service-id=514b72d52aaf41b8a33309dc070549e2  \

--publicurl=http:// 192.168.56.141:5000/v2.0   \

--internalurl=http:// 192.168.56.141:5000/v2.0 \

 --adminurl=http:// 192.168.56.141:35357/v2.0

 

#以下为swift所有

 

#首先建立可以连接swift的角色

keystone role-create --name swiftDevRole

#分别建立两个租户,每个租户建立一个用户。并分配swiftDevRole权限。

keystone tenant-create --name swiftUser1Tenant --description " swiftUser1Tenant " --enabled true

keystone user-create --name=swiftUser1 --pass=swiftUser1Password

keystone user-role-add--user=swiftUser1 --tenant=swiftUser1Tenant --role=swiftDevRole

keystone tenant-create  --name swiftUser2Tenant --description " swiftUser2Tenant " --enabled true

keystone user-create --name=swiftUser2 --pass=swiftUser2Password

keystone user-role-add --user=swiftUser2 --tenant=swiftUser2Tenant --role=swiftDevRole

#创建访问点192.168.56.110为proxy结点的IP地址,8080为proxy的监听地址。

keystone service-create --name=Swift --type=object-store --description="SwiftObject Store Service"

keystone endpoint-create --region RegionOne --service_id above_service_id   --publicurl 'http://192.168.56.110:8080/v1/AUTH_$(tenant_id)s'   --adminurl'http://192.168.56.110:8080/'   --internalurl 'http://192.168.56.110:8080/v1/AUTH_$(tenant_id)s'

二、在认证服务器上执行以下操作:

1.安装keystone客户端

2.修改 /etc/swift/proxy-server.conf

把pipeline = healthcheck proxy-logging cache tempauthproxy-logging proxy-server改成

pipeline =healthcheck proxy-logging cache authtoken keystoneauth proxy-loggingproxy-server,主要是把tempauth改成authtoken keystoneauth。

在最后增加以下内容(其中192.168.56.141为认证服务器地址, admin_token去认证服务器/etc/keystone/keystone.conf里的配置,用$(openssl rand -hex 10)生成的):

 

[filter:keystoneauth]

use =egg:swift#keystoneauth

operator_roles = swiftDevRole

#reseller_prefix =AUTH_

 

[filter:authtoken]

paste.filter_factory= keystoneclient.middleware.auth_token:filter_factory

# Delaying theauth decision is required to support token-less

# usage foranonymous referrers ('.r:*').

delay_auth_decision= true

# cache directoryfor signing certificate

#signing_dir =/home/swift/keystone-signing

# auth_* settingsrefer to the Keystone server

auth_protocol =http

auth_host =192.168.56.141

auth_port = 35357

# the sameadmin_token as provided in keystone.conf

admin_token =59735dd68a60227bf328

# the servicetenant and swift userid and password created in Keystone

#admin_tenant_name= service

#admin_user = admin

#admin_password =ADMIN_PASS

service_host =192.168.56.141

service_port =5000


#3.重新启动proxy server

service openstack-swift-proxy restart

 

三、执行验证操作,以下的命令—V 2 不可缺少,否则会出错,并且Swift命令都是小写。

 

#用第一个帐户登录

Swift –V 2 –A http://192.168.56.141:5000/v2.0 –U swiftUser1Tenant:swiftUser1 –K userUser1Password stat

#显示没有内容

Swift –V 2 –A http://192.168.56.141:5000/v2.0 –U swiftUser1Tenant:swiftUser1 –K swiftUser1Password post test

Swift –V 2 –A http://192.168.56.141:5000/v2.0 –U swiftUser1Tenant:swiftUser1 –K swiftUser1Password list

 

#用第二个帐户登录

Swift –V 2 –A http://192.168.56.141:5000/v2.0 –U swiftUser2Tenant:swiftUser2 –K swiftUser2Password stat

#显示没有内容,看不到第一个租户内的内容。

Swift –V 2 –A http://192.168.56.141:5000/v2.0 –U swiftUser1Tenant:swiftUser2 –K swiftUser2Password list

Swift –V 2 –A http://192.168.56.141:5000/v2.0 –U swiftUser1Tenant:swiftUser2 –K swiftUser2Password post test2


#然后在认证服务器上为租户1创建另一个用户。

keystone user-create --name=swiftUser11 --pass=swiftUser11Password

keystone user-role-add --user=swiftUser11 --tenant=swiftUser1Tenant --role=swiftDevRole

 

#在有swift客户端的结点执行

Swift –V 2 –A http://192.168.56.141:5000/v2.0 –U swiftUser1Tenant:swiftUser11 –K swiftUser11Password list

#可以看到,和swiftUser2看到的内容相同。

0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:46813次
    • 积分:750
    • 等级:
    • 排名:千里之外
    • 原创:25篇
    • 转载:27篇
    • 译文:1篇
    • 评论:4条
    文章分类
    最新评论