本文详细介绍了在CentOS系统上部署OpenStack Train版本的步骤,涵盖环境准备、配置NTP、安装数据库、消息队列、memcache、身份认证服务keystone、镜像服务glance、Placement服务、计算服务Nova、网络服务Neutron以及仪表盘Horizon的安装与配置。文章深入浅出,适合OpenStack初学者和运维人员参考。
1、环境准备
1.1、主机配置
| hostname | system | host resource | IP |
|---|---|---|---|
| controller | centos7 | 4G内存、4核 | 192.168.100.10 10.10.128.10 |
| compute | centos7 | 2G内存、2核 | 192.168.100.20 10.10.128.20 |
1.2、网络配置
本次实验管理网络192.168.100.0/24 能够连接互联网
provider网络10.10.128.0/24
controller节点
[root@localhost ~]# hostnamectl set-hostname controller
[root@controller ~]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.10 controller
192.168.100.20 compute
compute节点
[root@localhost ~]# hostnamectl set-hostname compute
[root@compute ~]# vi /etc/hosts
127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4
::1 localhost localhost.localdomain localhost6 localhost6.localdomain6
192.168.100.10 controller
192.168.100.20 compute
controller & compute测试连通性
controller节点访问互联网测试
[root@controller ~]# ping -c 4 g.cn
PING g.cn (203.208.40.79) 56(84) bytes of data.
64 bytes from 203.208.40.79: icmp_seq=1 ttl=128 time=40.1 ms
64 bytes from 203.208.40.79: icmp_seq=2 ttl=128 time=38.5 ms
64 bytes from 203.208.40.79: icmp_seq=3 ttl=128 time=37.7 ms
64 bytes from 203.208.40.79: icmp_seq=4 ttl=128 time=34.9 ms
--- g.cn ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 16259ms
rtt min/avg/max/mdev = 34.985/37.850/40.110/1.867 ms
controller节点与compute节点通信测试
[root@controller ~]# ping -c 4 compute
PING compute (192.168.100.20) 56(84) bytes of data.
64 bytes from compute (192.168.100.20): icmp_seq=1 ttl=64 time=0.601 ms
64 bytes from compute (192.168.100.20): icmp_seq=2 ttl=64 time=0.270 ms
64 bytes from compute (192.168.100.20): icmp_seq=3 ttl=64 time=0.330 ms
64 bytes from compute (192.168.100.20): icmp_seq=4 ttl=64 time=0.302 ms
--- compute ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.270/0.375/0.601/0.133 ms
compute节点访问互联网测试
[root@compute ~]# ping -c 4 g.cn
PING g.cn (203.208.40.79) 56(84) bytes of data.
64 bytes from 203.208.40.79: icmp_seq=1 ttl=128 time=35.6 ms
64 bytes from 203.208.40.79: icmp_seq=2 ttl=128 time=36.2 ms
64 bytes from 203.208.40.79: icmp_seq=3 ttl=128 time=38.7 ms
64 bytes from 203.208.40.79: icmp_seq=4 ttl=128 time=40.1 ms
--- g.cn ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3004ms
rtt min/avg/max/mdev = 35.671/37.697/40.113/1.832 ms
compute节点与controller节点通信测试
[root@compute ~]# ping -c 4 controller
PING controller (192.168.100.10) 56(84) bytes of data.
64 bytes from controller (192.168.100.10): icmp_seq=1 ttl=64 time=0.429 ms
64 bytes from controller (192.168.100.10): icmp_seq=2 ttl=64 time=0.293 ms
64 bytes from controller (192.168.100.10): icmp_seq=3 ttl=64 time=0.307 ms
64 bytes from controller (192.168.100.10): icmp_seq=4 ttl=64 time=0.223 ms
--- controller ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3002ms
rtt min/avg/max/mdev = 0.223/0.313/0.429/0.074 ms
1.3、配置NTP
controller节点
要在节点之间正确同步服务,可以安装Chrony,这是NTP的实现。2个节点都同步阿里ntp服务器time1.aliyun.com
[root@controller ~]# yum install chrony -y
编辑/etc/chrony.conf文件,删除:
server NTP_SERVER iburst
实际为
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
添加:
server time1.aliyun.com iburst
启动服务并添加开机自启:
[root@controller ~]# mkdir /var/run/chrony
[root@controller ~]# systemctl status chronyd
[root@controller ~]# systemctl enable chronyd
compute节点
[root@compute ~]# yum install chrony -y
删除或注释:
server 0.centos.pool.ntp.org iburst
server 1.centos.pool.ntp.org iburst
server 2.centos.pool.ntp.org iburst
server 3.centos.pool.ntp.org iburst
添加:
server time1.aliyun.com iburst
启动服务并添加开机自启:
[root@compute ~]# mkdir /var/run/chrony
[root@compute ~]# systemctl start chronyd.service
[root@compute ~]# systemctl enable chronyd.service
1.4、准备软件包
controller节点与compute
现在openstack最新版是ussuri,要求centos是8。我的是centos7做之前没注意,所以本次安装版本为train版
[root@controller ~]# yum install centos-release-openstack-train -y
[root@controller ~]# yum upgrade -y
安装一个适宜的openstack 客户端
[root@controller ~]# yum install python-openstackclient -y
由于centos默认开启了selinux,安装openstack-selinux包自动管理openstack 服务安全策略
[root@controller ~]# yum install openstack-selinux -y
[root@compute ~]# yum install openstack-selinux -y
1.5、SQL数据库准备
大多数OpenStack服务都使用SQL数据库来存储信息。数据库一般运行在controller节点上,本次使用mariadb。
[root@controller ~]# yum install mariadb mariadb-server python2-PyMySQL -y
创建/etc/my.cnf.d/openstack.cnf文件,并添加如下内容
[root@controller ~]# touch /etc/my.cnf.d/openstack.cnf
[root@controller ~]# vi /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 192.168.100.10 #此地址为controller节点ip
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
进行初始化
-
启动并设置开机自启
[root@controller ~]# systemctl start mariadb [root@controller ~]# systemctl enable mariadb -
执行
mysql_secure_installation安全脚本。[root@controller ~]# mysql_secure_installation NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB SERVERS IN PRODUCTION USE! PLEASE READ EACH STEP CAREFULLY! In order to log into MariaDB to secure it, we'll need the current password for the root user. If you've just installed MariaDB, and you haven't set the root password yet, the password will be blank, so you should just press enter here. Enter current password for root (enter for none): #直接回车 OK, successfully used password, moving on... Setting the root password ensures that nobody can log into the MariaDB root user without the proper authorisation. Set root password? [Y/n] y #是否设置root密码 y New password: #输入密码 Re-enter new password: #再次确认 Password updated successfully! Reloading privilege tables.. ... Success! By default, a MariaDB installation has an anonymous user, allowing anyone to log into MariaDB without having to have a user account created for them. This is intended only for testing, and to make the installation go a bit smoother. You should remove them before moving into a production environment. Remove anonymous users? [Y/n] y #移除匿名用户 y ... Success! Normally, root should only be allowed to connect from 'localhost'. This ensures that someone cannot guess at the root password from the network. Disallow root login remotely? [Y/n] n #拒绝root远程登陆 n ... skipping. By default, MariaDB comes with a database named 'test' that anyone can access. This is also intended only for testing, and should be removed before moving into a production environment. Remove test database and access to it? [Y/n] y #移除测试数据库(数据库发行前开发测试用的没啥用) - Dropping test database... ... Success! - Removing privileges on test database... ... Success! Reloading the privilege tables will ensure that all changes made so far will take effect immediately. Reload privilege tables now? [Y/n] y #重新加载权限表 y ... Success! Cleaning up... All done! If you've completed all of the above steps, your MariaDB installation should now be secure. Thanks for using MariaDB!
1.6、消息队列
OpenStack使用消息队列来协调服务之间的操作和状态信息。 消息队列服务通常在controller点上运行。 本次使用RabbitMQ消息队列
安装配置
- 安装软件包
[root@controller ~]# yum install rabbitmq-server -y
- 启动并设置开机自启
[root@controller ~]# systemctl start rabbitmq-server
[root@controller ~]# systemctl enable rabbitmq-server
- 添加openstack用户,并设置密码
000000
[root@controller ~]# rabbitmqctl add_user openstack 000000
Creating user "openstack"
- 授予openstack用户读写权限
[root@controller ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"
Setting permissions for user "openstack" in vhost "/"
1.7、memcache
服务的身份服务身份验证机制使用Memcached来缓存令牌。 memcached服务通常在controller节点上运行。
- 安装软件包
[root@controller ~]# yum install memcached python-memcached -y
- 编辑
/etc/sysconfig/memcached添加如下内容
OPTIONS="-l 127.0.0.1,::1,controller"
- 启动并设置开机自启
[root@controller ~]# systemctl start memcached
[root@controller ~]# systemctl enable memcached
2、部署一个最小化的Train版本openstack
2.1、身份认证——keystone
OpenStack Identity Service提供了一个集成点,用于管理身份验证,授权和服务目录。
身份服务通常是用户与之交互的第一项服务。身份验证后,最终用户可以使用其身份访问其他OpenStack服务。同样,其他OpenStack服务也利用身份服务来确保用户是他们所说的人,并发现其他服务在部署中的位置。身份服务还可以与某些外部用户管理系统(例如LDAP)集成。
用户和服务可以使用由身份服务管理的服务目录来查找其他服务。服务目录是OpenStack部署中可用服务的集合。每个服务可以具有一个或多个端点(endpoints),并且每个端点可以是以下三种类型之一:admin,internal或public。在生产环境中,出于安全原因,不同的endpoints类型可能驻留在暴露给不同类型用户的单独网络上。
例如:公共API网络可能在Internet上可见,因此客户可以管理它们自己的cloud。 admin API网络可能仅限于管理云基础架构的组织内的运营商。内部API网络可能仅限于包含OpenStack服务的主机。此外,OpenStack支持多个区域以实现可伸缩性。为简单起见,本次将管理网络用于所有端点类型和默认的RegionOne区域。身份服务中创建的区域,服务和端点共同构成了部署的服务目录。部署中的每个OpenStack服务都需要一个服务条目,并在Identity服务中存储相应的端点。
keystone服务包含以下组件:
-
Server:
使用RESTful服务接口提供集中式的身份验证和授权服务。
-
Drivers:
Drivers或服务后端集成到集中式Server。用于访问OpenStack外部存储库中的身份信息,并且可能已经存在于部署OpenStack的基础架构中。
-
Modules:
中间件Modules在使用身份服务的OpenStack组件的地址空间中运行。 这些模块拦截服务请求,提取用户凭证,并将其发送到集中式服务器进行授权。 中间件模块和OpenStack组件之间的集成使用Python Web服务器网关接口。
使用keystone前的条件—controller节点
- 创建keystone数据库
[root@controller ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 17
Server version: 10.3.20-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.001 sec)
- 授予keystone用户对keystone数据库本地和远程的所有操作权限。
GRANT ALL PRIVILEGES ON [数据库名].[表名] to '[用户名]@localhost/%' IDENTIFIED BY '[密码]';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.005 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';
Query OK, 0 rows affected (0.000 sec)
安装配置keystone
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
编辑/etc/keystone/keystone.conf在[database]部分添加如下内容:
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[KEYSTON_DBPASS]修改为数据库中设置的密码
connection = mysql+pymysql://keystone:000000@controller/keystone
在[token]部分添加如下内容
provider = fernet
然后执行如下命令
su -s /bin/sh -c "keystone-manage db_sync" keystone
初始化Fernet密钥仓库:
–keystone-user和–keystone-group标志用于指定将用于运行keystone的操作系统的用户/组。这些参数是为了允许在另一个操作系统用户/组下运行keystone。
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
启动认证服务
[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 \
> --bootstrap-admin-url http://controller:5000/v3/ \
> --bootstrap-internal-url http://controller:5000/v3/ \
> --bootstrap-public-url http://controller:5000/v3/ \
> --bootstrap-region-id RegionOne
配置HTTP服务
- 配置
/etc/httpd/conf/httpd.conf文件的ServerName 为controller
ServerName controller
- 创建链接文件
/usr/share/keystone/wsgi-keystone.conf
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
完成安装
- 启动并设置http开机自启
[root@controller ~]# systemctl start httpd
[root@controller ~]# systemctl enable httpd
- 设置适当的环境变量来配置管理帐户
[root@controller ~]# vi openstack-admin.sh
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
必要时通过source openstack-admin.sh 来生效配置
创建domain、projects、users和roles
- 创建一个新的example domain
[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | e7a4ef4e82d54dd48d42c4e21373613f |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
- 创建service project
[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 16ca1d55269d4f16a79662611bd70df3 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
- 常规(非管理员)任务应使用没有特权的project和user。 例如,创建myproject项目和myuser用户。
[root@controller ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 51f50c3a2a68454a8f2122f90bdad89d |
| is_domain | False |
| name | myproject |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
创建myuser的用户
[root@controller ~]# openstack user create --domain default --password-prompt myuser
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 15042e2377d24be2bd831a03842aa775 |
| name | myuser |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
创建myrole的角色
[root@controller ~]# openstack role create myrole
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 52fd6fcf572d4534a36ea4a640d6e6ea |
| name | myrole |
| options | {} |
+-------------+----------------------------------+
将myrole角色添加到myproject项目和myuser用户:
[root@controller ~]# openstack role add --project myproject --user myuser myrole
认证操作
myuser用户请求认证token
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name Default --os-user-domain-name Default --os-project-name myproject --os-username myuser token issue
Password:
Password:
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-06-28T09:54:31+0000 |
| id | gAAAAABe-FrHunkJlroXcSVjq1zrJ1JCu4oDAGzr7JutjmMgYg3CcUp2kyu-MCyebTu48i0E0ZRSHDLjAOhR7buPHfmlhXjsxgadRZoM_OBhFBUEw1dAaSYterixSDqYGOY2bGf8ovhHapJ4rc3QetifjhzUEd1fOW_pVBfS_qwOYS53f9BLgdE |
| project_id | 51f50c3a2a68454a8f2122f90bdad89d |
| user_id | 15042e2377d24be2bd831a03842aa775 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
创建脚本
前面的部分使用了环境变量和命令选项的组合,以通过openstack客户端与Identity Service进行交互。 为了提高客户端操作的效率,OpenStack支持简单的客户端环境脚本,也称为OpenRC文件。 这些脚本通常包含所有客户端的通用选项,也支持唯一选项。
创建admin-openrc
[root@controller ~]# vi admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
创建demo-openrc
[root@controller ~]# vi demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
脚本的使用
要将客户端作为特定项目和用户运行,可以在运行它们之前简单地加载关联的客户端环境脚本
加载admin-openrc文件以使用Identity服务的位置以及admin项目和用户凭据填充环境变量
[root@controller ~]# . admin-openrc
请求认证token
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-06-28T10:00:02+0000 |
| id | gAAAAABe-FwSX8Yi3y4NsHe0B5CujrMvR5L0Ff7oPolybfVouJsSJIvZGiJ1e4Qo2E4jYAVQ0RRoZGh_0yPtQrENnNv-FUwYJVTbDoRwEtp_i6MJ4J4ZDf9GMKkfy4TbB7Jv8FIswiFk0l0NvKPz0YMqp2yZWarQu58qtQ-QELUFl9c_IIl3qGU |
| project_id | 86fc1bb169a443f98fdaf8e2fb25f9cd |
| user_id | d0451d8b9a7245c09d47b85197ccc80c |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
keystone架构
Service
Keystone在一个或多个endpoints上公开的一组内部服务。前端将这些服务结合使用。例如,一个身份验证将使用Identity Service验证用户/项目凭据,并在成功后使用令牌服务创建并返回令牌。
Identity
Identity service提供身份验证凭证以及有关用户和组的数据。一般情况下,这些数据由Identity service管理,进行相关的CRUD(增删改查)操作。在复杂的情况下,这些数据也可以由后端进行管理。例如,Identity service作为LDAP的前端。LDAP服务器进行认证,Identity service的作用是准确地传递该信息。
Users
User代表单个API使用者。 User本身必须由特定domain拥有,因此所有用户名不是全局唯一的,而仅是其domain唯一的。
Groups
Groups使User的集合。Group本身必须由特定domain拥有,因此所有group名称不是全局唯一的,而仅是其domain唯一的。
Resource
Resource Service提供了有关project和domain的数据。
Projects
Project代表OpenStack所有权的基本单位,因为OpenStack中的所有Resource均应由特定Project拥有。 一个Project本身必须由一个特定的domain拥有,因此所有的Project名称都不是全局唯一的,而是对其domain唯一的。 如果未指定Project的domain,则将其添加到default domain。
Domains
domain包含Projects、Users和groups,每一个domain是唯一的。每个domain都定义一个存在API可见名称属性的名称空间。 Keystone提供了一个默认domain,名为“Default”。
在Identity v3 API中,属性的唯一性如下:
-
domain名。 在所有域中都是唯一的。
-
role名称。 在所属域中唯一。
-
user名。 在所属域中唯一。
-
Project名称。 在所属域中唯一。
-
group名字。 在所属域中唯一。
Assignment
Assignment service提供了有关user和role的分配
Roles
Role决定了最终user可以获得的授权级别。 可以在domain或Project级别授予Role。 可以在单个User或group级别分配Role。 Role名称在所属domain中是唯一的。
Roles Assignment
具有Role、 Resource 和Identity的三元组.
Token
一旦验证了用户的证书,Token服务便会验证和管理用于认证请求的token。
Catalog
Catalog service 用于提供通过endponit发现的endpoint注册表
应用操作
Keystone是一些服务的HTTP前端。 像其他OpenStack应用程序一样,使用python WSGI接口完成,并且使用Paste一起配置了应用程序。 该应用程序的HTTP端点由WSGI中间件的管道组成,例如:
[pipeline:api_v3]
pipeline = healthcheck cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context json_body ec2_extension_v3 s3_extension service_v3
这些依次使用keystone.common.wsgi.ComposedRouter的子类将URL链接到控制器(keystone.common.wsgi.Application的子类)。 在每个控制器中,将加载一个或多个管理器,这些管理器是精简包装类,它们根据keystone配置加载适当的服务驱动程序。
- Assignment
keystone.assignment.controllers.GrantAssignmentV3keystone.assignment.controllers.ImpliedRolesV3keystone.assignment.controllers.ProjectAssignmentV3keystone.assignment.controllers.TenantAssignmentkeystone.assignment.controllers.RoleAssignmentV3keystone.assignment.controllers.RoleV3
- Authentication
keystone.auth.controllers.Auth
- Catalog
keystone.catalog.controllers.EndpointFilterV3Controllerkeystone.catalog.controllers.EndpointGroupV3Controllerkeystone.catalog.controllers.EndpointV3keystone.catalog.controllers.ProjectEndpointGroupV3Controllerkeystone.catalog.controllers.RegionV3keystone.catalog.controllers.ServiceV3
- Credentials
keystone.contrib.ec2.controllers.Ec2ControllerV3keystone.credential.controllers.CredentialV3
- Federation
keystone.federation.controllers.IdentityProviderkeystone.federation.controllers.FederationProtocolkeystone.federation.controllers.MappingControllerkeystone.federation.controllers.Authkeystone.federation.controllers.DomainV3keystone.federation.controllers.ProjectAssignmentV3keystone.federation.controllers.ServiceProviderkeystone.federation.controllers.SAMLMetadataV3
- Identity
keystone.identity.controllers.GroupV3keystone.identity.controllers.UserV3
- Oauth1
keystone.oauth1.controllers.ConsumerCrudV3keystone.oauth1.controllers.AccessTokenCrudV3keystone.oauth1.controllers.AccessTokenRolesV3keystone.oauth1.controllers.OAuthControllerV3
- Policy
keystone.policy.controllers.PolicyV3
- Resource
keystone.resource.controllers.DomainV3keystone.resource.controllers.DomainConfigV3keystone.resource.controllers.ProjectV3keystone.resource.controllers.ProjectTagV3
- Revoke
keystone.revoke.controllers.RevokeController
- Trust
keystone.trust.controllers.TrustV3
服务后端
可以将每个服务配置为使用endpoint,以使keystone适应各种环境和需求。 每个服务的后端在keystone.conf文件中定义,并且密钥驱动程序位于与每个服务关联的组下。
每个endpoint下都有一个通用类,可为任何实现提供抽象基类,以标识预期的服务实现。 抽象基类以base.py的形式存储在服务的后端目录中。 服务的相应驱动程序是:
keystone.assignment.backends.base.AssignmentDriverBasekeystone.assignment.role_backends.base.RoleDriverBasekeystone.auth.plugins.base.AuthMethodHandlerkeystone.catalog.backends.base.CatalogDriverBasekeystone.credential.backends.base.CredentialDriverBasekeystone.endpoint_policy.backends.base.EndpointPolicyDriverBasekeystone.federation.backends.base.FederationDriverBasekeystone.identity.backends.base.IdentityDriverBasekeystone.identity.mapping_backends.base.MappingDriverBasekeystone.identity.shadow_backends.base.ShadowUsersDriverBasekeystone.oauth1.backends.base.Oauth1DriverBasekeystone.policy.backends.base.PolicyDriverBasekeystone.resource.backends.base.ResourceDriverBasekeystone.resource.config_backends.base.DomainConfigDriverBasekeystone.revoke.backends.base.RevokeDriverBase
最低0.47元/天 解锁文章
扫一扫
694
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
