These are some of my study notes. If anything is wrong or there is a better solution, please point it out!
OpenStack's identity service, Keystone, consists of four modules: the token module, the catalog module, the identity (authentication) module, and the policy module.
Every component of the OpenStack cloud platform must be authenticated by Keystone when it joins the platform or uses another component's service. Keystone authentication takes two forms: checking whether a user's credentials are valid, and checking whether a user's token is valid.
1. Installing Keystone
[root@openstack01 ~]# yum install -y openstack-keystone httpd mod_wsgi
2. Verifying that Keystone was installed correctly
After a correct installation, the system automatically creates the corresponding keystone user and keystone group.
[root@openstack01 ~]# cat /etc/passwd | grep keystone
keystone:x:163:163:OpenStack Keystone Daemons:/var/lib/keystone:/sbin/nologin
[root@openstack01 ~]# cat /etc/group | grep keystone
keystone:x:163:
3. Editing the Keystone configuration file
[root@openstack01 ~]# cd /etc/keystone/
[root@openstack01 keystone]# vi keystone.conf
Modify the following two configuration lines (each under its own section):
[credential]
provider = fernet
[database]
connection = mysql+pymysql://keystone:000000@openstack01/keystone
4. Creating the keystone database and granting privileges
The commands below grant all privileges on the keystone database to a user named keystone, both on localhost and on any remote host, with the password 000000.
[root@openstack01 ~]# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 8
Server version: 10.3.20-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> create database keystone;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'localhost' identified by '000000';
Query OK, 0 rows affected (0.005 sec)
MariaDB [(none)]> grant all privileges on keystone.* to 'keystone'@'%' identified by '000000';
Query OK, 0 rows affected (0.001 sec)
5. Initializing the Keystone database (syncing the schema)
[root@openstack01 ~]# su keystone -s /bin/sh -c "keystone-manage db_sync"
Log in to the database to check that the keystone tables were created.
6. Initializing the Fernet key repositories
[root@openstack01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@openstack01 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
The commands above automatically create the /etc/keystone/fernet-keys/ and /etc/keystone/credential-keys/ directories and generate keys in each: the former are used to encrypt and decrypt tokens, the latter to encrypt and decrypt user credentials.
7. Bootstrapping the admin identity information
[root@openstack01 ~]# keystone-manage bootstrap --bootstrap-password 000000 --bootstrap-admin-url http://openstack01:5000/v3 --bootstrap-internal-url http://openstack01:5000/v3 --bootstrap-public-url http://openstack01:5000/v3 --bootstrap-region-id RegionOne
OpenStack has a default admin user, but it has no password or other login information. The keystone-manage bootstrap command above initializes the admin user's login credentials; every later login is checked against them.
8. Configuring the web service
[root@openstack01 ~]# cd /usr/share/keystone/
[root@openstack01 keystone]# ls
keystone-dist.conf keystone-schema.json keystone-schema.yaml sample_data.sh wsgi-keystone.conf
[root@openstack01 keystone]# cp wsgi-keystone.conf /etc/httpd/conf.d/
Edit the Apache configuration file
[root@openstack01 ~]# vi /etc/httpd/conf/httpd.conf
Set the value of ServerName to the host name
ServerName openstack01
Restart the httpd service and enable it at boot
[root@openstack01 ~]# systemctl restart httpd
[root@openstack01 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
9. Simulating login authentication
In root's home directory, create a file with the following contents
[root@openstack01 ~]# cat admin-login
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://openstack01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
After writing it, load the environment variables:
[root@openstack01 ~]# source admin-login
10. Testing the Keystone service: create a project and a role in OpenStack, then list them
[root@openstack01 ~]# openstack project create project --domain default
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | |
| domain_id | default |
| enabled | True |
| id | c0200c7e464a422f83cfbf98b89b447f |
| is_domain | False |
| name | project |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
Create a role
[root@openstack01 ~]# openstack role create user
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 25b16174bb38433091d95df7e83f0f7b |
| name | user |
| options | {} |
+-------------+----------------------------------+
List projects
[root@openstack01 ~]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 11661eea17594c1bb2758f308e3bfa7d | admin |
| c0200c7e464a422f83cfbf98b89b447f | project |
+----------------------------------+---------+
List roles
[root@openstack01 ~]# openstack role list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 2245ab1709834abf80139d3d6a6f94e8 | member |
| 25b16174bb38433091d95df7e83f0f7b | user |
| 613198afaff44bce9de6a0d5dbf43f65 | admin |
| 9153abb4273d46599bbe5f7ae9f0596b | reader |
+----------------------------------+--------+
With this, the installation of the Keystone service in OpenStack is complete.
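As an added post-install check (example code, not part of the original notes), the script below verifies that the two settings from step 3 sit in the correct sections of keystone.conf and that the Fernet key directory from step 6 is readable only by the keystone account. The sample configuration it parses is constructed inline; the file paths, the keystone owner name and the use of GNU stat are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: section-aware checks for the
# keystone.conf settings from step 3 and the Fernet key directory from step 6.
# Paths, owner name and expected values are assumptions taken from the notes.

# ini_get FILE SECTION KEY: print the value of KEY inside [SECTION] only.
# A plain grep for "provider" would also match the [token] section, so this
# tracks which section the current line belongs to.
ini_get() {
    awk -v want="[$2]" -v key="$3" '
        /^[ \t]*\[/ { in_sec = ($0 == want); next }
        in_sec && $0 ~ "^[ \t]*" key "[ \t]*=" {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }' "$1"
}

# check_conf FILE: 0 when [credential] provider is fernet and the [database]
# connection points at the keystone database as the keystone user.
check_conf() {
    [ "$(ini_get "$1" credential provider)" = "fernet" ] || return 1
    case "$(ini_get "$1" database connection)" in
        mysql+pymysql://keystone:*@*/keystone) return 0 ;;
        *) return 1 ;;
    esac
}

# check_key_dir DIR OWNER: 0 when DIR exists, is owned by OWNER and is mode 700,
# which is how keystone-manage fernet_setup leaves it; a looser mode would let
# any local user read the keys that encrypt every token.
check_key_dir() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%U %a' "$1")" = "$2 700" ]
}

# Constructed sample of the relevant sections (not copied from a real host).
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
[token]
provider = fernet
[credential]
provider = fernet
[database]
connection = mysql+pymysql://keystone:000000@openstack01/keystone
EOF
check_conf "$SAMPLE_CONF" && echo "sample keystone.conf: settings OK"
# On the controller itself, run the same checks against the live files:
#   check_conf /etc/keystone/keystone.conf
#   check_key_dir /etc/keystone/fernet-keys keystone
```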