前言
keystone是什么?
Keystone(OpenStack Identity Service)是 OpenStack 框架中负责管理身份验证、服务规则和服务令牌功能的模块。用户访问资源需要验证用户的身份与权限,服务执行操作也需要进行权限检测,这些都需要通过 Keystone 来处理。
功能
(1)用户管理:验证用户身份信息合法性
(2)服务目录管理:提供各个服务目录的(Service Catalog:包括service和endpoint)服务,无论任何服务或者客户访问openstack都要访问keystone获取服务列表,以及每个服务的endpoint
环境准备
上一篇已经搭建过基础环境了,现在我们直接来搭建keystone
部署keystone
[root@controller ~]# yum install -y openstack-keystone openstack-utils python-openstackclient python-keystoneclient mod_wsgi mod_ssl httpd
创建keystone数据库(`-p` 后面直接跟密码会留在 shell 历史里,也可以只写 `-p` 交互式输入)
[root@controller ~]# mysql -uroot -p000000
MariaDB [(none)]> CREATE DATABASE keystone;
赋予keystone数据库权限(因为 keystone 是通过 192.168.200.10 而不是 localhost 连数据库,所以需要下面 '%' 那条授权;生产环境建议把 '%' 收窄为具体的主机地址)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '000000';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';
更新数据库
MariaDB [(none)]> flush privileges;
修改keystone的配置文件(下面个别行末尾以 // 开头的文字只是说明,不要写进配置文件,否则会被当成配置值的一部分)
[root@controller ~]# vi /etc/keystone/keystone.conf
[root@controller ~]# grep -vE "^$|^#" /etc/keystone/keystone.conf
[DEFAULT]
transport_url=rabbit://openstack:000000@192.168.200.10:5672 //消息认证,创建的用户名和密码
[application_credential]
[assignment]
[auth]
[cache]
backend = oslo_cache.memcache_pool
enable = true
memcache_servers = 192.168.200.10:11211
memcache_dead_retry = 60
memcache_socket_timeout = 1
memcache_pool_maxsize = 1000
memcache_pool_unused_timeout = 60
[catalog]
template_file = /etc/keystone/default_catalog.templates
driver = sql
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:000000@192.168.200.10:3306/keystone //连接keystone数据库,密码是创建keystone数据库时的密码
idle_timeout = 3600
max_pool_size = 30
max_retries = -1
retry_interval = 2
max_overflow = 60
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_receipts]
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
max_active_keys = 3
[healthcheck]
[identity]
driver = sql
caching = false
[identity_mapping]
[jwt_tokens]
[ldap]
[memcache]
servers = 192.168.200.10:11211
dead_retry = 60
socket_timeout = 1
pool_maxsize = 1000
pool_unused_timeout = 60
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[policy]
[profiler]
[receipt]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[token]
expiration = 3600
caching = False
provider = fernet
[tokenless_auth]
[totp]
[trust]
[unified_limit]
[wsgi]
初始化数据库
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
查看是否成功,进keystone数据库看是否有表
[root@controller ~]# mysql -uroot -p000000
MariaDB [(none)]> use keystone;
MariaDB [keystone]> show tables;
+------------------------------------+
| Tables_in_keystone |
+------------------------------------+
| access_rule |
| access_token |
| application_credential |
| application_credential_access_rule |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credenti
创建环境脚本(文件里含明文密码,建议 chmod 600 限制只有 root 可读)
[root@controller ~]# vi keystone_admin
# Admin credentials for the openstack CLI; load into the current shell with
# `source keystone_admin`.

# Domain / project / user the CLI authenticates as
OS_PROJECT_DOMAIN_NAME=Default
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_USERNAME=admin
# Same value as passed to `keystone-manage bootstrap --bootstrap-password`
OS_PASSWORD=000000
# Keystone v3 public endpoint on the controller
OS_AUTH_URL=http://192.168.200.10:5000/v3
OS_IDENTITY_API_VERSION=3
# Tag the prompt so it is obvious which credentials are loaded
PS1='[\u@\h \W(keystone_admin)]\$ '

export OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME \
  OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION PS1
初始化fernet密钥
控制节点做fernet密钥初始化,在/etc/keystone/生成相关密钥及目录
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
配置httpd.conf
[root@controller ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
[root@controller ~]# sed -i "s/Listen\ 80/Listen\ 192.168.200.10:80/g" /etc/httpd/conf/httpd.conf
把 keystone 自带的 wsgi 配置复制到 httpd 的 conf.d 目录
[root@controller ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller ~(keystone_admin)]# vi /etc/httpd/conf.d/wsgi-keystone.conf
Listen 192.168.200.10:5000
Listen 192.168.200.10:35357
<VirtualHost 192.168.200.10:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone.log
CustomLog /var/log/httpd/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
<VirtualHost 192.168.200.10:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
LimitRequestBody 114688
<IfVersion >= 2.4>
ErrorLogFormat "%{cu}t %M"
</IfVersion>
ErrorLog /var/log/httpd/keystone.log
CustomLog /var/log/httpd/keystone_access.log combined
<Directory /usr/bin>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
<IfVersion < 2.4>
Order allow,deny
Allow from all
</IfVersion>
</Directory>
</VirtualHost>
Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
SetHandler wsgi-script
Options +ExecCGI
WSGIProcessGroup keystone-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
</Location>
[root@controller ~]# systemctl enable httpd && systemctl restart httpd
初始化admin用户(管理用户)与密码,3种api端点,服务实体可用区等(密码直接写在命令行会留在 shell 历史和 ps 输出里,也可以通过环境变量 KEYSTONE_BOOTSTRAP_PASSWORD 传入)
[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 \
--bootstrap-admin-url http://192.168.200.10:35357/v3/ \
--bootstrap-internal-url http://192.168.200.10:5000/v3/ \
--bootstrap-public-url http://192.168.200.10:5000/v3/ \
--bootstrap-region-id RegionOne
创建domain, projects, users, 与roles
运行写的脚本环境,不然执行不了命令
[root@controller ~]# source keystone_admin
查看端点(endpoint)列表
[root@controller ~(keystone_admin)]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| ID | Region | Service Name | Service Type | Enabled | Interface | URL |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| 425fabee3ac04f14b012c45d1946a8e9 | RegionOne | keystone | identity | True | public | http://192.168.200.10:5000/v3/ |
| a4ec33971bea4b759e0312249f03554d | RegionOne | keystone | identity | True | internal | http://192.168.200.10:5000/v3/ |
[root@controller ~(keystone_admin)]# openstack project create --domain default --description "Service Project" service
[root@controller ~(keystone_admin)]# openstack project create --domain default --description "Demo Project" demo
[root@controller ~(keystone_admin)]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
[root@controller ~(keystone_admin)]# openstack role create user
[root@controller ~(keystone_admin)]# openstack role add --project demo --user demo user
查看创建的项目、role
[root@controller ~(keystone_admin)]# openstack project list
+----------------------------------+---------+
| ID | Name |
+----------------------------------+---------+
| 05eee4b575174a01838ae249c4c6f07f | admin |
| b20ff9dff76e4c2ba564cbf96f494e47 | service |
| dff611c194c7469ebb9f61df2027d9e4 | demo |
+----------------------------------+---------+
[root@controller ~(keystone_admin)]# openstack role list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 188756061fe641868406405f40ab5c70 | reader |
| c917268f931041e795b231fdf73e4256 | user |
| d48ece2adeda4b72a18da7814a3fbc5c | admin |
| e69f21c32432454d947587ae69b46936 | member |
+----------------------------------+--------+