手动搭建OpenStack之keystone

 前言

keystone是什么?

Keystone(OpenStack Identity Service)是 OpenStack 框架中负责管理身份验证、服务规则和服务令牌功能的模块。用户访问资源需要验证用户的身份与权限,服务执行操作也需要进行权限检测,这些都需要通过 Keystone 来处理。

功能

(1)用户管理:验证用户身份信息合法性

(2)服务目录管理:提供服务目录(Service Catalog,包括service和endpoint);任何服务或客户端访问OpenStack时,都要先向keystone获取服务列表以及每个服务的endpoint

 环境准备

上一篇已经搭建过基础环境了,现在我们直接来搭建keystone

部署keystone

[root@controller ~]# yum install -y openstack-keystone openstack-utils python-openstackclient python-keystoneclient  mod_wsgi mod_ssl httpd 
创建keystone数据库
[root@controller ~]# mysql -uroot -p000000
MariaDB [(none)]> CREATE DATABASE keystone; 
赋予keystone数据库权限
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '000000';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '000000';
更新数据库
MariaDB [(none)]> flush privileges;  

修改keystone的配置文件(下面以 `//` 开头的文字只是说明,不要写进配置文件)

[root@controller ~]# vi  /etc/keystone/keystone.conf
[root@controller ~]# grep -vE "^$|^#" /etc/keystone/keystone.conf
[DEFAULT]
transport_url=rabbit://openstack:000000@192.168.200.10:5672  //消息认证,创建的用户名和密码
[application_credential]
[assignment]
[auth]
[cache]
backend = oslo_cache.memcache_pool
enable = true
memcache_servers = 192.168.200.10:11211
memcache_dead_retry = 60
memcache_socket_timeout = 1
memcache_pool_maxsize = 1000
memcache_pool_unused_timeout = 60
[catalog]
template_file = /etc/keystone/default_catalog.templates
driver = sql
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:000000@192.168.200.10:3306/keystone  //连接keystone数据库,密码是创建keystone数据库时的密码
idle_timeout = 3600
max_pool_size = 30
max_retries = -1
retry_interval = 2
max_overflow = 60
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_receipts]
[fernet_tokens]
key_repository = /etc/keystone/fernet-keys/
max_active_keys = 3
[healthcheck]
[identity]
driver = sql
caching = false
[identity_mapping]
[jwt_tokens]
[ldap]
[memcache]
servers = 192.168.200.10:11211
dead_retry = 60
socket_timeout = 1
pool_maxsize = 1000
pool_unused_timeout = 60
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[policy]
[profiler]
[receipt]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[token]
expiration = 3600
caching = False
provider = fernet
[tokenless_auth]
[totp]
[trust]
[unified_limit]
[wsgi]

初始化数据库

[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
查看是否成功,进keystone数据库看是否有表
[root@controller ~]# mysql -uroot -p000000
MariaDB [(none)]> use keystone;
MariaDB [keystone]> show tables;
+------------------------------------+
| Tables_in_keystone                 |
+------------------------------------+
| access_rule                        |
| access_token                       |
| application_credential             |
| application_credential_access_rule |
| application_credential_role        |
| assignment                         |
| config_register                    |
| consumer                           |
| credenti

创建环境脚本

[root@controller ~]# vi keystone_admin 
# keystone_admin: admin credentials for the openstack CLI; load with `source keystone_admin`.
# Password and auth URL are the ones given to `keystone-manage bootstrap`
# (public endpoint on port 5000, Identity API v3).
# The admin password is stored here in clear text, so keep the file readable only by its owner.
OS_PROJECT_DOMAIN_NAME=Default
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=000000
OS_AUTH_URL=http://192.168.200.10:5000/v3
OS_IDENTITY_API_VERSION=3
# Prompt marker so it is visible which credential file is active in this shell.
PS1='[\u@\h \W(keystone_admin)]\$ '
export OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME
export OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION PS1

初始化fernet密钥

在控制节点上初始化fernet密钥,会在/etc/keystone/下生成相关密钥及目录
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

配置httpd.conf

[root@controller ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
[root@controller ~]# sed -i "s/Listen\ 80/Listen\ 192.168.200.10:80/g" /etc/httpd/conf/httpd.conf
将keystone自带的wsgi配置复制到httpd的conf.d目录
[root@controller ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller ~(keystone_admin)]# vi /etc/httpd/conf.d/wsgi-keystone.conf
Listen 192.168.200.10:5000
Listen 192.168.200.10:35357
<VirtualHost 192.168.200.10:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
<VirtualHost 192.168.200.10:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    LimitRequestBody 114688
    <IfVersion >= 2.4>
      ErrorLogFormat "%{cu}t %M"
    </IfVersion>
    ErrorLog /var/log/httpd/keystone.log
    CustomLog /var/log/httpd/keystone_access.log combined
    <Directory /usr/bin>
        <IfVersion >= 2.4>
            Require all granted
        </IfVersion>
        <IfVersion < 2.4>
            Order allow,deny
            Allow from all
        </IfVersion>
    </Directory>
</VirtualHost>
Alias /identity /usr/bin/keystone-wsgi-public
<Location /identity>
    SetHandler wsgi-script
    Options +ExecCGI
    WSGIProcessGroup keystone-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>
Alias /identity_admin /usr/bin/keystone-wsgi-admin
<Location /identity_admin>
    SetHandler wsgi-script
    Options +ExecCGI
    WSGIProcessGroup keystone-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
</Location>

[root@controller ~]# systemctl enable httpd && systemctl restart httpd

初始化admin用户(管理用户)及其密码、3种API端点(admin/internal/public)、服务实体和区域(RegionOne)等

[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 \
  --bootstrap-admin-url http://192.168.200.10:35357/v3/ \
  --bootstrap-internal-url http://192.168.200.10:5000/v3/ \
  --bootstrap-public-url http://192.168.200.10:5000/v3/ \
  --bootstrap-region-id RegionOne

创建domain, projects, users, 与roles

先加载前面写好的环境脚本,否则无法执行openstack命令

[root@controller ~]# source keystone_admin
查看端点(endpoint)列表
[root@controller ~(keystone_admin)]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                             |
+----------------------------------+-----------+--------------+--------------+---------+-----------+---------------------------------+
| 425fabee3ac04f14b012c45d1946a8e9 | RegionOne | keystone     | identity     | True    | public    | http://192.168.200.10:5000/v3/  |
| a4ec33971bea4b759e0312249f03554d | RegionOne | keystone     | identity     | True    | internal  | http://192.168.200.10:5

[root@controller ~(keystone_admin)]# openstack project create --domain default --description "Service Project" service

[root@controller ~(keystone_admin)]# openstack project create --domain default  --description "Demo Project" demo

[root@controller ~(keystone_admin)]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:

[root@controller ~(keystone_admin)]# openstack role create user

[root@controller ~(keystone_admin)]# openstack role add --project demo --user demo user

查看创建的项目、role

[root@controller ~(keystone_admin)]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 05eee4b575174a01838ae249c4c6f07f | admin   |
| b20ff9dff76e4c2ba564cbf96f494e47 | service |
| dff611c194c7469ebb9f61df2027d9e4 | demo    |
+----------------------------------+---------+
[root@controller ~(keystone_admin)]# openstack role list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 188756061fe641868406405f40ab5c70 | reader |
| c917268f931041e795b231fdf73e4256 | user   |
| d48ece2adeda4b72a18da7814a3fbc5c | admin  |
| e69f21c32432454d947587ae69b46936 | member |
+----------------------------------+--------+
