In OpenStack, the usual command for user management is keystone.
The common management tasks are adding, deleting and modifying users, and assigning roles to users.
By default, a tenant must be specified for every user at creation time; we also cover how to add a user to a second tenant.
Help
$ keystone | grep user
[--os-username <auth-user-name>]
Create EC2-compatible credentials for user per tenant.
List EC2-compatible credentials for a user
token-get Display the current user token.
user-create Create new user
user-delete Delete user
user-get Display user details.
user-list List users.
user-password-update
Update user password.
user-role-add Add role to user
user-role-list List roles granted to a user
user-role-remove Remove role from user
user-update Update user's name, email, and enabled status.
bootstrap Grants a new role to a new user on a new tenant, after
--os-username <auth-user-name>
one via authentication (e.g. with username &
Adding a user
[root@station140 ~(keystone_admin)]# keystone user-create --name terry --tenant cloud --pass vipshop --email signmem@hotmail.com --enabled true
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | signmem@hotmail.com |
| enabled | True |
| id | 8f6478593aa845b3b44eded4aade0f6f |
| name | terry |
| tenantId | 9467f30b8bba4770a06a687e4584636b | <- the id of tenant cloud
+----------+----------------------------------+
Updating user information
keystone user-update --name terry --email terry@111.com terry
The keystone user-list command lists all users, or, with the --tenant parameter, only the users that belong to a given project:
[root@station140 ~(keystone_admin)]# keystone user-list --tenant cloud
+----------------------------------+-------+---------+---------------+
| id | name | enabled | email |
+----------------------------------+-------+---------+---------------+
| 8f6478593aa845b3b44eded4aade0f6f | terry | True | terry@111.com |
+----------------------------------+-------+---------+---------------+
By default, OpenStack ships two common roles for a tenant: administrator and member (admin, _member_).
[root@hh-yun-puppet-129021 ~(keystone_admin)]# keystone role-list
+----------------------------------+---------------+
| id | name |
+----------------------------------+---------------+
| e46045f97c974133980771e64913d75b | ResellerAdmin |
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 301acc99e28c457f9b27087a1eb1ab0b | admin |
+----------------------------------+---------------+
The user-create command above adds the user to a tenant with the member role by default. The following command makes the user an administrator of that tenant:
keystone user-role-add --user terry.zeng --role admin --tenant cloud
Adding the user to another tenant (a user can only use resources in the tenants they belong to):
keystone user-role-add --user terry.zeng --role _member_ --tenant DEV
If you want to query another user's roles in a given tenant this way,
you first need to know that user's password so that the role query can be run as that user; this approach is therefore not recommended.
Changing a user's password
[root@hh-yun-puppet-129021 ~(keystone_admin)]# keystone user-password-update terry.zeng
New Password:
Repeat New Password:
Querying the roles of user terry.zeng in tenant QA:
[root@hh-yun-puppet-129021 ~(keystone_admin)]# keystone --os-username terry.zeng --os-password 123123 --os-tenant-name QA user-role-list
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 62b3813eb92e415b85816722e9479636 | 98e5fdd9e50f423881f49c845e1d26ad |
| 301acc99e28c457f9b27087a1eb1ab0b | admin | 62b3813eb92e415b85816722e9479636 | 98e5fdd9e50f423881f49c845e1d26ad |
+----------------------------------+----------+----------------------------------+----------------------------------+
Another method is to query the keystone database directly (this joins the user, project, role and assignment tables):
mysql> select a.name username, b.name tenant, c.name role from keystone.user a, keystone.project b, keystone.role c, keystone.assignment d where a.id = d.actor_id and b.id = d.target_id and c.id = d.role_id and a.name='terry.zeng' order by tenant;
+------------+--------+----------+
| username | tenant | role |
+------------+--------+----------+
| terry.zeng | DEV | _member_ |
| terry.zeng | DEV | admin |
| terry.zeng | DMZ1 | _member_ |
| terry.zeng | DMZ1 | admin |
| terry.zeng | DMZ2 | admin |
| terry.zeng | DMZ2 | _member_ |
| terry.zeng | MGMT | _member_ |
| terry.zeng | MGMT | admin |
| terry.zeng | MOBILE | _member_ |
| terry.zeng | MOBILE | admin |
| terry.zeng | OPS | _member_ |
| terry.zeng | QA | admin |
| terry.zeng | QA | _member_ |
| terry.zeng | QATOOL | admin |
| terry.zeng | QATOOL | _member_ |
+------------+--------+----------+
15 rows in set (0.01 sec)
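The same four-table join, reproduced as an added example (not code from the original post) in plain Python over constructed copies of the keystone user, project, role and assignment tables, so the lookup can be run without database access. The ids for terry, terry.zeng, QA, cloud and the three roles are the ones shown above; the DEV tenant id is made up.

```python
# Constructed copies of the keystone tables the mysql query joins (id -> name).
USERS = {"62b3813eb92e415b85816722e9479636": "terry.zeng",
         "8f6478593aa845b3b44eded4aade0f6f": "terry"}
PROJECTS = {"98e5fdd9e50f423881f49c845e1d26ad": "QA",
            "9467f30b8bba4770a06a687e4584636b": "cloud",
            "00000000000000000000000000000dev": "DEV"}   # constructed id
ROLES = {"9fe2ff9ee4384b1894a90878d3e92bab": "_member_",
         "301acc99e28c457f9b27087a1eb1ab0b": "admin",
         "9ea4fb60241c4a12b3c89630cf3f087a": "vgroup"}
# keystone.assignment rows as (actor_id, target_id, role_id); constructed sample.
ASSIGNMENTS = [
    ("62b3813eb92e415b85816722e9479636", "98e5fdd9e50f423881f49c845e1d26ad",
     "9fe2ff9ee4384b1894a90878d3e92bab"),   # terry.zeng  QA     _member_
    ("62b3813eb92e415b85816722e9479636", "98e5fdd9e50f423881f49c845e1d26ad",
     "301acc99e28c457f9b27087a1eb1ab0b"),   # terry.zeng  QA     admin
    ("62b3813eb92e415b85816722e9479636", "00000000000000000000000000000dev",
     "9fe2ff9ee4384b1894a90878d3e92bab"),   # terry.zeng  DEV    _member_
    ("8f6478593aa845b3b44eded4aade0f6f", "9467f30b8bba4770a06a687e4584636b",
     "9fe2ff9ee4384b1894a90878d3e92bab"),   # terry       cloud  _member_
    ("8f6478593aa845b3b44eded4aade0f6f", "9467f30b8bba4770a06a687e4584636b",
     "9ea4fb60241c4a12b3c89630cf3f087a"),   # terry       cloud  vgroup
]


def roles_for_user(username, users=USERS, projects=PROJECTS,
                   roles=ROLES, assignments=ASSIGNMENTS):
    """Equivalent of the SQL join: [(tenant, role), ...] ordered by tenant.

    Rows whose target or role id is unknown are skipped, since the assignment
    table can also hold targets that are not projects.
    """
    uid = next((i for i, n in users.items() if n == username), None)
    if uid is None:
        return []
    return sorted((projects[t], roles[r]) for a, t, r in assignments
                  if a == uid and t in projects and r in roles)


def admin_tenants(username, **tables):
    """Tenants where the user holds admin; the rows an auditor looks at first."""
    return sorted({t for t, r in roles_for_user(username, **tables) if r == "admin"})


def users_with_role_in(tenant, role, users=USERS, projects=PROJECTS,
                       roles=ROLES, assignments=ASSIGNMENTS):
    """Reverse lookup: which users hold `role` on `tenant` (no password needed)."""
    return sorted({users[a] for a, t, r in assignments
                   if a in users and projects.get(t) == tenant
                   and roles.get(r) == role})
```

Run against the real tables, the three functions answer the question from the section above (who holds what in which tenant) with admin credentials only.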
Role help
(my_new_env) likailiang@pubbeta1-nova10:~$ keystone help | grep role
role-create Create new role.
role-delete Delete role.
role-get Display role details.
role-list List all roles.
user-role-add Add role to user
user-role-list List roles granted to a user
user-role-remove Remove role from user
bootstrap Grants a new role to a new user on a new tenant, after
Creating a role
[root@station140 ~(keystone_admin)]# keystone role-create --name vgroup
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 9ea4fb60241c4a12b3c89630cf3f087a |
| name | vgroup |
+----------+----------------------------------+
Adding a user to a role
[root@station140 ~(keystone_admin)]# keystone user-role-add --user terry --role vgroup --tenant cloud
Displaying the roles a user holds in a tenant
[root@station140 ~(keystone_admin)]# keystone user-role-list --user terry --tenant cloud <- both parameters are required
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 8f6478593aa845b3b44eded4aade0f6f | 9467f30b8bba4770a06a687e4584636b |
| 9ea4fb60241c4a12b3c89630cf3f087a | vgroup | 8f6478593aa845b3b44eded4aade0f6f | 9467f30b8bba4770a06a687e4584636b |
+----------------------------------+----------+----------------------------------+----------------------------------+
Removing a user from a role
[root@station140 ~(keystone_admin)]# keystone user-role-remove --user terry --role vgroup --tenant cloud
Service help
(my_new_env) likailiang@pubbeta1-nova10:~$ keystone -h |grep service
[--os-token <service-token>]
[--os-endpoint <service-endpoint>]
catalog List service catalog, possibly filtered by service.
endpoint-create Create a new endpoint associated with a service.
endpoint-delete Delete a service endpoint.
service type.
endpoint-list List configured service endpoints.
service-create Add service to Service Catalog.
service-delete Delete service from Service Catalog.
service-get Display service from Service Catalog.
service-list List all services in Service Catalog.
Identity service. Defaults to env[OS_USERNAME]
Identity service. Defaults to env[OS_PASSWORD]
--os-token <service-token>
--os-endpoint <service-endpoint>
from the service catalog (via authentication).
(my_new_env) likailiang@pubbeta1-nova10:~$ nova help service-list
usage: nova service-list [--host <hostname>] [--binary <binary>]
Show a list of all running services. Filter by host & binary.
Optional arguments:
--host <hostname> Name of host.
--binary <binary> Service binary.
Listing the current services
[root@station140 tmp(keystone_admin)]# keystone service-list
+----------------------------------+------------+--------------+--------------------------------+
| id | name | type | description |
+----------------------------------+------------+--------------+--------------------------------+
| 4db88c4e3efe4f188b6f08756d28c407 | ceilometer | metering | Openstack Metering Service |
| e4ce5457b38e4a50a929af9b2b02b81c | cinder | volume | Cinder Service |
| ab1e6db2a7b54a459f928075263a8b0f | cinder_v2 | volumev2 | Cinder Service v2 |
| f025dc6a95db40f586b6975b154465b9 | glance | image | Openstack Image Service |
| 04a34fae776c4573a4d26ccca9407ec9 | keystone | identity | OpenStack Identity Service |
| 39f89e436d4942a1b2349e02cfddbed2 | neutron | network | Neutron Networking Service |
| 60796518d55347f981ce319121c5e6bf | nova | compute | Openstack Compute Service |
| 7867dcf1ec1647efa2287344c2f00775 | nova_ec2 | ec2 | EC2 Service |
| 743203738a074f5bac198be5e52977d8 | swift | object-store | Openstack Object-Store Service |
| 8b7b18fc6b7c4f169b10282252c0571c | swift_s3 | s3 | Openstack S3 Service |
+----------------------------------+------------+--------------+--------------------------------+
---------------------
Listing the status of services on hosts
(my_new_env) likailiang@pubbeta1-nova10:~$ nova service-list
+-----+--------------------+--------------------------------------+---------------------------------+----------+-------+----------------------------+--------------------------------------+
| Id | Binary | Host | Zone | Status | State | Updated_at | Disabled Reason |
+-----+--------------------+--------------------------------------+---------------------------------+----------+-------+----------------------------+--------------------------------------+
| 3 | nova-compute | pubbeta1-nova14.yq.163.org | yiqiao1.common2 | disabled | up | 2019-05-24T05:24:25.000000 | volume perf test file |
Disabling a service:
nova service-disable localhost.localdomain nova-compute --reason 'trial log' <- just test
Re-enabling the service
nova service-enable localhost.localdomain nova-compute