【N版】openstack——認證服務keystone
一.keystone介紹
1.1keystone
Keystone(OpenStack Identity Service)是 OpenStack 框架中負責管理身份驗證、服務規則和服務令牌功能的模塊。用戶訪問資源需要驗證用戶的身份與權限,服務執行操作也需要進行權限檢測,這些都需要通過 Keystone 來處理。
用戶認證:用戶權限與用戶行爲跟蹤
服務目錄:提供一個服務目錄,包括所有服務項與相關API的端點
主要涉及如下概念:
User: 用戶
Project:項目(老版本中tenant:租戶)
Token: 令牌
Role: 角色
1.2keystone配置
1.2.1創建庫及用戶
注:在這裏爲了方便,提前把之後要創建的庫,以及用戶和授權,都做好。注意下面示例中每個服務的數據庫密碼都與用戶名相同(keystone/glance/nova/neutron/cinder),並且同時對 'localhost' 和 '%'(任意主機)授權,這只適合隔離的實驗環境;生產環境應爲每個服務生成獨立的隨機密碼(例如 openssl rand -hex 10),並把 '%' 收窄爲控制節點的實際地址或管理網段。
[root@linux-node1 ~]# mysql -uroot -p <- 登陸數據庫;-p 後面不要直接跟密碼,由提示符輸入,避免密碼留在 shell 歷史中 ->
MariaDB [(none)]> create database keystone; <- 創建keystone庫 ->
MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'keystone'; <- 創建keystone用戶並授權(密碼 'keystone' 僅爲示例) ->
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'keystone';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database glance; <- 創建glance庫 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on glance.* to glance@'localhost' identified by 'glance';
Query OK, 0 rows affected (0.00 sec) <- 創建glance用戶 ->
MariaDB [(none)]> grant all privileges on glance.* to glance@'%' identified by 'glance';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database nova; <- 創建nova庫 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova.* to nova@'%' identified by 'nova';
Query OK, 0 rows affected (0.00 sec) <- 創建nova用戶 ->
MariaDB [(none)]> grant all privileges on nova.* to nova@'localhost' identified by 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database nova_api; <- 創建nova_api庫 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova_api.* to 'nova'@'localhost' identified by 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova_api.* to 'nova'@'%' identified by 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database neutron; <- 創建neutron庫 ->
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> grant all privileges on neutron.* to 'neutron'@'%' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec) <- 創建neutron用戶 ->
MariaDB [(none)]> grant all privileges on neutron.* to 'neutron'@'localhost' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> create database cinder; <- 創建cinder庫 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on cinder.* to 'cinder'@'localhost' identified by 'cinder'; <- 創建cinder用戶 ->
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on cinder.* to 'cinder'@'%' identified by 'cinder';
Query OK, 0 rows affected (0.00 sec)
1.2.2keystone配置文件
[root@linux-node1 ~]# vim /etc/keystone/keystone.conf <- 編輯配置文件 ->
613 [database] <- 數據庫設置->
640 connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone <- 格式爲 用戶:密碼@主機/庫名;數據庫密碼以明文寫在這裏,確認 keystone.conf 只對 root 和 keystone 組可讀 ->
1458 [memcache] <- memcache設置 ->
1472 servers = 192.168.56.11:11211 <- memcache服務地址 ->
2655 provider = fernet <- 配置令牌 ->
2665 driver = memcache <- 選擇driver爲memcache默認是sql ->
[root@linux-node1 ~]# grep '^[a-z]' /etc/keystone/keystone.conf <- 檢查生效的配置項 ->
connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
servers = 192.168.56.11:11211
provider = fernet
driver = memcache
1.2.3數據庫,memcache配置
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
<- 初始化數據庫 ->
[root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;" <- 檢查表是否導入成功;-p 直接跟密碼會讓密碼出現在 ps 輸出和 shell 歷史中,只在實驗環境這樣用,否則只寫 -p 由提示符輸入 ->
[root@linux-node1 ~]# vim /etc/sysconfig/memcached <- 修改memcache配置文件 ->
OPTIONS="-l 192.168.56.11,::1" <- 監聽管理網地址;memcached 本身沒有認證機制,11211 端口只應對需要訪問它的控制節點開放(用防火牆限制) ->
[root@linux-node1 ~]# systemctl restart memcached <- 重啓memcache ->
[root@linux-node1 ~]# cd /etc/keystone/
[root@linux-node1 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone <- 初始化fernet令牌密鑰,並把密鑰目錄的屬主設爲 keystone;這是簽發/校驗令牌的密鑰,需要妥善保護並定期用 keystone-manage fernet_rotate 輪換 ->
[root@linux-node1 keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone <- 初始化credential密鑰(用於加密存儲的憑據,與上面的fernet令牌密鑰不是同一套) ->
[root@linux-node1 keystone]# keystone-manage bootstrap --bootstrap-password admin \ <- 引導身份服務(創建 admin 用戶、角色、項目及 identity 服務端點);密碼 admin 僅爲示例,並且會留在 shell 歷史中,生產環境請改用隨機密碼(可通過 OS_BOOTSTRAP_PASSWORD 環境變量傳入) ->
--bootstrap-admin-url http://192.168.56.11:35357/v3/ \
--bootstrap-internal-url http://192.168.56.11:35357/v3/ \
--bootstrap-public-url http://192.168.56.11:5000/v3/ \
--bootstrap-region-id RegionOne
1.2.4配置apache服務
[root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf <- 編輯配置文件 ->
95 ServerName 192.168.56.11:80
[root@linux-node1 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/ <- 軟連接配置文件 ->
[root@linux-node1 ~]# systemctl enable httpd.service <- 設置apache開機自啓 ->
[root@linux-node1 ~]# systemctl start httpd.service
[root@linux-node1 ~]# export OS_USERNAME=admin <- 配置環境變量(密碼以明文放在環境變量中,僅供當前會話使用) ->
[root@linux-node1 ~]# export OS_PASSWORD=admin
[root@linux-node1 ~]# export OS_PROJECT_NAME=admin
[root@linux-node1 ~]# export OS_USER_DOMAIN_NAME=Default
[root@linux-node1 ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@linux-node1 ~]# export OS_AUTH_URL=http://192.168.56.11:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# openstack user list <- 查看用戶列表 ->
[root@linux-node1 ~]# openstack role list <- 查看角色列表 ->
[root@linux-node1 ~]# openstack project list <- 查看項目列表 ->
[root@linux-node1 ~]# openstack endpoint list <- 查看端點列表 ->
1.2.5創建項目
[root@linux-node1 ~]# openstack project create --domain default --description "Service Project" service <- 創建服務項目 ->
[root@linux-node1 ~]# openstack project list <- 查看是否創建成功 ->
[root@linux-node1 ~]# openstack project create --domain default --description "Demo Project" demo <- 創建demo項目 ->
[root@linux-node1 ~]# openstack project list <- 查看是否創建成功 ->
[root@linux-node1 ~]# openstack user create --domain default --password-prompt demo
User Password:demo
Repeat User Password:demo <- 創建demo用戶,密碼:demo(--password-prompt 以交互方式輸入,密碼不會留在 shell 歷史中) ->
[root@linux-node1 ~]# openstack user list <- 查看是否創建成功 ->
[root@linux-node1 ~]# openstack role create user <- 創建user角色 ->
[root@linux-node1 ~]# openstack role list <- 查看是否創建成功 ->
[root@linux-node1 ~]# openstack role add --project demo --user demo user
<- 將demo用戶加入到demo項目並且賦予user角色->
注:爲了方便,以下操作將之後要用到的所有服務用戶都創建好。這些服務用戶都在 service 項目中被賦予 admin 角色,其密碼同樣只是示例(與用戶名相同),並且必須與之後各服務配置文件中填寫的密碼一致;生產環境請使用隨機密碼。
[root@linux-node1 ~]# openstack user create --domain default --password-prompt glance <- 創建glance用戶,密碼:glance ->
User Password:glance
[root@linux-node1 ~]# openstack role add --project service --user glance admin
<- 將glance用戶加入到service項目並且賦予admin角色->
[root@linux-node1 ~]# openstack user create --domain default --password-prompt nova <- 創建nova用戶,密碼:nova ->
User Password:nova
[root@linux-node1 ~]# openstack role add --project service --user nova admin
<- 將nova用戶加入到service項目並且賦予admin角色->
[root@linux-node1 ~]# openstack user create --domain default --password-prompt neutron <- 創建neutron用戶,密碼:neutron ->
User Password: neutron
[root@linux-node1 ~]# openstack role add --project service --user neutron admin
<- 將neutron用戶加入到service項目並且賦予admin角色->
[root@linux-node1 ~]# openstack user create --domain default --password-prompt cinder <- 創建cinder用戶,密碼:cinder ->
User Password:cinder
[root@linux-node1 ~]# openstack role add --project service --user cinder admin
<- 將cinder用戶加入到service項目並且賦予admin角色->
1.3驗證keystone
1.3.1驗證用戶
[root@linux-node1 ~]# unset OS_AUTH_URL OS_PASSWORD <- 取消之前的環境變量 ->
[root@linux-node1 ~]# openstack \
--os-auth-url http://192.168.56.11:35357/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name admin \
--os-username admin token issue
<- 驗證admin用戶:提示密碼時輸入admin,能正常輸出令牌信息即說明admin用戶沒問題 ->
[root@linux-node1 keystone]# openstack \
--os-auth-url http://192.168.56.11:35357/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name demo \
--os-username demo token issue
<- 驗證demo用戶:提示密碼時輸入demo,能正常輸出令牌信息即說明demo用戶沒問題 ->
1.3.2創建環境變量腳本
[root@linux-node1 ~]# vim admin-openstack <- admin環境變量文件;其中包含明文密碼,建議 chmod 600 admin-openstack,並且不要納入版本控制 ->
# admin-openstack: credentials for the admin user. Source this file
# ("source admin-openstack"); do not execute it.
# WARNING: OS_PASSWORD is stored in plain text here. Keep the file readable
# only by its owner (chmod 600) and never commit it to version control.
OS_PROJECT_DOMAIN_NAME=default
OS_USER_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=admin
# Admin API endpoint (port 35357), Identity API v3, Image API v2.
OS_AUTH_URL=http://192.168.56.11:35357/v3
OS_IDENTITY_API_VERSION=3
OS_IMAGE_API_VERSION=2
export OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME \
  OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION OS_IMAGE_API_VERSION
[root@linux-node1 ~]# vim demo-openstack <- demo環境變量文件;同樣包含明文密碼,建議 chmod 600 demo-openstack ->
# demo-openstack: credentials for the unprivileged demo user. Source this
# file ("source demo-openstack"); do not execute it.
# WARNING: OS_PASSWORD is stored in plain text here. Keep the file readable
# only by its owner (chmod 600) and never commit it to version control.
export OS_PROJECT_DOMAIN_NAME=default OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo OS_USERNAME=demo OS_PASSWORD=demo
# Public API endpoint (port 5000), Identity API v3, Image API v2.
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3 OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]# source admin-openstack <- 以admin身份操作時 source 此文件 ->
[root@linux-node1 ~]# source demo-openstack <- 以demo身份操作時 source 此文件;兩個文件設置的是同名變量,後 source 的會覆蓋前者,同一個 shell 裏按需只 source 其中一個 ->
1.4Keystone常見錯誤
401 #認證失敗:keystone 中的用戶名/密碼與配置文件或環境變量不一致、各節點時間不同步,或者項目/域名稱填錯
403 #權限不足:當前憑據對該項目/角色沒有相應權限;檢查是否 source 了正確的環境變量文件,或者修改後的配置文件尚未生效,需要重啓相關服務
409 #衝突:keystone 中已存在同名的用戶/項目/角色
500 #服務器內部錯誤:服務配置有問題,查看日誌並檢查配置
503 #服務不可用:通常是後端服務(如 glance)用來向 keystone 認證的賬戶密碼與其配置文件不一致,重設該賬戶密碼或刪除後重新創建即可
服務故障 #相關服務沒有起來