OpenStack Operations in Practice Series (1): Creating a keystone user

1. Preface

    I have been using openstack in a production environment for a little over a year. Short on time, and made lazy by work, I kept putting off writing up what I know about openstack; with the end of the year approaching, this series summarises the common operations tasks I have run into in production over the past year or so. Note that these operations are essentially all based on the official openstack documentation and help output, so the best resource remains the official documentation; what follows is only intended to get the ball rolling.


2. About keystone

    keystone is the service in openstack responsible for authentication and authorization. It does two main jobs: 1. user authentication and authorization, and 2. the service catalog. Overall, keystone acts as openstack's registry: every user has to be registered in keystone, and every openstack service has to register its catalog information with keystone, so that components can find and call one another.


3. Opening keystone access for a user

    The smallest unit of resource allocation in openstack is the tenant. A tenant is a collection of resources: compute, network and storage. A tenant usually corresponds to a company, a department or an individual, for example a company signing up for Alibaba Cloud, or a department requesting resources on the internal openstack private cloud. For an openstack cloud administrator, granting users access is one of the basic tasks. A tenant also receives a default compute quota, storage quota and network quota; adjusting quotas is covered in a later post. Creating a user proceeds in three stages: 1. create the user, 2. create the tenant, 3. add the user to the tenant with a role.

3.1 Create the user

[root@controller ~]# keystone user-create --name user1 --pass password --email [email protected] --enabled true
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |        [email protected]         |
| enabled  |               True               |
|    id    | ce398fc13d224c63b9d90b3cc2b6d464 |        #the user's id
|   name   |              user1               |
| username |              user1               |
+----------+----------------------------------+

View the user list:
[root@controller ~]# keystone user-list
+----------------------------------+---------+---------+---------------------+
|                id                |   name  | enabled |        email        |
+----------------------------------+---------+---------+---------------------+
| bc5e46fc4204497185ae3ca6f8b7affb |  admin  |   True  |  [email protected]  |
| ac86694e3053492f921e19aca9c9d646 |  cinder |   True  |  [email protected] |
| 0ed4f1c5af2a496a8d56e256d966ef9d |   demo  |   True  |   [email protected]  |
| 0922aae9b7bf4f80a7811fd0c7db49c6 |  glance |   True  |  [email protected] |
| 053262aa44ce430d91465417f045cead | neutron |   True  | [email protected] |
| b709f56c61114ce78768b34d76d5af90 |   nova  |   True  |   [email protected]  |
| ce398fc13d224c63b9d90b3cc2b6d464 |  user1  |   True  |  [email protected]  |        #the user just created; its id is needed later
+----------------------------------+---------+---------+---------------------+

View the user's details:
[root@controller ~]# keystone user-get ce398fc13d224c63b9d90b3cc2b6d464
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |        [email protected]         |
| enabled  |               True               |
|    id    | ce398fc13d224c63b9d90b3cc2b6d464 |
|   name   |              user1               |
| username |              user1               |
+----------+----------------------------------+

Summary: the user management operations are user-create, user-delete, user-update, user-list and user-get (create, delete, update and query), plus user-password-update to change a user's password. The operations for tenant, role, service and endpoint follow the same pattern.


3.2 Create the tenant

[root@controller ~]# keystone tenant-create --name companyA --description "Project For ComputeA" --enabled true
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       Project For ComputeA       |
|   enabled   |               True               |
|      id     | 7ff1dfb5a6f349958c3a949248e56236 |        #the tenant's id, used later
|     name    |             companyA             |
+-------------+----------------------------------+

View the tenant list:
[root@controller ~]# keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 842ab3268a2c47e6a4b0d8774de805ae |  admin   |   True  |
| 7ff1dfb5a6f349958c3a949248e56236 | companyA |   True  |        #the tenant just created
| 10d1465c00d049fab88dec1af0f56b1b |   demo   |   True  |
| 3b57a14f7c354a979c9f62b60f31a331 | service  |   True  |
+----------------------------------+----------+---------+

View the tenant's details:
[root@controller ~]# keystone tenant-get 7ff1dfb5a6f349958c3a949248e56236
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |       Project For ComputeA       |
|   enabled   |               True               |
|      id     | 7ff1dfb5a6f349958c3a949248e56236 |
|     name    |             companyA             |
+-------------+----------------------------------+

3.3 Associate the user with the tenant and role

View the tenant's id:
[root@controller ~]# keystone tenant-list
+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 842ab3268a2c47e6a4b0d8774de805ae |  admin   |   True  |
| 7ff1dfb5a6f349958c3a949248e56236 | companyA |   True  |        #the tenant's id
| 10d1465c00d049fab88dec1af0f56b1b |   demo   |   True  |
| 3b57a14f7c354a979c9f62b60f31a331 | service  |   True  |
+----------------------------------+----------+---------+

View the role's id:
[root@controller ~]# keystone role-list
+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |                  #the id of the _member_ role
| 7b0ceee10fb64960acb2b6f0b9247b4f |  admin   |
+----------------------------------+----------+

Add the user to the tenant with the _member_ role, using the three ids looked up above (user, role, tenant):
[root@controller ~]# keystone user-role-add --user ce398fc13d224c63b9d90b3cc2b6d464 --role 9fe2ff9ee4384b1894a90878d3e92bab --tenant 7ff1dfb5a6f349958c3a949248e56236

View the user's role assignment:

[root@controller ~]# keystone user-role-list --user user1 --tenant companyA
+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ce398fc13d224c63b9d90b3cc2b6d464 | 7ff1dfb5a6f349958c3a949248e56236 |
+----------------------------------+----------+----------------------------------+----------------------------------+
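The three steps above depend on copying three 32-character ids by hand from one table into the next command, which is where most typos in this procedure happen. The following shell helpers are an added example (not part of the original post, and not keystone's own tooling): they look each id up by name from the table output of the legacy keystone `*-list` commands, then confirm that the binding actually shows up in `keystone user-role-list`. The function names and the sample tables are this example's own; the sample tables are constructed from the output shown in the post.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for the user/tenant/role
# procedure: resolve ids by name from the table output of the legacy keystone
# CLI, and verify the resulting role binding. Function and variable names are
# this example's own assumptions.

# Sample tables, constructed from the output shown in the post (no live CLI needed).
SAMPLE_USER_LIST='+----------------------------------+---------+---------+
|                id                |   name  | enabled |
+----------------------------------+---------+---------+
| bc5e46fc4204497185ae3ca6f8b7affb |  admin  |   True  |
| ce398fc13d224c63b9d90b3cc2b6d464 |  user1  |   True  |
+----------------------------------+---------+---------+'
SAMPLE_TENANT_LIST='+----------------------------------+----------+---------+
|                id                |   name   | enabled |
+----------------------------------+----------+---------+
| 842ab3268a2c47e6a4b0d8774de805ae |  admin   |   True  |
| 7ff1dfb5a6f349958c3a949248e56236 | companyA |   True  |
+----------------------------------+----------+---------+'
SAMPLE_ROLE_LIST='+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 7b0ceee10fb64960acb2b6f0b9247b4f |  admin   |
+----------------------------------+----------+'
SAMPLE_USER_ROLE_LIST='+----------------------------------+----------+----------------------------------+----------------------------------+
|                id                |   name   |             user_id              |            tenant_id             |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | ce398fc13d224c63b9d90b3cc2b6d464 | 7ff1dfb5a6f349958c3a949248e56236 |
+----------------------------------+----------+----------------------------------+----------------------------------+'

# id_by_name TABLE NAME: print the id of the row whose name column equals NAME
# exactly; exit 1 if there is no such row. Assumes the legacy CLI table layout,
# where the first column is id and the second is name.
id_by_name() {
    printf '%s\n' "$1" | awk -F'|' -v want="$2" '
        /^\|/ {
            id = $2; name = $3
            gsub(/^[ \t]+|[ \t]+$/, "", id)
            gsub(/^[ \t]+|[ \t]+$/, "", name)
            if (name == want && id != "id") { print id; found = 1; exit }
        }
        END { exit !found }'
}

# role_bound TABLE ROLE_ID USER_ID TENANT_ID: exit 0 if the user-role-list
# table contains a row with exactly that role/user/tenant triple, else exit 1.
role_bound() {
    printf '%s\n' "$1" | awk -F'|' -v r="$2" -v u="$3" -v t="$4" '
        /^\|/ {
            id = $2; uid = $4; tid = $5
            gsub(/[ \t]/, "", id); gsub(/[ \t]/, "", uid); gsub(/[ \t]/, "", tid)
            if (id == r && uid == u && tid == t) { found = 1; exit }
        }
        END { exit !found }'
}

# grant_member USER TENANT [ROLE]: the live procedure against a real
# controller. Ids are resolved by name, the binding is created, and the
# function only succeeds if user-role-list afterwards shows the binding.
grant_member() {
    user="$1"; tenant="$2"; role="${3:-_member_}"
    uid=$(id_by_name "$(keystone user-list)" "$user")     || { echo "no user $user" >&2; return 1; }
    tid=$(id_by_name "$(keystone tenant-list)" "$tenant") || { echo "no tenant $tenant" >&2; return 1; }
    rid=$(id_by_name "$(keystone role-list)" "$role")     || { echo "no role $role" >&2; return 1; }
    keystone user-role-add --user "$uid" --role "$rid" --tenant "$tid" || return 1
    role_bound "$(keystone user-role-list --user "$user" --tenant "$tenant")" "$rid" "$uid" "$tid"
}

# Only talk to a controller when the CLI is present and names were given,
# e.g.: sh grant_member.sh user1 companyA
if command -v keystone >/dev/null 2>&1 && [ "$#" -ge 2 ]; then
    grant_member "$@"
fi
```

Matching on the exact name (rather than a substring) matters because `keystone user-list` on a real controller also contains service accounts such as nova and neutron, and the verification step is what tells you the `user-role-add` took effect rather than silently doing nothing.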


4. Summary

    The above is the process of opening keystone access for a user. keystone operations cover user, tenant, role, service and endpoint; each object has create, delete, update and query commands, which can be seen in the keystone command list. For example, keystone help user-create shows how user-create is used.


5. keystone usage appendix

[root@controller ~]# keystone -h
usage: keystone [--version] [--timeout <seconds>]
                [--os-username <auth-user-name>]
                [--os-password <auth-password>]
                [--os-tenant-name <auth-tenant-name>]
                [--os-tenant-id <tenant-id>] [--os-auth-url <auth-url>]
                [--os-region-name <region-name>]
                [--os-identity-api-version <identity-api-version>]
                [--os-token <service-token>]
                [--os-endpoint <service-endpoint>]
                [--os-cacert <ca-certificate>] [--insecure]
                [--os-cert <certificate>] [--os-key <key>] [--os-cache]
                [--force-new-token] [--stale-duration <seconds>]
                <subcommand> ...

Pending deprecation: Command-line interface to the OpenStack Identity API.
This CLI is pending deprecation in favor of python-openstackclient. For a
Python library, continue using python-keystoneclient.

Positional arguments:
  <subcommand>
    catalog             List service catalog, possibly filtered by service.
    ec2-credentials-create                                             #Amazon EC2-compatible credentials
                        Create EC2-compatible credentials for user per tenant.
    ec2-credentials-delete
                        Delete EC2-compatible credentials.
    ec2-credentials-get
                        Display EC2-compatible credentials.
    ec2-credentials-list
                        List EC2-compatible credentials for a user.
    endpoint-create     Create a new endpoint associated with a service.   #endpoint management
    endpoint-delete     Delete a service endpoint.
    endpoint-get        Find endpoint filtered by a specific attribute or
                        service type.
    endpoint-list       List configured service endpoints.
    password-update     Update own password.
    role-create         Create new role.                               #role management
    role-delete         Delete role.
    role-get            Display role details.
    role-list           List all roles.
    service-create      Add service to Service Catalog.                #service management
    service-delete      Delete service from Service Catalog.
    service-get         Display service from Service Catalog.
    service-list        List all services in Service Catalog.
    tenant-create       Create new tenant.                             #tenant management
    tenant-delete       Delete tenant.
    tenant-get          Display tenant details.
    tenant-list         List all tenants.
    tenant-update       Update tenant name, description, enabled status.
    token-get           Display the current user token.
    user-create         Create new user                                #user management
    user-delete         Delete user.
    user-get            Display user details.
    user-list           List users.
    user-password-update
                        Update user password.
    user-role-add       Add role to user.                           #user role and tenant management
    user-role-list      List roles granted to a user.
    user-role-remove    Remove role from user.
    user-update         Update user's name, email, and enabled status.
    discover            Discover Keystone servers, supported API versions and
                        extensions.
    bootstrap           Grants a new role to a new user on a new tenant, after
                        creating each.
    bash-completion     Prints all of the commands and options to stdout.
    help                Display help about this program or one of its
                        subcommands.

