Building an OpenStack Cloud Platform (2) | Installing Keystone
- Keystone (OpenStack Identity Service) is the component of the OpenStack framework responsible for authentication, service access rules and service tokens.
- Below we install and deploy Keystone.
1. Log in to the database and configure it
1. Use the database access client to connect to the database server as the root user (log in to the database):
[root@controller ~]# mysql -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 18
Server version: 10.3.20-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
2. Create the keystone database:
MariaDB [(none)]> CREATE DATABASE keystone;
3. Grant proper access to the keystone database:
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
IDENTIFIED BY '123';
4. Exit the database:
MariaDB [(none)]> quit
2. Import the Keystone tables into the database
1. Install the Keystone packages (Python 3 environment):
[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
2. Back up the configuration file and edit it:
[root@controller ~]# cp /etc/keystone/keystone.conf{,.bak}
[root@controller ~]# grep -Ev "^$|#" /etc/keystone/keystone.conf.bak > /etc/keystone/keystone.conf
[root@controller ~]# vi /etc/keystone/keystone.conf
[DEFAULT]
[application_credential]
[assignment]
[auth]
[cache]
[catalog]
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:123@controller/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_receipts]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[jwt_tokens]
[ldap]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_middleware]
[oslo_policy]
[policy]
[profiler]
[receipt]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[token]
provider = fernet
[tokenless_auth]
[totp]
3. Sync the database:
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
Log in to the database and check whether the keystone database now has tables; output like the following means the sync is complete:
[root@controller ~]# mysql -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 25
Server version: 10.3.20-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| keystone |
| mysql |
| performance_schema |
+--------------------+
4 rows in set (0.001 sec)
MariaDB [(none)]> use keystone;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [keystone]> show tables;
+------------------------------------+
| Tables_in_keystone |
+------------------------------------+
| access_rule |
| access_token |
| application_credential |
| application_credential_access_rule |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_option |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| role_option |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+------------------------------------+
4. Initialize the Fernet key repositories:
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
5. Bootstrap the Identity service:
keystone-manage bootstrap --bootstrap-password 123 \
--bootstrap-admin-url http://controller:5000/v3/ \
--bootstrap-internal-url http://controller:5000/v3/ \
--bootstrap-public-url http://controller:5000/v3/ \
--bootstrap-region-id RegionOne
3. Configure the HTTP server
1. Edit the httpd configuration file:
[root@controller ~]# vi /etc/httpd/conf/httpd.conf
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
#
# If your host doesn't have a registered DNS name, enter its IP address here.
#
#ServerName www.example.com:80
ServerName controller
2. Create the symbolic link:
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
3. Start httpd:
[root@controller ~]# systemctl enable httpd
[root@controller ~]# systemctl start httpd
4. Configure the environment variables:
[root@controller ~]# vi /etc/keystone/admin-openrc.sh
#!/bin/bash
export OS_USERNAME=admin
export OS_PASSWORD=123
export OS_PROJECT_NAME=admin
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_DOMAIN_NAME=Default
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
[root@controller ~]# source /etc/keystone/admin-openrc.sh
4. Create the domain and user
[root@controller ~]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | ee0a6bbc972d4355a0910e73c515f96f |
| name | example |
| options | {} |
| tags | [] |
+-------------+----------------------------------+
[root@controller ~]# openstack project create --domain default \
> --description "Service Project" service
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 13c13a875184458a940e9e195688c2ff |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
5. Create the script
[root@controller ~]# vi /etc/keystone/admin-openrc.sh
#!/bin/bash
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Load it:
[root@controller ~]# source /etc/keystone/admin-openrc.sh
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2023-02-08T16:49:18+0000 |
| id | gAAAAABj48R-5UKgioRRedEM1uDIImmqKdI00OnFYE2yy-7vzw8MpO2NZgpfbEvk90Sq4SqMN2aK4PRXT5TLExWMVbZacpJHHcr0gPLQ_B1cMj0TgDqHtZ9Tohngxh6ImnFZ7VA-sUu2n4oWZjSmFOySWgDCBdYJ8MJaIPCsxlnCf8riQFQiRQI |
| project_id | 4c7bdbb75b9e481db886549f7d2711be |
| user_id | 41944ebcbb2541acbc31bfd591107fff |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
At this point the Keystone deployment is complete.
Keystone (OpenStack Identity Service) is the component of the OpenStack framework that manages authentication, service access rules and service tokens. When a user accesses a resource, the user's identity and permissions must be verified, and when a service performs an operation its permissions must also be checked; all of this is handled by Keystone. Keystone acts like a service bus, or the registry of the whole OpenStack framework: OpenStack services register their endpoints (the URLs at which they are accessed) with Keystone, and any call from one service to another must first authenticate with Keystone and obtain the target service's endpoint before making the call.
Keystone's main functions are as follows:
- managing users and their permissions
- maintaining the endpoints of OpenStack services
- authentication and authorization.
Introduction to user authentication
User authentication involves the following terms:
1. User
- In OpenStack a digital identity represents a person, system or service that uses OpenStack, and OpenStack verifies the user's requests. A tenant can have multiple users and a user can belong to multiple tenants; the operations a user may perform in a tenant are determined by the role the user holds in that tenant.
2. Project
- A Project is a set of accessible resources or resource groups in OpenStack; it is essentially a container that provides isolation or is used to identify objects.
3. Token
- The credential an OpenStack user uses for authentication.
4. Role
- In OpenStack a Role represents a set of permissions and is always bound to a user; it declares which resources the user may access.
Introduction to the service catalog
The service catalog involves the following terms:
1. Service
- A Service is a service in OpenStack, such as Nova, Glance, Swift and so on.
2. Endpoints
- An endpoint is the interface a service exposes to the outside; to access a service you must know its endpoints. Each endpoint URL corresponds to the access address of one service instance and comes in three kinds: public, private and admin. The public URL can be accessed openly, the private URL can be accessed by devices on the local network, and the admin URL is kept separate from regular access.
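As an added example (not code from the original post), the following Python script does by hand what the `openstack token issue` step above does with the variables from admin-openrc.sh, and then looks up a service's endpoint in the catalog returned with the token by interface (the Keystone v3 catalog labels these public, internal and admin). The sample reply embedded in it is constructed; the live `issue_token` call only works against a reachable controller after sourcing the openrc file.

```python
import json
import os
import urllib.request


def build_password_auth(username, password, project,
                        user_domain="Default", project_domain="Default"):
    """Keystone v3 password-auth body, scoped to a project like the openrc does."""
    user = {"name": username, "domain": {"name": user_domain}, "password": password}
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": user}},
        "scope": {"project": {"name": project, "domain": {"name": project_domain}}}}}


def parse_token_response(subject_token, body):
    """Reduce a /v3/auth/tokens reply to the fields `openstack token issue` prints.
    The token itself arrives in the X-Subject-Token header, not in the JSON body."""
    tok = body["token"]
    return {"expires": tok["expires_at"], "id": subject_token,
            "project_id": tok["project"]["id"], "user_id": tok["user"]["id"]}


def find_endpoint(body, service_type, interface="public"):
    """Look up service_type/interface in the token's catalog; None if not registered."""
    for svc in body["token"].get("catalog", []):
        if svc["type"] == service_type:
            for ep in svc["endpoints"]:
                if ep["interface"] == interface:
                    return ep["url"]
    return None


def issue_token(auth_url, username, password, project):
    """Live request against OS_AUTH_URL (e.g. http://controller:5000/v3)."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens",
        data=json.dumps(build_password_auth(username, password, project)).encode(),
        headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req) as resp:
        return parse_token_response(resp.headers["X-Subject-Token"], json.load(resp))


# Constructed sample reply: real v3 shape, ids copied from the post's output above.
SAMPLE_RESPONSE = {"token": {
    "expires_at": "2023-02-08T16:49:18.000000Z",
    "project": {"id": "4c7bdbb75b9e481db886549f7d2711be"},
    "user": {"id": "41944ebcbb2541acbc31bfd591107fff"},
    "catalog": [{"type": "identity", "name": "keystone", "endpoints": [
        {"interface": i, "url": "http://controller:5000/v3/"}
        for i in ("public", "internal", "admin")]}]}}

if __name__ == "__main__":
    env = [os.environ.get(k) for k in ("OS_AUTH_URL", "OS_USERNAME", "OS_PASSWORD", "OS_PROJECT_NAME")]
    print(issue_token(*env) if all(env) else parse_token_response("<token>", SAMPLE_RESPONSE))
```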