
OpenStack install KeyStone (Identity Service)

2020-09-02 | Virtualization | root

1. Introduction to KeyStone

Users and authentication: user permissions and tracking of user actions.

Service catalog: provides a catalog of all services together with the endpoints of their APIs.

2. yum install keystone (controller node)

[[email protected]_214 ~]# vim /etc/yum.repos.d/rdo-release.repo
[openstack-icehouse]
name=OpenStack Icehouse Repository
baseurl=http://repos.fedorapeople.org/repos/openstack/EOL/openstack-icehouse/epel-6/
enabled=1
gpgcheck=0
gpgkey=
[[email protected]_214 ~]# yum clean all
[[email protected]_214 ~]# yum makecache
[[email protected]_214 ~]# yum install -y openstack-keystone python-keystoneclient

3. Set the admin token

  • 3.1 Set the admin token

[[email protected]_214 ~]# ADMIN_TOKEN=$(openssl rand -hex 10)
[[email protected]_214 ~]# echo $ADMIN_TOKEN
452aa0a1b434843913fa
[[email protected]_214 ~]# vim /etc/keystone/keystone.conf
admin_token=452aa0a1b434843913fa
  • 3.2 Set the database connection

[[email protected]_214 keystone]# vim keystone.conf
connection=mysql://keystone:[email protected]/keystone
[[email protected]_214 keystone]# keystone-manage db_sync        # sync the database schema
[[email protected]_214 ~]# mysql -h192.168.15.11 -ukeystone -pkeystone -e"use keystone;show tables"
+-----------------------+
| Tables_in_keystone    |
+-----------------------+
| assignment            |
| credential            |
| domain                |
| endpoint              |
| group                 |
| migrate_version       |
| policy                |
| project               |
| region                |
| role                  |
| service               |
| token                 |
| trust                 |
| trust_role            |
| user                  |
| user_group_membership |
+-----------------------+
  • 3.3 Set the log directory

[[email protected]_214 keystone]# vim keystone.conf
log_file=/var/log/keystone/keystone.log
debug=true
  • 3.4 Set up PKI tokens

[[email protected]_214 keystone]# keystone-manage pki_setup --keystone-user root --keystone-group root      # the author uses the root user to generate the token signing material
[[email protected]_214 keystone]# chown -R keystone:keystone ssl/
  • 3.5 Check the keystone configuration file

[[email protected]_214 keystone]# grep '^[a-z]' keystone.conf
admin_token=452aa0a1b434843913fa
debug=true
log_file=/var/log/keystone/keystone.log
connection=mysql://keystone:[email protected]/keystone

4. KeyStone management

  • 4.1 Start keystone

[[email protected]_214 keystone]# keystone-all --config-file=/etc/keystone/keystone.conf
********** log_opt_values /usr/lib/python2.6/site-packages/oslo/config/cfg.py:1955
2016-10-29 20:21:52.667 5984 CRITICAL keystone [-] ConfigFileNotFound: The Keystone configuration file keystone-paste.ini could not be found.
2016-10-29 20:21:52.667 5984 TRACE keystone Traceback (most recent call last):
2016-10-29 20:21:52.667 5984 TRACE keystone   File "/usr/bin/keystone-all", line 126, in <module>
2016-10-29 20:21:52.667 5984 TRACE keystone     paste_config = config.find_paste_config()
2016-10-29 20:21:52.667 5984 TRACE keystone   File "/usr/lib/python2.6/site-packages/keystone/config.py", line 90, in find_paste_config
2016-10-29 20:21:52.667 5984 TRACE keystone     raise exception.ConfigFileNotFound(config_file=paste_config_value)
2016-10-29 20:21:52.667 5984 TRACE keystone ConfigFileNotFound: The Keystone configuration file keystone-paste.ini could not be found.
2016-10-29 20:21:52.667 5984 TRACE keystone 
What could be causing this? I looked at the Python file that raised the error but could not make sense of it. Try another way of starting it.
[[email protected]_214 keystone]# /etc/init.d/openstack-keystone start
[[email protected]_214 ~]# tail -f /var/log/keystone/keystone-startup.log
IOError: [Errno 13] Permission denied: '/var/log/keystone/keystone.log'
..... Caused by permissions. Fix the permissions below.
[[email protected]_214 ~]# chown -R keystone:keystone /var/log/keystone/
[[email protected]_214 keystone]# /etc/init.d/openstack-keystone start
[[email protected]_214 keystone]# netstat -anp | grep -E "5000|35357"
tcp        0      0 0.0.0.0:35357               0.0.0.0:*                   LISTEN      6151/python         # keystone admin port
tcp        0      0 0.0.0.0:5000                0.0.0.0:*                   LISTEN      6151/python
[[email protected]_214 keystone]# chkconfig --add openstack-keystone
[[email protected]_214 keystone]# chkconfig openstack-keystone on
  • 4.2 Create the admin user

[[email protected] keystone]# export OS_SERVICE_TOKEN=452aa0a1b434843913fa
[[email protected] keystone]# export OS_SERVICE_ENDPOINT=http://192.168.15.11:35357/v2.0
[[email protected] keystone]# keystone role-list
+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
+----------------------------------+----------+
[[email protected] keystone]# keystone user-create --name=admin --pass=admin     # create the admin user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | f46943ed0ea1428eb20628cb3ec067be |
|   name   |              admin               |
| username |              admin               |
+----------+----------------------------------+
[[email protected] keystone]# keystone role-create --name=admin      # create the admin role
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|    id    | abccf9494a054b1590160f5f408f6aeb |
|   name   |              admin               |
+----------+----------------------------------+
[[email protected] keystone]# keystone tenant-create --name=admin        # create the admin tenant
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | b94ae73b569e46a6a04fdc02d561865d |
|     name    |              admin               |
+-------------+----------------------------------+
[[email protected] keystone]# keystone user-role-add --user=admin --tenant=admin --role=admin     # link the admin user, the admin role and the admin tenant
[[email protected] keystone]# keystone user-role-add --user=admin --tenant=admin --role=_member_  # link the admin user, the _member_ role and the admin tenant
  • 4.3 View user, tenant and role information

[[email protected] keystone]# keystone user-list     # list users
+----------------------------------+-------+---------+-------+
|                id                |  name | enabled | email |
+----------------------------------+-------+---------+-------+
| f46943ed0ea1428eb20628cb3ec067be | admin |   True  |       |
+----------------------------------+-------+---------+-------+
[[email protected] keystone]# keystone role-list     # list roles
+----------------------------------+----------+
|                id                |   name   |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| abccf9494a054b1590160f5f408f6aeb |  admin   |
+----------------------------------+----------+
[[email protected] keystone]# keystone tenant-list       # list tenants
+----------------------------------+-------+---------+
|                id                |  name | enabled |
+----------------------------------+-------+---------+
| b94ae73b569e46a6a04fdc02d561865d | admin |   True  |
+----------------------------------+-------+---------+
  • 4.4 Create an ordinary user

Create an ordinary user and tenant, and attach the user to the _member_ role.

[[email protected] keystone]# keystone user-create --name=demo --pass=demo     # create the demo user
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
|  email   |                                  |
| enabled  |               True               |
|    id    | d2c09dba25bc4a1db5a52aac804a406b |
|   name   |               demo               |
| username |               demo               |
+----------+----------------------------------+
[[email protected] keystone]# keystone tenant-create --name=demo     # create the demo tenant
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |                                  |
|   enabled   |               True               |
|      id     | 47f0c3604d804bdd97258d4b49b58616 |
|     name    |               demo               |
+-------------+----------------------------------+
[[email protected] keystone]# keystone user-role-add --user=demo --role=_member_ --tenant=demo       # attach the user to the _member_ role
  • 4.5 Create Keystone's service and endpoint

[[email protected] keystone]# keystone service-create --name=keystone --type=identity --description="Openstack Identity"      # create the keystone service
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
| description |        Openstack Identity        |
|   enabled   |               True               |
|      id     | e39a683d743340dea051005c3ae35046 |
|     name    |             keystone             |
|     type    |             identity             |
+-------------+----------------------------------+
[[email protected] keystone]# keystone service-list      # list the registered services
+----------------------------------+----------+----------+--------------------+
|                id                |   name   |   type   |    description     |
+----------------------------------+----------+----------+--------------------+
| e39a683d743340dea051005c3ae35046 | keystone | identity | Openstack Identity |
+----------------------------------+----------+----------+--------------------+
[[email protected] keystone]# keystone endpoint-create \
> --service-id=e39a683d743340dea051005c3ae35046  \
> --publicurl=http://192.168.15.11:5000/v2.0 \
> --internalurl=http://192.168.15.11:5000/v2.0 \
> --adminurl=http://192.168.15.11:35357/v2.0                # create an endpoint
+-------------+----------------------------------+
|   Property  |              Value               |
+-------------+----------------------------------+
|   adminurl  | http://192.168.15.11:35357/v2.0  |
|      id     | 7b923b2e790b43ee8b5be99d5c8262d6 |
| internalurl |  http://192.168.15.11:5000/v2.0  |
|  publicurl  |  http://192.168.15.11:5000/v2.0  |
|    region   |            regionOne             |
|  service_id | e39a683d743340dea051005c3ae35046 |
+-------------+----------------------------------+
[[email protected] keystone]# keystone endpoint-list
+----------------------------------+-----------+--------------------------------+--------------------------------+---------------------------------+----------------------------------+
|                id                |   region  |           publicurl            |          internalurl           |             adminurl            |            service_id            |
+----------------------------------+-----------+--------------------------------+--------------------------------+---------------------------------+----------------------------------+
| 7b923b2e790b43ee8b5be99d5c8262d6 | regionOne | http://192.168.15.11:5000/v2.0 | http://192.168.15.11:5000/v2.0 | http://192.168.15.11:35357/v2.0 | e39a683d743340dea051005c3ae35046 |
+----------------------------------+-----------+--------------------------------+--------------------------------+---------------------------------+----------------------------------+

An Endpoint is the access address a service exposes; it carries a region attribute. To reach a service you must know its Endpoint.
  • 4.6 Verify Keystone
    To verify that the Identity service is installed and configured correctly, clear the OS_SERVICE_TOKEN and OS_SERVICE_ENDPOINT variables.

### Unset the environment variables
[[email protected] keystone]# unset OS_SERVICE_TOKEN
[[email protected] keystone]# unset OS_SERVICE_ENDPOINT
[[email protected] keystone]# keystone --os-username=admin --os-password=admin --os-auth-url=http://192.168.15.11:35357/v2.0 token-get
+----------+----------------------------------+
| Property |              Value               |
+----------+----------------------------------+
| expires  |       2016-11-05T19:25:15Z       |
|    id    | <PKI token, truncated in source> |
| user_id  | f46943ed0ea1428eb20628cb3ec067be |
+----------+----------------------------------+
  • 4.7 Configure Keystone environment variables

[[email protected] keystone]# vim /root/keystone-admin
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.15.11:35357/v2.0
[[email protected] keystone]# keystone token-get
[[email protected] keystone]# keystone user-list
Expecting an auth URL via either --os-auth-url or env[OS_AUTH_URL]
[[email protected] keystone]# source /root/keystone-admin
[[email protected] keystone]# keystone user-list
+----------------------------------+-------+---------+-------+
|                id                |  name | enabled | email |
+----------------------------------+-------+---------+-------+
| f46943ed0ea1428eb20628cb3ec067be | admin |   True  |       |
| d2c09dba25bc4a1db5a52aac804a406b |  demo |   True  |       |
+----------------------------------+-------+---------+-------+
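As an added example (not part of the original post), a POSIX sh audit of the state these steps leave behind: gpgcheck=0 in the repo file, admin_token and debug=true in keystone.conf, the clear-text database password in connection=, ownership of the ssl/ and log directories, and the mode of the /root/keystone-admin rc file. The file layout and the sample contents it constructs are assumptions modelled on the post, not the real host.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed layout mirrors the post:
# rdo-release.repo, keystone.conf, the ssl/ dir from pki_setup, the log dir
# and the /root/keystone-admin rc file.

# audit_keystone REPO_FILE CONF SSL_DIR LOG_DIR RC_FILE SERVICE_USER
# Prints one "FINDING: ..." line per issue and nothing when clean.
audit_keystone() {
    repo=$1; conf=$2; ssl_dir=$3; log_dir=$4; rc_file=$5; svc_user=$6

    # Section 2: gpgcheck=0 installs packages without signature verification.
    grep -q '^gpgcheck=0' "$repo" &&
        echo "FINDING: gpgcheck=0 in $repo (unverified packages)"

    # 3.1: admin_token is a bootstrap credential that bypasses normal auth;
    # it should go once the admin user and endpoint work (4.6).
    grep -q '^admin_token=' "$conf" &&
        echo "FINDING: admin_token still set in $conf"

    # 3.3: debug=true writes full request/response bodies, tokens included.
    grep -q '^debug=[Tt]rue' "$conf" &&
        echo "FINDING: debug=true in $conf"

    # 3.2: connection= carries the MySQL password in clear text, so the file
    # must not be world-readable (column 8 of ls -l is 'r' if it is).
    if grep -q '^connection=mysql://[^:]*:[^@]*@' "$conf" &&
       [ "$(ls -l "$conf" | cut -c8)" = "r" ]; then
        echo "FINDING: $conf holds a DB password and is world-readable"
    fi

    # 3.4 / 4.1: the PKI signing key in ssl/ and the log dir must belong to
    # the service user, which is what the post's two chown steps fix.
    for d in "$ssl_dir" "$log_dir"; do
        [ "$(ls -ld "$d" | awk '{print $3}')" = "$svc_user" ] ||
            echo "FINDING: $d is not owned by $svc_user"
    done

    # 4.7: the rc file exports OS_PASSWORD in clear text; keep it mode 0600.
    case "$(ls -l "$rc_file" | cut -c5-10)" in
        ------) ;;
        *) echo "FINDING: $rc_file is readable by group or others" ;;
    esac
    return 0
}

# Constructed sample (not the real host): recreate the post's end state in a
# temp dir owned by whoever runs this, and print the number of findings.
demo_findings() {
    tmp=$(mktemp -d)
    printf '%s\n' '[openstack-icehouse]' 'enabled=1' 'gpgcheck=0' > "$tmp/rdo-release.repo"
    printf '%s\n' 'admin_token=452aa0a1b434843913fa' 'debug=true' \
        'connection=mysql://keystone:keystone@192.168.15.11/keystone' > "$tmp/keystone.conf"
    mkdir "$tmp/ssl" "$tmp/log"
    printf 'export OS_PASSWORD=admin\n' > "$tmp/keystone-admin"
    chmod 644 "$tmp/keystone.conf" "$tmp/keystone-admin"
    audit_keystone "$tmp/rdo-release.repo" "$tmp/keystone.conf" "$tmp/ssl" "$tmp/log" \
        "$tmp/keystone-admin" "$(id -un)" | grep -c '^FINDING:'
    rm -rf "$tmp"
}
```

On the sample state the ownership checks pass (the directories belong to the running user) and the other five checks each report one finding.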