OpenStack deployment: Keystone

    Introduction

    Keystone is OpenStack's identity service. Many other components have to authenticate against Keystone, so it is the first component we deploy.

    Create the database

    First create a keystone database and grant the keystone service account access to it:

    $ mysql -u root -p
    MariaDB [(none)]> CREATE DATABASE keystone;
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS'; # local connections only
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
    

    Install and configure

    # yum install openstack-keystone httpd mod_wsgi 

    Edit /etc/keystone/keystone.conf, Keystone's configuration file, and point it at the MySQL database. The password in the connection string must be the one granted to the keystone user above (the GRANT statements use KEYSTONE_DBPASS while the connection string below uses keystone; pick one value and use it in both places):

    [database]
    connection = mysql+pymysql://keystone:keystone@192.168.46.130/keystone
    [token]
    # ...
    provider = fernet

    Initialize

    • Initialize the keystone database
    # su -s /bin/sh -c "keystone-manage db_sync" keystone

    Once the sync has run, Keystone's tables exist in the keystone database.

    • Initialize the key repositories
    # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

    When this finishes, two key directories (one for Fernet tokens, one for credentials) have been created under /etc/keystone/.
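    The Fernet key repository created by fernet_setup is not a single key but a set of numbered key files, and keystone-manage fernet_rotate rotates them: the highest-numbered file is the primary key that issues tokens, key 0 is the staged key that will become primary on the next rotation (it validates tokens but never issues them), and the remaining files are secondary keys kept only to validate older tokens, up to the configured max_active_keys. The following added example, which is not code from the original post or from Keystone itself, simulates that rotation scheme in a temporary directory and shows the practical consequence: a token stays valid for max_active_keys - 2 rotations after it was issued, so rotation frequency and max_active_keys together bound how long a stolen or forgotten token can be used. Real Fernet encrypts the payload with AES-CBC and authenticates it with HMAC-SHA256; the stand-in token here is HMAC-SHA256 only, so the example runs with the standard library. The class name, the payload and the directory layout are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import os
import tempfile


class FernetKeyRepository:
    """Numbered key files laid out the way keystone-manage keeps them (assumed model)."""

    def __init__(self, path, max_active_keys=3):
        self.path = path
        self.max_active_keys = max_active_keys

    def _file(self, index):
        return os.path.join(self.path, str(index))

    def keys(self):
        """Map key index -> key bytes for every numbered file in the repository."""
        result = {}
        for name in os.listdir(self.path):
            if name.isdigit():
                with open(self._file(name), "rb") as fh:
                    result[int(name)] = fh.read()
        return result

    def _new_key(self, index):
        with open(self._file(index), "wb") as fh:
            fh.write(os.urandom(32))

    def setup(self):
        """Like fernet_setup: a staged key 0 and a primary key 1."""
        self._new_key(0)
        self._new_key(1)

    def primary(self):
        """The highest-numbered key is the one that issues tokens."""
        return max(self.keys())

    def rotate(self):
        """Like fernet_rotate: promote the staged key, stage a fresh one, purge the oldest."""
        new_primary = self.primary() + 1
        os.rename(self._file(0), self._file(new_primary))
        self._new_key(0)
        active = sorted(i for i in self.keys() if i != 0)  # primary + secondaries
        while len(active) > self.max_active_keys - 1:
            os.remove(self._file(active.pop(0)))  # drop the oldest secondary key

    def issue(self, payload):
        """Authenticate a payload with the primary key (stand-in for Fernet encryption)."""
        key = self.keys()[self.primary()]
        tag = hmac.new(key, payload, hashlib.sha256).digest()
        return base64.urlsafe_b64encode(payload + tag).decode("ascii")

    def validate(self, token):
        """Try every key in the repository, staged key included; None if none matches."""
        raw = base64.urlsafe_b64decode(token.encode("ascii"))
        payload, tag = raw[:-32], raw[-32:]
        for key in self.keys().values():
            if hmac.compare_digest(hmac.new(key, payload, hashlib.sha256).digest(), tag):
                return payload
        return None


def rotation_demo(max_active_keys=3):
    """Issue one token, rotate twice, report validity after each step and the keys left."""
    with tempfile.TemporaryDirectory() as repo_dir:
        repo = FernetKeyRepository(repo_dir, max_active_keys)
        repo.setup()
        token = repo.issue(b'{"user":"demo","project":"demo"}')  # constructed payload
        valid = [repo.validate(token) is not None]
        for _ in range(2):
            repo.rotate()
            valid.append(repo.validate(token) is not None)
        return valid, sorted(repo.keys())


if __name__ == "__main__":
    print(rotation_demo())  # [True, True, False], [0, 2, 3]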

    • Bootstrap the service
    keystone-manage bootstrap --bootstrap-password admin \
        --bootstrap-admin-url http://192.168.46.130:35357/v3/ \
        --bootstrap-internal-url http://192.168.46.130:5000/v3/ \
        --bootstrap-public-url http://192.168.46.130:5000/v3/ \
        --bootstrap-region-id RegionOne
    

    This registers Keystone's endpoints on ports 35357 and 5000, Keystone's two default ports, which the other components use to talk to Keystone later. The value given to --bootstrap-password becomes the password of the admin user.

    Configure the HTTP server

    Keystone runs under the Apache HTTP server, which was installed above. Configure it by editing /etc/httpd/conf/httpd.conf:

    ServerName 192.168.46.130:80
    

    Create a symlink to /usr/share/keystone/wsgi-keystone.conf:

    # ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
    

    /usr/share/keystone/wsgi-keystone.conf is the configuration that actually serves Keystone (contents below). It defines the two ports; once httpd is started below, it listens on 5000 and 35357.

    Listen 5000
    Listen 35357
    
    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/httpd/keystone.log
        CustomLog /var/log/httpd/keystone_access.log combined
    
        <Directory /usr/bin>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
        </Directory>
    </VirtualHost>
    
    <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/httpd/keystone.log
        CustomLog /var/log/httpd/keystone_access.log combined
    
        <Directory /usr/bin>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
        </Directory>
    </VirtualHost>
    
    Alias /identity /usr/bin/keystone-wsgi-public
    <Location /identity>
        SetHandler wsgi-script
        Options +ExecCGI
    
        WSGIProcessGroup keystone-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
    </Location>
    
    Alias /identity_admin /usr/bin/keystone-wsgi-admin
    <Location /identity_admin>
        SetHandler wsgi-script
        Options +ExecCGI
    
        WSGIProcessGroup keystone-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
    </Location>
    
    • Start the httpd service
    # systemctl enable httpd.service
    # systemctl start httpd.service
    
    • Set the environment variables
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://192.168.46.130:35357/v3
    export OS_IDENTITY_API_VERSION=3

    With that, the Keystone component is installed. Next we create a project, a user and a role in Keystone.

    Create domains, projects, users and roles

    • Create the project: service
    $ openstack project create --domain default \
      --description "Service Project" service
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 24ac7f19cd944f4cba1d77469b2a73ed |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    +-------------+----------------------------------+
    • Create the project: demo
    $ openstack project create --domain default \
      --description "Demo Project" demo
    
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 231ad6e7ebba47d6a1e57e1cc07ae446 |
    | is_domain   | False                            |
    | name        | demo                             |
    | parent_id   | default                          |
    +-------------+----------------------------------+
    
    • Create the user: demo
    $ openstack user create --domain default \
      --password-prompt demo
    
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | aeda23aa78f44e859900e22c24817832 |
    | name                | demo                             |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    • Create the role: user
    $ openstack role create user
    
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | 997ce8d05fc143ac97d83fdfb5998552 |
    | name      | user                             |
    +-----------+----------------------------------+
    
    • Give the demo user the user role in the demo project
    $ openstack role add --project demo --user demo user

    After all of that you may be a little confused, so here is an explanation. Keystone has three terms: project (formerly called tenant), user and role. They can be understood as follows: a user is an account used to log in to OpenStack and perform operations on it. Different users should have different permissions, which is where roles come in: each user can be assigned a role, and each role carries different permissions. To manage users, each user is placed in a project, and a project may contain many users. So a project is like a department in a company, a role is like an employee's job title (different titles, different permissions), and a user is like an employee.

    Verification

    With the deployment done, let's verify that Keystone works. Earlier we set a number of environment variables:

    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_AUTH_URL=http://192.168.46.130:35357/v3
    export OS_IDENTITY_API_VERSION=3
    

    These environment variables are optional, but without them every openstack command has to be given the same values as options, like this:

    $ openstack --os-auth-url http://192.168.46.130:35357/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name admin --os-username admin token issue
    
    Password:
    +------------+-----------------------------------------------------------------+
    | Field      | Value                                                           |
    +------------+-----------------------------------------------------------------+
    | expires    | 2016-02-12T20:14:07.056119Z                                     |
    | id         | gAAAAABWvi7_B8kKQD9wdXac8MoZiQldmjEO643d-e_j-XXq9AmIegIbA7UHGPv |
    |            | atnN21qtOMjCFWX7BReJEQnVOAj3nclRQgAYRsfSU_MrsuWb4EDtnjU7HEpoBb4 |
    |            | o6ozsA_NmFWEpLeKy0uNn_WeKbAhYygrsmQGA49dclHVnz-OMVLiyM9ws       |
    | project_id | 343d245e850143a096806dfaefa9afdc                                |
    | user_id    | ac3377633149401296f6c0d92d79dc16                                |
    +------------+-----------------------------------------------------------------+
    

    Here the admin user sends an authentication request to Keystone and Keystone returns a token.

    Now verify the demo user created above in the same way:

    $ openstack --os-auth-url http://192.168.46.130:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name demo --os-username demo token issue
    
    Password:
    +------------+-----------------------------------------------------------------+
    | Field      | Value                                                           |
    +------------+-----------------------------------------------------------------+
    | expires    | 2016-02-12T20:15:39.014479Z                                     |
    | id         | gAAAAABWvi9bsh7vkiby5BpCCnc-JkbGhm9wH3fabS_cY7uabOubesi-Me6IGWW |
    |            | yQqNegDDZ5jw7grI26vvgy1J5nCVwZ_zFRqPiz_qhbq29mgbQLglbkq6FQvzBRQ |
    |            | JcOzq3uwhzNxszJWmzGC7rJE_H0A_a3UFhqv8M4zMRYSbS2YF0MyFmp_U       |
    | project_id | ed0b60bf607743088218b0a533d5943f                                |
    | user_id    | 58126687cbcc4888bfa9ab73a2256f27                                |
    +------------+-----------------------------------------------------------------+

    If all of the above runs without errors, Keystone has been deployed successfully.
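    Behind `openstack token issue` is one HTTP exchange with the Identity v3 API: a POST to OS_AUTH_URL/auth/tokens whose JSON body carries the password-authentication block and the project scope built from the OS_* variables, answered by 201 Created with the token ID in the X-Subject-Token response header and the token's metadata (expiry, scoped project, user) in the JSON body. The following added example, which is not code from the original post or from the openstack client, builds that request from the variables the post uses and parses such a reply; the reply it parses is a constructed sample whose project and user ids are taken from the demo output above and whose token ID is a placeholder, and no network connection is made. Note that the password travels in the request body, so outside a lab the auth endpoint should be behind TLS rather than the plain http:// URLs used here.

```python
import json


def build_auth_request(username, password, project_name,
                       user_domain="Default", project_domain="Default"):
    """Identity v3 password-authentication body, scoped to a project.

    A token scoped this way carries the roles the user holds in that project,
    which is what `openstack role add --project demo --user demo user` set up.
    """
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,  # sent in clear inside the body: use TLS
                    }
                },
            },
            "scope": {
                "project": {
                    "name": project_name,
                    "domain": {"name": project_domain},
                }
            },
        }
    }


def request_from_env(env):
    """Turn the OS_* variables from the post's scripts into (url, body)."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    body = build_auth_request(
        env["OS_USERNAME"], env["OS_PASSWORD"], env["OS_PROJECT_NAME"],
        env.get("OS_USER_DOMAIN_NAME", "Default"),
        env.get("OS_PROJECT_DOMAIN_NAME", "Default"),
    )
    return url, body


def parse_token_response(status, headers, body):
    """Pick out the fields that `openstack token issue` prints.

    Keystone answers 201 Created. The token ID is only in the X-Subject-Token
    header; the JSON body describes the token (expiry, project, user).
    """
    if status != 201:
        raise RuntimeError("authentication failed: HTTP %d" % status)
    lowered = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    token = json.loads(body)["token"]
    return {
        "id": lowered["x-subject-token"],
        "expires": token["expires_at"],
        "project_id": token["project"]["id"],
        "user_id": token["user"]["id"],
    }


# Constructed sample reply for the demo user: ids from the post's output, token
# ID a placeholder (real ones are long Fernet strings). Not captured traffic.
SAMPLE_STATUS = 201
SAMPLE_HEADERS = {"X-Subject-Token": "TOKEN_ID_PLACEHOLDER",
                  "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({
    "token": {
        "methods": ["password"],
        "expires_at": "2016-02-12T20:15:39.014479Z",
        "project": {"id": "ed0b60bf607743088218b0a533d5943f", "name": "demo"},
        "user": {"id": "58126687cbcc4888bfa9ab73a2256f27", "name": "demo"},
        "roles": [{"name": "user"}],
    }
})


def demo_exchange():
    """Build the demo user's request and parse the constructed reply."""
    env = {
        "OS_AUTH_URL": "http://192.168.46.130:5000/v3", "OS_USERNAME": "demo",
        "OS_PASSWORD": "demo", "OS_PROJECT_NAME": "demo",
        "OS_USER_DOMAIN_NAME": "Default", "OS_PROJECT_DOMAIN_NAME": "Default",
    }
    url, body = request_from_env(env)
    assert url == "http://192.168.46.130:5000/v3/auth/tokens"
    # A real client would now send: requests.post(url, json=body)
    return parse_token_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    print(json.dumps(demo_exchange(), indent=2))
```

    The same function pair serves the admin check on port 35357: only OS_AUTH_URL, OS_USERNAME, OS_PASSWORD and OS_PROJECT_NAME change, which is exactly what the two environment scripts below differ in.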

    Environment variable scripts

    Every request to Keystone above needed a long list of parameters. When OpenStack's other components interact with Keystone, they expect a set of environment variables to be set first, so that the parameters do not have to be repeated:

    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=admin
    export OS_AUTH_URL=http://192.168.46.130:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

    Save the above as admin-openstack.sh and run source admin-openstack.sh whenever you want to authenticate against Keystone as admin.

    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=demo
    export OS_AUTH_URL=http://192.168.46.130:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    

    Save this as demo-openstack.sh. You will have noticed that the admin user uses OS_AUTH_URL=http://192.168.46.130:35357/v3 while the demo user uses OS_AUTH_URL=http://192.168.46.130:5000/v3. This is what Keystone's two ports are for: a user can use either port, and which one to use depends on the user's privileges.

    This completes the deployment of the Keystone component.

    Original source: https://www.cnblogs.com/baihl/p/10707256.html