zoukankan      html  css  js  c++  java
  • Centos7 Openstack

    Centos7 install Openstack - (第二节)添加认证服务(Keystone)

    我的blog地址:http://www.cnblogs.com/caoguo

    根据openstack官方文档配置

    官方文档地址: http://docs.openstack.org/juno/install-guide/install/yum/content/#

    0x01.认证服务安装与配置(控制节点)

    [root@controller ~]# mysql -uroot -p
    MariaDB [(none)]> CREATE DATABASE keystone;
    
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' 
    -> IDENTIFIED BY 'KEYSTONE_DBPASS';
    
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' 
    -> IDENTIFIED BY 'KEYSTONE_DBPASS';
    
    MariaDB [(none)]> flush privileges;
    [root@controller ~]# openssl rand -hex 10
    cdda1486bf623ac74d53
    [root@controller ~]# yum install -y openstack-keystone python-keystoneclient
    [root@controller ~]# cp -rf /etc/keystone/keystone.conf /etc/keystone/keystone.conf.old
    [root@controller ~]# vi /etc/keystone/keystone.conf   #增加一下配置就可以了
    [DEFAULT]
    admin_token = cdda1486bf623ac74d53
    verbose = True
    
    [database]
    connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
    
    [token]
    provider = keystone.token.providers.uuid.Provider
    driver = keystone.token.persistence.backends.sql.Token
    
    [revoke]
    driver = keystone.contrib.revoke.backends.sql.Revoke
    [root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
    [root@controller ~]# chown -R keystone:keystone /var/log/keystone
    [root@controller ~]# chown -R keystone:keystone /etc/keystone/ssl
    [root@controller ~]# chmod -R o-rwx /etc/keystone/ssl
    [root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
    
    [root@controller ~]# systemctl enable openstack-keystone.service
    [root@controller ~]# systemctl start openstack-keystone.service




    0x02. Create tenants, users, and roles(控制节点)

    [root@controller ~]# export OS_SERVICE_TOKEN=cdda1486bf623ac74d53
    [root@controller ~]# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0



    2-1. Create an administrative tenant, user, and role for administrative operations in your environment:
      a. Create the admin tenant:(创建租户admin)

    [root@controller ~]# keystone tenant-create --name admin --description "Admin Tenant"
    +-------------+----------------------------------+
    | Property | Value |
    +-------------+----------------------------------+
    | description | Admin Tenant |
    | enabled | True |
    | id | f42937a2fd484d638ce58e67fef59b67 |
    | name | admin |
    +-------------+----------------------------------+


      b. Create the admin user:(创建用户admin)

    [root@controller ~]# keystone user-create --name admin --pass ADMIN_PASS --email admin@example.com
    
    +----------+----------------------------------+
    | Property | Value |
    +----------+----------------------------------+
    | email | admin@example.com |
    | enabled | True |
    | id | cc58749f0ecb402d9f627ee72bda5afb |
    | name | admin |
    | username | admin |
    +----------+----------------------------------+

     

      c. Create the admin role:(创建角色admin)

    [root@controller ~]# keystone role-create --name admin
    +----------+----------------------------------+
    | Property | Value |
    +----------+----------------------------------+
    | id | 4fa15a3b9fc6464694696fa75696b191 |
    | name | admin |
    +----------+----------------------------------+

     

      d. Add the admin role to the admin tenant and user:(添加用户到租户以及角色中)

    [root@controller ~]# keystone user-role-add --user admin --tenant admin --role admin


    2-2. Create a demo tenant and user for typical operations in your environment:
      a. Create the demo tenant:(创建租户demo)

    [root@controller ~]# keystone tenant-create --name demo --description "Demo Tenant"
    +-------------+----------------------------------+
    | Property | Value |
    +-------------+----------------------------------+
    | description | Demo Tenant |
    | enabled | True |
    | id | e15976585a8b45c4984f4ebd9db90b5c |
    | name | demo |
    +-------------+----------------------------------+

     


      b. Create the demo user under the demo tenant:(添加demo用户到租户demo中)

    [root@controller ~]# keystone user-create --name demo --tenant demo --pass DEMO_PASS --email demo@example.com
    +----------+----------------------------------+
    | Property | Value |
    +----------+----------------------------------+
    | email | demo@example.com |
    | enabled | True |
    | id | 5c8155359c20422c96e7bcd6aa6388ba |
    | name | demo |
    | tenantId | e15976585a8b45c4984f4ebd9db90b5c |
    | username | demo |
    +----------+----------------------------------+

     

    2-3.OpenStack services also require a tenant, user, and role to interact with other services.
    Each service typically requires creating one or more unique users with the admin role
    under the service tenant

     a. Create the service tenant:(创建租户service)

    [root@controller ~]# keystone tenant-create --name service --description "Service Tenant"
    +-------------+----------------------------------+
    | Property | Value |
    +-------------+----------------------------------+
    | description | Service Tenant |
    | enabled | True |
    | id | 6826a4d9fa7f4e438f3c79010ad80dcd |
    | name | service |
    +-------------+----------------------------------+

     




    0x03. Create the service entity and API endpoint(控制节点)
      3-1. Create the service entity for the Identity service:

    [root@controller ~]# keystone service-create --name keystone --type identity 
    --description "OpenStack Identity"
    +-------------+----------------------------------+
    | Property | Value |
    +-------------+----------------------------------+
    | description | OpenStack Identity |
    | enabled | True |
    | id | 5da5b6f72df341a7959ee7b42131c082 |
    | name | keystone |
    | type | identity |
    +-------------+----------------------------------+

     

      3-2. Create the Identity service API endpoints:

    [root@controller ~]# keystone endpoint-create 
    --service-id $(keystone service-list | awk '/ identity / {print $2}') 
    --publicurl http://controller:5000/v2.0 
    --internalurl http://controller:5000/v2.0 
    --adminurl http://controller:35357/v2.0 
    --region regionOne
    +-------------+----------------------------------+
    | Property | Value |
    +-------------+----------------------------------+
    | adminurl | http://controller:35357/v2.0 |
    | id | 90af99e76cc54249b5ac3ec4269b0d99 |
    | internalurl | http://controller:5000/v2.0 |
    | publicurl | http://controller:5000/v2.0 |
    | region | regionOne |
    | service_id | 5da5b6f72df341a7959ee7b42131c082 |
    +-------------+----------------------------------+

     




    0x04. 确认以上操作(控制节点)
      4-1. 销毁变量

    [root@controller ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT



      4-2. 验证token

    [root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS 
    --os-auth-url http://controller:35357/v2.0 token-get
    +-----------+----------------------------------+
    | Property | Value |
    +-----------+----------------------------------+
    | expires | 2015-11-01T09:43:34Z |
    | id | 6ce0cc1d7cf94cd39f66f8cad8d78da1 |
    | tenant_id | f42937a2fd484d638ce58e67fef59b67 |
    | user_id | cc58749f0ecb402d9f627ee72bda5afb |
    +-----------+----------------------------------+


      4-3.租户列表

    [root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS 
    --os-auth-url http://controller:35357/v2.0 tenant-list
    +----------------------------------+---------+---------+
    | id | name | enabled |
    +----------------------------------+---------+---------+
    | f42937a2fd484d638ce58e67fef59b67 | admin | True |
    | e15976585a8b45c4984f4ebd9db90b5c | demo | True |
    | 6826a4d9fa7f4e438f3c79010ad80dcd | service | True |
    +----------------------------------+---------+---------+

      

      4-4. 用户列表

    [root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS 
    --os-auth-url http://controller:35357/v2.0 user-list
    +----------------------------------+-------+---------+------------------+
    | id | name | enabled | email |
    +----------------------------------+-------+---------+------------------+
    | cc58749f0ecb402d9f627ee72bda5afb | admin | True | admin@example.com |
    | 5c8155359c20422c96e7bcd6aa6388ba | demo | True | demo@example.com |
    +----------------------------------+-------+---------+------------------+

      4-5. 角色列表

    [root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS 
    --os-auth-url http://controller:35357/v2.0 role-list
    +----------------------------------+----------+
    | id | name |
    +----------------------------------+----------+
    | 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
    | 4fa15a3b9fc6464694696fa75696b191 | admin |
    +----------------------------------+----------+



      4-6.  demo用户获取token

    [root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS 
    --os-auth-url http://controller:35357/v2.0 token-get
    +-----------+----------------------------------+
    | Property | Value |
    +-----------+----------------------------------+
    | expires | 2015-11-01T10:04:54Z |
    | id | 8beacb3ab30e402583b9e1ff2bdf05ba |
    | tenant_id | e15976585a8b45c4984f4ebd9db90b5c |
    | user_id | 5c8155359c20422c96e7bcd6aa6388ba |
    +-----------+----------------------------------+



      4-7. 尝试无权限访问

    [root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS 
    > --os-auth-url http://controller:35357/v2.0 user-list
    You are not authorized to perform the requested action: admin_required (HTTP 403)



    0x05. Create OpenStack client environment scripts(控制节点)
      5-1. 添加admin的环境变量

    [root@controller ~]# vi admin-openrc.s
    export OS_TENANT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=ADMIN_PASS
    export OS_AUTH_URL=http://controller:35357/v2.0


      5-2. 添加demo用户的环境变量

    [root@controller ~]# vi demo-openrc.sh
    export OS_TENANT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=DEMO_PASS
    export OS_AUTH_URL=http://controller:5000/v2.0
  • 相关阅读:
    又见Python<4>:Pandas之DataFrame对象的使用
    又见Python<3>:Pandas之Series对象的使用
    使用tdload工具将本地数据导入到Teradata数据库中
    解决ubuntu系统root用户下Chrome无法启动问题
    又见Python<2>:如何安装第三方库(Windows)
    又见Python<1>:使用Anaconda搭建Python开发环境(Windows7)
    数据仓库原理<4>:联机分析处理(OLAP)
    数据仓库原理<3>:数据仓库与ODS
    配置hibernate,Struts。文件
    jQuery +ajax +json+实现分页
  • 原文地址:https://www.cnblogs.com/caoguo/p/4934414.html
Copyright © 2011-2022 走看看