  • Installing OpenStack (Rocky) on CentOS 7 - 02. Installing the Keystone identity service component (controller node)

    This post covers Keystone, the OpenStack identity (authentication) service component.

    --------------- the perfect divider ----------------

    2.0. The Keystone identity service

    1) Users and authentication: user permissions and tracking of user actions

    User
    Tenant
    Token
    Role

    2) Service catalog: provides a catalog of all services together with the endpoints of their APIs

    Service
    Endpoint

    2.1. Create the Keystone database on the controller node

    1) Create the keystone database and grant privileges

    mysql -p123456
    --------------------------------
    CREATE DATABASE keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
    flush privileges;
    show databases;
    select user,host from mysql.user;
    exit
    --------------------------------

    2.2. Install the Keystone packages on the controller node

    1) Install the Keystone packages

    # Configure Apache: an HTTP server with mod_wsgi serves the identity requests on ports 5000 and 35357; by default the Keystone service still listens on these ports

    yum install openstack-keystone httpd mod_wsgi -y
    yum install openstack-keystone python-keystoneclient openstack-utils -y

    2) Quickly edit the Keystone configuration

    # The quick configuration method below requires openstack-utils to be installed

    openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
    openstack-config --set /etc/keystone/keystone.conf token provider fernet

    # Note: Keystone does not need to connect to RabbitMQ

    # View the effective configuration

    egrep -v "^#|^$" /etc/keystone/keystone.conf  

    # Another way to view the effective configuration

    grep '^[a-z]' /etc/keystone/keystone.conf

    # Example:

    [root@openstack01 tools]# grep '^[a-z]' /etc/keystone/keystone.conf
    connection = mysql+pymysql://keystone:keystone@controller/keystone
    provider = fernet

    # Keystone does not need to be started as its own service; it is invoked through httpd

    2.3. Initialize and sync the Keystone database

    1) Sync the Keystone database (44 tables)

    su -s /bin/sh -c "keystone-manage db_sync" keystone

    2) After the sync, test the connection

    # Make sure all the required tables were created, otherwise later steps may fail

    mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"

    Example:

    [root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"
    +-----------------------------+
    | Tables_in_keystone          |
    +-----------------------------+
    | access_token                |
    | application_credential      |
    | application_credential_role |
    | assignment                  |
    | config_register             |
    | consumer                    |
    | credential                  |
    | endpoint                    |
    | endpoint_group              |
    | federated_user              |
    | federation_protocol         |
    | group                       |
    | id_mapping                  |
    | identity_provider           |
    | idp_remote_ids              |
    | implied_role                |
    | limit                       |
    | local_user                  |
    | mapping                     |
    | migrate_version             |
    | nonlocal_user               |
    | password                    |
    | policy                      |
    | policy_association          |
    | project                     |
    | project_endpoint            |
    | project_endpoint_group      |
    | project_tag                 |
    | region                      |
    | registered_limit            |
    | request_token               |
    | revocation_event            |
    | role                        |
    | sensitive_config            |
    | service                     |
    | service_provider            |
    | system_assignment           |
    | token                       |
    | trust                       |
    | trust_role                  |
    | user                        |
    | user_group_membership       |
    | user_option                 |
    | whitelisted_config          |
    +-----------------------------+
    [root@openstack01 ~]# mysql -h192.168.1.81 -ukeystone -pkeystone -e "use keystone;show tables;"|wc -l
    45

    2.4. Initialize the Fernet key repositories

    # Initialize Fernet key repositories:

    # For background on Fernet tokens see: https://blog.csdn.net/wllabs/article/details/79064094

    # The following commands produce no output

    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
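    The two commands above create /etc/keystone/fernet-keys and /etc/keystone/credential-keys, and the tokens issued later in this post are only as secret as those directories. As an added example (it is not from the original post or from Keystone itself), the shell function below audits such a repository the way fernet_setup is expected to leave it: directory mode 700 and owned by the keystone user, key files mode 600, file names that are plain integers (0 is the staged key, the highest number is the primary key), and each key 44 characters of base64 text. The repository path and the expected owner are arguments; the keys used when this is exercised are constructed dummy files, not real keys.

```shell
#!/bin/sh
# Added example: audit a Keystone Fernet (or credential) key repository.
# Usage: audit_fernet_repo /etc/keystone/fernet-keys keystone
# Prints one FAIL line per problem and returns 1, or an OK summary and returns 0.
audit_fernet_repo() {
    repo="$1"
    owner="$2"
    rc=0
    if [ ! -d "$repo" ]; then
        echo "FAIL: $repo does not exist (run keystone-manage fernet_setup)"
        return 1
    fi
    dir_mode=$(stat -c '%a' "$repo")
    dir_owner=$(stat -c '%U' "$repo")
    [ "$dir_mode" = "700" ] || { echo "FAIL: $repo mode is $dir_mode, want 700"; rc=1; }
    [ "$dir_owner" = "$owner" ] || { echo "FAIL: $repo owned by $dir_owner, want $owner"; rc=1; }
    nkeys=0
    maxkey=-1
    for key in "$repo"/*; do
        [ -f "$key" ] || continue
        name=$(basename "$key")
        # Only integer file names belong here; anything else is suspicious.
        case "$name" in
            ''|*[!0-9]*) echo "FAIL: unexpected file $name in repository"; rc=1; continue ;;
        esac
        nkeys=$((nkeys + 1))
        [ "$name" -gt "$maxkey" ] && maxkey=$name
        mode=$(stat -c '%a' "$key")
        [ "$mode" = "600" ] || { echo "FAIL: key $name mode is $mode, want 600"; rc=1; }
        # A Fernet key is 32 random bytes, base64-encoded: 44 characters.
        len=$(tr -d '\n' < "$key" | wc -c | tr -d ' ')
        [ "$len" -eq 44 ] || { echo "FAIL: key $name has $len characters, want 44"; rc=1; }
    done
    [ "$nkeys" -ge 1 ] || { echo "FAIL: no key files in $repo"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: $nkeys key(s), primary key is $maxkey"
    return $rc
}
```

    Run it after fernet_setup and again after every `keystone-manage fernet_rotate`: rotation adds a new key file, so the primary key number should go up and the permissions should stay at 700/600. On a multi-controller deployment the same check belongs on every node that the key repository is copied to.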

    2.5. Configure and start Apache (httpd)

    1) Edit the main httpd configuration file

    vim /etc/httpd/conf/httpd.conf +95
    ----------------------------------
    ServerName controller
    ----------------------------------

    # or

    sed  -i  "s/#ServerName www.example.com:80/ServerName 192.168.1.81/" /etc/httpd/conf/httpd.conf
    cat /etc/httpd/conf/httpd.conf |grep ServerName

    2) Configure the virtual host

    # Create a symlink to the Keystone virtual host configuration file (it can also be copied instead)

    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

    # Or create the file by hand

    cat /usr/share/keystone/wsgi-keystone.conf
    -------------------------------
    [root@openstack01 ~]# cat /usr/share/keystone/wsgi-keystone.conf
    Listen 5000
    
    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        LimitRequestBody 114688
        <IfVersion >= 2.4>
          ErrorLogFormat "%{cu}t %M"
        </IfVersion>
        ErrorLog /var/log/httpd/keystone.log
        CustomLog /var/log/httpd/keystone_access.log combined
    
        <Directory /usr/bin>
            <IfVersion >= 2.4>
                Require all granted
            </IfVersion>
            <IfVersion < 2.4>
                Order allow,deny
                Allow from all
            </IfVersion>
        </Directory>
    </VirtualHost>
    
    Alias /identity /usr/bin/keystone-wsgi-public
    <Location /identity>
        SetHandler wsgi-script
        Options +ExecCGI
    
        WSGIProcessGroup keystone-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
    </Location>
    --------------------------------

    3) Start httpd and enable it at boot

    systemctl start httpd.service
    systemctl status httpd.service
    netstat -anptl|grep httpd
    
    systemctl enable httpd.service
    systemctl list-unit-files |grep httpd.service

    # If httpd fails to start, disable SELinux or install openstack-selinux (yum install openstack-selinux)

    Example:

    [root@openstack01 ~]# systemctl start httpd.service
    [root@openstack01 ~]# systemctl status httpd.service
    ● httpd.service - The Apache HTTP Server
       Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
       Active: active (running) since 五 2018-10-26 18:06:20 CST; 98ms ago
         Docs: man:httpd(8)
               man:apachectl(8)
     Main PID: 1978 (httpd)
       Status: "Processing requests..."
       CGroup: /system.slice/httpd.service
               ├─1978 /usr/sbin/httpd -DFOREGROUND
               ├─1981 (wsgi:keystone- -DFOREGROUND
               ├─1982 (wsgi:keystone- -DFOREGROUND
               ├─1983 (wsgi:keystone- -DFOREGROUND
               ├─1984 (wsgi:keystone- -DFOREGROUND
               ├─1985 (wsgi:keystone- -DFOREGROUND
               ├─1986 /usr/sbin/httpd -DFOREGROUND
               ├─1988 /usr/sbin/httpd -DFOREGROUND
               └─1989 /usr/sbin/httpd -DFOREGROUND
    
    10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Starting The Apache HTTP Server...
    10月 26 18:06:20 openstack01.zuiyoujie.com systemd[1]: Started The Apache HTTP Server.
    [root@openstack01 ~]# netstat -anptl|grep httpd
    tcp        0      0 0.0.0.0:5000            0.0.0.0:*               LISTEN      1978/httpd          
    tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1978/httpd          
    [root@openstack01 ~]# systemctl enable httpd.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
    [root@openstack01 ~]# systemctl list-unit-files |grep httpd.service
    httpd.service                                 enabled 

    # At this point the httpd service is configured

    2.6. Bootstrap the Keystone identity service

    1) Create the keystone user and bootstrap the service entity and API endpoints

    # In earlier releases (before Queens) the bootstrap needed two ports (5000 for users and 35357 for admin); this release serves everything on a single port

    # Create the Keystone service entity and the identity service endpoints; the three interface types are public, internal and admin.

    # A password ADMIN_PASS has to be chosen for the OpenStack admin user; here it is 123456

    keystone-manage bootstrap --bootstrap-password ADMIN_PASS \
      --bootstrap-admin-url http://controller:5000/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne

    # The command as actually run:

    keystone-manage bootstrap --bootstrap-password 123456 \
      --bootstrap-admin-url http://controller:5000/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne

    # Running this command adds the following to the keystone database (earlier releases required creating these by hand):

    1) three API endpoints for the service entity in the endpoint table
    2) the admin user in the local_user table
    3) the admin project and the Default domain in the project table
    4) three roles, admin, member and reader, in the role table
    5) the identity service in the service table

    2) Temporarily set the admin account's environment variables for administration

    # OS_PASSWORD here must be the ADMIN_PASS configured above

    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USER_DOMAIN_NAME=Default
    export OS_USERNAME=admin
    export OS_PASSWORD=123456
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3

    # Show the declared variables

    env |grep OS_

    Example:

    [root@openstack01 ~]# env|grep OS_
    OS_USER_DOMAIN_NAME=Default
    OS_PROJECT_NAME=admin
    OS_IDENTITY_API_VERSION=3
    OS_PASSWORD=123456
    OS_AUTH_URL=http://controller:5000/v3
    OS_USERNAME=admin
    OS_PROJECT_DOMAIN_NAME=Default

    # Earlier releases used admin_token to set the initial admin authentication token, something like this:

    export OS_TOKEN=c0053993bb39ad3de84a
    export OS_URL=http://192.168.1.81:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

    Appendix: common openstack administration commands; they need the admin environment variables loaded

    # View Keystone instance information

    openstack endpoint list
    openstack project list
    openstack user list

    Example:

    [root@openstack01 ~]# openstack endpoint list
    +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
    | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
    +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
    | b8dabe6c548e435eb2b1f7efe3b23236 | RegionOne | keystone     | identity     | True    | admin     | http://controller:5000/v3/ |
    | eb72eb6ea51842feb67ba5849beea48c | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3/ |
    | f172f6159ad34fbd8e10e0d42828d8cd | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3/ |
    +----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
    [root@openstack01 ~]# openstack project list
    +----------------------------------+-----------+
    | ID                               | Name      |
    +----------------------------------+-----------+
    | 3706708374804e2eb4ed056f55d84666 | admin     |
    | 84cc7185f2c8461eb19a14968228b272 | myproject |
    | b8e318b3c7a844708762169959c34ff8 | service   |
    +----------------------------------+-----------+
    [root@openstack01 ~]# openstack user list
    +----------------------------------+--------+
    | ID                               | Name   |
    +----------------------------------+--------+
    | cbb2b3830a8f44bc837230bca27ae563 | myuser |
    | e5dbfc8b394c41679fd5ce229cdd6ed3 | admin  |
    +----------------------------------+--------+

    # Delete an endpoint

    # In earlier releases endpoints were created one by one and a mistaken one had to be deleted; this release has improved that: as long as the system configuration is correct, they are generated automatically and rarely go wrong

    openstack endpoint delete [ID]

    2.7. Create the standard Keystone entities

    # Create a domain, projects, users, and roles

    https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html

    1) Create a Keystone domain named example

    # The following command creates a project named example in the project table

    openstack domain create --description "An Example Domain" example

    Example:

    [root@openstack01 ~]# openstack domain create --description "An Example Domain" example
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | An Example Domain                |
    | enabled     | True                             |
    | id          | 17254ea898de477ca4a1f6f3cbc6c5bc |
    | name        | example                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    2) Create a project named service for the Keystone system environment

    # For regular (non-admin) tasks an unprivileged user is required

    # The following command creates a project named service in the project table

    openstack project create --domain default --description "Service Project" service

    Example:

    [root@openstack01 ~]# openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | b8e318b3c7a844708762169959c34ff8 |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    3) Create the myproject project and its user and role

    # A project for regular (non-admin) users

    # The following command creates a project named myproject in the project table

    openstack project create --domain default --description "Demo Project" myproject

    Example:

    [root@openstack01 ~]# openstack project create --domain default --description "Demo Project" myproject
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 84cc7185f2c8461eb19a14968228b272 |
    | is_domain   | False                            |
    | name        | myproject                        |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

    4) Create the myuser user in the default domain

    # --password sets the password directly in plaintext; --password-prompt asks for it interactively
    # The following command adds myuser to the local_user table

    openstack user create --domain default  --password-prompt myuser    # prompt for the password interactively
    # openstack user create --domain default  --password=myuser myuser    # create the user and password in one go

    Example:

    [root@openstack01 ~]# openstack user create --domain default  --password-prompt myuser
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | cbb2b3830a8f44bc837230bca27ae563 |
    | name                | myuser                           |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+

    5) Create the myrole role in the role table

    openstack role create myrole

    Example:

    [root@openstack01 ~]# openstack role create myrole
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | 75ac33f79cc945afa42a18a3dd0ba0ad |
    | name      | myrole                           |
    +-----------+----------------------------------+

    6) Add the myrole role to the myuser user in the myproject project

    # The following command produces no output, and the table change is not obvious

    openstack role add --project myproject --user myuser myrole

    2.8. Verify that Keystone was installed correctly

    1) Unset the environment variables

    # Drop the temporary credentials, then obtain a token to verify that Keystone is configured correctly

    unset OS_AUTH_URL OS_PASSWORD
    env |grep OS_

    2) Request an authentication token as the admin user

    # Test whether the admin account can authenticate and request a token

    openstack --os-auth-url http://controller:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name admin --os-username admin token issue

    Example:

    [root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
    >   --os-project-domain-name Default --os-user-domain-name Default \
    >   --os-project-name admin --os-username admin token issue
    Password: 
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2018-10-26T11:48:40+0000                                                                                                                                                                |
    | id         | gAAAAABb0vEIENgBaYEBJZSJX7RDelXdM2sHi_hbfT-FHTjd3z5j5Mt-sssJpW1EXeWVAbMdyBI2t9XNCxG5m1XNm_2k1xWP7WnbOYAp1rl2FZCwz4LL0F-mER_bOW-HnE0rjA6YvP0MzW4HVg0eEE_6zACr0R0NaaVytK_eRsvO_Lhco6vacYY |
    | project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                        |
    | user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

    3) Obtain an authentication token as a regular user

    # The following command uses the password of the "myuser" user and API port 5000, which allows only regular (non-admin) access to the Identity service API.

    openstack --os-auth-url http://controller:5000/v3 \
      --os-project-domain-name Default --os-user-domain-name Default \
      --os-project-name myproject --os-username myuser token issue

    Example:

    [root@openstack01 ~]# openstack --os-auth-url http://controller:5000/v3 \
    >   --os-project-domain-name Default --os-user-domain-name Default \
    >   --os-project-name myproject --os-username myuser token issue
    Password: 
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2018-10-26T11:49:18+0000                                                                                                                                                                |
    | id         | gAAAAABb0vEuxOrgkmLfcZJl8vB6dJyrHFtvxBT1m7qLYzuD-WkOVoQUzE9mTGcrKE6CrZbLU57Nc7mv-50-ggH9pf2qrW5uWQu7MRJcUb3rgpmoYn7EVdv8X0lGK3IiWEPSF48u1b2y7mEmvYb7TGOFO8l87of6L2aaJmdMxp9KgM87_3Mu2-g |
    | project_id | 84cc7185f2c8461eb19a14968228b272                                                                                                                                                        |
    | user_id    | cbb2b3830a8f44bc837230bca27ae563                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
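    What `openstack token issue` does under the hood is a single POST to /v3/auth/tokens with a password credential scoped to a project; Keystone answers 201 and hands the Fernet token back in the X-Subject-Token response header (the JSON body carries the expiry and catalog, not the token). The shell functions below are an added example, not part of the original post or of the openstack client: they build that request body, issue the request with curl, pull the token out of a saved header dump, and validate a token the way a service would (GET /v3/auth/tokens with the presented token in X-Subject-Token, which returns 404 for an unknown, expired or revoked token). They assume curl is installed and OS_AUTH_URL points at the v3 endpoint (http://controller:5000/v3 in this post); the header and body text used to exercise the parsers are constructed samples.

```shell
#!/bin/sh
# Added example: the Identity v3 token exchange behind `openstack token issue`.
# Assumes curl and OS_AUTH_URL=http://controller:5000/v3 (assumption, set by the caller).

# Escape a value for use inside a JSON string (backslash and double quote).
json_str() {
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

# Body of POST /v3/auth/tokens: password method, scoped to a project.
# Arguments: user, user domain, project, project domain, password.
build_auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$(json_str "$1")" "$(json_str "$2")" "$(json_str "$5")" "$(json_str "$3")" "$(json_str "$4")"
}

# The token lives in the X-Subject-Token response header; read it from a header dump.
extract_subject_token() {
    sed -n 's/^[Xx]-[Ss]ubject-[Tt]oken:[[:space:]]*//p' "$1" | tr -d '\r'
}

# Read expires_at out of the token JSON body (no JSON parser needed for one field).
extract_expiry() {
    sed -n 's/.*"expires_at":[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Request side: issue a token and print it. Optional 6th argument: file to keep the body in.
keystone_token_issue() {
    hdrs=$(mktemp)
    body=${6:-/dev/null}
    build_auth_body "$1" "$2" "$3" "$4" "$5" |
        curl -sS -D "$hdrs" -o "$body" -H 'Content-Type: application/json' \
             --data @- "$OS_AUTH_URL/auth/tokens"
    extract_subject_token "$hdrs"
    rm -f "$hdrs"
}

# Validation side: a caller with its own token checks a token someone presents.
# Prints the HTTP status: 200 valid, 404 unknown/expired/revoked, 401 if our own token is bad.
keystone_token_validate() {
    curl -sS -o /dev/null -w '%{http_code}' \
         -H "X-Auth-Token: $1" -H "X-Subject-Token: $2" "$OS_AUTH_URL/auth/tokens"
}
```

    Typical use on the controller: `tok=$(keystone_token_issue admin Default admin Default "$OS_PASSWORD" /tmp/tok.json)`, then `extract_expiry /tmp/tok.json` to see the same expires value the table above shows, and `keystone_token_validate "$tok" "$tok"` should print 200. Checking a token with GET rather than trusting the client is how every other OpenStack service (through keystonemiddleware) treats the tokens this post issues, so a 404 here is the first thing to look at when a service rejects a user.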

    2.9. Create the OpenStack client environment scripts

    # Create OpenStack client environment scripts

    # Above, a combination of environment variables and command options was used to talk to the Identity service through the openstack client.
    # To make client operations more efficient, OpenStack supports simple client environment scripts, the OpenRC files; I use custom file names here

    1) Create the environment script for the admin user

    # vim admin-openrc
    cd /server/tools
    vim keystone-admin-pass.sh
    ----------------------------------
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=123456
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    ----------------------------------
    env |grep OS_

    # Use:
    If the dashboard login password has been forgotten, it can be changed using the admin_token authentication mechanism

    2) Create the client environment script for the regular user myuser

    vim keystone-myuser-pass.sh
    -------------------------------
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=myproject
    export OS_USERNAME=myuser
    export OS_PASSWORD=myuser
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    -------------------------------

    3) Test the environment script

    # Source the script to load the client configuration, so the client can quickly run as a specific tenant and user

    source keystone-admin-pass.sh

    4) Request an authentication token

    openstack token issue

    Example:

    [root@openstack01 tools]# openstack token issue
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2018-10-26T12:13:28+0000                                                                                                                                                                |
    | id         | gAAAAABb0vbYr--LRd1NJ9ZXH68zSR4mIW4hDr6UqqiPmsA7vNEGDcMx8o-6Ihy8o47c5jo5GInOCe9KpKMfbXtdWPz6QkkWzZcFMqwXYS4tUI8DjjamEUBqFwlI10Oxbq7pEIGKVtFdMrOHy3EoLmE1rjY0p4DDm48pt3u8ON807nr0MUa1zIE |
    | project_id | 3706708374804e2eb4ed056f55d84666                                                                                                                                                        |
    | user_id    | e5dbfc8b394c41679fd5ce229cdd6ed3                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

    # The user_id is the same as the one obtained with the full command above, which shows the configuration is working

    # This completes the Keystone installation

    ======== Done, hehe ========

  • Original article: https://www.cnblogs.com/tssc/p/9858655.html