
    Openstack Keystone 认证服务(四)

    keystone 的安装完全依赖ocata的源, 如果没有建议自己搭建. 否则用的源不对会产生各种奇葩问题.

    创建keystone库和用户:

    ##  建库和用户:
    mysql -u root -p123456
    
    CREATE DATABASE keystone;
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
    flush privileges;
    *** 做完后去2台控制机上测试一下keystone 账号是否能够正常登录.
    
    

    控制节点安装内容(2台):

    # 控制节点安装:
    yum install -y openstack-keystone httpd mod_wsgi
    
    ## 编辑文件 /etc/keystone/keystone.conf 并完成如下动作,在 [database] 部分,配置数据库访问:
    vim /etc/keystone/keystone.conf
    [database]
    ......
    #connection = <None>       # 574行
    connection = mysql+pymysql://keystone:123456@openstack-linux36-vip.magedu.net/keystone     
    
    keystone:123456                         # 用户名和密码
    openstack-linux36-vip.magedu.net        # 内部域名可以直接指向DB或者VIP,写成域名方便后期自行切换.
    
    ##  写入/etc/hosts ***
    vim /etc/hosts
    10.10.5.140   openstack-linux36-vip.magedu.net
    *** 测试一下: mysql -h openstack-linux36-vip.magedu.net -u keystone -p123456
    
    ## 在 [token] 部分, 配置令牌提供者为 Fernet:
    [token]
    # ...
    provider = fernet
    
    
    ## 添加admin验证token(手工生成并添加):
    [root@cont-1 ~]# openssl rand -hex 10
    99251e93898c371cb0c1
    
    vim +15 /etc/keystone/keystone.conf
    [DEFAULT]
    ......
    [DEFAULT]
    admin_token = 99251e93898c371cb0c1
    
    
    ### 总结一下内容(省略默认的内容):
    [root@cro-1 yum.repos.d]# grep -vE '^$|^#' /etc/keystone/keystone.conf 
    [DEFAULT]
    admin_token = 99251e93898c371cb0c1
    [database]
    connection = mysql+pymysql://keystone:123456@openstack-linux36-vip.magedu.net/keystone
    [token]
    provider = fernet
    ......
    ####################################################################################
    ### 初始化keystone 身份认证服务的数据库:
    su -s /bin/sh -c "keystone-manage db_sync" keystone
    *** 连接数据库查看keystone 库,如果配置文件的mysql连接正常,会生成很多表.
    
    ### 初始化Fernet key:
    keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
    *** 会在/etc/keystone 下生成2个目录,credential-keys , fernet-keys
    
    ### 启用 httpd 的 keystone wsgi 配置文件(链接软件包自带的配置文件并检查其内容):
    ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
    vim /etc/httpd/conf.d/wsgi-keystone.conf
    Listen 5000
    Listen 35357
    
    <VirtualHost *:5000>
        WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-public
        WSGIScriptAlias / /usr/bin/keystone-wsgi-public
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined
    
        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>
    
    <VirtualHost *:35357>
        WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
        WSGIProcessGroup keystone-admin
        WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
        WSGIApplicationGroup %{GLOBAL}
        WSGIPassAuthorization On
        ErrorLogFormat "%{cu}t %M"
        ErrorLog /var/log/httpd/keystone-error.log
        CustomLog /var/log/httpd/keystone-access.log combined
    
        <Directory /usr/bin>
            Require all granted
        </Directory>
    </VirtualHost>
    
    ########################################################################################################################
    ## 启动httpd:
    systemctl  enable httpd
    systemctl  start  httpd
    
    ## 添加环境变量, 让我们可以不用密码、直接用 admin_token 来创建域和项目:
    *** 目前还没有任何用户可以通过 keystone 认证, 所以先把上面生成的 admin_token 放到环境变量里, 用它来完成认证:
    
    export  OS_TOKEN=99251e93898c371cb0c1
    export  OS_AUTH_URL=http://10.10.5.138:35357/v3
    export  OS_IDENTITY_API_VERSION=3
    export  OS_URL=http://10.10.5.138:35357/v3
    
    ## 测试一下 是否可以不出错误:
    openstack user list
    

    image

    创建并初始化一个域(domain):

    # 初始化:
    openstack domain create --description "Default Domain" default
    

    image

    查看并删除一个domain:

    # 查看domain list:
    [root@cont-1 ~]# openstack domain list
    +----------------------------------+---------+---------+----------------+
    | ID                               | Name    | Enabled | Description    |
    +----------------------------------+---------+---------+----------------+
    | 317ace63cb8f4562af682ca6c7bdf955 | default | True    | Default Domain |
    +----------------------------------+---------+---------+----------------+
    
    
    ## 删除一个domain id:
    ** openstack domain delete + ID
    openstack domain delete 317ace63cb8f4562af682ca6c7bdf955
    
    

    创建一个admin的项目:

    ## 创建admin 项目:
    [root@cont-1 ~]# openstack project create --domain default --description "Admin Project" admin
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Admin Project                    |
    | domain_id   | 317ace63cb8f4562af682ca6c7bdf955 |
    | enabled     | True                             |
    | id          | 7895c74b24e640498acb869a790f7092 |
    | is_domain   | False                            |
    | name        | admin                            |
    | parent_id   | 317ace63cb8f4562af682ca6c7bdf955 |
    +-------------+----------------------------------+
    
    ## 创建admin 账号(我设置的是:123456):
    [root@cont-1 ~]# openstack user create --domain default --password-prompt admin
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | 317ace63cb8f4562af682ca6c7bdf955 |
    | enabled             | True                             |
    | id                  | 7e5fe95e8caa48f78e218919d05693d5 |
    | name                | admin                            |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    
    ## 创建admin role(创建admin角色, 账号和role角色关联后就有了admin role的权限.(角色即权限)):
    [root@cont-1 ~]# openstack role create admin 
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | ff08ecd7583542bc94ac3eb56794638a |
    | name      | admin                            |
    +-----------+----------------------------------+
    
    ##  给admin 用户授权(角色即权限):
    #将admin用户授予admin项目的admin 角色,即给admin项目添加一个用户叫做admin, 并将其添加至admin角色,角色是权限的一种集合:
    [root@cont-1 ~]# openstack role add --project admin --user admin admin 
    ***  --project admin      # 给admin项目 
    ***  --user admin         # 添加admin用户账号 
    ***  最后的admin          # 角色名称(role admin)  
    ############################ 现在 admin  才是一个真正的管理员账号 拥有权限和项目 ##############################################
    
    

    创建一个Demo 项目:

    # 创建一个Demo 项目组(没啥大用处,给其他人演示可以放在这个项目里面。):
    [root@cont-1 ~]# openstack project create --domain default --description "Demo Project" demo   
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | 317ace63cb8f4562af682ca6c7bdf955 |
    | enabled     | True                             |
    | id          | bebe93941d3d4203a2c630ff4da4596c |
    | is_domain   | False                            |
    | name        | demo                             |
    | parent_id   | 317ace63cb8f4562af682ca6c7bdf955 |
    +-------------+----------------------------------+
    
    # 创建demo用户并设置密码为demo:
    [root@cont-1 ~]# openstack user create --domain default --password-prompt demo
    User Password:
    Repeat User Password:
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | 317ace63cb8f4562af682ca6c7bdf955 |
    | enabled             | True                             |
    | id                  | 00ff302f8c924bb1b171965c5d5aca92 |
    | name                | demo                             |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+
    
    ## 创建一个User角色:
    [root@cont-1 ~]# openstack role create user 
    +-----------+----------------------------------+
    | Field     | Value                            |
    +-----------+----------------------------------+
    | domain_id | None                             |
    | id        | 66a589c005b0410eb71f5e4aaa5f0418 |
    | name      | user                             |
    +-----------+----------------------------------+
    
    ## 把Demo 用户添加到Demo 项目:
    [root@cont-1 ~]# openstack role add --project demo --user demo user
    
    #############################至此 demo 用户已经被添加到user role里,权限就没有admin 那么大了#####################################
    

    创建一个service项目:

    *** 各个服务都需要访问 keystone 并进行认证, service 项目用于存放为这些服务创建的用户:

    openstack project create --domain default --description "Service Project" service 
    [root@cont-1 ~]# openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | 317ace63cb8f4562af682ca6c7bdf955 |
    | enabled     | True                             |
    | id          | 89067cca56fd477d86aed5c221b4c55d |
    | is_domain   | False                            |
    | name        | service                          |
    | parent_id   | 317ace63cb8f4562af682ca6c7bdf955 |
    +-------------+----------------------------------+
    
    
    

    XX 服务注册:

    *** 将Keystone 服务地址注册到 openstack ***

    # 3.9.1 创建一个keystone 认证服务:
    [root@cont-1 ~]# openstack service list
    
    [root@cont-1 ~]# openstack service create --name keystone --description "Openstack Identity" identity    # identity 是服务类型(type)
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Openstack Identity               |
    | enabled     | True                             |
    | id          | 376d49d3d59147a49e5f5081cb04a2b1 |
    | name        | keystone                         |
    | type        | identity                         |
    +-------------+----------------------------------+
    [root@cont-1 ~]# openstack service list               ## 验证服务是否创建成功
    +----------------------------------+----------+----------+
    | ID                               | Name     | Type     |
    +----------------------------------+----------+----------+
    | 376d49d3d59147a49e5f5081cb04a2b1 | keystone | identity |
    +----------------------------------+----------+----------+
    
    # 3.9.2  创建端点 (public internal admin)
    public    # 公共端点 
    internal  # 私有端点
    admin     # 管理端点
    
    # 注册以上3个端点服务,后面的所有服务都执行以上操作:
    *** 此处注册一定要写上域名 或者 VIP地址,这样以后方便扩容和更换设备:
    *** 如果不记得用的是哪个, 可以查看 /etc/hosts 里绑定的 IP, 以及 keystone.conf 中 connection 一行里的域名.
    ***  既然写了VIP 地址或者域名,也要去haproxy 上做一下 端口转发.
    
    openstack endpoint create --region RegionOne identity public http://openstack-linux36-vip.magedu.net:5000/v3
    openstack endpoint create --region RegionOne identity internal http://openstack-linux36-vip.magedu.net:5000/v3
    openstack endpoint create --region RegionOne identity admin http://openstack-linux36-vip.magedu.net:35357/v3
    
    ## 执行过程:
    [root@cont-1 ~]# openstack endpoint create --region RegionOne identity public http://openstack-linux36-vip.magedu.net:5000/v3
    +--------------+-------------------------------------------------+
    | Field        | Value                                           |
    +--------------+-------------------------------------------------+
    | enabled      | True                                            |
    | id           | 65605d57632a4c8ba0521b20f28bbcc2                |
    | interface    | public                                          |
    | region       | RegionOne                                       |
    | region_id    | RegionOne                                       |
    | service_id   | 376d49d3d59147a49e5f5081cb04a2b1                |
    | service_name | keystone                                        |
    | service_type | identity                                        |
    | url          | http://openstack-linux36-vip.magedu.net:5000/v3 |
    +--------------+-------------------------------------------------+
    [root@cont-1 ~]# openstack endpoint create --region RegionOne identity internal http://openstack-linux36-vip.magedu.net:5000/v3
    +--------------+-------------------------------------------------+
    | Field        | Value                                           |
    +--------------+-------------------------------------------------+
    | enabled      | True                                            |
    | id           | ec3647ea42f347008d7e35b52324d995                |
    | interface    | internal                                        |
    | region       | RegionOne                                       |
    | region_id    | RegionOne                                       |
    | service_id   | 376d49d3d59147a49e5f5081cb04a2b1                |
    | service_name | keystone                                        |
    | service_type | identity                                        |
    | url          | http://openstack-linux36-vip.magedu.net:5000/v3 |
    +--------------+-------------------------------------------------+
    [root@cont-1 ~]# openstack endpoint create --region RegionOne identity admin http://openstack-linux36-vip.magedu.net:35357/v3
    +--------------+--------------------------------------------------+
    | Field        | Value                                            |
    +--------------+--------------------------------------------------+
    | enabled      | True                                             |
    | id           | 858dee6eafb54902826175be76954094                 |
    | interface    | admin                                            |
    | region       | RegionOne                                        |
    | region_id    | RegionOne                                        |
    | service_id   | 376d49d3d59147a49e5f5081cb04a2b1                 |
    | service_name | keystone                                         |
    | service_type | identity                                         |
    | url          | http://openstack-linux36-vip.magedu.net:35357/v3 |
    +--------------+--------------------------------------------------+
    
    
    
    ## 验证是否添加成功:
    [root@cont-1 ~]# openstack endpoint list
    +----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+
    | ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                                              |
    +----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+
    | 65605d57632a4c8ba0521b20f28bbcc2 | RegionOne | keystone     | identity     | True    | public    | http://openstack-linux36-vip.magedu.net:5000/v3  |
    | 858dee6eafb54902826175be76954094 | RegionOne | keystone     | identity     | True    | admin     | http://openstack-linux36-vip.magedu.net:35357/v3 |
    | ec3647ea42f347008d7e35b52324d995 | RegionOne | keystone     | identity     | True    | internal  | http://openstack-linux36-vip.magedu.net:5000/v3  |
    +----------------------------------+-----------+--------------+--------------+---------+-----------+--------------------------------------------------+
    
    
    ## 去haproxy 上配置转发服务:
    *** 目前只有一台服务器在做这个验证, 所以 haproxy 也只能把 5000、35357、80 这几个端口转发到 10.10.5.138 上.
    
    ###########    keystone   ###########
    
    listen  openstack_keystone_port_5000
     bind 0.0.0.0:5000
     mode tcp
     log global
     server 10.10.5.138 10.10.5.138:5000 check inter 3000 fall 2 rise 5
    
    
    listen  openstack_keystone_port_35357
     bind 0.0.0.0:35357
     mode tcp
     log global
     server 10.10.5.138 10.10.5.138:35357 check inter 3000 fall 2 rise 5
     
    ########################################
     
    /etc/init.d/haproxy restart
    
    ########### 重启 搞定 ###############
    
    ##  测试Keystone 是否可以做用户验证:
    *** 验证admin用户, 密码123456 , 新打开一个窗口并进行以下操作:
    *** 验证demo用户, 密码demo , 新打开一个窗口并进行以下操作:
    1  打开新窗口  
    2  查看/etc/hosts文件,内容一定要对 "10.10.5.140  openstack-linux36-vip.magedu.net"
    3  测试本机IP, VIP(haproxy) 随便切换,最后都能通过keystone的验证就行.
    
    export OS_IDENTITY_API_VERSION=3   # 设置环境变量, 
    
    openstack --os-auth-url http://10.10.5.138:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
    
    openstack --os-auth-url http://openstack-linux36-vip.magedu.net:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
    
    # 测试结果如下
    [root@cont-1 ~]# export OS_IDENTITY_API_VERSION=3
    [root@cont-1 ~]# openstack --os-auth-url http://10.10.5.140:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
    Password: 
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                        |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2020-05-21T10:43:32+0000                                                                                                                                                     |
    | id         | gAAAAABexk1E0Ya99oG-mHnbZ2s95Uy-HCRuii7rMraVmv5Mk2IEz41Hj0gysnaknb65H-D8RtimuXmlmxUqn4c9EC8lYDy6iMM-                                                                         |
    |            | UYrw0ChvWrJ1HxGwC7IxsVGEFsYEApjgINyrT9fDtYQQZPh3GBFcuP8mGokiPb0PTZNMTWrxMSxZpRfJlr0                                                                                          |
    | project_id | bebe93941d3d4203a2c630ff4da4596c                                                                                                                                             |
    | user_id    | 00ff302f8c924bb1b171965c5d5aca92                                                                                                                                             |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    
    [root@cont-1 ~]# openstack --os-auth-url http://openstack-linux36-vip.magedu.net:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
    Password: 
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                        |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2020-05-21T10:44:51+0000                                                                                                                                                     |
    | id         | gAAAAABexk2TBJXILbxI3l2F56SLisp7IIC9EqPM-                                                                                                                                    |
    |            | fPpgR4p_DoHe_YGsz5z6rcPHtkEuHNvwD2OInIZFC33LknuuLRmGEXMXlYbLXkiyJ2_TlgROPEz1J3MU3Jkxbz6NcCxHJD1mR16VgY5_OPLpJ1bKowxFisM3khnnQVD62_NcSqLVbCcOlA                               |
    | project_id | 7895c74b24e640498acb869a790f7092                                                                                                                                             |
    | user_id    | 7e5fe95e8caa48f78e218919d05693d5                                                                                                                                             |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    
    
    

    使用脚本设置环境变量:

    ## 验证admin 用户
    [root@cont-1 ~]# cat admin.sh 
    #!/bin/bash
    # admin.sh: export the OpenStack CLI credentials for the admin user / admin project.
    # Must be sourced (`source admin.sh`), not executed: `export` in a child shell
    # never reaches the caller's environment.
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    # NOTE(review): the admin password is kept in clear text in this file; restrict
    # its permissions (chmod 600) and keep it out of shared or version-controlled locations.
    export OS_PASSWORD=123456
    export OS_AUTH_URL=http://10.10.5.140:35357/v3            # note: the admin endpoint port is 35357
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    [root@cont-1 ~]# source  admin.sh
    [root@cont-1 ~]# sh s.sh 
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                        |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2020-05-21T19:06:47+0000                                                                                                                                                     |
    | id         | gAAAAABexsM3OugdYsDazpfSVf34OUH4Vp4Zb0HJdA21eHQ8mHHLuxxtoXbvL4nRDsgJHW5_zT8mPdLc64HXClqIgT6nZluWqnoGSwroGjdXaSQV08ij5h02qZYRIxnZxLi5N4FkijuArwq_6GiFhUedCBMq4jt8EZEk_2KZwa4y |
    |            | fgTQ-s44Sm8                                                                                                                                                                  |
    | project_id | 7895c74b24e640498acb869a790f7092                                                                                                                                             |
    | user_id    | 7e5fe95e8caa48f78e218919d05693d5                                                                                                                                             |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    
    ## 验证demo 用户:
    [root@cont-1 ~]# cat demo.sh 
    #!/bin/bash
    # demo.sh: export the OpenStack CLI credentials for the demo user / demo project.
    # Must be sourced (`source demo.sh`) so the exports land in the current shell.
    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    # NOTE(review): clear-text password in the file; restrict permissions (chmod 600)
    # and do not commit it to a shared repository.
    export OS_PASSWORD=demo
    export OS_AUTH_URL=http://10.10.5.140:5000/v3           # note: the public endpoint port is 5000
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    
    [root@cont-1 ~]# source demo.sh 
    [root@cont-1 ~]# sh s.sh 
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                        |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2020-05-21T19:05:16+0000                                                                                                                                                     |
    | id         | gAAAAABexsLcyDOe4bL1Y5QLApF0i6OXu-S6iE-psbXCS3ZuySwPpkYyAieK2Ffe85mc5SUDJc_uN1vJsS9Wx7DOU6X16HF7anyWNYY4mKaWplcJPCDn9lQlOIPgMs48hodyHiDWrIjQDdLcY-                           |
    |            | UZIt6jvpfvqGsgGDSrRz4VI4G7iogJ546aPCY                                                                                                                                        |
    | project_id | bebe93941d3d4203a2c630ff4da4596c                                                                                                                                             |
    | user_id    | 00ff302f8c924bb1b171965c5d5aca92                                                                                                                                             |
    +------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
    
    
    
    
    
    
    