openstack-on-centos7: the component services

    Identity service Keystone (installation and configuration)

    Before configuring the OpenStack Identity service, you must create a database and an administrator token.

    [Connect to the database server as root with the database client]
    # mysql -u root -p
    [Create the keystone database]
    CREATE DATABASE keystone;
    [Grant privileges on the keystone database]
    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost'
      IDENTIFIED BY 'KEYSTONE_DBPASS';    -- replace KEYSTONE_DBPASS with your own password

    GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%'
      IDENTIFIED BY 'KEYSTONE_DBPASS';    -- replace KEYSTONE_DBPASS with your own password
    

    [Install and configure keystone on the controller node]

    Install openstack-keystone, httpd and mod_wsgi

    # yum -y install openstack-keystone httpd mod_wsgi
    

    Edit the keystone configuration file /etc/keystone/keystone.conf

    Add to the [database] section:
    connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@localhost:3306/keystone
                                  # user:password@mysql host:port/database; KEYSTONE_DBPASS is the password set in the GRANT above
    Add to the [token] section:
    provider = fernet
    

    Populate the database

    # su -s /bin/sh -c "keystone-manage db_sync" keystone
    

    Initialize the Fernet key repositories (used to generate tokens)

    # keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    # keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
    
    

    [Configure the Apache HTTP server]

    Edit the configuration file /etc/httpd/conf/httpd.conf

    ServerName controller     # controller is the host name

    Copy wsgi-keystone.conf

    # cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

    Start the httpd service

    # systemctl start httpd.service     # start httpd
    # systemctl enable httpd.service    # enable it at boot

    Check the service status

    [Create the keystone catalog]

    Configure /etc/keystone/keystone.conf

    # openssl rand -hex 10   # generates a random value used as the administrator token in the initial configuration
    Add to the [DEFAULT] section:
    admin_token = <the random value produced by "openssl rand -hex 10">
    

    Set environment variables

    # vim ~/.bashrc
    [Add the following]
    export OS_TOKEN=ADMIN_TOKEN      # the admin_token value from keystone.conf (no space after '=')
    export OS_URL=http://192.168.1.156:35357/v3    # v3 means Identity API version 3 is used
    export OS_IDENTITY_API_VERSION=3
    

    Create the catalog entry for keystone

    # openstack service create --name keystone --description "OpenStack Identity" identity

    Based on the service entity just created, create the three API endpoints for accessing it

    # openstack endpoint create --region RegionOne identity public http://192.168.1.156:5000/v3

    # openstack endpoint create --region RegionOne identity internal http://192.168.1.156:5000/v3   # the first two use port 5000, which serves public and internal access

    # openstack endpoint create --region RegionOne identity admin http://192.168.1.156:35357/v3   # port 35357 serves admin access (keystone-wsgi-admin)
    

    Log in to the database and look at the tables in the keystone database

    [Create a domain, project, user and role, and link the four together]

    Create a domain

    openstack domain create --description "Default Domain" default   # create a default domain named "default"
    

    Create the admin project, user and role

    Create the admin project in the "default" domain

    openstack project create --domain default --description "Admin Project" admin

    Create the admin user in the "default" domain

    openstack user create --domain default --password-prompt admin

    Create the admin role

    openstack role create admin

    Add the admin role to the admin project and user:

    openstack role add --project admin --user admin admin

    Verify:

    # openstack role assignment list
    # openstack role list
    # openstack user list
    # openstack project list
    

    [Test]
    In the "default" domain, create a project named fzu

    openstack project create --domain default --description "FZU Project" fzu

    Create a user named zlx (the author's initials)

    openstack user create --domain default --password-prompt zlx

    Create the role for ordinary users

    openstack role create user

    Add the admin role to project fzu and user zlx

    openstack role add --project fzu --user zlx admin

    Verify

    # openstack role assignment list
    # openstack role list
    # openstack user list
    # openstack project list
    

    For security reasons, disable the temporary authentication token mechanism

    Edit /etc/keystone/keystone-paste.ini

    Remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.

    Unset the OS_TOKEN and OS_URL environment variables:

    unset OS_TOKEN OS_URL
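    To confirm the change actually took effect, the following added Python check (not part of the original post) parses keystone-paste.ini and keystone.conf and reports any pipeline that still carries the admin_token_auth filter, and whether admin_token is still set in [DEFAULT]. The ini excerpts embedded below are constructed samples, and the admin_token value is a placeholder.

```python
import configparser

# Constructed excerpt of /etc/keystone/keystone-paste.ini in the "before" state: admin_token_auth
# has already been removed from public_api but is still present in the other two pipelines.
SAMPLE_PASTE_INI = """[filter:admin_token_auth]
use = egg:keystone#admin_token_auth
[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body public_service
[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service
[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body service_v3
"""
# Constructed keystone.conf excerpt; the admin_token value is a placeholder, not a real token.
SAMPLE_KEYSTONE_CONF = """[DEFAULT]
admin_token = PLACEHOLDER_ADMIN_TOKEN
[token]
provider = fernet
"""
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")

def _parse(text):
    # interpolation=None: paste/oslo config values may legitimately contain '%'
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp

def pipelines_with_admin_token_auth(paste_ini_text):
    """Return the pipeline sections whose filter chain still includes admin_token_auth."""
    cp = _parse(paste_ini_text)
    return [s for s in PIPELINES
            if cp.has_section(s) and "admin_token_auth" in cp.get(s, "pipeline", fallback="").split()]

def strip_admin_token_auth(paste_ini_text):
    """Return the ini text with admin_token_auth dropped from every 'pipeline =' line."""
    out = []
    for line in paste_ini_text.splitlines():
        if line.lstrip().startswith("pipeline"):
            key, _, value = line.partition("=")
            filters = [f for f in value.split() if f != "admin_token_auth"]
            line = f"{key.strip()} = {' '.join(filters)}"
        out.append(line)
    return "\n".join(out)

def admin_token_configured(keystone_conf_text):
    """True if [DEFAULT] admin_token is still set, i.e. the bootstrap token would still be accepted."""
    return bool(_parse(keystone_conf_text).get("DEFAULT", "admin_token", fallback="").strip())
```

    Run the two checks against the real files after editing; an empty list from the first and False from the second means the bootstrap token path is closed.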
    

    As the admin user, request an authentication token:

    openstack --os-auth-url http://192.168.1.156:35357/v3 \
      --os-project-domain-name default --os-user-domain-name default \
      --os-project-name admin --os-username admin token issue

    As the zlx user, request an authentication token:

    openstack --os-auth-url http://192.168.1.156:5000/v3 \
      --os-project-domain-name default --os-user-domain-name default \
      --os-project-name fzu --os-username zlx token issue
    

    Create the file admin-openrc under /etc/keystone with the following content:

    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=ADMIN_PASS     # ADMIN_PASS is the admin user's password
    export OS_AUTH_URL=http://192.168.1.156:35357/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

    Likewise create the file demo-openrc with the following content:

    export OS_PROJECT_DOMAIN_NAME=default
    export OS_USER_DOMAIN_NAME=default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=DEMO_PASS   # DEMO_PASS is the demo user's password
    export OS_AUTH_URL=http://192.168.1.156:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2
    

    Verify using the script

    source admin-openrc
    openstack token issue
    

    [Doing the same through the OpenStack API]

    Obtain a token:

    curl -v -s -X POST "$OS_AUTH_URL/auth/tokens?nocatalog" \
      -H "Content-Type: application/json" \
      -d '{ "auth": { "identity": { "methods": ["password"], "password": { "user": { "domain": { "name": "'"$OS_USER_DOMAIN_NAME"'" }, "name": "'"$OS_USERNAME"'", "password": "'"$OS_PASSWORD"'" } } }, "scope": { "project": { "domain": { "name": "'"$OS_PROJECT_DOMAIN_NAME"'" }, "name": "'"$OS_PROJECT_NAME"'" } } } }' \
      | python -m json.tool
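    The same exchange as the curl line, as an added Python example (not from the original post): it builds the identical password-auth JSON, posts it to $OS_AUTH_URL/auth/tokens?nocatalog, and reads the token from the X-Subject-Token response header rather than the body, which is where Keystone v3 actually returns it. The reply embedded below is a constructed sample with a placeholder token value.

```python
import json
import os
import urllib.request

def password_auth_body(username, password, user_domain, project_name, project_domain):
    """Build the same JSON document the curl command above sends to /v3/auth/tokens."""
    return {"auth": {
        "identity": {"methods": ["password"],
                     "password": {"user": {"domain": {"name": user_domain},
                                           "name": username, "password": password}}},
        "scope": {"project": {"domain": {"name": project_domain}, "name": project_name}}}}

def parse_token_response(status, headers, body_text):
    """Extract the token from a successful (201) reply: Keystone returns the token only in
    the X-Subject-Token header; the body carries expiry, scope and roles, never the token."""
    if status != 201:
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = {k.lower(): v for k, v in headers.items()}.get("x-subject-token")
    if not token:
        raise RuntimeError("reply carried no X-Subject-Token header")
    info = json.loads(body_text)["token"]
    return {"token": token,
            "expires_at": info["expires_at"],
            "project": info.get("project", {}).get("name"),
            "roles": [r["name"] for r in info.get("roles", [])]}

def request_token(auth_url, username, password, user_domain="default",
                  project_name="admin", project_domain="default"):
    """Live call equivalent to the curl line above."""
    body = json.dumps(password_auth_body(username, password, user_domain,
                                         project_name, project_domain)).encode()
    req = urllib.request.Request(auth_url.rstrip("/") + "/auth/tokens?nocatalog", data=body,
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.status, dict(resp.headers), resp.read().decode())

# Constructed sample reply, shaped like Keystone's; the token value is a placeholder.
SAMPLE_STATUS = 201
SAMPLE_HEADERS = {"Content-Type": "application/json", "X-Subject-Token": "PLACEHOLDER_FERNET_TOKEN"}
SAMPLE_BODY = json.dumps({"token": {
    "methods": ["password"], "expires_at": "2018-06-20T10:00:00.000000Z",
    "project": {"domain": {"name": "default"}, "name": "admin"},
    "roles": [{"name": "admin"}], "user": {"name": "admin"}}})

if __name__ == "__main__":
    # source admin-openrc first, then run; mirrors the curl command in the post
    print(request_token(os.environ["OS_AUTH_URL"], os.environ["OS_USERNAME"],
                        os.environ["OS_PASSWORD"], os.environ["OS_USER_DOMAIN_NAME"],
                        os.environ["OS_PROJECT_NAME"], os.environ["OS_PROJECT_DOMAIN_NAME"]))
```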
    

    Install the RESTClient add-on in Firefox
    Reference: https://developer.openstack.org/api-ref/identity/v3/
    [Obtain a token]
    URL: http://192.168.1.156:35357/v3/auth/tokens
    Add the header Content-Type = application/json
    Body:


    Token request succeeded: status code 201

    [Get/create/update/delete a domain]

    Request succeeded:


    • Update a domain

    • Delete a domain
      First set the domain's enabled status to false

      then the delete succeeds

    [Get the catalog]

    [Get a service]

    [Create a service]

    [Update a service]

    [Delete a service]

    Original URL: https://www.cnblogs.com/zlxbky/p/9203409.html