003 - Installing OpenStack following the official docs: the Keystone identity service

All of the steps below are performed on the controller node.

1. Install the Keystone service on the controller node

Concepts:

Keystone is the component of the OpenStack framework responsible for authentication, service rules and service tokens; it implements the OpenStack Identity API. Keystone acts like a service bus and is the registry of the whole OpenStack framework: every other service registers its endpoint (the URL at which the service is reached) in Keystone, every call between services passes through Keystone authentication, and the caller obtains the target service's endpoint from Keystone in order to locate it. Keystone provides a single point of integration for authentication, authorization and the service catalog in OpenStack. The other OpenStack services use the identity service as a common, unified API. It also provides user-related information. The service name is: identity service

Keystone terminology:

User
Project (Tenant)
Token
Role
Service
Endpoint

1) Log in to MySQL, create the keystone database and grant the required privileges

[root@controller ~]# mysql -uroot -p
Enter password:  (password: 123456)
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)

MariaDB [keystone]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
| mysql              |
| performance_schema |
| test               |
+--------------------+
5 rows in set (0.01 sec)

MariaDB [(none)]> select user,host from mysql.user;
+----------+------------+
| user     | host       |
+----------+------------+
| keystone | %          |
| root     | 127.0.0.1  |
| root     | ::1        |
|          | controller |
| root     | controller |
|          | localhost  |
| keystone | localhost  |
| root     | localhost  |
+----------+------------+
8 rows in set (0.00 sec)

MariaDB [(none)]> quit
Bye
[root@controller ~]# 

2. Install the Keystone identity service packages on the controller node

# Configure the Apache service: an HTTP server with mod_wsgi answers identity service requests on ports 5000 and 35357. By default, the Keystone service still listens

1) Install the Keystone packages

[root@controller ~]# yum install openstack-keystone httpd mod_wsgi -y
# Also install the openstack-utils tooling so that openstack-config can be used to edit the OpenStack configuration files later
[root@controller ~]# yum install openstack-keystone python-keystoneclient openstack-utils -y

2) Edit the keystone configuration file

[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:keystone@controller/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider fernet

3) Check that the configuration was changed

Method 1 (the one I usually use):

[root@controller ~]# grep '^[a-zA-Z]' /etc/keystone/keystone.conf 
connection = mysql+pymysql://keystone:keystone@controller/keystone
provider = fernet

Method 2:

[root@controller ~]# egrep -v "^#|^$" /etc/keystone/keystone.conf  
Note: Keystone does not need to be started as a service of its own; it is invoked through the httpd service.

3. Initialize the keystone database (database sync)

1) Sync the keystone database

## Once the keystone database sync succeeds, 44 tables are created
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

2) Test the connection to the keystone database

[root@controller ~]# mysql -ukeystone -pkeystone -hcontroller -e  "use keystone;show tables;"
# Count how many tables were created in keystone
[root@controller ~]# mysql -ukeystone -pkeystone -hcontroller -e  "use keystone;show tables;"|wc -l
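As an added example (not from the original post), a small check that turns the table count above into a pass/fail verification of db_sync. It reads the output of "show tables" on stdin and skips the first line, because mysql -e prints a header row before the table names, so a plain wc -l is off by one. The function names are my own, and the demonstration at the bottom runs on constructed output rather than a real database.

```shell
#!/bin/sh
# Added example: verify that "keystone-manage db_sync" produced the expected
# number of tables. Reads "show tables" output on stdin; the first line is the
# column header ("Tables_in_keystone"), not a table.

# table_count < OUTPUT_OF_SHOW_TABLES
# Prints the number of table names (header line excluded).
table_count() {
    tail -n +2 | grep -c .
}

# verify_db_sync EXPECTED < OUTPUT_OF_SHOW_TABLES
# Exit status 0 when exactly EXPECTED tables are present, 1 otherwise.
verify_db_sync() {
    n=$(table_count)
    if [ "$n" -ne "$1" ]; then
        echo "db_sync incomplete: $n tables, expected $1" >&2
        return 1
    fi
    echo "db_sync ok: $n tables"
}

# On the controller this would be run as:
#   mysql -ukeystone -pkeystone -hcontroller -e "show tables" keystone | verify_db_sync 44
# Self-contained demonstration on constructed output (three tables):
printf 'Tables_in_keystone\nassignment\nendpoint\nuser\n' | verify_db_sync 3
```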

4. Initialize the Fernet key repositories

[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

5. Configure Apache (the httpd service)

1) Edit the main httpd configuration file

Method 1

[root@controller ~]# vim   /etc/httpd/conf/httpd.conf  +95
ServerName controller

Method 2

Replace the line directly with sed

[root@controller ~]# sed -i "s/#ServerName www.example.com:80/ServerName controller/" /etc/httpd/conf/httpd.conf
[root@controller ~]# grep "ServerName" /etc/httpd/conf/httpd.conf

2) Configure the virtual host

[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

3) Start the httpd service and enable it at boot

[root@controller ~]# systemctl  start httpd
[root@controller ~]# systemctl  enable httpd
[root@controller ~]# netstat -lntpv|grep httpd

4) Check that it has been enabled at boot

[root@controller ~]# systemctl list-unit-files |grep httpd

6. Bootstrap the Keystone identity service

1) Create the keystone user and initialize the service entity and the API endpoints

# In earlier releases (before Queens) the bootstrap served two ports (5000 for users and 35357 for administration); the latest release serves everything on a single port
# Create the keystone service entity and the identity service endpoints; the three endpoint types below are public, internal and admin. An admin password has to be chosen; here it is set to 123456

[root@controller ~]# keystone-manage bootstrap --bootstrap-password 123456   --bootstrap-admin-url http://controller:5000/v3/   --bootstrap-internal-url http://controller:5000/v3/   --bootstrap-public-url http://controller:5000/v3/   --bootstrap-region-id RegionOne
Note
# Running this command adds the following to the keystone database; in earlier releases these had to be created by hand:
<1> three API endpoints for the service entity in the endpoint table
<2> the admin user in the local_user table
<3> the admin project and Default (the default domain) in the project table
<4> three roles in the role table: admin, member and reader
<5> the identity service in the service table

2) Export the administrator variables temporarily with export, to authenticate as admin

[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=123456
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3

3) Check that the variables were exported

[root@controller ~]# env |grep OS_
OS_USER_DOMAIN_NAME=Default
OS_PROJECT_NAME=admin
OS_IDENTITY_API_VERSION=3
OS_PASSWORD=123456
OS_AUTH_URL=http://controller:5000/v3
OS_USERNAME=admin
OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# 

Problems you may run into:

1. The following error is reported

[root@controller ~]# openstack endpoint list
Failed to discover available identity versions when contacting http://controller:5000/v3. Attempting to parse version from URL.
Unable to establish connection to http://controller:5000/v3/auth/tokens: HTTPConnectionPool(host='controller', port=5000): Max retries exceeded with url: /v3/auth/tokens (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7fd8c8d7cf90>: Failed to establish a new connection: [Errno 111] Connection refused',))

Solution:
1) Check whether the Apache service has a problem

Check whether the Apache service is running

2) Check whether the wsgi-keystone.conf symlink for Keystone is correct

[root@controller conf.d]# pwd
/etc/httpd/conf.d
[root@controller conf.d]# ls
autoindex.conf  README  userdir.conf  welcome.conf  wsgi-keystone.conf
[root@controller conf.d]# 

3) Restart httpd

[root@controller conf.d]# systemctl  restart httpd

4) Verify that the openstack commands now return results

[root@controller conf.d]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 5d52ade18b88414bb3ab5a29b8709da0 | admin |
+----------------------------------+-------+
[root@controller conf.d]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                        |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
| 4958b09872894953b50257fd3ee41cfa | RegionOne | keystone     | identity     | True    | internal  | http://controller:5000/v3/ |
| 8191331923ef477aa9eb08c33c968671 | RegionOne | keystone     | identity     | True    | public    | http://controller:5000/v3/ |
| d239bdcfaa0046f89919833333ef01d4 | RegionOne | keystone     | identity     | True    | admin     | http://controller:5000/v3/ |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------+
[root@controller conf.d]# openstack project list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| ddaa0a6cfeb448bc9a7cc3427366bf10 | admin |
+----------------------------------+-------+
[root@controller conf.d]# 
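As an added example (not from the original post), the checks behind the troubleshooting steps above written as shell functions: the vhost symlink must exist in httpd's conf.d and point at the file shipped in /usr/share/keystone, httpd.conf must carry an active ServerName line, and something must be bound on the Keystone port. The functions take their paths as arguments so they can be run against the real controller or, as in the demonstration at the bottom, against a constructed directory tree. check_listening uses ss from iproute2 in place of the netstat call used earlier; the function names and the test tree are my own.

```shell
#!/bin/sh
# Added example: preflight checks for the "Connection refused" failure mode.
# Each function returns 0 on success and explains the problem on stderr otherwise.

# check_wsgi_link CONF_DIR [TARGET]
# The Keystone vhost is a symlink in httpd's conf.d pointing at the file
# shipped by the openstack-keystone package.
check_wsgi_link() {
    link="$1/wsgi-keystone.conf"
    want="${2:-/usr/share/keystone/wsgi-keystone.conf}"
    if [ ! -L "$link" ]; then
        echo "missing symlink: $link" >&2
        return 1
    fi
    got=$(readlink "$link")
    if [ "$got" != "$want" ]; then
        echo "$link points at $got, expected $want" >&2
        return 1
    fi
    return 0
}

# check_server_name HTTPD_CONF NAME
# httpd.conf must contain an uncommented "ServerName NAME" line.
check_server_name() {
    grep -Eq "^[[:space:]]*ServerName[[:space:]]+$2([[:space:]]|\$)" "$1" \
        || { echo "$1: no active 'ServerName $2' line" >&2; return 1; }
}

# check_listening PORT
# Confirms a TCP listener on PORT (5000 for Keystone) using ss.
check_listening() {
    ss -lnt 2>/dev/null | awk -v p=":$1" '$4 ~ p"$" {found=1} END {exit !found}' \
        || { echo "nothing listening on tcp/$1" >&2; return 1; }
}

# Self-contained demonstration on a constructed tree (no real httpd needed).
demo=$(mktemp -d)
mkdir -p "$demo/conf.d" "$demo/share"
: > "$demo/share/wsgi-keystone.conf"
ln -s "$demo/share/wsgi-keystone.conf" "$demo/conf.d/wsgi-keystone.conf"
printf '#ServerName www.example.com:80\nServerName controller\n' > "$demo/httpd.conf"
check_wsgi_link "$demo/conf.d" "$demo/share/wsgi-keystone.conf" && echo "vhost symlink ok"
check_server_name "$demo/httpd.conf" controller && echo "ServerName ok"
rm -rf "$demo"
# On the controller: check_wsgi_link /etc/httpd/conf.d; check_server_name /etc/httpd/conf/httpd.conf controller; check_listening 5000
```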

7. Create the Keystone identity objects

# Create a domain, projects, users, and roles
--- see the official OpenStack documentation:
https://docs.openstack.org/keystone/rocky/install/keystone-users-rdo.html

1) Create a Keystone domain named example

[root@controller conf.d]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | An Example Domain                |
| enabled     | True                             |
| id          | 6ea97972027e43a0a8e74132636e5a59 |
| name        | example                          |
| tags        | []                               |
+-------------+----------------------------------+
[root@controller conf.d]# 

2) Create a project named service in Keystone for the OpenStack services

# Ordinary (non-administrative) tasks should be run with an unprivileged user

[root@controller ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 6560a25781764bd4ba4abea849980d31 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
[root@controller ~]# 

3) Create the myproject project and its user and role

[root@controller ~]# openstack project create --domain default --description "Demo Project" myproject
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 7bda925fd8924e5caf7f4f8d628f83f0 |
| is_domain   | False                            |
| name        | myproject                        |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+
[root@controller ~]# 

4) Create the myuser user in the default domain

Setting the password non-interactively

[root@controller ~]# openstack user create --domain default --password=myuser myuser

Setting the password interactively (prompted, so it does not end up in the shell history)

[root@controller ~]# openstack user create --domain default --password-prompt myuser

5) Create the myrole role in the role table

[root@controller ~]# openstack role create myrole
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | bebc009484f445299c368281e16c8053 |
| name      | myrole                           |
+-----------+----------------------------------+
[root@controller ~]# 

6) Assign the myrole role to the myuser user in the myproject project

[root@controller ~]# openstack role add --project myproject --user myuser myrole

8. Verify that the Keystone operations above succeeded

1) Remove the environment variables with unset

# Drop the temporary credentials from the environment and check whether a token can still be obtained, to verify that keystone is configured correctly
unset OS_AUTH_URL 
unset OS_PASSWORD
env |grep OS

2) Request a token as the admin user

# Test whether the admin account can authenticate and obtain an authentication token
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3   --os-project-domain-name Default --os-user-domain-name Default   --os-project-name admin --os-username admin token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2019-11-29T08:11:16+0000                                                                                                                                                                |
| id         | gAAAAABd4MSUoRA8SHhaIxsJYzg6uH20LwoM1eN8sN6GeUZ0Z7JifZy4a_1BkEIJWVIc9S6nEXfJSCdv5HviLovjmcJ04ZcfFuqRVMU1zG4nAGpOeMzTxV7s6oREYMb_55CDMrxDpRYiF4pNdDdWZP19Z2XZ95c_-rrCAZsx5PvwYeSOwXHXtUc |
| project_id | ddaa0a6cfeb448bc9a7cc3427366bf10                                                                                                                                                        |
| user_id    | 5d52ade18b88414bb3ab5a29b8709da0                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]# 

3) Obtain an authentication token as the regular user

[root@controller ~]#  openstack --os-auth-url http://controller:5000/v3   --os-project-domain-name Default --os-user-domain-name Default   --os-project-name myproject --os-username myuser token issue
Password:  (enter the password of the myuser user, which is also myuser)
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2019-11-29T08:13:42+0000                                                                                                                                                                |
| id         | gAAAAABd4MUm-zT8q8FJNnfRMvwad3VxxFzKAVzPLISyHqlIa4ldbl_Is359-E4esI609UgMwSPAiIt0LMz_WPLy6g23VAA7fpnm2lo79Haizpg95iqAJTTNiXLiuiyw6p077__J-v-_ia09XkbpIMAyKitF0YAPXTRYCFpPCN0leVrvWXYpDp0 |
| project_id | 7bda925fd8924e5caf7f4f8d628f83f0                                                                                                                                                        |
| user_id    | 35a3fdebbc6c4a9797397ae0aa036bf3                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]# 
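As an added example (not from the original post), the HTTP exchange that "openstack token issue" performs in the two commands above, done with curl against the Keystone v3 API: the client POSTs a JSON document describing a password authentication scoped to a project to /v3/auth/tokens, and Keystone answers 201 Created with the token in the X-Subject-Token response header rather than in the body. The function names are my own; request_token reads the endpoint and credentials from the OS_* variables exported earlier, and the JSON builder assumes the values contain no double quotes or backslashes.

```shell
#!/bin/sh
# Added example: obtain a project-scoped Keystone v3 token with curl.

# auth_body USER USER_DOMAIN PROJECT PROJECT_DOMAIN PASSWORD
# Prints the JSON document for the "password" authentication method, scoped to
# PROJECT. Values are inserted verbatim (no quote or backslash escaping).
auth_body() {
    printf '{"auth":{"identity":{"methods":["password"],"password":{"user":{"name":"%s","domain":{"name":"%s"},"password":"%s"}}},"scope":{"project":{"name":"%s","domain":{"name":"%s"}}}}}' \
        "$1" "$2" "$5" "$3" "$4"
}

# subject_token < RESPONSE_HEADERS
# Extracts the token id from the X-Subject-Token header (case-insensitive,
# CRLF stripped). Nothing is printed when the header is absent.
subject_token() {
    awk 'tolower($1)=="x-subject-token:" {sub(/\r$/,"",$2); print $2}'
}

# request_token
# POSTs to $OS_AUTH_URL/auth/tokens with the OS_* credentials from the
# environment and prints the token id; returns 1 when no token comes back.
request_token() {
    body=$(auth_body "$OS_USERNAME" "$OS_USER_DOMAIN_NAME" \
                     "$OS_PROJECT_NAME" "$OS_PROJECT_DOMAIN_NAME" "$OS_PASSWORD")
    tok=$(curl -sS -D - -o /dev/null \
              -H 'Content-Type: application/json' \
              -X POST --data "$body" "${OS_AUTH_URL%/}/auth/tokens" | subject_token)
    if [ -z "$tok" ]; then
        echo "no token returned by $OS_AUTH_URL (check credentials and httpd)" >&2
        return 1
    fi
    printf '%s\n' "$tok"
}

# Usage on the controller, after "source admin-openrc":
#   request_token
# Offline demonstration of the request body (placeholder password):
auth_body admin Default admin Default CHANGE_ME; echo
```

The token id printed by request_token is the same value "openstack token issue" shows in its id field, and can be passed to the other services in the X-Auth-Token header.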

9. Create the OpenStack client environment scripts

# The preceding sections used a combination of environment variables and command options to interact with the identity service through the ``openstack`` client. To make client operations more efficient, OpenStack supports simple client environment scripts, known as OpenRC files. These scripts typically contain all of the common client options, and support unique options as well. For details see: http://docs.openstack.org/user-guide/common/

1) Write the client environment scripts

Environment script for the admin user

[root@controller ~]# cat admin-openrc 
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Environment script for the myuser user:

[root@controller ~]# cat myuser-openrc 
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=myproject
export OS_USERNAME=myuser
export OS_PASSWORD=myuser
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller ~]# 
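As an added example (not from the original post), a way to generate these OpenRC files and check them before sourcing. Each file stores OS_PASSWORD in plaintext, so it should be created owner-only (mode 0600); a world-readable admin-openrc hands the Keystone admin credential to every local account on the controller. The function names are my own, and the demonstration at the bottom runs in a temporary directory with a placeholder password rather than touching the real files.

```shell
#!/bin/sh
# Added example: write an OpenRC file with owner-only permissions and verify
# it carries every variable the openstack client needs.

# write_openrc DIR NAME PROJECT USER PASSWORD
# Creates DIR/NAME-openrc with mode 0600 and prints its path.
write_openrc() {
    out="$1/$2-openrc"
    old_umask=$(umask)
    umask 077                       # the file is born 0600, never readable by others
    cat > "$out" <<EOF
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=$3
export OS_USERNAME=$4
export OS_PASSWORD=$5
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
EOF
    umask "$old_umask"
    printf '%s\n' "$out"
}

# check_openrc FILE
# Returns 0 when FILE is owner-only and defines every required variable;
# otherwise reports the first problem on stderr and returns 1.
check_openrc() {
    mode=$(ls -l "$1" | cut -c1-10)
    if [ "$mode" != "-rw-------" ]; then
        echo "$1: mode is $mode, expected -rw------- (chmod 600)" >&2
        return 1
    fi
    for var in OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME \
               OS_USERNAME OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION; do
        if ! grep -q "^export $var=" "$1"; then
            echo "$1: missing $var" >&2
            return 1
        fi
    done
    return 0
}

# Self-contained demonstration in a temporary directory (placeholder password).
demo_dir=$(mktemp -d)
demo_file=$(write_openrc "$demo_dir" myuser myproject myuser CHANGE_ME)
check_openrc "$demo_file" && echo "ok: $demo_file"
chmod 644 "$demo_file"          # simulate the common mistake
check_openrc "$demo_file" || echo "rejected after chmod 644"
rm -rf "$demo_dir"
# On the controller: write_openrc /root admin admin admin '<admin password>' && check_openrc /root/admin-openrc
```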

2) Load the environment script

[root@controller ~]# source admin-openrc 

3) Check that the environment script took effect

[root@controller ~]# openstack user list
+----------------------------------+--------+
| ID                               | Name   |
+----------------------------------+--------+
| 35a3fdebbc6c4a9797397ae0aa036bf3 | myuser |
| 5d52ade18b88414bb3ab5a29b8709da0 | admin  |
+----------------------------------+--------+
[root@controller ~]# 

4) Request an authentication token

# Compare the user_id returned here with the one obtained earlier; they should match
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2019-11-29T08:19:38+0000                                                                                                                                                                |
| id         | gAAAAABd4MaKC_aPAFlYRLx4oK4oNA7V0ymp66c7XNiQu5pJ6b-Tvkj5ch56-WH9M2oP6G8UMIxs291HkII_iirhGxfEKLRglf38vhTWEefv8J2ZK9NiPrMPM1wNXQNWkc5LMTlVQcZp5FYzDD2ndLjciM_mkXSMlnL8_xse4lR2SCwnp3ksAVI |
| project_id | ddaa0a6cfeb448bc9a7cc3427366bf10                                                                                                                                                        |
| user_id    | 5d52ade18b88414bb3ab5a29b8709da0                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]# 

With this, the OpenStack Keystone identity service is fully configured.


Reposted from www.cnblogs.com/scottsofia/p/12084514.html