

【N版】openstack——认证服务keystone(三)


【N版】openstack——認證服務keystone

一.keystone介紹

1.1keystone

Keystone(OpenStack Identity Service)是 OpenStack 框架中負責管理身份驗證、服務規則和服務令牌功能的模塊。用戶訪問資源需要驗證用戶的身份與權限,服務執行操作也需要進行權限檢測,這些都需要通過 Keystone 來處理。

用戶認證:用戶權限與用戶行為跟蹤

服務目錄:提供一個服務目錄,包括所有服務項與相關API的端點

主要涉及如下概念:

User:用戶

Project:項目(老版本中tenant:租戶)

Token:令牌

Role:角色

1.2keystone配置

1.2.1創建庫及用戶

注:在這里為了方便,提前把之后要創建的庫,以及用戶和授權,都做好。以下各庫的密碼都與用戶名相同,只適用于實驗環境;正式環境應為每個賬戶設置獨立的強密碼,并把 '%' 授權收窄到實際需要訪問數據庫的主機地址。

[root@linux-node1 ~]# mysql -uroot -p   <- 登陸數據庫 ->

MariaDB [(none)]> create database keystone;   <- 創建keystone庫 ->

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'keystone';   <- 創建keystone用戶 ->

Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'keystone';

Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create database glance;   <- 創建glance庫 ->

Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on glance.* to glance@'localhost' identified by 'glance';

Query OK, 0 rows affected (0.00 sec)   <- 創建glance用戶 ->

MariaDB [(none)]> grant all privileges on glance.* to glance@'%' identified by 'glance';

Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create database nova;   <- 創建nova庫 ->

Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on nova.* to nova@'%' identified by 'nova';

Query OK, 0 rows affected (0.00 sec)   <- 創建nova用戶 ->

MariaDB [(none)]> grant all privileges on nova.* to nova@'localhost' identified by 'nova';

Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create database nova_api;   <- 創建nova_api庫 ->

Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on nova_api.* to 'nova'@'localhost' identified by 'nova';

Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on nova_api.* to 'nova'@'%' identified by 'nova';

Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create database neutron;   <- 創建neutron庫 ->

Query OK, 1 row affected (0.01 sec)

MariaDB [(none)]> grant all privileges on neutron.* to 'neutron'@'%' identified by 'neutron';

Query OK, 0 rows affected (0.00 sec)   <- 創建neutron用戶 ->

MariaDB [(none)]> grant all privileges on neutron.* to 'neutron'@'localhost' identified by 'neutron';

Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> create database cinder;   <- 創建cinder庫 ->

Query OK, 1 row affected (0.00 sec)

MariaDB [(none)]> grant all privileges on cinder.* to 'cinder'@'localhost' identified by 'cinder';   <- 創建cinder用戶 ->

Query OK, 0 rows affected (0.00 sec)

MariaDB [(none)]> grant all privileges on cinder.* to 'cinder'@'%' identified by 'cinder';

Query OK, 0 rows affected (0.00 sec)

1.2.2keystone配置文件

[root@linux-node1 ~]# vim /etc/keystone/keystone.conf   <- 編輯配置文件 ->

613 [database]   <- 數據庫設置 ->

640 connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone

1458 [memcache]   <- memcache設置 ->

1472 servers = 192.168.56.11:11211   <- memcache服務地址 ->

2655 provider = fernet   <- 配置令牌 ->

2665 driver = memcache   <- 選擇driver為memcache,默認是sql ->

[root@linux-node1 ~]# grep '^[a-z]' /etc/keystone/keystone.conf   <- 檢查 ->

connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone

servers = 192.168.56.11:11211

provider = fernet

driver = memcache

1.2.3數據庫,memcache配置

[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

<- 初始化數據庫 ->

[root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"   <- 檢查表是否導入成功 ->

[root@linux-node1 ~]# vim /etc/sysconfig/memcached   <- 修改memcache配置文件;memcached默認沒有訪問認證,監聽192.168.56.11后應以防火牆限制只有OpenStack節點能訪問11211端口 ->

OPTIONS="-l 192.168.56.11,::1"

[root@linux-node1 ~]# systemctl restart memcached   <- 重啟memcache ->

[root@linux-node1 ~]# cd /etc/keystone/

[root@linux-node1 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone   <- 初始化fernet key ->

[root@linux-node1 keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone   <- 初始化credential key(用于加密存儲憑據) ->

[root@linux-node1 keystone]# keystone-manage bootstrap --bootstrap-password admin \   <- 引導身份服務;admin密碼只是實驗示例,正式環境請換成強密碼 ->

--bootstrap-admin-url http://192.168.56.11:35357/v3/ \

--bootstrap-internal-url http://192.168.56.11:35357/v3/ \

--bootstrap-public-url http://192.168.56.11:5000/v3/ \

--bootstrap-region-id RegionOne

1.2.4配置apache服務

[root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf   <- 編輯配置文件 ->

95 ServerName 192.168.56.11:80

[root@linux-node1 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/   <- 軟連接配置文件 ->

[root@linux-node1 ~]# systemctl enable httpd.service   <- 設置apache開機自啟,并啟動apache ->

[root@linux-node1 ~]# systemctl start httpd.service

[root@linux-node1 ~]# export OS_USERNAME=admin   <- 配置環境變量 ->

[root@linux-node1 ~]# export OS_PASSWORD=admin

[root@linux-node1 ~]# export OS_PROJECT_NAME=admin

[root@linux-node1 ~]# export OS_USER_DOMAIN_NAME=Default

[root@linux-node1 ~]# export OS_PROJECT_DOMAIN_NAME=Default

[root@linux-node1 ~]# export OS_AUTH_URL=http://192.168.56.11:35357/v3

[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3

[root@linux-node1 ~]# openstack user list   <- 查看用戶列表 ->


[root@linux-node1 ~]# openstack role list   <- 查看角色列表 ->


[root@linux-node1 ~]# openstack project list   <- 查看項目列表 ->


[root@linux-node1 ~]# openstack endpoint list   <- 查看端點列表 ->

1.2.5創建項目

[root@linux-node1 ~]# openstack project create --domain default --description "Service Project" service   <- 創建服務項目 ->


[root@linux-node1 ~]# openstack project list   <- 查看是否創建成功 ->


[root@linux-node1 ~]# openstack project create --domain default --description "Demo Project" demo   <- 創建demo項目 ->


[root@linux-node1 ~]# openstack project list   <- 查看是否創建成功 ->


[root@linux-node1 ~]# openstack user create --domain default --password-prompt demo

User Password:demo

Repeat User Password:demo   <- 創建demo用戶,密碼:demo ->


[root@linux-node1 ~]# openstack user list   <- 查看是否創建成功 ->


[root@linux-node1 ~]# openstack role create user   <- 創建user角色 ->

[root@linux-node1 ~]# openstack role list   <- 查看是否創建成功 ->


[root@linux-node1 ~]# openstack role add --project demo --user demo user

<- 將demo用戶加入到demo項目并且賦予user角色 ->

注:為了方便,以下操作將之后要用到的所有用戶都創建好。這些服務賬戶都會被賦予admin角色,密碼與用戶名相同只是實驗環境的寫法,正式環境應分別設置強密碼。

[root@linux-node1 ~]# openstack user create --domain default --password-prompt glance   <- 創建glance用戶,密碼:glance ->

User Password:glance

[root@linux-node1 ~]# openstack role add --project service --user glance admin

<- 將glance用戶加入到service項目并且賦予admin角色 ->

[root@linux-node1 ~]# openstack user create --domain default --password-prompt nova   <- 創建nova用戶,密碼:nova ->

User Password:nova

[root@linux-node1 ~]# openstack role add --project service --user nova admin

<- 將nova用戶加入到service項目并且賦予admin角色 ->

[root@linux-node1 ~]# openstack user create --domain default --password-prompt neutron   <- 創建neutron用戶,密碼:neutron ->

User Password: neutron

[root@linux-node1 ~]# openstack role add --project service --user neutron admin

<- 將neutron用戶加入到service項目并且賦予admin角色 ->

[root@linux-node1 ~]# openstack user create --domain default --password-prompt cinder   <- 創建cinder用戶,密碼:cinder ->

User Password:cinder

[root@linux-node1 ~]# openstack role add --project service --user cinder admin
<- 將cinder用戶加入到service項目并且賦予admin角色 ->

1.3驗證keystone

1.3.1驗證用戶

[root@linux-node1 ~]# unset OS_AUTH_URL OS_PASSWORD   <- 取消之前的環境變量 ->

[root@linux-node1 ~]# openstack \

--os-auth-url http://192.168.56.11:35357/v3 \

--os-project-domain-name default \

--os-user-domain-name default \

--os-project-name admin \

--os-username admin token issue

<- 驗證admin用戶,提示密碼時輸入admin,出來如下界面證明admin用戶沒問題 ->


[root@linux-node1 keystone]# openstack \

--os-auth-url http://192.168.56.11:35357/v3 \

--os-project-domain-name default \

--os-user-domain-name default \

--os-project-name demo \

--os-username demo token issue

<- 驗證demo用戶,提示密碼時輸入demo,出來如下界面證明demo用戶沒問題 ->


1.3.2創建環境變量腳本

[root@linux-node1 ~]# vim admin-openstack   <- admin環境變量;文件里有明文密碼,建議chmod 600,只讓屬主可讀 ->

export OS_PROJECT_DOMAIN_NAME=default

export OS_USER_DOMAIN_NAME=default

export OS_PROJECT_NAME=admin

export OS_USERNAME=admin

export OS_PASSWORD=admin

export OS_AUTH_URL=http://192.168.56.11:35357/v3

export OS_IDENTITY_API_VERSION=3

export OS_IMAGE_API_VERSION=2

[root@linux-node1 ~]# vim demo-openstack   <- demo環境變量 ->

export OS_PROJECT_DOMAIN_NAME=default

export OS_USER_DOMAIN_NAME=default

export OS_PROJECT_NAME=demo

export OS_USERNAME=demo

export OS_PASSWORD=demo

export OS_AUTH_URL=http://192.168.56.11:5000/v3

export OS_IDENTITY_API_VERSION=3

export OS_IMAGE_API_VERSION=2

[root@linux-node1 ~]# source admin-openstack   <- source環境變量 ->

[root@linux-node1 ~]# source demo-openstack

1.4Keystone常見錯誤

401 #驗證失敗,keystone相關用戶賬戶密碼設置錯誤,時間不同步,或者輸入的項目名稱不對

403 #可能未初始化OS_token變量,需要使用source命令使其生效,也可能是配置的配置文件未生效,需要重啟相關服務

409 #keystone創建用戶,用戶已存在

500 #服務器內部錯誤,服務配置有問題,看日志,檢查配置

503 #keystone相關賬戶密碼設置有問題,請將相關的glance賬戶刪除,重新創建即可

服務故障 #相關服務沒有起來

轉載于:https://blog.51cto.com/goodcook/1887429
