OpenStack on CentOS 7: Component Services
Identity service Keystone (installation and configuration)
Before configuring the OpenStack Identity service, you must create a database and an administration token.
[Connect to the database service as root with a database client]
# mysql -u root -p
[Create the keystone database]
# CREATE DATABASE keystone;
[Grant privileges on the keystone database]
# GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS'; //replace KEYSTONE_DBPASS with your own password
# GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS'; //replace KEYSTONE_DBPASS with your own password
The 'keystone'@'%' grant lets the keystone account connect from any host; when Keystone only runs on the controller and connects over localhost, the 'localhost' grant alone is enough.
[Install and configure Keystone on the controller node]
Install openstack-keystone, httpd and mod_wsgi
# yum -y install openstack-keystone httpd mod_wsgi
Edit the Keystone configuration file /etc/keystone/keystone.conf
In the [database] section add:
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@localhost:3306/keystone //format: username:password@mysql address/database; KEYSTONE_DBPASS is the password granted above
In the [token] section add:
provider = fernet
Initialize the database
su -s /bin/sh -c "keystone-manage db_sync" keystone
Initialize the Fernet key repository (used to generate tokens)
# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[Configure the Apache HTTP server]
Edit the configuration file /etc/httpd/conf/httpd.conf
ServerName controller //controller is the host name
Copy wsgi-keystone.conf
# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
Start the httpd service
# systemctl start httpd.service #start the httpd service
# systemctl enable httpd.service #start at boot
Check the service status
# systemctl status httpd.service
[Create the Keystone catalog]
Configure /etc/keystone/keystone.conf
# openssl rand -hex 10 //generate a random value to use as the administration token during initial configuration
In the [DEFAULT] section add:
admin_token = ADMIN_TOKEN //ADMIN_TOKEN is the random value generated by openssl rand -hex 10
Restart httpd so the running Keystone picks up the new setting:
# systemctl restart httpd.service
Set the environment variables
# vim ~/.bashrc
[Add the following content]
export OS_TOKEN=ADMIN_TOKEN //the admin_token value from keystone.conf
export OS_URL=http://192.168.1.156:35357/v3 //v3 means Identity API version 3
export OS_IDENTITY_API_VERSION=3
Create the catalog entry for Keystone
# openstack service create --name keystone --description "OpenStack Identity" identity
Based on the service entity just created, create the three API endpoints for accessing it
# openstack endpoint create --region RegionOne identity public http://192.168.1.156:5000/v3
# openstack endpoint create --region RegionOne identity internal http://192.168.1.156:5000/v3 //the first two use port 5000, which handles public and internal access
# openstack endpoint create --region RegionOne identity admin http://192.168.1.156:35357/v3 //port 35357 handles admin access and is served by keystone-wsgi-admin
Log in to the database and view the tables in the keystone database
[Create a domain, a project, a user and a role, and link the four together]
Create the domain
openstack domain create --description "Default Domain" default //create a default domain named "default"
Create the administrative project, user and role
Create the admin project in the "default" domain
openstack project create --domain default --description "Admin Project" admin
Create the admin user in the "default" domain
openstack user create --domain default --password-prompt admin
Create the admin role
openstack role create admin
Add the admin role to the admin project and user:
openstack role add --project admin --user admin admin
Verify:
# openstack role assignment list
# openstack role list
# openstack user list
# openstack project list
[Test]
In the "default" domain, create a project named fzu
openstack project create --domain default --description "FZU Project" fzu
Create a user named zlx (the author's initials)
openstack user create --domain default --password-prompt zlx
Create a role for ordinary users
openstack role create user
Add the user role to the fzu project and the user zlx
openstack role add --project fzu --user zlx user
Verify
# openstack role assignment list
# openstack role list
# openstack user list
# openstack project list
For security reasons, disable the temporary authentication token mechanism.
Edit /etc/keystone/keystone-paste.ini and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections. That filter is what honours admin_token, so once it is out of all three pipelines the token grants nothing; removing the admin_token line from keystone.conf as well leaves no secret to leak. Restart httpd afterwards so the WSGI application reloads the pipeline.
Reset the OS_TOKEN and OS_URL environment variables:
unset OS_TOKEN OS_URL
Also delete the two export lines from ~/.bashrc, otherwise they come back at the next login.
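The admin_token_auth removal above is a small edit that is easy to miss in one of the three pipelines, and nothing on the page verifies it. The following Python script is an added example, not part of the original page or of the Keystone project: it strips admin_token_auth from the pipeline = line of each of the three sections, reports which sections it changed, and checks keystone.conf for a still-active admin_token setting. The function names and the sample keystone-paste.ini fragment are mine; the sample is constructed to mirror the section layout, and the exact filter list in it is an assumption.

```python
"""Harden keystone-paste.ini: drop admin_token_auth from the auth pipelines.

Added example; not the page's or Keystone's own code. Function names and the
sample fragment below are assumptions made for illustration.
"""
import re
import shutil
import sys

# The three pipelines the page says to edit.
PIPELINES = ("pipeline:public_api", "pipeline:admin_api", "pipeline:api_v3")

SECTION_RE = re.compile(r"\s*\[([^\]]+)\]")


def strip_admin_token_auth(text, sections=PIPELINES):
    """Return (new_text, changed_sections).

    Only the 'pipeline = ...' line of each target section is rewritten; the
    [filter:admin_token_auth] definition and every other line stay as they are.
    """
    out, changed, current = [], [], None
    for line in text.splitlines(keepends=True):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
        elif current in sections and re.match(r"\s*pipeline\s*=", line):
            key, _, value = line.partition("=")
            filters = value.split()
            if "admin_token_auth" in filters:
                filters = [f for f in filters if f != "admin_token_auth"]
                changed.append(current)
                line = f"{key.rstrip()} = {' '.join(filters)}\n"
        out.append(line)
    return "".join(out), changed


def pipelines_with_admin_token(text, sections=PIPELINES):
    """Audit helper: the target sections that still carry admin_token_auth."""
    _, present = strip_admin_token_auth(text, sections)
    return present


def admin_token_configured(conf_text):
    """True if keystone.conf [DEFAULT] has an uncommented admin_token = <value>."""
    current = None
    for line in conf_text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).strip()
        elif current == "DEFAULT" and re.match(r"\s*admin_token\s*=\s*\S", line):
            return True
    return False


def harden_file(path):
    """Rewrite the paste file in place (keeping a .bak copy); return changed sections."""
    with open(path) as f:
        text = f.read()
    new, changed = strip_admin_token_auth(text)
    if changed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as f:
            f.write(new)
    return changed


# Constructed sample mirroring the layout of keystone-paste.ini (filter list assumed).
SAMPLE_PASTE = """\
[filter:admin_token_auth]
paste.filter_factory = keystone.middleware:AdminTokenAuthMiddleware.factory

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
"""


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print("removed admin_token_auth from:", harden_file(sys.argv[1]))
    else:
        new, changed = strip_admin_token_auth(SAMPLE_PASTE)
        print("constructed sample, removed from:", changed)
        print("still present in:", pipelines_with_admin_token(new))
```

Run it as python3 harden_paste.py /etc/keystone/keystone-paste.ini, then restart httpd; without an argument it processes the constructed sample so you can see what it changes before touching the real file.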
As the admin user, request an authentication token:
openstack --os-auth-url http://192.168.1.156:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
As the user zlx, request an authentication token:
openstack --os-auth-url http://192.168.1.156:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name fzu --os-username zlx token issue
Create a file admin-openrc under /etc/keystone with the following content:
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS //ADMIN_PASS is the admin password
export OS_AUTH_URL=http://192.168.1.156:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Similarly, create a file demo-openrc for the ordinary user created above with the following content:
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=fzu //the project created in the test step
export OS_USERNAME=zlx //the ordinary user created in the test step
export OS_PASSWORD=DEMO_PASS //DEMO_PASS is the password set for user zlx
export OS_AUTH_URL=http://192.168.1.156:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
Verify using the scripts
source admin-openrc
openstack token issue
[Doing the same with the OpenStack API]
Obtain a token (with admin-openrc or demo-openrc sourced so the OS_* variables are set):
curl -v -s -X POST "$OS_AUTH_URL/auth/tokens?nocatalog" \
  -H "Content-Type: application/json" \
  -d '{ "auth": { "identity": { "methods": ["password"], "password": { "user": { "domain": { "name": "'"$OS_USER_DOMAIN_NAME"'" }, "name": "'"$OS_USERNAME"'", "password": "'"$OS_PASSWORD"'" } } }, "scope": { "project": { "domain": { "name": "'"$OS_PROJECT_DOMAIN_NAME"'" }, "name": "'"$OS_PROJECT_NAME"'" } } } }' \
  | python -m json.tool
The token itself is returned in the X-Subject-Token response header, which -v prints on stderr; the JSON body on stdout holds the expiry, user, project and roles. Because -d puts the password on the command line, other local users can read it from ps while curl runs.
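The curl command above and the openstack token issue commands earlier do the same v3 password authentication. The following Python script is an added example, not part of the original page or of the Keystone project: it builds the same password-method, project-scoped request, sends it with the standard library, reads the token from the X-Subject-Token header and summarizes the body. Credentials are taken from the OS_* environment variables set by admin-openrc or demo-openrc rather than from the command line. When OS_AUTH_URL is not set it parses a constructed sample response instead, so it also runs offline. The function names and the sample response values are assumptions.

```python
"""Request a Keystone v3 token with the password method and read the result.

Added example, not part of the original page or of Keystone. Function names
and the sample response below are assumptions; the request body follows the
v3 POST /auth/tokens format the page's curl command uses.
"""
import json
import os
import urllib.error
import urllib.request


def build_auth_request(username, password, user_domain, project, project_domain):
    """Body for POST <auth_url>/auth/tokens: password method, project scope."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": username,
                        "domain": {"name": user_domain},
                        "password": password,
                    }
                },
            },
            "scope": {
                "project": {"name": project, "domain": {"name": project_domain}}
            },
        }
    }


def parse_token_response(headers, body):
    """The token is the X-Subject-Token header; the body carries expiry and roles."""
    token = headers.get("X-Subject-Token")
    if not token:
        raise ValueError("no X-Subject-Token header: authentication did not succeed")
    tok = json.loads(body)["token"]
    return {
        "token": token,
        "expires_at": tok["expires_at"],
        "user": tok["user"]["name"],
        "project": tok.get("project", {}).get("name"),
        "roles": sorted(r["name"] for r in tok.get("roles", [])),
    }


def issue_token(auth_url, username, password, user_domain, project, project_domain):
    """POST the request with ?nocatalog (as the curl on the page does) and parse it."""
    req = urllib.request.Request(
        auth_url.rstrip("/") + "/auth/tokens?nocatalog",
        data=json.dumps(build_auth_request(username, password, user_domain,
                                           project, project_domain)).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return parse_token_response(resp.headers, resp.read())
    except urllib.error.HTTPError as err:  # 401 on a bad password, 404 on a wrong URL
        raise RuntimeError(f"Keystone returned HTTP {err.code}") from None


# Constructed sample response (all values made up), used when OS_AUTH_URL is unset.
SAMPLE_HEADERS = {"X-Subject-Token": "gAAAAABsample-fernet-token-not-real"}
SAMPLE_BODY = json.dumps({
    "token": {
        "methods": ["password"],
        "expires_at": "2017-06-01T01:00:00.000000Z",
        "issued_at": "2017-06-01T00:00:00.000000Z",
        "user": {"name": "zlx", "domain": {"name": "default"}},
        "project": {"name": "fzu", "domain": {"name": "default"}},
        "roles": [{"id": "0123456789abcdef0123456789abcdef", "name": "user"}],
    }
})


if __name__ == "__main__":
    env = os.environ
    if "OS_AUTH_URL" in env and "OS_PASSWORD" in env:
        # Credentials come from the environment (source admin-openrc), not argv.
        info = issue_token(env["OS_AUTH_URL"], env["OS_USERNAME"], env["OS_PASSWORD"],
                           env.get("OS_USER_DOMAIN_NAME", "default"),
                           env["OS_PROJECT_NAME"],
                           env.get("OS_PROJECT_DOMAIN_NAME", "default"))
    else:
        info = parse_token_response(SAMPLE_HEADERS, SAMPLE_BODY)
    print(json.dumps(info, indent=2))
```

After source /etc/keystone/demo-openrc, running the script prints the token, its expiry and the roles zlx holds on fzu; a wrong password surfaces as "Keystone returned HTTP 401" rather than a stack trace.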