OpenStack Identity Service Keystone (Part 1)



Environment

Name         OS           IP address
controller1  CentOS 7.6   192.168.37.101
node1        CentOS 7.2   192.168.37.103
mysql        CentOS 7.6   192.168.37.105

controller1

[root@controller1 ~]# yum install centos-release-openstack-stein.noarch -y
[root@controller1 ~]# yum install python-openstackclient openstack-selinux -y

node1

[root@node1 ~]# yum install centos-release-openstack-stein.noarch -y
[root@node1 ~]# yum install python-openstackclient openstack-selinux -y

mysql

[root@mysql ~]# yum install centos-release-openstack-stein.noarch -y
# install mariadb
[root@mysql ~]# yum install mariadb mariadb-server -y
# configure the listen address and other settings (0.0.0.0 listens on every interface; outside a lab, bind to the management address, here 192.168.37.105, and firewall port 3306)
[root@mysql ~]# vim /etc/my.cnf.d/openstack.cnf
[mysqld]
bind-address = 0.0.0.0

default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8

# start the mariadb service
[root@mysql ~]# systemctl start mariadb.service
# enable mariadb at boot
[root@mysql ~]# systemctl enable mariadb.service
# run the hardening script
[root@mysql ~]# mysql_secure_installation

NOTE: RUNNING ALL PARTS OF THIS SCRIPT IS RECOMMENDED FOR ALL MariaDB
      SERVERS IN PRODUCTION USE!  PLEASE READ EACH STEP CAREFULLY!

In order to log into MariaDB to secure it, we'll need the current
password for the root user.  If you've just installed MariaDB, and
you haven't set the root password yet, the password will be blank,
so you should just press enter here.

Enter current password for root (enter for none):        <-- press Enter
OK, successfully used password, moving on...

Setting the root password ensures that nobody can log into the MariaDB
root user without the proper authorisation.

Set root password? [Y/n] y
New password:              <-- set the password: 123.com
Re-enter new password:     <-- enter it again: 123.com
Password updated successfully!
Reloading privilege tables..
 ... Success!


By default, a MariaDB installation has an anonymous user, allowing anyone
to log into MariaDB without having to have a user account created for
them.  This is intended only for testing, and to make the installation
go a bit smoother.  You should remove them before moving into a
production environment.

Remove anonymous users? [Y/n] y
 ... Success!

Normally, root should only be allowed to connect from 'localhost'.  This
ensures that someone cannot guess at the root password from the network.

Disallow root login remotely? [Y/n] y
 ... Success!

By default, MariaDB comes with a database named 'test' that anyone can
access.  This is also intended only for testing, and should be removed
before moving into a production environment.

Remove test database and access to it? [Y/n] y
 - Dropping test database...
 ... Success!
 - Removing privileges on test database...
 ... Success!

Reloading the privilege tables will ensure that all changes made so far
will take effect immediately.

Reload privilege tables now? [Y/n] y
 ... Success!

Cleaning up...

All done!  If you've completed all of the above steps, your MariaDB
installation should now be secure.

Thanks for using MariaDB!

# test that login works
[root@mysql ~]# mysql -uroot -p123.com -h127.0.0.1

MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
+--------------------+
3 rows in set (0.001 sec)

MariaDB [(none)]> exit
Bye

Prepare the message queue

[root@mysql ~]# yum install rabbitmq-server -y

# start the service
[root@mysql ~]# systemctl start rabbitmq-server.service

# enable at boot
[root@mysql ~]# systemctl enable rabbitmq-server.service

# add the openstack account                 user      password
[root@mysql ~]# rabbitmqctl add_user openstack openstack123
# grant configure, write and read permissions on every resource of the default vhost
[root@mysql ~]# rabbitmqctl set_permissions openstack ".*" ".*" ".*"

controller1

Install these now: python2-PyMySQL is the driver behind the mysql+pymysql:// connection string configured below and python-memcached is the client library for memcached; later steps fail without them.

[root@controller1 ~]# yum install memcached mysql python-memcached python2-PyMySQL -y

mysql

[root@mysql ~]# yum install -y memcached
[root@mysql ~]# vim /etc/sysconfig/memcached 

PORT="11211"     --> port
USER="memcached"     --> service account
MAXCONN="1024"     --> maximum connections
CACHESIZE="1024"     --> cache size in MB
OPTIONS="-l 0.0.0.0,::1"     --> listen addresses; memcached has no authentication, so outside a lab listen only on 127.0.0.1, ::1 and the management address

[root@mysql ~]# systemctl restart memcached
[root@mysql ~]# systemctl enable memcached

[root@mysql ~]# ss -ntl
State      Recv-Q Send-Q       Local Address:Port                      Peer Address:Port              
LISTEN     0      128                      *:25672                                *:*                  
LISTEN     0      128                      *:3306                                 *:*                  
LISTEN     0      128                      *:11211                                *:*                  
LISTEN     0      128                      *:4369                                 *:*                  
LISTEN     0      128                      *:22                                   *:*                  
LISTEN     0      100              127.0.0.1:25                                   *:*                  
LISTEN     0      128                     :::5672                                :::*                  
LISTEN     0      128                    ::1:11211                               :::*                  
LISTEN     0      128                     :::22                                  :::*                  
LISTEN     0      100                    ::1:25                                  :::*   

Identity service

[root@mysql ~]# mysql -uroot -p123.com -h127.0.0.1

# create the database
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.000 sec)

# grant access ('%' lets the keystone account connect from any host; restrict it to the controller's address, 192.168.37.101, where the network layout allows)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone123';
Query OK, 0 rows affected (0.000 sec)

controller1

Test the remote connection from the controller

[root@controller1 ~]# mysql -ukeystone -pkeystone123 -h192.168.37.105

# after login, confirm the 'keystone' database is visible
MariaDB [(none)]> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| keystone           |
+--------------------+
2 rows in set (0.001 sec)

MariaDB [(none)]> exit

[root@controller1 ~]# yum install openstack-keystone httpd mod_wsgi -y

# generate a temporary admin token
[root@controller1 ~]# openssl rand -hex 10
011af0ed5f657d6638f4

# edit the configuration file
[root@controller1 ~]# vim /etc/keystone/keystone.conf
# add the following under [DEFAULT], [database] and [token] respectively
...
[DEFAULT]
admin_token = 011af0ed5f657d6638f4    <--

[database]
#                                password        this host name must be resolvable (it is added to /etc/hosts below)
connection = mysql+pymysql://keystone:keystone123@openstack.123.net/keystone    <--

[token]
provider = fernet    <--
...

Two things to know about this configuration. admin_token is a static shared secret that Keystone accepts in the X-Auth-Token header and that bypasses all policy checks; the upstream install guide replaces it with `keystone-manage bootstrap`, and if it is used at all it should be removed from keystone.conf (and httpd restarted) as soon as the admin user and role created below exist. The connection string also embeds the database password, so /etc/keystone/keystone.conf must stay readable only by root and the keystone group.

# add the host name (it points at the database host here; the same name is remapped to the controller later in this post, so putting the database IP directly in connection= avoids that conflict)
[root@controller1 ~]# vim /etc/hosts
192.168.37.105 openstack.123.net    <--
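The three configuration fragments written so far (the MariaDB openstack.cnf, the memcached sysconfig and the keystone.conf edits above) share the same lab shortcuts. What follows is an added example, not code from the original post: it audits constructed copies of those fragments for the settings a reviewer would flag, namely wildcard bind addresses, a still-present admin_token and a password embedded in the connection string. The rules and the messages are the editor's, not anything Keystone or MariaDB prints.

```python
"""Audit the lab settings from this section (added example, not part of the
original post).  MARIADB_CNF, MEMCACHED_SYSCONFIG and KEYSTONE_CONF are
constructed copies of the fragments the post writes to disk; the rules and
messages are the editor's."""
import configparser
import shlex

# Constructed copy of /etc/my.cnf.d/openstack.cnf from the mysql host
MARIADB_CNF = """
[mysqld]
bind-address = 0.0.0.0
default-storage-engine = innodb
innodb_file_per_table = on
max_connections = 4096
collation-server = utf8_general_ci
character-set-server = utf8
"""

# Constructed copy of /etc/sysconfig/memcached from the mysql host
MEMCACHED_SYSCONFIG = """
PORT="11211"
USER="memcached"
MAXCONN="1024"
CACHESIZE="1024"
OPTIONS="-l 0.0.0.0,::1"
"""

# Constructed copy of the keystone.conf settings added on controller1
KEYSTONE_CONF = """
[DEFAULT]
admin_token = 011af0ed5f657d6638f4

[database]
connection = mysql+pymysql://keystone:keystone123@openstack.123.net/keystone

[token]
provider = fernet
"""

# Addresses that mean "every interface on the host"
WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def _ini(text):
    # interpolation=None: connection strings may legitimately contain '%'
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def audit_mariadb(text):
    findings = []
    bind = _ini(text).get("mysqld", "bind-address", fallback="")
    if bind in WILDCARD_BINDS:
        findings.append("mariadb: bind-address=%s listens on every interface; "
                        "bind to the management address instead" % bind)
    return findings


def audit_memcached(text):
    """memcached has no authentication: every -l address is an open cache."""
    findings = []
    for line in text.splitlines():
        if not line.startswith("OPTIONS="):
            continue
        # drop the shell quoting, then split into argv-style tokens
        opts = " ".join(shlex.split(line.split("=", 1)[1])).split()
        for i, tok in enumerate(opts):
            if tok == "-l" and i + 1 < len(opts):
                for addr in opts[i + 1].split(","):
                    if addr in WILDCARD_BINDS:
                        findings.append("memcached: -l %s exposes an unauthenticated "
                                        "cache to the whole network" % addr)
    return findings


def audit_keystone(text):
    cp = _ini(text)
    findings = []
    if cp.get("DEFAULT", "admin_token", fallback=""):
        findings.append("keystone: admin_token is set; it bypasses policy, "
                        "remove it once the admin user and role exist")
    conn = cp.get("database", "connection", fallback="")
    # user:password@host -> a ':' before the '@' means a password is embedded
    userinfo = conn.split("//", 1)[-1].split("@", 1)[0]
    if "@" in conn and ":" in userinfo:
        findings.append("keystone: database password is embedded in [database] "
                        "connection; keystone.conf must not be world-readable")
    if cp.get("token", "provider", fallback="") != "fernet":
        findings.append("keystone: [token] provider is not fernet")
    return findings


def audit_all():
    return (audit_mariadb(MARIADB_CNF)
            + audit_memcached(MEMCACHED_SYSCONFIG)
            + audit_keystone(KEYSTONE_CONF))


if __name__ == "__main__":
    for finding in audit_all():
        print("-", finding)
```

Run as-is it reports four findings for the lab settings (the MariaDB bind, the memcached bind, the admin_token and the embedded password); point the three constants at the real files to use it as a pre-deployment check.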

[root@controller1 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller1 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

# edit the apache configuration
[root@controller1 ~]# vim /etc/httpd/conf/httpd.conf 
...
ServerName 192.168.37.101:80    <-- set to this host's address
...

# symlink the keystone wsgi vhost into apache
[root@controller1 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

# populate the database
[root@controller1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Open a new window (2) and set the environment variables. With OS_TOKEN and OS_URL set, the client sends the admin_token straight to the endpoint in the X-Auth-Token header instead of authenticating, which is why this works before any user exists.

[root@controller1 ~]# export OS_TOKEN=011af0ed5f657d6638f4
[root@controller1 ~]# echo $OS_TOKEN
011af0ed5f657d6638f4
[root@controller1 ~]# export OS_URL=http://192.168.37.101:5000/v3
[root@controller1 ~]# export OS_IDENTITY_API_VERSION=3
[root@controller1 ~]# systemctl start httpd
[root@controller1 ~]# systemctl enable httpd
[root@controller1 ~]# ss -tnl
State       Recv-Q Send-Q                                 Local Address:Port                                                Peer Address:Port              
LISTEN      0      128                                                *:22                                                             *:*                  
LISTEN      0      100                                        127.0.0.1:25                                                             *:*                  
LISTEN      0      128                                               :::5000                                                          :::*                  
LISTEN      0      128                                               :::80                                                            :::*                  
LISTEN      0      128                                               :::22                                                            :::*                  
LISTEN      0      100                                              ::1:25                                                            :::*         

# create the default domain
[root@controller1 ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 55332a7a3f05453da5cb6e6747e91427 |
| name        | default                          |
| tags        | []                               |
+-------------+----------------------------------+


[root@controller1 ~]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 55332a7a3f05453da5cb6e6747e91427 |
| enabled     | True                             |
| id          | 11171541d49b4670946a19eb7c9056fb |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 55332a7a3f05453da5cb6e6747e91427 |
| tags        | []                               |
+-------------+----------------------------------+

# list the projects
[root@controller1 ~]# openstack project list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 11171541d49b4670946a19eb7c9056fb | admin |
+----------------------------------+-------+

[root@controller1 ~]# openstack project --help
Command "project" matches:
  project create    <-- create
  project delete    <-- delete
  project list
  project purge
  project set
  project show


# create the admin user and set its password
[root@controller1 ~]# openstack user create --domain default --password-prompt admin
User Password:           <-- password: admin
Repeat User Password:    <-- password: admin
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 55332a7a3f05453da5cb6e6747e91427 |
| enabled             | True                             |
| id                  | af15a1bff0c1491b91af92f72211701d |
| name                | admin                            |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

# create the admin role
[root@controller1 ~]# openstack role create admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 4c82271cd9c64808947240430a2140af |
| name        | admin                            |
+-------------+----------------------------------+

# list the roles
[root@controller1 ~]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 4c82271cd9c64808947240430a2140af | admin |
+----------------------------------+-------+

# grant the role (give the admin user the admin role on the admin project: the admin user becomes a member of the admin project, and the role is the set of permissions it holds there)
[root@controller1 ~]# openstack role add --project admin --user admin admin


[root@controller1 ~]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | 55332a7a3f05453da5cb6e6747e91427 |
| enabled     | True                             |
| id          | f9207ec768874644acfd65f9ef2b00fb |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | 55332a7a3f05453da5cb6e6747e91427 |
| tags        | []                               |
+-------------+----------------------------------+

# create the demo user and set its password
[root@controller1 ~]# openstack user create --domain default --password-prompt demo
User Password:           <-- password: demo
Repeat User Password:    <-- password: demo
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 55332a7a3f05453da5cb6e6747e91427 |
| enabled             | True                             |
| id                  | 9e044169dcdf4121a2edcb42b641a483 |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

# create the user role
[root@controller1 ~]# openstack role create user
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | af1b7249870a4799b5ee66f82207c4cc |
| name        | user                             |
+-------------+----------------------------------+

# give the demo user the user role on the demo project
[root@controller1 ~]# openstack role add --project demo --user demo user

[root@controller1 ~]# openstack project create --domain default --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 55332a7a3f05453da5cb6e6747e91427 |
| enabled     | True                             |
| id          | 460878b2943a45579c7ecfd507ff5811 |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 55332a7a3f05453da5cb6e6747e91427 |
| tags        | []                               |
+-------------+----------------------------------+

Service registration

Register the keystone service and its endpoints in the catalog

# create the keystone identity service (the catalog is empty before this)
[root@controller1 ~]# openstack service list

[root@controller1 ~]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 65357d96e5334fd4aced034f2da9a2ef |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

[root@controller1 ~]# openstack service list
+----------------------------------+----------+----------+
| ID                               | Name     | Type     |
+----------------------------------+----------+----------+
| 65357d96e5334fd4aced034f2da9a2ef | keystone | identity |
+----------------------------------+----------+----------+

# register the API endpoints (public, admin and internal all use port 5000 in Stein)
[root@controller1 ~]# openstack endpoint create --region RegionOne identity public http://openstack.123.net:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 1d29569362074cbbafd02ad078b82295 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 65357d96e5334fd4aced034f2da9a2ef |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://openstack.123.net:5000/v3 |
+--------------+----------------------------------+

[root@controller1 ~]# openstack endpoint create --region RegionOne identity admin http://openstack.123.net:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 4ed2fcbd27bb47ccb341e1b14edba123 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 65357d96e5334fd4aced034f2da9a2ef |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://openstack.123.net:5000/v3 |
+--------------+----------------------------------+

[root@controller1 ~]# openstack endpoint create --region RegionOne identity internal http://openstack.123.net:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 3570254f487a471b8f98c72bdacbd36d |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 65357d96e5334fd4aced034f2da9a2ef |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://openstack.123.net:5000/v3 |
+--------------+----------------------------------+

# confirm every endpoint uses port '5000'; if one does not, delete it with 'openstack endpoint delete <ID>', create it again and list once more
[root@controller1 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                              |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------+
| 1d29569362074cbbafd02ad078b82295 | RegionOne | keystone     | identity     | True    | public    | http://openstack.123.net:5000/v3 |
| 3570254f487a471b8f98c72bdacbd36d | RegionOne | keystone     | identity     | True    | internal  | http://openstack.123.net:5000/v3 |
| 4ed2fcbd27bb47ccb341e1b14edba123 | RegionOne | keystone     | identity     | True    | admin     | http://openstack.123.net:5000/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+----------------------------------+
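The port check above is done by eye on the table. The following is an added example, not code from the original post, that performs the same check on the listing and adds two more a reviewer wants: exactly one endpoint per interface, and, when asked, no plaintext http URLs (the lab above uses http, so tokens and passwords cross the network in the clear). ENDPOINT_LIST is constructed to look like `openstack endpoint list --service identity -f value -c ID -c Interface -c URL` output for the three endpoints above plus one deliberately wrong, made-up entry; the all-zero ID is not a real endpoint.

```python
"""Check identity endpoints in the catalog (added example, not part of the
original post).  ENDPOINT_LIST is constructed to look like the output of
`openstack endpoint list --service identity -f value -c ID -c Interface -c URL`
for the three endpoints above plus one deliberately wrong, made-up entry."""
from urllib.parse import urlsplit

ENDPOINT_LIST = """\
1d29569362074cbbafd02ad078b82295 public http://openstack.123.net:5000/v3
3570254f487a471b8f98c72bdacbd36d internal http://openstack.123.net:5000/v3
4ed2fcbd27bb47ccb341e1b14edba123 admin http://openstack.123.net:5000/v3
00000000000000000000000000000000 admin http://openstack.123.net:35357/v3
"""

EXPECTED_PORT = 5000


def parse_endpoints(text):
    """One dict per row; rows without exactly three columns are skipped."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            rows.append({"id": parts[0], "interface": parts[1], "url": parts[2]})
    return rows


def check_endpoints(rows, expected_port=EXPECTED_PORT, require_tls=False):
    """Map endpoint ID -> list of reasons it should be deleted and recreated.

    Applies the page's rule (every identity endpoint on expected_port) plus
    one endpoint per interface and, with require_tls, no plaintext URLs."""
    problems = {}
    first_seen = {}
    for row in rows:
        reasons = []
        u = urlsplit(row["url"])
        port = u.port if u.port is not None else (443 if u.scheme == "https" else 80)
        if port != expected_port:
            reasons.append("port %d, expected %d" % (port, expected_port))
        if require_tls and u.scheme != "https":
            reasons.append("plaintext %s URL" % u.scheme)
        first = first_seen.setdefault(row["interface"], row["id"])
        if first != row["id"]:
            reasons.append("duplicate %s endpoint (first is %s)" % (row["interface"], first))
        if reasons:
            problems[row["id"]] = reasons
    return problems


def delete_commands(problems):
    """The commands the page tells you to run for a bad endpoint."""
    return ["openstack endpoint delete %s" % eid for eid in sorted(problems)]


if __name__ == "__main__":
    found = check_endpoints(parse_endpoints(ENDPOINT_LIST))
    for eid, reasons in found.items():
        print(eid, "; ".join(reasons))
    print("\n".join(delete_commands(found)))
```

Feed it the real `-f value` output to get the delete commands directly; pass require_tls=True once the endpoints are behind TLS to catch any that were registered with http.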

Open another new window (3)

# change the host name mapping to '192.168.37.101'
[root@controller1 ~]# vim /etc/hosts

192.168.37.101 openstack.123.net    <-- edit this line

Note that openstack.123.net was mapped to the database host (192.168.37.105) earlier and is the host in keystone.conf's connection string; after this change it resolves to the controller, which runs no MariaDB, so Keystone loses the database as soon as it opens new connections (at the latest after the next httpd restart). Give the database its own name or IP in connection= and keep openstack.123.net for the API endpoints only.

# set the variables
[root@controller1 ~]# export OS_IDENTITY_API_VERSION=3
[root@controller1 ~]# openstack --os-auth-url http://openstack.123.net:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Password:    <-- password: admin
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-09-19T06:16:56+0000                                                                                                                                                                |
| id         | gAAAAABjJ_tITeXOQzG-cRm-PySM89Z0cglEwAqQA03K-36DD0-r_prl4a_iRQiYRMuUZL0mLXhDEfQxSNbRT0_tkeoM1w1c74sRTzIKXaoTsGJl1PTkkMb38sVmzd7aaMjnEecRnOWQSoqXPHOIhtbfwdXl24WEeMfNdTARuqQ3pUB6CuezoUQ |
| project_id | 0c1e7970dcb044c7a4b31bec89c8765d                                                                                                                                                        |
| user_id    | 7d54dc0518f944e58662c28791746531                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Window (2)

The project_id and user_id in the token above match the IDs listed here

[root@controller1 ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 646554fe968a41dba4a808a40c5fe764 | demo  |
| 7d54dc0518f944e58662c28791746531 | admin |
+----------------------------------+-------+

[root@controller1 ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 0c1e7970dcb044c7a4b31bec89c8765d | admin   |
| 6981b2287cd240e3af6dce336206ae58 | service |
| 6f4ccd7c5c7b4a55bc7cec2b5894e0e5 | demo    |
+----------------------------------+---------+

Window (3)

[root@controller1 ~]# mkdir scripts
[root@controller1 ~]# cd scripts
# admin rc script (it holds the password in clear text, so keep it readable only by root: chmod 600 admin_stein.sh demo_stein.sh)
[root@controller1 scripts]# cat admin_stein.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://openstack.123.net:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

# demo rc script
[root@controller1 scripts]# cat demo_stein.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://openstack.123.net:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

Open another new window (4)

# load the variables
[root@controller1 ~]# source scripts/admin_stein.sh
# show which variables were loaded
[root@controller1 ~]# cat scripts/admin_stein.sh
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://openstack.123.net:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
# echo one of them to confirm the variables are set
[root@controller1 ~]# echo $OS_AUTH_URL
http://openstack.123.net:5000/v3

# returns a token without prompting for a password, because OS_PASSWORD is already set by the 'admin' / 'demo' scripts
[root@controller1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-09-19T06:32:09+0000                                                                                                                                                                |
| id         | gAAAAABjJ_7ZmkfIoHPd8xuv6Lz8Y93Rz-C9fYtDprwBIEtF2zEHfDGqTWxQe44731GN5jPKWiXiwNZv-lL4yTrIDIFRZ856kdMDKkwfMw-upE9d1rKr1cvNIWiownwhtB8d8sLXJr1C-qvK1qn8GB4IS-eApiL_pHkpAw5-c27wWeqrm1NlSp8 |
| project_id | 0c1e7970dcb044c7a4b31bec89c8765d                                                                                                                                                        |
| user_id    | 7d54dc0518f944e58662c28791746531                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

# test 'demo' as well
[root@controller1 ~]# source scripts/demo_stein.sh 
[root@controller1 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2022-09-19T06:34:43+0000                                                                                                                                                                |
| id         | gAAAAABjJ_9zo1HBiNZ3xYkNJmLzqLAqybcU7k5m6ml-hp9tb-qLzYYWXJCBI7kJL7_LrPVqfHu1_Nfs3rUXyqRuVgBE8Xfl94w6VbUzUQcOz_rdwltfMqEEsPX8ReKPqW4LQzjnhuiGsYbIwaEYe0bgeN66KLxyh8lljOKzgV9PVeOX1uuUTiU |
| project_id | 6f4ccd7c5c7b4a55bc7cec2b5894e0e5                                                                                                                                                        |
| user_id    | 646554fe968a41dba4a808a40c5fe764                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
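What the two ways of authenticating in this section actually send, as an added example that is not part of the original post: the `--os-*` invocation in window (3) and the rc scripts above both end up as the same Identity v3 password request, while window (2) with OS_TOKEN puts the admin_token in a header and never authenticates. The request shape is the public v3 API (POST /v3/auth/tokens); the response below is constructed from the page's own `token issue` output with a made-up short token id, and no network call is made.

```python
"""Identity v3 auth as `openstack token issue` performs it (added example,
not part of the original post; the response is constructed from the page's
output and nothing is sent over the network)."""
import json
from datetime import datetime, timezone

# Constructed from the page's admin_stein.sh
ADMIN_ENV = {
    "OS_AUTH_URL": "http://openstack.123.net:5000/v3",
    "OS_PROJECT_DOMAIN_NAME": "Default",
    "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_NAME": "admin",
    "OS_USERNAME": "admin",
    "OS_PASSWORD": "admin",
}


def build_password_auth(env):
    """Project-scoped password auth body, the v3 shape behind the OS_* variables."""
    return {
        "auth": {
            "identity": {
                "methods": ["password"],
                "password": {
                    "user": {
                        "name": env["OS_USERNAME"],
                        "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
                        "password": env["OS_PASSWORD"],
                    }
                },
            },
            "scope": {
                "project": {
                    "name": env["OS_PROJECT_NAME"],
                    "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]},
                }
            },
        }
    }


def token_request(env):
    """(method, url, headers, body) for the password flow: POST /v3/auth/tokens."""
    url = env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens"
    headers = {"Content-Type": "application/json"}
    return "POST", url, headers, json.dumps(build_password_auth(env))


def admin_token_headers(env):
    """The window (2) flow: OS_TOKEN goes straight into X-Auth-Token, no auth call.
    Anyone holding this value is admin, which is why it must not outlive bootstrapping."""
    return {"X-Auth-Token": env["OS_TOKEN"]}


# Constructed to mirror the page's first `token issue` result; the token id is made up
RESPONSE_HEADERS = {"X-Subject-Token": "gAAAAAB-constructed-fernet-token"}
RESPONSE_BODY = {
    "token": {
        "expires_at": "2022-09-19T06:16:56.000000Z",
        "project": {"id": "0c1e7970dcb044c7a4b31bec89c8765d", "name": "admin"},
        "user": {"id": "7d54dc0518f944e58662c28791746531", "name": "admin"},
        "roles": [{"name": "admin"}],
    }
}


def _keystone_time(value):
    """Keystone emits UTC timestamps with microseconds and a trailing Z."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError("unrecognised timestamp: %r" % value)


def read_token(headers, body):
    """The four fields `openstack token issue` prints.

    The token id is a response header, not part of the JSON body; the body
    carries the scope (project, user, roles) the token was issued for."""
    tok = body["token"]
    return {
        "id": headers["X-Subject-Token"],
        "expires": _keystone_time(tok["expires_at"]).strftime("%Y-%m-%dT%H:%M:%S%z"),
        "project_id": tok["project"]["id"],
        "user_id": tok["user"]["id"],
    }


def token_is_live(body, now_iso):
    """True while the token has not expired at now_iso (same format as expires_at)."""
    return _keystone_time(now_iso) < _keystone_time(body["token"]["expires_at"])


if __name__ == "__main__":
    method, url, headers, raw = token_request(ADMIN_ENV)
    print(method, url)
    print(raw)
    print(read_token(RESPONSE_HEADERS, RESPONSE_BODY))
```

The printed body is the password in a JSON document; over the http:// endpoints registered above it travels in the clear, which is the reason the identity endpoints should be served over TLS outside a lab. The expires value comes out as 2022-09-19T06:16:56+0000, the same format the CLI table shows.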