Deploying Keystone

Summary: Deploying Keystone

After the base environment has been configured, deploy the Keystone component first; it needs to be installed only on the controller node.

1. Create the database and the database user

Create the keystone database in MySQL, create the database user, and grant it privileges on that database.

[root@controller ~]# mysql -u root -p000000
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 10.3.20-MariaDB MariaDB Server

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.001 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.000 sec)

MariaDB [(none)]> exit
Bye

2. Install the Keystone packages

[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi

3. Configure Keystone

[root@controller ~]# vim /etc/keystone/keystone.conf

[database]
# add this line
connection=mysql+pymysql://keystone:keystone@controller/keystone

[token]
# add this line
provider=fernet


4. Initialize the Identity service database

[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Verify that the database was synchronized successfully:

[root@controller ~]# mysql -h 192.168.16.128 -u keystone -pkeystone -e "USE keystone; SHOW TABLES;"
+------------------------------------+
| Tables_in_keystone                 |
+------------------------------------+
| access_rule                        |
| access_token                       |
| application_credential             |
| application_credential_access_rule |
| application_credential_role        |
| assignment                         |
| config_register                    |
| consumer                           |
| credential                         |
| endpoint                           |
| endpoint_group                     |
| federated_user                     |
| federation_protocol                |
| group                              |
| id_mapping                         |
| identity_provider                  |
| idp_remote_ids                     |
| implied_role                       |
| limit                              |
| local_user                         |
| mapping                            |
| migrate_version                    |
| nonlocal_user                      |
| password                           |
| policy                             |
| policy_association                 |
| project                            |
| project_endpoint                   |
| project_endpoint_group             |
| project_option                     |
| project_tag                        |
| region                             |
| registered_limit                   |
| request_token                      |
| revocation_event                   |
| role                               |
| role_option                        |
| sensitive_config                   |
| service                            |
| service_provider                   |
| system_assignment                  |
| token                              |
| trust                              |
| trust_role                         |
| user                               |
| user_group_membership              |
| user_option                        |
| whitelisted_config                 |
+------------------------------------+

5. Initialize the Fernet keys

Fernet is the secure message format used for API tokens; the Fernet keys created here are what Keystone uses to sign and encrypt those tokens (credential_setup creates the matching key repository for stored credentials).

[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
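An added check, not part of the original guide: a Python audit of the key repository that fernet_setup creates. It assumes the default repository path /etc/keystone/fernet-keys and the keystone user and group passed on the command lines above; the sample repository it builds for testing is constructed in a temporary directory.

```python
import grp
import os
import pwd
import stat
import tempfile

# Default repository written by fernet_setup (assumed; keystone.conf can override it)
KEY_REPOSITORY = "/etc/keystone/fernet-keys"

def owner_names(uid, gid):
    """Resolve uid/gid to names, falling back to numeric ids when unknown."""
    try:
        return pwd.getpwuid(uid).pw_name, grp.getgrgid(gid).gr_name
    except KeyError:
        return str(uid), str(gid)

def current_owner():
    """Names of the account running this script (used for the fixture below)."""
    return owner_names(os.geteuid(), os.getegid())

def audit_fernet_repository(path, user="keystone", group="keystone"):
    """Return a list of findings; an empty list means the repository looks sane."""
    if not os.path.isdir(path):
        return [f"{path}: repository directory does not exist"]
    findings = []
    st = os.stat(path)
    if stat.S_IMODE(st.st_mode) != 0o700:
        findings.append(f"{path}: mode {oct(stat.S_IMODE(st.st_mode))}, expected 0o700")
    if owner_names(st.st_uid, st.st_gid) != (user, group):
        findings.append(f"{path}: not owned by {user}:{group}")
    keys = sorted(n for n in os.listdir(path) if n.isdigit())
    if len(keys) < 2:  # fernet_setup creates key 0 (staged) and key 1 (primary)
        findings.append(f"{path}: expected at least 2 keys, found {len(keys)}")
    for name in keys:  # every key must be readable by the keystone account only
        mode = stat.S_IMODE(os.stat(os.path.join(path, name)).st_mode)
        if mode != 0o600:
            findings.append(f"{name}: mode {oct(mode)}, expected 0o600")
    return findings

def build_sample_repository(weak=False):
    """Constructed fixture in a temp dir; weak=True leaves key 1 readable by others."""
    path = os.path.join(tempfile.mkdtemp(), "fernet-keys")
    os.mkdir(path)
    os.chmod(path, 0o700)  # explicit: mkdir's mode argument is masked by umask
    for name, mode in (("0", 0o600), ("1", 0o644 if weak else 0o600)):
        key_file = os.path.join(path, name)
        with open(key_file, "w") as fh:
            fh.write("constructed-placeholder-not-a-real-key==")
        os.chmod(key_file, mode)
    return path
```

On the controller, run audit_fernet_repository(KEY_REPOSITORY) as root after the two commands above; any finding means a key could be read by an account other than keystone, which would let that account forge tokens.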

6. Bootstrap the Identity service

[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

7. Configure the Apache HTTP server

(1) Set the server hostname

[root@controller ~]# vim /etc/httpd/conf/httpd.conf

Before: #ServerName www.example.com:80

After: ServerName controller

Save and exit.

(2) Create the configuration file

[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

(3) Start the service and enable it at boot

[root@controller ~]# systemctl start httpd.service

[root@controller ~]# systemctl enable httpd.service

Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

8. Set the environment variables for the admin account

[root@controller ~]# export OS_USERNAME=admin

[root@controller ~]# export OS_PASSWORD=000000

[root@controller ~]# export OS_PROJECT_NAME=admin

[root@controller ~]# export OS_USER_DOMAIN_NAME=Default

[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default

[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3

[root@controller ~]# export OS_IDENTITY_API_VERSION=3

9. Create the OpenStack domain, projects, users and roles

[root@controller ~]# openstack project create --domain default --description "Service Project" service  # create the service project
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 034564ee72e6440ebe7f32e7e6156aa2 |
| is_domain   | False                            |
| name        | service                          |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

[root@controller ~]# openstack project create --domain default --description "Demo Project" demo  # create the demo project
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | default                          |
| enabled     | True                             |
| id          | 5350cda310b9484680c28fcfc92587e9 |
| is_domain   | False                            |
| name        | demo                             |
| options     | {}                               |
| parent_id   | default                          |
| tags        | []                               |
+-------------+----------------------------------+

[root@controller ~]# openstack user create --domain default --password-prompt demo  # create the demo user
User Password:000000
Repeat User Password:000000
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | default                          |
| enabled             | True                             |
| id                  | d34d1f0450c24546b157f624b2adb33f |
| name                | demo                             |
| options             | {}                               |
| password_expires_at | None                             |
+---------------------+----------------------------------+

[root@controller ~]# openstack role create user  # create the user role
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | None                             |
| domain_id   | None                             |
| id          | 1f43962ba43244058f25dad2b7150129 |
| name        | user                             |
| options     | {}                               |
+-------------+----------------------------------+

[root@controller ~]# openstack role add --project demo --user demo user  # give the demo user the user role on the demo project

10. Verify the Identity service

(1) For security reasons, remove the temporary admin-token authentication mechanism

Edit the /etc/keystone/keystone-paste.ini configuration file and delete the admin_token entry from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.
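An added example, not part of the original guide: a Python helper that reports which [pipeline:*] sections of keystone-paste.ini still carry the admin_token_auth filter (the entry the guide calls admin_token) and removes it from the pipeline lines only, leaving the [filter:admin_token_auth] definition and everything else untouched. SAMPLE_PASTE_INI is a constructed, abridged sample, not a copy of any release's file.

```python
import re

# The paste filter that the guide calls "admin_token"; keystone-paste.ini lists it
# in the filter chain of each API pipeline.
FILTER_NAME = "admin_token_auth"
SECTION_RE = re.compile(r"^\s*\[pipeline:([^\]]+)\]\s*$")

# Constructed, abridged keystone-paste.ini sample (not copied from any release).
SAMPLE_PASTE_INI = """\
[filter:admin_token_auth]
use = egg:keystone#admin_token_auth

[pipeline:public_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body public_service

[pipeline:admin_api]
pipeline = cors sizelimit url_normalize request_id admin_token_auth build_auth_context token_auth json_body admin_service

[pipeline:api_v3]
pipeline = cors sizelimit url_normalize request_id build_auth_context token_auth json_body service_v3
"""

def _walk(text):
    """Yield (section, line) pairs; section is the enclosing [pipeline:...] name or None."""
    section = None
    for line in text.splitlines():
        match = SECTION_RE.match(line)
        if match:
            section = match.group(1)
        elif line.lstrip().startswith("["):
            section = None  # some other kind of section, e.g. [filter:...]
        yield section, line

def _is_chain(section, line):
    """True for the 'pipeline = ...' line inside a [pipeline:*] section."""
    return section is not None and line.lstrip().startswith("pipeline")

def pipelines_with_admin_token(text):
    """Names of [pipeline:*] sections whose filter chain still contains FILTER_NAME."""
    return [section for section, line in _walk(text)
            if _is_chain(section, line) and FILTER_NAME in line.partition("=")[2].split()]

def strip_admin_token(text):
    """Return the file with FILTER_NAME removed from every pipeline chain, nothing else touched."""
    out = []
    for section, line in _walk(text):
        if _is_chain(section, line):
            key, _, value = line.partition("=")
            chain = [f for f in value.split() if f != FILTER_NAME]
            line = f"{key.strip()} = {' '.join(chain)}"
        out.append(line)
    return "\n".join(out) + "\n"
```

To audit the live file, pass the contents of /etc/keystone/keystone-paste.ini to pipelines_with_admin_token; an empty list means no pipeline still accepts the shared admin token, which is also what you get on releases whose keystone-paste.ini no longer ships the filter.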

(2) Unset the temporary environment variables

[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD

(3) Request a token as the admin user

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue
Password: 000000
Password: 000000
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-05-08T13:56:14+0000                                                                                                                                                                |
| id         | gAAAAABetVbuwnOJRVKoaPPfHOmowVHRwgGzzhL0trOrLnUdSgAHlVX_QWpnNdnVAX_nsfqpPvVYyH7y9nvXMdCsCubfY0ElgAaiUVSxrZ3BndNfoM9jZOpOmzMU-9k0Dlixt5CaymMgXDba4yNXsUAUv-Wb2UgYZrmH3ukVznio-aENViOeQx8 |
| project_id | fa7f256af0d447f1977ec4a781502e38                                                                                                                                                        |
| user_id    | 6e3faf98b03a480e862c340753855ae4                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(4) Request a token as the demo user

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name demo --os-username demo token issue
Password: 000000
Password: 000000
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-05-08T13:58:17+0000                                                                                                                                                                |
| id         | gAAAAABetVdpGLwJsqGWyustkFtb5elYYJnErdPbSBoVBVA8k1FUkMvRVYkdUOvEdUzxklTVJS7Qvst-kKOSRo_gL0U8-gmKaRDUUcwTlosEntMw_2KMjeB1wx-BT-j-aT82oHYOM-dH_IhJo2okvm1YzY_HABew0XBHO65LM7ve_yUUj2539xw |
| project_id | 5350cda310b9484680c28fcfc92587e9                                                                                                                                                        |
| user_id    | d34d1f0450c24546b157f624b2adb33f                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(5) Create the environment scripts with the following commands

① Create the admin user's environment script

[root@controller ~]# vim admin-openrc

[root@controller ~]# cat admin-openrc

export OS_PROJECT_DOMAIN_NAME=Default

export OS_USER_DOMAIN_NAME=Default

export OS_PROJECT_NAME=admin

export OS_USERNAME=admin

export OS_PASSWORD=000000

export OS_AUTH_URL=http://controller:5000/v3

export OS_IDENTITY_API_VERSION=3

export OS_IMAGE_API_VERSION=2

② Create the demo user's environment script:

[root@controller ~]# vim demo-openrc

[root@controller ~]# cat demo-openrc

export OS_PROJECT_DOMAIN_NAME=Default

export OS_USER_DOMAIN_NAME=Default

export OS_PROJECT_NAME=demo

export OS_USERNAME=demo

export OS_PASSWORD=000000

export OS_AUTH_URL=http://controller:5000/v3

export OS_IDENTITY_API_VERSION=3

export OS_IMAGE_API_VERSION=2

③ Make the environment scripts executable:

[root@controller ~]# chmod +x admin-openrc

[root@controller ~]# chmod +x demo-openrc

(6) Verify the admin environment script

① Run the admin environment script

[root@controller ~]# ./admin-openrc

② Request a token directly, relying on the environment variables from the script

[root@controller ~]# openstack token issue

Missing value auth-url required for auth plugin password

Solution: ./admin-openrc runs the script in a child shell, so its exports never reach the current shell. Source the script instead, from the directory that contains admin-openrc:

[root@controller ~]# source admin-openrc

[root@controller ~]# openstack token issue

+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2020-05-08T14:09:19+0000                                                                                                                                                                |
| id         | gAAAAABetVn_XtdknvviCFdNnESEBM7CZcQBrf-mCSoUKq-LVkwP2ajb9B65BwXWGKMMd8-aR2M6nVX3mNsXviG42OaE8_mjaaDpvTZv-6TpqqTbxbawUVbOUqm3qw8M13_hH-E3cOlKiDXtiVGvcs418nU1pXJQuCyfWKF8rNCTy8HkbydDZxE |
| project_id | fa7f256af0d447f1977ec4a781502e38                                                                                                                                                        |
| user_id    | 6e3faf98b03a480e862c340753855ae4                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
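An added example, not part of the original guide, showing what `openstack token issue` does underneath: the OS_* variables from admin-openrc become a v3 password-authentication request to OS_AUTH_URL/auth/tokens, and the four fields in the table above come from the X-Subject-Token header and the JSON reply. ADMIN_ENV and SAMPLE_REPLY are constructed samples (the ids are the ones shown in the guide's output), and the error text mirrors the one the CLI printed when the variables were not exported.

```python
import json
import urllib.request

# Values the password auth plugin needs (the CLI reports them by option name, e.g. auth-url).
REQUIRED = ("OS_AUTH_URL", "OS_USERNAME", "OS_PASSWORD", "OS_PROJECT_NAME",
            "OS_USER_DOMAIN_NAME", "OS_PROJECT_DOMAIN_NAME")

def missing_auth_values(env):
    """Variables unset or empty, e.g. after ./admin-openrc ran in a child shell instead of being sourced."""
    return [key for key in REQUIRED if not env.get(key)]

def build_auth_request(env):
    """Turn the OS_* variables into the JSON body POSTed to OS_AUTH_URL/auth/tokens."""
    missing = missing_auth_values(env)
    if missing:
        raise ValueError(f"Missing value {missing[0]} required for auth plugin password")
    return {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"], "password": env["OS_PASSWORD"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]}}}},
        "scope": {"project": {"name": env["OS_PROJECT_NAME"],
                              "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}

def summarize_token(subject_token, body):
    """The four fields `openstack token issue` prints (the id is the X-Subject-Token header)."""
    tok = body["token"]
    return {"expires": tok["expires_at"], "id": subject_token,
            "project_id": tok["project"]["id"], "user_id": tok["user"]["id"]}

def issue_token(env):
    """Live request against the controller (needs network; not exercised offline)."""
    req = urllib.request.Request(
        env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens",
        data=json.dumps(build_auth_request(env)).encode(),
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return summarize_token(resp.headers["X-Subject-Token"], json.load(resp))

# Constructed samples: the admin-openrc variables and an abridged v3 token reply (ids from the guide).
ADMIN_ENV = {
    "OS_PROJECT_DOMAIN_NAME": "Default", "OS_USER_DOMAIN_NAME": "Default",
    "OS_PROJECT_NAME": "admin", "OS_USERNAME": "admin", "OS_PASSWORD": "000000",
    "OS_AUTH_URL": "http://controller:5000/v3", "OS_IDENTITY_API_VERSION": "3",
}
SAMPLE_REPLY = {"token": {
    "expires_at": "2020-05-08T14:09:19.000000Z",
    "project": {"id": "fa7f256af0d447f1977ec4a781502e38", "name": "admin"},
    "user": {"id": "6e3faf98b03a480e862c340753855ae4", "name": "admin"},
}}
```

On the controller, issue_token(dict(os.environ)) after sourcing admin-openrc returns the same four fields the CLI table shows; the token id is a bearer credential, so treat the output like a password.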

With this, the Keystone deployment is complete.
