Deploying Keystone
Once the base environment is configured, deploy the Keystone component first; it is deployed on the controller node only.
1. Create the database and database user
In MySQL, create the keystone database, create the database user, and grant it privileges on that database.
[root@controller ~]# mysql -u root -p000000
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 15
Server version: 10.3.20-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.001 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
Query OK, 0 rows affected (0.000 sec)
MariaDB [(none)]> exit
Bye
2. Install the Keystone packages
[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi
3. Configure Keystone
[root@controller ~]# vim /etc/keystone/keystone.conf
[database]
# add this line
connection=mysql+pymysql://keystone:keystone@controller/keystone
[token]
# add this line
provider=fernet
4. Initialize the Identity service database
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
Verify that the database was synchronized successfully:
[root@controller ~]# mysql -h 192.168.16.128 -u keystone -pkeystone -e "USE keystone; SHOW TABLES;"
+------------------------------------+
| Tables_in_keystone |
+------------------------------------+
| access_rule |
| access_token |
| application_credential |
| application_credential_access_rule |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_option |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| role_option |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+------------------------------------+
5. Initialize the Fernet keys
Fernet is the secure format used for API tokens; the Fernet keys are the key material Keystone uses to issue and validate those tokens.
[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
6. Bootstrap the Identity service
[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne
7. Configure the Apache HTTP server
(1) Set the server hostname
[root@controller ~]# vim /etc/httpd/conf/httpd.conf
Before: #ServerName www.example.com:80
After:  ServerName controller
Save and exit.
(2) Create the configuration file
[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
(3) Start the service and enable it at boot
[root@controller ~]# systemctl start httpd.service
[root@controller ~]# systemctl enable httpd.service
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
8. Set the environment variables for the admin account
[root@controller ~]# export OS_USERNAME=admin
[root@controller ~]# export OS_PASSWORD=000000
[root@controller ~]# export OS_PROJECT_NAME=admin
[root@controller ~]# export OS_USER_DOMAIN_NAME=Default
[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
[root@controller ~]# export OS_IDENTITY_API_VERSION=3
9. Create the OpenStack domain, projects, users, and roles
[root@controller ~]# openstack project create --domain default --description "Service Project" service  # create the service project
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | default |
| enabled | True |
| id | 034564ee72e6440ebe7f32e7e6156aa2 |
| is_domain | False |
| name | service |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
[root@controller ~]# openstack project create --domain default --description "Demo Project" demo  # create the demo project
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | 5350cda310b9484680c28fcfc92587e9 |
| is_domain | False |
| name | demo |
| options | {} |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
[root@controller ~]# openstack user create --domain default --password-prompt demo  # create the demo user
User Password:000000
Repeat User Password:000000
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | d34d1f0450c24546b157f624b2adb33f |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
[root@controller ~]# openstack role create user  # create the user role
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | None |
| domain_id | None |
| id | 1f43962ba43244058f25dad2b7150129 |
| name | user |
| options | {} |
+-------------+----------------------------------+
[root@controller ~]# openstack role add --project demo --user demo user  # grant the user role to the demo user on the demo project
10. Verify the Identity service
(1) For security reasons, remove the temporary admin-token authentication mechanism.
Edit the /etc/keystone/keystone-paste.ini configuration file and delete the admin_token entry from the [pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] pipelines.
(2) Unset the temporary environment variables
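The checks a practitioner would run after steps 3, 5 and 10 (1), written here as an added shell audit that is not part of the original post: ini_get, the check_* functions and keystone_audit are names assumed for this example, and the three file paths are passed as parameters so it runs against constructed sample files as well as the real /etc/keystone files.

```shell
#!/bin/sh
# Added audit (not from the original post) for the Keystone settings this
# walkthrough sets. Assumes POSIX sh + awk and ini-style files with "key = value"
# lines and '#'/';' comments, as keystone.conf and keystone-paste.ini use.

# ini_get FILE SECTION KEY: print the value of KEY in [SECTION], or nothing.
ini_get() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/[ \t]/, "", s); insec = (s == sec); next }
        insec && /^[ \t]*[#;]/ { next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k != key) next
            v = substr($0, index($0, "=") + 1); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print v; exit
        }' "$1"
}

# Step 3: [database] connection must use the dedicated keystone DB user (never
# root) over mysql+pymysql, and [token] provider must be fernet.
check_db_connection() {
    case "$(ini_get "$1" database connection)" in
        mysql+pymysql://keystone:*@*/keystone) return 0 ;;
        *) return 1 ;;
    esac
}
check_token_provider() { [ "$(ini_get "$1" token provider)" = fernet ]; }

# Step 10 (1): no pipeline in keystone-paste.ini may still list the admin_token
# filter, which lets a shared secret stand in for password authentication.
check_admin_token_removed() {
    ! grep -Eq '^[[:space:]]*pipeline[[:space:]]*=.*admin_token' "$1"
}

# Step 5: the Fernet keys sign and encrypt every issued token, so the key
# directory must not be readable by group or others (ls columns 5-10).
check_fernet_dir() { [ -d "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]; }

# keystone_audit CONF PASTE KEYDIR: run every check; return the failure count.
keystone_audit() {
    fails=0
    check_db_connection "$1"       || { echo "FAIL: [database] connection in $1"; fails=$((fails + 1)); }
    check_token_provider "$1"      || { echo "FAIL: [token] provider in $1"; fails=$((fails + 1)); }
    check_admin_token_removed "$2" || { echo "FAIL: admin_token still in $2"; fails=$((fails + 1)); }
    check_fernet_dir "$3"          || { echo "FAIL: $3 readable by group/others"; fails=$((fails + 1)); }
    [ "$fails" -eq 0 ] && echo "OK: all Keystone checks passed"
    return "$fails"
}
# Invoked with the three paths as arguments, e.g. the real /etc/keystone files.
if [ "$#" -eq 3 ]; then keystone_audit "$@"; fi
```

On the controller the call is `sh audit.sh /etc/keystone/keystone.conf /etc/keystone/keystone-paste.ini /etc/keystone/fernet-keys`; a non-zero exit status is the number of failed checks.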
[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD
(3) Request a token as the admin user
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin token issue
Password: 000000
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-05-08T13:56:14+0000 |
| id | gAAAAABetVbuwnOJRVKoaPPfHOmowVHRwgGzzhL0trOrLnUdSgAHlVX_QWpnNdnVAX_nsfqpPvVYyH7y9nvXMdCsCubfY0ElgAaiUVSxrZ3BndNfoM9jZOpOmzMU-9k0Dlixt5CaymMgXDba4yNXsUAUv-Wb2UgYZrmH3ukVznio-aENViOeQx8 |
| project_id | fa7f256af0d447f1977ec4a781502e38 |
| user_id | 6e3faf98b03a480e862c340753855ae4 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
(4) Request a token as the demo user
[root@controller ~]# openstack --os-auth-url http://controller:5000/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name demo --os-username demo token issue
Password: 000000
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-05-08T13:58:17+0000 |
| id | gAAAAABetVdpGLwJsqGWyustkFtb5elYYJnErdPbSBoVBVA8k1FUkMvRVYkdUOvEdUzxklTVJS7Qvst-kKOSRo_gL0U8-gmKaRDUUcwTlosEntMw_2KMjeB1wx-BT-j-aT82oHYOM-dH_IhJo2okvm1YzY_HABew0XBHO65LM7ve_yUUj2539xw |
| project_id | 5350cda310b9484680c28fcfc92587e9 |
| user_id | d34d1f0450c24546b157f624b2adb33f |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
(5) Create the environment scripts, as follows
① Create the admin user's environment script
[root@controller ~]# vim admin-openrc
[root@controller ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
② Create the demo user's environment script, as follows:
[root@controller ~]# vim demo-openrc
[root@controller ~]# cat demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
③ Make the environment scripts executable, as follows:
[root@controller ~]# chmod +x admin-openrc
[root@controller ~]# chmod +x demo-openrc
(6) Verify the admin environment script
① Run the admin environment script
[root@controller ~]# ./admin-openrc
② Using the environment variables from the script, request a token directly
[root@controller ~]# openstack token issue
Missing value auth-url required for auth plugin password
Solution:
Running ./admin-openrc executes the script in a child shell, so its exported variables never reach the current shell; the script has to be sourced instead. In the directory containing admin-openrc, run:
[root@controller ~]# source admin-openrc
[root@controller ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2020-05-08T14:09:19+0000 |
| id | gAAAAABetVn_XtdknvviCFdNnESEBM7CZcQBrf-mCSoUKq-LVkwP2ajb9B65BwXWGKMMd8-aR2M6nVX3mNsXviG42OaE8_mjaaDpvTZv-6TpqqTbxbawUVbOUqm3qw8M13_hH-E3cOlKiDXtiVGvcs418nU1pXJQuCyfWKF8rNCTy8HkbydDZxE |
| project_id | fa7f256af0d447f1977ec4a781502e38 |
| user_id | 6e3faf98b03a480e862c340753855ae4 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
With this, the Keystone deployment is complete.