部署keystone

本文涉及的产品
RDS MySQL Serverless 基础系列,0.5-2RCU 50GB
云数据库 RDS MySQL,集群系列 2核4GB
推荐场景:
搭建个人博客
云数据库 RDS MySQL,高可用系列 2核4GB
简介: 部署keystone

部署keystone

完成基础环境配置后,应先部署keystone组件,只需在controller节点上部署。

1、创建数据库实例和数据库用户

在MySQL中创建数据库keystone,同时创建数据库用户,并授权权限。

[root@controller ~]# mysql -u root -p000000

Welcome to the MariaDB monitor. Commands end with ; or \g.

Your MariaDB connection id is 15

Server version: 10.3.20-MariaDB MariaDB Server


Copyright © 2000, 2018, Oracle, MariaDB Corporation Ab and others.


Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.


MariaDB [(none)]> CREATE DATABASE keystone;

Query OK, 1 row affected (0.001 sec)


MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone. TO ‘keystone’@‘localhost’ IDENTIFIED BY ‘keystone’;*

Query OK, 0 rows affected (0.000 sec)


MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone. TO ‘keystone’@‘controller’ IDENTIFIED BY ‘keystonee’;*

Query OK, 0 rows affected (0.000 sec)


MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone. TO ‘keystone’@’%’ IDENTIFIED BY ‘keystone’;*

Query OK, 0 rows affected (0.000 sec)


MariaDB [(none)]> exit

Bye

2、安装keystone软件包

[root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi

3、配置keystone

[root@controller ~]# vim /etc/keystone/keystone.conf

[database]

connection=mysql+pymysql://keystone:keystone@controller/keystone //添加此行命令

[token]

provider=fernet//添加此行命令

1/article/details/106004933

4、初始化认证服务数据库

[root@controller ~]# su -s /bin/sh -c “keystone-manage db_sync” keystone

验证数据库是否同步成功

[root@controller ~]# mysql -h 192.168.16.128 -u keystone -pkeystone -e “USE keystone; SHOW TABLES;”

±-----------------------------------+

| Tables_in_keystone |

±-----------------------------------+

| access_rule |

| access_token |

| application_credential |

| application_credential_access_rule |

| application_credential_role |

| assignment |

| config_register |

| consumer |

| credential |

| endpoint |

| endpoint_group |

| federated_user |

| federation_protocol |

| group |

| id_mapping |

| identity_provider |

| idp_remote_ids |

| implied_role |

| limit |

| local_user |

| mapping |

| migrate_version |

| nonlocal_user |

| password |

| policy |

| policy_association |

| project |

| project_endpoint |

| project_endpoint_group |

| project_option |

| project_tag |

| region |

| registered_limit |

| request_token |

| revocation_event |

| role |

| role_option |

| sensitive_config |

| service |

| service_provider |

| system_assignment |

| token |

| trust |

| trust_role |

| user |

| user_group_membership |

| user_option |

| whitelisted_config |

±-----------------------------------+

5、初始化Fernet keys

Fernet keys是用于API令牌的安全信息格式

[root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone

[root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

6、配置bootstrap身份认证服务

[root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 --bootstrap-admin-url http://controller:35357/v3/ --bootstrap-internal-url http://controller:5000/v3/ --bootstrap-public-url http://controller:5000/v3/ --bootstrap-region-id RegionOne

7、配置Apache HTTP服务器

(1)修改服务器主机名

[root@controller ~]# vim /etc/httpd/conf/httpd.conf

修改前#ServerName www.example.com:80

修改后ServerName controller

保存退出

(2)创建配置文件

[root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

(3)启动服务并设置开机自启

[root@controller ~]# systemctl start httpd.service

[root@controller ~]# systemctl enable httpd.service

Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

8、配置管理员账户的环境变量

[root@controller ~]# export OS_USERNAME=admin

[root@controller ~]# export OS_PASSWORD=000000

[root@controller ~]# export OS_PROJECT_NAME=admin

[root@controller ~]# export OS_USER_DOMAIN_NAME=Default

[root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default

[root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3

[root@controller ~]# export OS_IDENTITY_API_VERSION=3

9、创建OpenStack域、项目、用户、角色

[root@controller ~]# openstack project create --domain default --description “Service Project” service //创建service项目

±------------±---------------------------------+

| Field | Value |

±------------±---------------------------------+

| description | Service Project |

| domain_id | default |

| enabled | True |

| id | 034564ee72e6440ebe7f32e7e6156aa2 |

| is_domain | False |

| name | service |

| options | {} |

| parent_id | default |

| tags | [] |

±------------±---------------------------------+

[root@controller ~]# openstack project create --domain default --description “Demo Project” demo //创建demo项目

±------------±---------------------------------+

| Field | Value |

±------------±---------------------------------+

| description | Demo Project |

| domain_id | default |

| enabled | True |

| id | 5350cda310b9484680c28fcfc92587e9 |

| is_domain | False |

| name | demo |

| options | {} |

| parent_id | default |

| tags | [] |

±------------±---------------------------------+

[root@controller ~]# openstack user create --domain default --password-prompt demo //创建demo用户

User Password:000000

Repeat User Password:000000

±--------------------±---------------------------------+

| Field | Value |

±--------------------±---------------------------------+

| domain_id | default |

| enabled | True |

| id | d34d1f0450c24546b157f624b2adb33f |

| name | demo |

| options | {} |

| password_expires_at | None |

±--------------------±---------------------------------+

[root@controller ~]# openstack role create user //创建user用户

±------------±---------------------------------+

| Field | Value |

±------------±---------------------------------+

| description | None |

| domain_id | None |

| id | 1f43962ba43244058f25dad2b7150129 |

| name | user |

| options | {} |

±------------±---------------------------------+

[root@controller ~]# openstack role add --project demo --user demo user //添加demo用户到demo项目和user角色

10、验证认证服务

(1)鉴于安全因素,出去临时的令牌认证授权机制

编辑/etc/keystone/keystone-paste.ini配置文件,将[pipeline:public_api]、[pipeline:admin_api]、[pipeline:api_v3]中的admin_token值删除

(2)取消临时环境变量

[root@controller ~]# unset OS_AUTH_URL OS_PASSWORD

(3)以admin用户身份请求令牌

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3

–os-project-domain-name default --os-user-domain-name default

–os-project-name admin --os-username admin token issue

Password: 000000

Password: 000000

±-----------±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Field | Value |

±-----------±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| expires | 2020-05-08T13:56:14+0000 |

| id | gAAAAABetVbuwnOJRVKoaPPfHOmowVHRwgGzzhL0trOrLnUdSgAHlVX_QWpnNdnVAX_nsfqpPvVYyH7y9nvXMdCsCubfY0ElgAaiUVSxrZ3BndNfoM9jZOpOmzMU-9k0Dlixt5CaymMgXDba4yNXsUAUv-Wb2UgYZrmH3ukVznio-aENViOeQx8 |

| project_id | fa7f256af0d447f1977ec4a781502e38 |

| user_id | 6e3faf98b03a480e862c340753855ae4 |

±-----------±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(4)以demo用户身份请求令牌

[root@controller ~]# openstack --os-auth-url http://controller:5000/v3

–os-project-domain-name default --os-user-domain-name default

–os-project-name demo --os-username demo token issue

Password: 000000

Password: 000000

±-----------±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Field | Value |

±-----------±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| expires | 2020-05-08T13:58:17+0000 |

| id | gAAAAABetVdpGLwJsqGWyustkFtb5elYYJnErdPbSBoVBVA8k1FUkMvRVYkdUOvEdUzxklTVJS7Qvst-kKOSRo_gL0U8-gmKaRDUUcwTlosEntMw_2KMjeB1wx-BT-j-aT82oHYOM-dH_IhJo2okvm1YzY_HABew0XBHO65LM7ve_yUUj2539xw |

| project_id | 5350cda310b9484680c28fcfc92587e9 |

| user_id | d34d1f0450c24546b157f624b2adb33f |

±-----------±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(5)创建环境脚本,命令如下

①创建admin用户环境脚本

[root@controller ~]# vim admin-openrc

[root@controller ~]# cat admin-openrc

export OS_PROJECT_DOMAIN_NAME=Default

export OS_USER_DOMAIN_NAME=Default

export OS_PROJECT_NAME=admin

export OS_USERNAME=admin

export OS_PASSWORD=000000

export OS_AUTH_URL=http://controller:5000/v3

export OS_IDENTITY_API_VERSION=3

export OS_IMAGE_API_VERSION=2

②创建demo用户环境脚本,命令如下:

[root@controller ~]# vim demo-openrc

[root@controller ~]# cat demo-openrc

export OS_PROJECT_DOMAIN_NAME=Default

export OS_USER_DOMAIN_NAME=Default

export OS_PROJECT_NAME=demo

export OS_USERNAME=demo

export OS_PASSWORD=000000

export OS_AUTH_URL=http://controller:5000/v3

export OS_IDENTITY_API_VERSION=3

export OS_IMAGE_API_VERSION=2

③给环境脚本增加可执行权限,命令如下:

[root@controller ~]# chmod +x admin-openrc

[root@controller ~]# chmod +x demo-openrc

(6)验证管理员admin环境脚本

①执行管理员admin的环境脚本

[root@controller ~]# ./admin-openrc

②给予脚本中的环境变量,直接请求令牌

[root@controller ~]# openstack token issue

Missing value auth-url required for auth plugin password

解决办法:
在admin-openrc目录下执行
[root@controller ~]# source admin-openrc

[root@controller ~]# openstack token issue

±-----------±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| Field | Value |

±-----------±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

| expires | 2020-05-08T14:09:19+0000 |

| id | gAAAAABetVn_XtdknvviCFdNnESEBM7CZcQBrf-mCSoUKq-LVkwP2ajb9B65BwXWGKMMd8-aR2M6nVX3mNsXviG42OaE8_mjaaDpvTZv-6TpqqTbxbawUVbOUqm3qw8M13_hH-E3cOlKiDXtiVGvcs418nU1pXJQuCyfWKF8rNCTy8HkbydDZxE |

| project_id | fa7f256af0d447f1977ec4a781502e38 |

| user_id | 6e3faf98b03a480e862c340753855ae4 |

±-----------±----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

至此,部署Keystone完成。

相关实践学习
如何在云端创建MySQL数据库
开始实验后,系统会自动创建一台自建MySQL的 源数据库 ECS 实例和一台 目标数据库 RDS。
全面了解阿里云能为你做什么
阿里云在全球各地部署高效节能的绿色数据中心,利用清洁计算为万物互联的新世界提供源源不断的能源动力,目前开服的区域包括中国(华北、华东、华南、香港)、新加坡、美国(美东、美西)、欧洲、中东、澳大利亚、日本。目前阿里云的产品涵盖弹性计算、数据库、存储与CDN、分析与搜索、云通信、网络、管理与监控、应用服务、互联网中间件、移动服务、视频服务等。通过本课程,来了解阿里云能够为你的业务带来哪些帮助     相关的阿里云产品:云服务器ECS 云服务器 ECS(Elastic Compute Service)是一种弹性可伸缩的计算服务,助您降低 IT 成本,提升运维效率,使您更专注于核心业务创新。产品详情: https://www.aliyun.com/product/ecs
相关文章
|
3月前
|
存储 API 持续交付
OpenStack组件Keystone
【8月更文挑战第20天】
54 3
|
3月前
|
存储 负载均衡 API
OpenStack核心组件Keystone
【8月更文挑战第3天】
281 8
|
Oracle 关系型数据库 MySQL
部署Glance
部署Glance
|
中间件 API 数据安全/隐私保护
|
API 数据安全/隐私保护 对象存储
|
存储 关系型数据库 API