OpenStack Installation Guide (03): Identity Service

Date: 2021-05-05 14:24:09

All of the following steps are performed on the controller node.

Identity service - install and configure:

Prerequisites:

1. Connect to the database server as root, create the keystone database, and grant it the appropriate privileges. KEYSTONE_DBPASS is the password of the keystone database user.

# mysql -u root -p***
> CREATE DATABASE keystone;
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
> exit;

Install and configure the components:

1. Install the packages.

# yum install -y openstack-keystone httpd mod_wsgi

2. Edit the /etc/keystone/keystone.conf file and add or modify the following entries. In the [DEFAULT] section, define the value of the initial administration token; for security, replace ADMIN_TOKEN with a different value and treat it as a password. In the [database] section, configure database access, where KEYSTONE_DBPASS is the database password. In the [token] section, configure the Fernet token provider.

[DEFAULT]
admin_token = ADMIN_TOKEN

[database]
connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]
provider = fernet

3. Populate the Identity service database. Ignore any warning messages that are not errors.

# su -s /bin/sh -c "keystone-manage db_sync" keystone

4. Verify that the database was populated successfully. An empty table list means the step failed.

# mysql -ukeystone -p19896302 -hcontroller -t keystone  -e  "show tables"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| nonlocal_user          |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+

5. Initialize the Fernet keys.

# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
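The command above creates the key repository that every later token depends on, so a defender's check of its layout and permissions is worth running after it. The following is an added example, not part of the original guide or of Keystone: DIR and OWNER are parameters, the default DIR is an assumption, and the sample repositories it builds contain constructed placeholder keys.

```shell
#!/bin/sh
# Added example, not from the original guide: check the key repository that
# "keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone"
# is meant to leave behind. DIR and OWNER are parameters; the default DIR is assumed.

# Return 0 when DIR is mode 0700, holds only regular files named by integers with
# mode 0600, contains key 0 (the staged key) plus at least one numbered key (the
# primary) and, if OWNER is given, is owned entirely by OWNER; otherwise print
# each violation and return 1.
check_fernet_repo() {
    dir="${1:-/etc/keystone/fernet-keys}"; owner="$2"; rc=0
    [ -d "$dir" ] || { echo "FINDING: $dir is not a directory"; return 1; }
    [ -z "$(find "$dir" -maxdepth 0 ! -perm 700)" ] || { echo "FINDING: $dir is not mode 0700"; rc=1; }
    if [ -n "$owner" ] && [ -n "$(find "$dir" -maxdepth 1 ! -user "$owner")" ]; then
        echo "FINDING: $dir has entries not owned by $owner"; rc=1
    fi
    staged=0; primary=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue                 # empty directory: the glob stays literal
        name="${f##*/}"
        case "$name" in
            0)        staged=1 ;;
            *[!0-9]*) echo "FINDING: unexpected entry $name"; rc=1; continue ;;
            *)        primary=1 ;;
        esac
        # Each key must be a regular file readable only by its owner.
        [ -f "$f" ] && [ -z "$(find "$f" -maxdepth 0 ! -perm 600)" ] || { echo "FINDING: $name is not a 0600 regular file"; rc=1; }
    done
    [ "$staged" = 1 ] || { echo "FINDING: staged key 0 is missing"; rc=1; }
    [ "$primary" = 1 ] || { echo "FINDING: no primary key present"; rc=1; }
    return "$rc"
}

# Constructed repository with the layout fernet_setup creates (keys 0 and 1);
# WEAKEN=1 loosens key 1 to 0644 to show a failing case. Key bodies are placeholders.
make_sample_repo() {
    dir="$1"; weaken="${2:-0}"
    mkdir -p "$dir" && chmod 700 "$dir"
    for k in 0 1; do
        printf 'constructed-placeholder-key-%s\n' "$k" > "$dir/$k" && chmod 600 "$dir/$k"
    done
    [ "$weaken" = 1 ] && chmod 644 "$dir/1"
    return 0
}

tmp="$(mktemp -d)"
make_sample_repo "$tmp/good" && check_fernet_repo "$tmp/good" && echo "good repository passes"
make_sample_repo "$tmp/bad" 1 && check_fernet_repo "$tmp/bad" || echo "bad repository rejected as expected"
rm -rf "$tmp"
```

On a real controller, run it as `check_fernet_repo /etc/keystone/fernet-keys keystone` so the ownership set by --keystone-user is verified too.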

Configure the Apache HTTP server:

1. Edit the /etc/httpd/conf/httpd.conf file and set the ServerName option to the controller node.

ServerName controller

2. Create the /etc/httpd/conf.d/wsgi-keystone.conf file and paste in the following content.

Listen 5000
Listen 35357

<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

3. Start the Apache HTTP service and configure it to start at boot. The httpd service listens on ports 80, 5000 and 35357.

# systemctl enable httpd
# systemctl start httpd

Identity service - create the service entity and API endpoints:

Prerequisites:

1. Configure the authentication token (OS_TOKEN), the endpoint URL (OS_URL), and the Identity API version (OS_IDENTITY_API_VERSION).

# export OS_TOKEN=ADMIN_TOKEN
# export OS_URL=http://controller:35357/v3
# export OS_IDENTITY_API_VERSION=3

Create the service entity and API endpoints:

1. Create the service entity for the Identity service. The id is generated randomly.

# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 8663a9753c314703bb97b7e9f88c60eb |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

2. Create the Identity service API endpoints.

# openstack endpoint create --region RegionOne identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 489a4a9aa5844c6282e93a648e398f8e |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 8663a9753c314703bb97b7e9f88c60eb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+

# openstack endpoint create --region RegionOne identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | ba126823b7de413a99412688a09842f6 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 8663a9753c314703bb97b7e9f88c60eb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+

# openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 32de67ffe9294c38b17db1f8a7d0aa24 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | 8663a9753c314703bb97b7e9f88c60eb |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v3       |
+--------------+----------------------------------+

Create a domain, projects, users and roles:

1. Create the default domain.

# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 0d041b0a51e442f2933a8b881859cd35 |
| name        | default                          |
+-------------+----------------------------------+

    Create an administrative project, user and role for administrative operations in your environment:

1. Create the admin project.

# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 0d041b0a51e442f2933a8b881859cd35 |
| enabled     | True                             |
| id          | a4d2286b0bb04b819f412123925c2c49 |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 0d041b0a51e442f2933a8b881859cd35 |
+-------------+----------------------------------+

2. Create the admin user. Remember the password you enter.

# openstack user create --domain default --password-prompt admin
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | 0d041b0a51e442f2933a8b881859cd35 |
| enabled             | True                             |
| id                  | d23a402923a4447e99e748758362754d |
| name                | admin                            |
| password_expires_at | None                             |
+---------------------+----------------------------------+

3. Create the admin role.

# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 85ea10bbcc5f44e98504fa32e177b7a5 |
| name      | admin                            |
+-----------+----------------------------------+

4. Add the admin role to the admin project and user. This command produces no output.

# openstack role add --project admin --user admin admin

    This guide uses a service project that contains a unique user for each service you add to your environment:

1. Create the service project.

# openstack project create --domain default  --description "Service Project" service

    Regular (non-administrative) tasks should use an unprivileged project and user. As an example, this guide creates the demo project and user:

1. Create the demo project.

# openstack project create --domain default --description "Demo Project" demo

2. Create the demo user.

# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:

3. Create the user role.

# openstack role create user

4. Add the user role to the demo project and user.

# openstack role add --project demo --user demo user

Identity service - verify operation:

1. Edit the /etc/keystone/keystone-paste.ini file and remove admin_token_auth from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.

[pipeline:public_api]
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension public_service

[pipeline:admin_api]
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension s3_extension admin_service

[pipeline:api_v3]
pipeline = cors sizelimit http_proxy_to_wsgi osprofiler url_normalize request_id build_auth_context token_auth json_body ec2_extension_v3 s3_extension service_v3
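Two settings on this page decide whether the bootstrap token still works: the admin_token placeholder in keystone.conf from the configuration step, and the admin_token_auth filter removed from the pipelines here. The following audit is an added example, not part of the original guide or of Keystone; the default paths and all sample config values it writes are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the two Keystone settings
# this page changes. Config paths are parameters; the defaults assume the standard
# locations. All sample values written below are constructed.

# Return 0 when keystone.conf no longer carries the placeholder ADMIN_TOKEN and
# keystone-paste.ini lists admin_token_auth in no pipeline; otherwise print each
# finding and return 1.
audit_keystone_config() {
    conf="${1:-/etc/keystone/keystone.conf}"
    paste="${2:-/etc/keystone/keystone-paste.ini}"
    rc=0
    # An uncommented admin_token line still set to the literal placeholder.
    if grep -Eq '^[[:space:]]*admin_token[[:space:]]*=[[:space:]]*ADMIN_TOKEN[[:space:]]*$' "$conf"; then
        echo "FINDING: $conf still uses the placeholder admin_token = ADMIN_TOKEN"
        rc=1
    fi
    # admin_token_auth as a whole word anywhere in an uncommented "pipeline = ..." line.
    if grep -Eq '^[[:space:]]*pipeline[[:space:]]*=.*[[:space:]=]admin_token_auth([[:space:]]|$)' "$paste"; then
        echo "FINDING: $paste still enables admin_token_auth in a pipeline"
        rc=1
    fi
    return "$rc"
}

# Write a weak (bootstrap-era) and a hardened (post-verification) pair of
# configs into DIR so the audit can run without touching a real installation.
write_sample_configs() {
    dir="$1"
    mkdir -p "$dir"
    printf '[DEFAULT]\nadmin_token = ADMIN_TOKEN\n\n[token]\nprovider = fernet\n' > "$dir/weak.conf"
    printf '[pipeline:api_v3]\npipeline = cors sizelimit request_id admin_token_auth build_auth_context token_auth json_body service_v3\n' > "$dir/weak-paste.ini"
    printf '[DEFAULT]\nadmin_token = c0nstructed-random-value\n\n[token]\nprovider = fernet\n' > "$dir/hardened.conf"
    printf '[pipeline:api_v3]\npipeline = cors sizelimit request_id build_auth_context token_auth json_body service_v3\n' > "$dir/hardened-paste.ini"
}

tmp="$(mktemp -d)"
write_sample_configs "$tmp"
audit_keystone_config "$tmp/weak.conf" "$tmp/weak-paste.ini" || echo "weak pair rejected as expected"
audit_keystone_config "$tmp/hardened.conf" "$tmp/hardened-paste.ini" && echo "hardened pair passes"
rm -rf "$tmp"
```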

2. Unset the temporary OS_TOKEN and OS_URL environment variables.

# unset OS_TOKEN OS_URL

3. As the admin user, request an authentication token.

# openstack --os-auth-url http://controller:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
Password: 
+------------+-------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                 |
+------------+-------------------------------------------------------------------------------------------------------+
| expires    | 2018-03-23 20:19:44+00:00                                                                             |
| id         | gAAAAABatVNQv9n9mQ9yD4Vg9QQVZ_kXIYnwt93E8lkr6tmXfAQxt2H7IOL_c9Oy1RkueGSP68b2PFeySJ8XQClpMFnYWje_Mcwl8 |
|            | KQZ-RibahOhhIluHlX6-783spK79rqMrKZFMk1MSxS659myFLiaJXqg-KQdnTcSzrbocjc64Ki3ocn5HWw                    |
| project_id | a4d2286b0bb04b819f412123925c2c49                                                                      |
| user_id    | d23a402923a4447e99e748758362754d                                                                      |
+------------+-------------------------------------------------------------------------------------------------------+

4. As the demo user, request an authentication token.

# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default  --os-project-name demo --os-username demo token issue

Identity service - create OpenStack client environment scripts:

    Create the scripts:

1. Create the admin-openrc file and paste in the following content. Creating it in the current directory is fine. ADMIN_PASS is the admin user's password.

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

2. Create the demo-openrc file and paste in the following content.

export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2

    Use the scripts:

1. Load the admin-openrc file to populate the environment variables with the location of the Identity service and the admin project and user credentials. Run this command in the directory that contains the file; it produces no output.

# . admin-openrc

2. Request an authentication token.

# openstack token issue
+------------+-------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                 |
+------------+-------------------------------------------------------------------------------------------------------+
| expires    | 2018-03-23 20:35:38+00:00                                                                             |
| id         | gAAAAABatVcKDHy67yer68xJ7B817jnuIeP0zYyo1-9W_KH3LAwie2Nh_7G3tNDGqd7qYKvk8O1vhoqizwjaVnf-              |
|            | Go4aQXp8W0sm5cfQkSWee8hyI-G-sia-Ee7BUtkw0sgPIP67GDKNUqP7CPJ2lBAMAJ9BiSMwML1AQD3MGrlZNrTCDNBlO2c       |
| project_id | a4d2286b0bb04b819f412123925c2c49                                                                      |
| user_id    | d23a402923a4447e99e748758362754d                                                                      |
+------------+-------------------------------------------------------------------------------------------------------+