
4. 安装认证服务keystone

1. 介绍

# keystone的主要功能:认证管理,授权管理和服务目录
#1. 认证:也可以理解成 账号管理,openstack所有的用户,都是在keystone上注册的
#2. 授权:glance,nova,neutron,cinder等其他服务,都同意使用keystone的账号管理,就像现在很多网站都支持qq登录一样!
#3. 服务目录:每增加一个服务,都需要在keystone上做注册登记,用户通过keystone可以知道有哪些服务,这些服务的url地址是多少,然后用户就可以直接访问这些服务。(类似电话本)

2. 安装配置keystone

1. 创库授权

# controller
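# Create the keystone database and its DB account (run on the controller).
# `mysql` with no credentials relies on the root shell already having
# password-less access to the local server; adjust if that is not the case.
# KEYSTONE_DBPASS is a placeholder: substitute a strong random password and keep
# it identical to the one embedded in the [database] connection URL later.
# The '%' grant accepts logins from any host; when the only client is the
# controller itself, the 'localhost' grant alone is sufficient and safer.
# The statements are fed through a quoted heredoc so the step runs
# non-interactively (no prompt to type into, no trailing `exit` needed).
mysql <<'EOF'
CREATE DATABASE keystone;
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'KEYSTONE_DBPASS';
GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'KEYSTONE_DBPASS';
EOF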

2. 安装keystone相关软件包

# Keystone is served by Apache mod_wsgi, so httpd and mod_wsgi are installed alongside it.
yum -y install openstack-keystone httpd mod_wsgi

3. 备份配置文件

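# Keep a pristine copy of the packaged config. The guard makes the step safe to
# re-run: without it a second pass would overwrite the backup with the already
# stripped keystone.conf produced by the next step, losing the packaged comments.
# `\cp` bypasses any cp='cp -i' alias so the copy never prompts.
[ -e /etc/keystone/keystone.conf.bak ] || \cp /etc/keystone/keystone.conf{,.bak}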

4. 生成不带注释的配置文件

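# Rebuild keystone.conf from the backup with blank lines and comment lines removed.
# The pattern is anchored (^\s*#) so only real comment lines are dropped; the
# unanchored '#' form would also discard any line whose value merely contains
# a '#' character (a password, for instance).
grep -Ev '^\s*(#|$)' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf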

5. 修改keystone配置文件(手动修改)

vim /etc/keystone/keystone.conf
#添加3行内容
[root@controller ~]# cat /etc/keystone/keystone.conf -n
     1  [DEFAULT]
     2  admin_token=ADMIN_TOKEN   #添加这一行
     3  [assignment]
     4  [auth]
     5  [cache]
     6  [catalog]
     7  [cors]
     8  [cors.subdomain]
     9  [credential]
    10  [database]
    11  connection=mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone    #添加这一行
    12  [domain_config]
    13  [endpoint_filter]
    14  [endpoint_policy]
    15  [eventlet_server]
    16  [eventlet_server_ssl]
    17  [federation]
    18  [fernet_tokens]
    19  [identity]
    20  [identity_mapping]
    21  [kvs]
    22  [ldap]
    23  [matchmaker_redis]
    24  [memcache]
    25  [oauth1]
    26  [os_inherit]
    27  [oslo_messaging_amqp]
    28  [oslo_messaging_notifications]
    29  [oslo_messaging_rabbit]
    30  [oslo_middleware]
    31  [oslo_policy]
    32  [paste_deploy]
    33  [policy]
    34  [resource]
    35  [revoke]
    36  [role]
    37  [saml]
    38  [shadow_users]
    39  [signing]
    40  [ssl]
    41  [token]
    42  provider=fernet   #添加这一行
    43  [tokenless_auth]
    44  [trust]

5.1 修改keystone配置文件(自动修改)(推荐)

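#1. Regenerate keystone.conf from the backup, dropping blank and comment-only
#   lines (pattern anchored so a value containing '#' is not discarded).
grep -Ev '^\s*(#|$)' /etc/keystone/keystone.conf.bak >/etc/keystone/keystone.conf
#2. openstack-config edits ini files in place: section, key, value.
yum -y install openstack-utils
#3. The three settings this install needs.
#   admin_token is a bootstrap-only shared secret: anyone who presents it gets
#   full admin rights. Replace the ADMIN_TOKEN placeholder with a random value
#   (e.g. `openssl rand -hex 10`) and remove the setting once the admin user
#   created below works.
#   connection embeds KEYSTONE_DBPASS in clear text; make sure keystone.conf is
#   not world-readable (`ls -l /etc/keystone/keystone.conf`).
openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token ADMIN_TOKEN
openstack-config --set /etc/keystone/keystone.conf database connection mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
openstack-config --set /etc/keystone/keystone.conf token provider fernet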
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf DEFAULT admin_token  ADMIN_TOKEN
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf database connection  mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
[root@controller ~]# openstack-config --set /etc/keystone/keystone.conf token provider  fernet
[root@controller ~]#
[root@controller ~]# cat /etc/keystone/keystone.conf -n
     1  [DEFAULT]
     2  admin_token = ADMIN_TOKEN
     3  [assignment]
     4  [auth]
     5  [cache]
     6  [catalog]
     7  [cors]
     8  [cors.subdomain]
     9  [credential]
    10  [database]
    11  connection = mysql+pymysql://keystone:KEYSTONE_DBPASS@controller/keystone
    12  [domain_config]
    13  [endpoint_filter]
    14  [endpoint_policy]
    15  [eventlet_server]
    16  [eventlet_server_ssl]
    17  [federation]
    18  [fernet_tokens]
    19  [identity]
    20  [identity_mapping]
    21  [kvs]
    22  [ldap]
    23  [matchmaker_redis]
    24  [memcache]
    25  [oauth1]
    26  [os_inherit]
    27  [oslo_messaging_amqp]
    28  [oslo_messaging_notifications]
    29  [oslo_messaging_rabbit]
    30  [oslo_middleware]
    31  [oslo_policy]
    32  [paste_deploy]
    33  [policy]
    34  [resource]
    35  [revoke]
    36  [role]
    37  [saml]
    38  [shadow_users]
    39  [signing]
    40  [ssl]
    41  [token]
    42  provider = fernet
    43  [tokenless_auth]
    44  [trust]

6. 同步数据库

# Populate the schema, running as the keystone service user rather than root.
su keystone -s /bin/sh -c 'keystone-manage db_sync'
# Sanity check: the keystone database should now contain its tables.
mysql -e 'SHOW TABLES;' keystone
[root@controller ~]# mysql keystone -e "show tables;"
+------------------------+
| Tables_in_keystone     |
+------------------------+
| access_token           |
| assignment             |
| config_register        |
| consumer               |
| credential             |
| domain                 |
| endpoint               |
| endpoint_group         |
| federated_user         |
| federation_protocol    |
| group                  |
| id_mapping             |
| identity_provider      |
| idp_remote_ids         |
| implied_role           |
| local_user             |
| mapping                |
| migrate_version        |
| password               |
| policy                 |
| policy_association     |
| project                |
| project_endpoint       |
| project_endpoint_group |
| region                 |
| request_token          |
| revocation_event       |
| role                   |
| sensitive_config       |
| service                |
| service_provider       |
| token                  |
| trust                  |
| trust_role             |
| user                   |
| user_group_membership  |
| whitelisted_config     |
+------------------------+

7. 初始化fernet

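# Initialise the Fernet key repository used to issue tokens (provider=fernet
# above); the keys are created owned by the keystone user and group.
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
# Fernet keys are symmetric: anyone who can read them can mint valid tokens.
# Confirm the repository (default key_repository is /etc/keystone/fernet-keys)
# belongs to keystone and is not readable by other users, and plan for key
# rotation later with `keystone-manage fernet_rotate`.
ls -ld /etc/keystone/fernet-keys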

8. 配置httpd

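# Give Apache an explicit ServerName. The grep guard makes the step idempotent:
# re-running it no longer appends a duplicate directive to httpd.conf.
grep -q '^ServerName controller$' /etc/httpd/conf/httpd.conf || echo "ServerName controller" >>/etc/httpd/conf/httpd.conf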

vim /etc/httpd/conf.d/wsgi-keystone.conf
#写入如下内容
# Keystone under Apache mod_wsgi: one virtual host per API port.
# Both Listen directives bind every interface (the netstat output below shows
# :::5000 and :::35357, and the stock :::80 vhost is up as well). The admin API
# on 35357 should only be reachable from the management network: restrict it
# with a firewall or bind it to a management address (Listen <addr>:35357).
# Traffic is plain HTTP, so tokens and the bootstrap admin token cross the wire
# in clear text; put TLS in front of these ports before exposing them beyond a
# trusted network.
Listen 5000
Listen 35357

# Public/internal API (port 5000).
<VirtualHost *:5000>
    # Run the application as the unprivileged keystone user: 5 single-threaded workers.
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    # Every URL under / is handled by the keystone-wsgi-public entry point.
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    # Let the HTTP Authorization header through to the WSGI application.
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    # Apache must be allowed to run the keystone-wsgi-* scripts in /usr/bin;
    # only the WSGIScriptAlias target is reachable through a URL.
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

# Admin API (port 35357): same layout, separate process group and entry point.
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined

    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>

9. 启动httpd并设置开机自启

# Enable httpd at boot, then bring it up now (the unit suffix is optional).
systemctl enable httpd
systemctl start httpd
[root@controller ~]# netstat -tunlp|grep httpd
tcp6       0      0 :::80                   :::*                    LISTEN      34274/httpd
tcp6       0      0 :::35357                :::*                    LISTEN      34274/httpd
tcp6       0      0 :::5000                 :::*                    LISTEN      34274/httpd

10. 添加环境变量

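# Bootstrap credentials for the openstack client: the admin token from
# keystone.conf plus the admin API URL. The token is read back from the config
# instead of being retyped, so the secret does not end up in shell history and
# cannot drift from what keystone actually accepts.
# These are for bootstrapping only; unset OS_TOKEN and OS_URL as soon as the
# admin user created below can authenticate with a password.
keystone_admin_token() {
  # $1: path to keystone.conf. Prints the value of the first admin_token line,
  # accepting both "admin_token=X" and "admin_token = X"; prints nothing if unset.
  awk -F'[ =]+' '/^admin_token[ =]/ { print $2; exit }' "$1"
}
OS_TOKEN=$(keystone_admin_token /etc/keystone/keystone.conf)
export OS_TOKEN
export OS_URL=http://controller:35357/v3
export OS_IDENTITY_API_VERSION=3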

11. 创建服务

#如果不添加环境变量,这一步执行不了
# Register keystone itself in the service catalog under the "identity" type.
openstack service create identity \
  --name keystone --description "OpenStack Identity"
[root@controller ~]# openstack service create \
>   --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | a538eedaa2364bd5904e24ed2cce0928 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

12. 注册api

# Register the three identity endpoints in RegionOne. public and internal share
# the port-5000 listener; admin points at the separate 35357 listener. All three
# are plain http URLs, which is acceptable only on a trusted network.
for iface in public internal; do
  openstack endpoint create --region RegionOne identity "$iface" http://controller:5000/v3
done
openstack endpoint create --region RegionOne identity admin http://controller:35357/v3
[root@controller ~]# openstack endpoint create --region RegionOne \
>   identity public http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 8db2585097c44633b3ada8f9a50465b5 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a538eedaa2364bd5904e24ed2cce0928 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
[root@controller ~]#
[root@controller ~]# openstack endpoint create --region RegionOne \
>   identity internal http://controller:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | d28c0270b961445381bbaffc92aa802c |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a538eedaa2364bd5904e24ed2cce0928 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:5000/v3        |
+--------------+----------------------------------+
[root@controller ~]#
[root@controller ~]# openstack endpoint create --region RegionOne \
>   identity admin http://controller:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | 7c623eaaca24430a80964cd136855609 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | a538eedaa2364bd5904e24ed2cce0928 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://controller:35357/v3       |
+--------------+----------------------------------+

13. 创建域、项目、用户、角色

# Bootstrap the identity hierarchy: a domain, the admin project in it, the
# admin user, and the admin role that ties them together in the next step.
openstack domain create --description "Default Domain" default

openstack project create --description "Admin Project" \
  --domain default admin

# ADMIN_PASS is a placeholder. A password given with --password is visible in
# shell history and in `ps` while the command runs; outside a lab prefer
# `openstack user create --domain default --password-prompt admin`.
openstack user create --domain default admin \
  --password ADMIN_PASS

openstack role create admin
[root@controller ~]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | 0d09e0b8e47144a8b0e1949dddbe922e |
| name        | default                          |
+-------------+----------------------------------+
[root@controller ~]#
[root@controller ~]# openstack project create --domain default \
>   --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | 0d09e0b8e47144a8b0e1949dddbe922e |
| enabled     | True                             |
| id          | ddd5154c1a8e46a386f93acfe53c57fd |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | 0d09e0b8e47144a8b0e1949dddbe922e |
+-------------+----------------------------------+
[root@controller ~]#
[root@controller ~]# openstack user create --domain default \
>   --password ADMIN_PASS admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | 0d09e0b8e47144a8b0e1949dddbe922e |
| enabled   | True                             |
| id        | 9f43863f530b446c9c82e7f237d599fa |
| name      | admin                            |
+-----------+----------------------------------+
[root@controller ~]#
[root@controller ~]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | c6f1beae05e84386b7da1af99635fbe4 |
| name      | admin                            |
+-----------+----------------------------------+

14. 关联项目,用户,角色

#关联项目,用户,角色
# Grant the admin role to the admin user on the admin project: this is the
# first real administrator, after which the bootstrap admin token is no longer needed.
openstack role add --user admin --project admin admin

15. 创建service项目

#创建service项目(Service Project)。注意:给admin用户赋予admin角色已在上一步完成,这一步创建的是另一个独立的项目

# A second project, separate from admin, described as the "Service Project".
openstack project create --description "Service Project" \
  --domain default service
[root@controller ~]# openstack project create --domain default \
>   --description "Service Project" service
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Service Project                  |
| domain_id   | 0d09e0b8e47144a8b0e1949dddbe922e |
| enabled     | True                             |
| id          | 280a0408c56d4498b48ad77db5d0071d |
| is_domain   | False                            |
| name        | service                          |
| parent_id   | 0d09e0b8e47144a8b0e1949dddbe922e |
+-------------+----------------------------------+

16. 测试keystone的授权

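#1. With OS_TOKEN/OS_URL still exported, the bootstrap admin token authenticates this call.
openstack user list

#2. Drop the bootstrap token from the environment. The grep is anchored on OS_
#   so it lists only client variables and no longer matches unrelated names
#   such as HOSTNAME (which an unanchored "OS" also matched).
env | grep '^OS_'
unset OS_TOKEN OS_URL
env | grep '^OS_'

#3. With no credentials the client must now fail with "Missing parameter(s)".
openstack user list

#4. Authenticate as the admin user with a password instead. ADMIN_PASS on the
#   command line lands in shell history and is visible in `ps` for the duration
#   of the command; omit --os-password and let the client prompt for it when
#   the shell history matters.
openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin --os-password ADMIN_PASS token issue

openstack --os-auth-url http://controller:35357/v3 \
  --os-project-domain-name default --os-user-domain-name default \
  --os-project-name admin --os-username admin --os-password ADMIN_PASS user list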
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 9f43863f530b446c9c82e7f237d599fa | admin |
+----------------------------------+-------+
[root@controller ~]#
[root@controller ~]# env|grep OS
HOSTNAME=controller
OS_IDENTITY_API_VERSION=3
OS_TOKEN=ADMIN_TOKEN
OS_URL=http://controller:35357/v3
[root@controller ~]# unset OS_TOKEN OS_URL
[root@controller ~]# env|grep OS
HOSTNAME=controller
OS_IDENTITY_API_VERSION=3
[root@controller ~]#
[root@controller ~]# openstack user list
Missing parameter(s):
Set a username with --os-username, OS_USERNAME, or auth.username
Set an authentication URL, with --os-auth-url, OS_AUTH_URL or auth.auth_url
Set a scope, such as a project or domain, set a project scope with --os-project-name, OS_PROJECT_NAME or auth.project_name, set a domain scope with --os-domain-name, OS_DOMAIN_NAME or auth.domain_name
[root@controller ~]#
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
>   --os-project-domain-name default --os-user-domain-name default \
>   --os-project-name admin --os-username admin --os-password ADMIN_PASS token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field      | Value                                                                                                                                                                                   |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires    | 2021-12-01T23:51:15.000000Z                                                                                                                                                             |
| id         | gAAAAABhp_xjavI2Wk7-SriB4LXpA33bPpMl40g0FhjKc5M_9BjXQtR5E3otI6c19xpvAhjQjfeCAfFAwFBlsbdSeiOsqfw2S7tG9ErJaVbVdlgbgJiqm99WAbaOOBei2R9Jjua5CCltFnQ4tPoUNePv8KiqjVcncRt52DGvw2cYbKeIFau1T_o |
| project_id | ddd5154c1a8e46a386f93acfe53c57fd                                                                                                                                                        |
| user_id    | 9f43863f530b446c9c82e7f237d599fa                                                                                                                                                        |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
[root@controller ~]#
[root@controller ~]# openstack --os-auth-url http://controller:35357/v3 \
>   --os-project-domain-name default --os-user-domain-name default \
>   --os-project-name admin --os-username admin --os-password ADMIN_PASS user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 9f43863f530b446c9c82e7f237d599fa | admin |
+----------------------------------+-------+

17. 创建环境变量脚本

#1.创建脚本
vim admin-openrc
####
# admin-openrc: admin credentials for the openstack client, loaded with `source`.
# The file holds ADMIN_PASS in clear text, so keep it readable by its owner only
# (chmod 600) and never copy it into version control.
OS_PROJECT_DOMAIN_NAME=default
OS_USER_DOMAIN_NAME=default
OS_PROJECT_NAME=admin
OS_USERNAME=admin
OS_PASSWORD=ADMIN_PASS
OS_AUTH_URL=http://controller:35357/v3
OS_IDENTITY_API_VERSION=3
OS_IMAGE_API_VERSION=2
export OS_PROJECT_DOMAIN_NAME OS_USER_DOMAIN_NAME OS_PROJECT_NAME OS_USERNAME \
       OS_PASSWORD OS_AUTH_URL OS_IDENTITY_API_VERSION OS_IMAGE_API_VERSION

#2.使脚本生效
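# admin-openrc carries the admin password in clear text: restrict it to the
# owner before use so other local accounts cannot read it.
chmod 600 admin-openrc
# Load the credentials into the current shell (source, not execute, so the
# exports take effect here).
source admin-openrc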
[root@controller ~]# vim admin-openrc
[root@controller ~]#
[root@controller ~]#
[root@controller ~]# source admin-openrc
[root@controller ~]#
[root@controller ~]#
[root@controller ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 9f43863f530b446c9c82e7f237d599fa | admin |
+----------------------------------+-------+
