【N版】openstack——认证服务keystone(三)
【N版】openstack——認證服務keystone
一.keystone介紹
1.1keystone
Keystone(OpenStack Identity Service)是 OpenStack 框架中負責管理身份驗證、服務規則和服務令牌功能的模塊。用戶訪問資源需要驗證用戶的身份與權限,服務執行操作也需要進行權限檢測,這些都需要通過 Keystone 來處理。
用戶認證:用戶權限與用戶行為跟蹤
服務目錄:提供一個服務目錄,包括所有服務項與相關API的端點
主要涉及如下概念:
User: 用戶
Project: 項目(老版本中 tenant:租戶)
Token: 令牌
Role: 角色
1.2keystone配置
1.2.1 創建庫及用戶
注:在這里為了方便,提前把之後要創建的庫,以及用戶和授權,都做好。安全提示:下文所有數據庫密碼都與用戶名相同(keystone/glance/nova/neutron/cinder),並且都額外授權給了 @'%'(任意來源主機),這只適合隔離的實驗環境;生產環境應為每個庫生成隨機強密碼,並把授權來源限制為真正需要連接該庫的節點地址。
[root@linux-node1 ~]# mysql -uroot -p                             <- 登陸數據庫 ->
MariaDB [(none)]> create database keystone;                       <- 創建keystone庫 ->
MariaDB [(none)]> grant all privileges on keystone.* to keystone@'localhost' identified by 'keystone';    <- 創建keystone用戶 ->
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on keystone.* to keystone@'%' identified by 'keystone';
Query OK, 0 rows affected (0.00 sec)
?
MariaDB [(none)]> create database glance;                         <- 創建glance庫 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on glance.* to glance@'localhost' identified by 'glance';    <- 創建glance用戶 ->
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on glance.* to glance@'%' identified by 'glance';
Query OK, 0 rows affected (0.00 sec)
?
?
MariaDB [(none)]> create database nova;                           <- 創建nova庫 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova.* to nova@'%' identified by 'nova';    <- 創建nova用戶 ->
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova.* to nova@'localhost' identified by 'nova';
Query OK, 0 rows affected (0.00 sec)
?
MariaDB [(none)]> create database nova_api;                       <- 創建nova_api庫 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova_api.* to 'nova'@'localhost' identified by 'nova';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on nova_api.* to 'nova'@'%' identified by 'nova';
Query OK, 0 rows affected (0.00 sec)
?
MariaDB [(none)]> create database neutron;                        <- 創建neutron庫 ->
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> grant all privileges on neutron.* to 'neutron'@'%' identified by 'neutron';    <- 創建neutron用戶 ->
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on neutron.* to 'neutron'@'localhost' identified by 'neutron';
Query OK, 0 rows affected (0.00 sec)
?
MariaDB [(none)]> create database cinder;                         <- 創建cinder庫 ->
Query OK, 1 row affected (0.00 sec)
MariaDB [(none)]> grant all privileges on cinder.* to 'cinder'@'localhost' identified by 'cinder';    <- 創建cinder用戶 ->
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> grant all privileges on cinder.* to 'cinder'@'%' identified by 'cinder';
Query OK, 0 rows affected (0.00 sec)
?
1.2.2keystone配置文件
[root@linux-node1 ~]# vim /etc/keystone/keystone.conf    <- 編輯配置文件 ->
613 [database]                                <- 數據庫設置 ->
640 connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone    <- 這一行含明文數據庫密碼,keystone.conf 必須保持只有 root 與 keystone 組可讀 ->
1458 [memcache]                               <- memcache設置 ->
1472 servers = 192.168.56.11:11211            <- memcache服務地址 ->
2655 provider = fernet                        <- 配置令牌格式為 fernet ->
2665 driver = memcache                        <- token 持久化 driver,默認是 sql;fernet 令牌本身不持久化,此項一般不影響 ->
?
[root@linux-node1 ~]# grep '^[a-z]' /etc/keystone/keystone.conf    <- 檢查生效的非註釋配置項 ->
connection = mysql+pymysql://keystone:keystone@192.168.56.11/keystone
servers = 192.168.56.11:11211
provider = fernet
driver = memcache
?
1.2.3數(shù)據(jù)庫,memcache配置
[root@linux-node1 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
                          <- 初始化數據庫 ->
[root@linux-node1 ~]# mysql -h 192.168.56.11 -ukeystone -pkeystone -e "use keystone;show tables;"    <- 檢查表是否導入成功;注意 -p 後直接跟密碼會留在 shell 歷史和 ps 輸出中,非實驗環境請只寫 -p 由交互提示輸入 ->
[root@linux-node1 ~]# vim /etc/sysconfig/memcached    <- 修改memcache配置文件 ->
OPTIONS="-l 192.168.56.11,::1"                        <- memcached 沒有任何認證機制,綁定到網卡地址後務必用防火牆把 11211 端口限制為只允許 OpenStack 節點訪問 ->
[root@linux-node1 ~]# systemctl restart memcached     <- 重啟memcache ->
[root@linux-node1 ~]# cd /etc/keystone/
[root@linux-node1 keystone]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone        <- 初始化 fernet key ->
[root@linux-node1 keystone]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone    <- 初始化 credential key(與 fernet key 是兩套密鑰) ->
[root@linux-node1 keystone]# keystone-manage bootstrap --bootstrap-password admin \    <- 引導身份服務;admin 是弱密碼,僅限實驗環境 ->
--bootstrap-admin-url http://192.168.56.11:35357/v3/ \
--bootstrap-internal-url http://192.168.56.11:35357/v3/ \
--bootstrap-public-url http://192.168.56.11:5000/v3/ \
--bootstrap-region-id RegionOne
注:以上端點全部是明文 http,密碼與令牌都會在網絡上明文傳輸;生產環境應在前端配置 TLS 並把端點改為 https。
?
1.2.4配置apache服務
[root@linux-node1 keystone]# vim /etc/httpd/conf/httpd.conf    <- 編輯配置文件 ->
95 ServerName 192.168.56.11:80
[root@linux-node1 ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/    <- 軟連接配置文件 ->
[root@linux-node1 ~]# systemctl enable httpd.service    <- 設置開機啟動並啟動apache ->
[root@linux-node1 ~]# systemctl start httpd.service
[root@linux-node1 ~]# export OS_USERNAME=admin          <- 配置環境變量;OS_PASSWORD 會進入 shell 歷史和所有子進程的環境,用完建議 unset ->
[root@linux-node1 ~]# export OS_PASSWORD=admin
[root@linux-node1 ~]# export OS_PROJECT_NAME=admin
[root@linux-node1 ~]# export OS_USER_DOMAIN_NAME=Default
[root@linux-node1 ~]# export OS_PROJECT_DOMAIN_NAME=Default
[root@linux-node1 ~]# export OS_AUTH_URL=http://192.168.56.11:35357/v3
[root@linux-node1 ~]# export OS_IDENTITY_API_VERSION=3
[root@linux-node1 ~]# openstack user list       <- 查看用戶列表 ->
[root@linux-node1 ~]# openstack role list       <- 查看角色列表 ->
[root@linux-node1 ~]# openstack project list    <- 查看項目列表 ->
[root@linux-node1 ~]# openstack endpoint list   <- 查看端點列表 ->
?
?
1.2.5 創建項目
[root@linux-node1 ~]# openstack project create --domain default --description "Service Project" service    <- 創建服務項目 ->
[root@linux-node1 ~]# openstack project list    <- 查看是否創建成功 ->
[root@linux-node1 ~]# openstack project create --domain default --description "Demo Project" demo    <- 創建demo項目 ->
[root@linux-node1 ~]# openstack project list    <- 查看是否創建成功 ->
[root@linux-node1 ~]# openstack user create --domain default --password-prompt demo
User Password:demo
Repeat User Password:demo    <- 創建demo用戶,密碼:demo(交互輸入,實際不會回顯) ->
[root@linux-node1 ~]# openstack user list    <- 查看是否創建成功 ->
[root@linux-node1 ~]# openstack role create user    <- 創建user角色 ->
[root@linux-node1 ~]# openstack role list    <- 查看是否創建成功 ->
[root@linux-node1 ~]# openstack role add --project demo --user demo user
          <- 將demo用戶加入到demo項目並且賦予user角色 ->
?
注:為了方便,以下操作將之後要用到的所有服務用戶都創建好。安全提示:這些服務用戶都被賦予 service 項目上的 admin 角色,而且密碼與用戶名相同;生產環境應為每個服務生成獨立的隨機密碼。
[root@linux-node1 ~]# openstack user create --domain default --password-prompt glance    <- 創建glance用戶,密碼:glance ->
User Password:glance
[root@linux-node1 ~]# openstack role add --project service --user glance admin
                     <- 將glance用戶加入到service項目並且賦予admin角色 ->

[root@linux-node1 ~]# openstack user create --domain default --password-prompt nova    <- 創建nova用戶,密碼:nova ->
User Password:nova
[root@linux-node1 ~]# openstack role add --project service --user nova admin
                     <- 將nova用戶加入到service項目並且賦予admin角色 ->

[root@linux-node1 ~]# openstack user create --domain default --password-prompt neutron    <- 創建neutron用戶,密碼:neutron ->
User Password: neutron
[root@linux-node1 ~]# openstack role add --project service --user neutron admin
                     <- 將neutron用戶加入到service項目並且賦予admin角色 ->

[root@linux-node1 ~]# openstack user create --domain default --password-prompt cinder    <- 創建cinder用戶,密碼:cinder ->
User Password:cinder
[root@linux-node1 ~]# openstack role add --project service --user cinder admin
                     <- 將cinder用戶加入到service項目並且賦予admin角色 ->
1.3驗證keystone
1.3.1驗證用戶
[root@linux-node1 ~]# unset OS_AUTH_URL OS_PASSWORD    <- 取消之前的環境變量,改為交互輸入密碼 ->
[root@linux-node1 ~]# openstack \
--os-auth-url http://192.168.56.11:35357/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name admin \
--os-username admin token issue
<- 驗證admin用戶,提示密碼時輸入admin,成功返回 token 即證明admin用戶沒問題。注意這裡域名寫的是 default,而前面的環境變量用的是 Default(bootstrap 創建的默認域 ID 為 default、名稱為 Default),兩處最好保持一致 ->
[root@linux-node1 keystone]# openstack \
--os-auth-url http://192.168.56.11:35357/v3 \
--os-project-domain-name default \
--os-user-domain-name default \
--os-project-name demo \
--os-username demo token issue
<- 驗證demo用戶,提示密碼時輸入demo,成功返回 token 即證明demo用戶沒問題。普通用戶平時應走公共端點 5000 端口(與下文 demo-openstack 一致),這裡用 35357 只是為了驗證 ->
1.3.2 創建環境變量腳本
[root@linux-node1 ~]# vim admin-openstack    <- admin環境變量;此文件含明文 admin 密碼,創建後請 chmod 600 admin-openstack ->
# admin-openstack: credentials for the cloud-admin user, sourced into the shell.
# NOTE(security): OS_PASSWORD is stored here in plaintext; keep this file
# readable only by its owner (chmod 600) and never commit it anywhere.
export OS_PROJECT_DOMAIN_NAME=default OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin OS_USERNAME=admin
export OS_PASSWORD=admin
# Admin endpoint (port 35357), identity API v3, image API v2.
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3 OS_IMAGE_API_VERSION=2
?
[root@linux-node1 ~]# vim demo-openstack    <- demo環境變量;同樣含明文密碼,創建後請 chmod 600 demo-openstack ->
# demo-openstack: credentials for the non-admin demo user, sourced into the shell.
# NOTE(security): OS_PASSWORD is stored here in plaintext; keep this file
# readable only by its owner (chmod 600) and never commit it anywhere.
export OS_PROJECT_DOMAIN_NAME=default OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo OS_USERNAME=demo
export OS_PASSWORD=demo
# Public endpoint (port 5000), identity API v3, image API v2.
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3 OS_IMAGE_API_VERSION=2
?
[root@linux-node1 ~]# source admin-openstack    <- source 環境變量;兩個文件設置的是同一組變量,二選一即可,後 source 的會覆蓋前一個 ->
[root@linux-node1 ~]# source demo-openstack
1.4Keystone常見錯誤
401 #認證失敗:keystone 相關用戶的賬戶密碼錯誤、節點間時間不同步(令牌有效期依賴時鐘),或者輸入的項目名/域名不對
403 #認證通過但無權限:該用戶在此項目上沒有執行該操作所需的角色;也可能是環境變量沒有 source 生效,或者修改後的配置文件未重啟相關服務
409 #衝突:keystone 創建用戶/項目時該名稱已存在
500 #服務器內部錯誤:服務配置有問題,看日誌,檢查配置
503 #服務不可用:通常是某個服務(如 glance)連不上 keystone,或它在 keystone 中的賬戶密碼與自身配置不一致;核對該服務賬戶密碼,必要時刪除並重新創建
服務故障 #相關服務沒有起來
轉載于:https://blog.51cto.com/goodcook/1887429