Overview
Keystone (OpenStack Identity Service) is the OpenStack component responsible for authentication, service access rules and service tokens. A user accessing a resource must have their identity and permissions verified, and a service performing an operation must also pass a permission check; all of this is handled by Keystone. Keystone acts like a service bus, or rather the registry of the whole OpenStack framework: OpenStack services register their Endpoints (the URLs through which a service is accessed) with Keystone, and any call from one service to another first authenticates with Keystone, obtains the target service's Endpoint, and only then makes the call.
Keystone's main functions are:
Managing users and their permissions; maintaining the Endpoints of the OpenStack services; Authentication and Authorization.
Installation
Create the keystone database
# Create the database on any controller node; the database syncs automatically. controller01 is used as the example.
[root@controller01 ~]# mysql -uroot -p123456
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 12
Server version: 10.2.29-MariaDB-log MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]> CREATE DATABASE keystone;
Query OK, 1 row affected (0.01 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY '123456';
Query OK, 0 rows affected (0.00 sec)
MariaDB [(none)]> flush privileges;
Query OK, 0 rows affected (0.01 sec)
MariaDB [(none)]> exit;
Bye
Install keystone
# Install keystone on all controller nodes; controller01 is used as the example.
[root@controller01 ~]# yum install openstack-keystone httpd mod_wsgi mod_ssl -y
Configuration
# Configure on all controller nodes
[root@controller01 ~]# cp /etc/keystone/keystone.conf /etc/keystone/keystone.conf.bak
[root@controller01 ~]# egrep -v "^$|^#" /etc/keystone/keystone.conf
[DEFAULT]
[application_credential]
[assignment]
[auth]
[cache]
backend = oslo_cache.memcache_pool
enabled = true
memcache_servers = controller01:11211,controller02:11211
[catalog]
[cors]
[credential]
[database]
connection = mysql+pymysql://keystone:123456@controller01/keystone
[domain_config]
[endpoint_filter]
[endpoint_policy]
[eventlet_server]
[federation]
[fernet_tokens]
[healthcheck]
[identity]
[identity_mapping]
[ldap]
[matchmaker_redis]
[memcache]
[oauth1]
[oslo_messaging_amqp]
[oslo_messaging_kafka]
[oslo_messaging_notifications]
[oslo_messaging_rabbit]
[oslo_messaging_zmq]
[oslo_middleware]
[oslo_policy]
[paste_deploy]
[policy]
[profiler]
[resource]
[revoke]
[role]
[saml]
[security_compliance]
[shadow_users]
[signing]
[token]
provider = fernet
[tokenless_auth]
[trust]
[unified_limit]
Only the memcache and mysql settings in the configuration file need to be changed.
Sync the keystone database
# Run on any controller node
[root@controller02 ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller02 ~]# mysql -h controller01 -ukeystone -p123456 -e "use keystone;show tables;"
+-----------------------------+
| Tables_in_keystone |
+-----------------------------+
| access_token |
| application_credential |
| application_credential_role |
| assignment |
| config_register |
| consumer |
| credential |
| endpoint |
| endpoint_group |
| federated_user |
| federation_protocol |
| group |
| id_mapping |
| identity_provider |
| idp_remote_ids |
| implied_role |
| limit |
| local_user |
| mapping |
| migrate_version |
| nonlocal_user |
| password |
| policy |
| policy_association |
| project |
| project_endpoint |
| project_endpoint_group |
| project_tag |
| region |
| registered_limit |
| request_token |
| revocation_event |
| role |
| sensitive_config |
| service |
| service_provider |
| system_assignment |
| token |
| trust |
| trust_role |
| user |
| user_group_membership |
| user_option |
| whitelisted_config |
+-----------------------------+
Initialize the fernet keys
# Run on any controller node
[root@controller01 ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone
[root@controller01 ~]# scp -r /etc/keystone/fernet-keys/ /etc/keystone/credential-keys/ root@192.168.182.132:/etc/keystone/
root@192.168.182.132's password:
1 100% 44 32.3KB/s 00:00
0 100% 44 31.0KB/s 00:00
1 100% 44 30.7KB/s 00:00
0 100% 44 34.6KB/s 00:00
# After syncing, check the ownership of the keys on the controller02 node
[root@controller02 ~]# chown keystone:keystone /etc/keystone/credential-keys/ -R
[root@controller02 ~]# chown keystone:keystone /etc/keystone/fernet-keys/ -R
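The scp and chown steps above only work if every controller ends up with the same key set, owned by keystone and unreadable by anyone else. The following Python audit is an added example, not part of the original post: it checks a fernet-keys or credential-keys directory for ownership, mode and key format, and fingerprints the key set so the two controllers can be compared. The keystone uid/gid are passed in by the caller; `build_demo_repo` is a constructed fixture standing in for the real directory.

```python
import base64
import hashlib
import os
import tempfile

def _owner_and_mode(p, uid, gid, findings):
    """Flag anything not owned by the keystone account or readable by group/others."""
    st = os.stat(p)
    if (st.st_uid, st.st_gid) != (uid, gid):
        findings.append(f"{p}: owner {st.st_uid}:{st.st_gid}, expected {uid}:{gid}")
    if st.st_mode & 0o077:
        findings.append(f"{p}: mode {st.st_mode & 0o777:04o} is group/world accessible")

def audit_key_repo(path, uid, gid):
    """Findings for a fernet-keys or credential-keys directory; [] means it looks right.
    The setup commands create a 0700 directory of 0600 files named 0, 1, 2, ... (32-byte keys)."""
    findings = []
    _owner_and_mode(path, uid, gid, findings)
    for name in sorted(os.listdir(path)):
        fp = os.path.join(path, name)
        if not name.isdigit():
            findings.append(f"{fp}: unexpected file, key files are named 0, 1, 2, ...")
            continue
        _owner_and_mode(fp, uid, gid, findings)
        with open(fp, "rb") as f:
            raw = f.read().strip()
        try:
            if len(base64.urlsafe_b64decode(raw)) != 32:
                raise ValueError("wrong key length")
        except ValueError:
            findings.append(f"{fp}: not a 32-byte urlsafe-base64 Fernet key")
    return findings

def keyset_fingerprint(path):
    """Hash over (name, key) pairs; must match on controller01 and controller02 after the scp."""
    h = hashlib.sha256()
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "rb") as f:
            h.update(name.encode() + b"=" + f.read().strip() + b"\n")
    return h.hexdigest()

def build_demo_repo(insecure=False):
    """Constructed fixture standing in for /etc/keystone/fernet-keys (mkdtemp creates it 0700)."""
    path = tempfile.mkdtemp(prefix="fernet-keys-")
    for i in range(2):
        fp = os.path.join(path, str(i))
        with open(fp, "wb") as f:
            f.write(base64.urlsafe_b64encode(os.urandom(32)))
        os.chmod(fp, 0o644 if insecure else 0o600)
    return path, os.stat(path).st_uid, os.stat(path).st_gid
```

On a real controller, call `audit_key_repo` on both key directories with the uid/gid of the keystone account and compare `keyset_fingerprint` output between the nodes.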
Configure httpd.conf
# Configure on all controller nodes
[root@controller01 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller01 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
[root@controller01 ~]# sed -i "s/Listen 80/Listen 192.168.182.131:80/g" /etc/httpd/conf/httpd.conf
[root@controller02 ~]# cp /etc/httpd/conf/httpd.conf /etc/httpd/conf/httpd.conf.bak
[root@controller02 ~]# sed -i "s/#ServerName www.example.com:80/ServerName ${HOSTNAME}/" /etc/httpd/conf/httpd.conf
[root@controller02 ~]# sed -i "s/Listen 80/Listen 192.168.182.132:80/g" /etc/httpd/conf/httpd.conf
Configure wsgi-keystone.conf
# Configure on all controller nodes
[root@controller01 ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller01 ~]# sed -i "s/Listen 5000/Listen 192.168.182.131:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller01 ~]# sed -i "s/*:5000/192.168.182.131:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller02 ~]# cp /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/
[root@controller02 ~]# sed -i "s/Listen 5000/Listen 192.168.182.132:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
[root@controller02 ~]# sed -i "s/*:5000/192.168.182.132:5000/g" /etc/httpd/conf.d/wsgi-keystone.conf
Bootstrap the identity service
# Run on any node
keystone-manage bootstrap --bootstrap-password 123456 \
--bootstrap-admin-url http://controller01:5000/v3/ \
--bootstrap-internal-url http://controller01:5000/v3/ \
--bootstrap-public-url http://controller01:5000/v3/ \
--bootstrap-region-id RegionOne
Start
# Run on all controller nodes; controller01 is used as the example
[root@controller01 ~]# systemctl enable httpd.service
[root@controller01 ~]# systemctl restart httpd.service
[root@controller01 ~]# systemctl status httpd.service
Create domains, projects, users and roles
domain
# domain
[root@controller01 ~]# openstack domain list
+---------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+---------+---------+---------+--------------------+
| default | Default | True | The default domain |
+---------+---------+---------+--------------------+
# To create a new domain:
[root@controller01 conf.d]# openstack domain create --description "An Example Domain" example
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | An Example Domain |
| enabled | True |
| id | 6e77b351784b479b8fba509ac96a7648 |
| name | example |
| tags | [] |
+-------------+----------------------------------+
[root@controller01 conf.d]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+--------------------+
| 6e77b351784b479b8fba509ac96a7648 | example | True | An Example Domain |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+--------------------+
projects
# A project belongs to a domain;
# Example: create the demo project, which belongs to the "default" domain
[root@controller01 conf.d]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | default |
| enabled | True |
| id | ceb19536c29f4e2094c1a729e7121b50 |
| is_domain | False |
| name | demo |
| parent_id | default |
| tags | [] |
+-------------+----------------------------------+
users
# A user belongs to a domain;
# Example: create the demo user, which belongs to the "default" domain
[root@controller01 conf.d]# openstack user create --domain default --password=123456 demo
+---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | default |
| enabled | True |
| id | 4e1b497157304132baf57bdb054aa251 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
roles
# Create an ordinary user role (as distinct from the admin user)
[root@controller01 conf.d]# openstack role create user
+-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 2f37516c3592405eb0c55736560d8419 |
| name | user |
+-----------+----------------------------------+
# Grant the user role to the demo user on the demo project
[root@controller01 conf.d]# openstack role add --project demo --user demo user
# Check
[root@controller01 conf.d]# openstack user list
+----------------------------------+-------+
| ID | Name |
+----------------------------------+-------+
| 4e1b497157304132baf57bdb054aa251 | demo |
| 9a997ebdd0244ce1ab07c970f5941e5a | admin |
+----------------------------------+-------+
[root@controller01 conf.d]# openstack role list
+----------------------------------+--------+
| ID | Name |
+----------------------------------+--------+
| 2f37516c3592405eb0c55736560d8419 | user |
| 2f915bf9da734edda88c55f59bd49c56 | member |
| 7f26aba8e14842b184a8e5b3d63f566b | admin |
| ff1613d93721433582e10d320fb2f468 | reader |
+----------------------------------+--------+
[root@controller01 conf.d]# openstack role assignment list
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| Role | User | Group | Project | Domain | System | Inherited |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
| 2f37516c3592405eb0c55736560d8419 | 4e1b497157304132baf57bdb054aa251 | | ceb19536c29f4e2094c1a729e7121b50 | | | False |
| 7f26aba8e14842b184a8e5b3d63f566b | 9a997ebdd0244ce1ab07c970f5941e5a | | a1f6ca90da2f4562b9c1388a95f3bd00 | | | False |
| 7f26aba8e14842b184a8e5b3d63f566b | 9a997ebdd0244ce1ab07c970f5941e5a | | | | all | False |
+----------------------------------+----------------------------------+-------+----------------------------------+--------+--------+-----------+
openstack client environment variable scripts
admin-openrc
[root@controller01 ~]# cat admin-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller01 ~]# chmod u+x admin-openrc
[root@controller01 ~]# source admin-openrc
[root@controller01 ~]# openstack domain list
+----------------------------------+---------+---------+--------------------+
| ID | Name | Enabled | Description |
+----------------------------------+---------+---------+--------------------+
| 6e77b351784b479b8fba509ac96a7648 | example | True | An Example Domain |
| default | Default | True | The default domain |
+----------------------------------+---------+---------+--------------------+
[root@controller01 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-11-25T10:05:48+0000 |
| id | gAAAAABd25lsHXz8Evv_EIWYXweY-I8c67ZKz4W9ztKO9P75edhiHw5kVGE2vIKZWdjUz2jhUms7mHHXGGlYfFAmPh6Kin0a2mWvAg36jd9OzkQxP_vVgn-e_G2--IrEdkF6jyLrcBdT-mu57tcqcXKXc5kk0JaxV33fGZhk_xAS0FxXffsWErc |
| project_id | a1f6ca90da2f4562b9c1388a95f3bd00 |
| user_id | 9a997ebdd0244ce1ab07c970f5941e5a |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
demo-openrc
[root@controller01 ~]# cat demo-openrc
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=123456
export OS_AUTH_URL=http://controller01:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@controller01 ~]# chmod u+x demo-openrc
[root@controller01 ~]# openstack token issue
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2019-11-25T10:06:48+0000 |
| id | gAAAAABd25moqldgU1V3KGU3sfAMs9atlKOWXaVTzP3HlSXAfXT0hlYE-AHsEoXiR4lE1ShSTrppHv8c1BmKsvwaLkStDbM7sECHTcZrTCt4AFooGVQUzsjW6rccG6FsiplJeNN0p5rK19EzmRIiaSWYs-zMLds3nfDerYdQZxBZki4ys1hIIjs |
| project_id | ceb19536c29f4e2094c1a729e7121b50 |
| user_id | 4e1b497157304132baf57bdb054aa251 |
+------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
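The token ids returned by `openstack token issue` are Fernet tokens (the `provider = fernet` setting above): only the version byte and issue timestamp are plaintext, everything else is AES-encrypted and HMAC-protected with the keys in /etc/keystone/fernet-keys. The following Python is an added example, not code from the original post: it decodes the header of the admin token shown above and, assuming the default [token] expiration of 3600 seconds (the walkthrough does not change it), recomputes the `expires` value printed by the client.

```python
import base64
import struct
from datetime import datetime, timedelta, timezone

# keystone.conf [token] expiration defaults to 3600 seconds; the walkthrough keeps the default.
DEFAULT_TOKEN_LIFETIME = 3600

# The admin token id from the `openstack token issue` output above (183 chars, padding stripped).
ADMIN_TOKEN_ID = ("gAAAAABd25lsHXz8Evv_EIWYXweY-I8c67ZKz4W9ztKO9P75edhiHw5kVGE2vIKZWdjUz2jhUms7mHHX"
                  "GGlYfFAmPh6Kin0a2mWvAg36jd9OzkQxP_vVgn-e_G2--IrEdkF6jyLrcBdT-mu57tcqcXKXc5kk0Jax"
                  "V33fGZhk_xAS0FxXffsWErc")

def parse_fernet_token(token_id):
    """Split a keystone Fernet token id into its plaintext header and opaque parts.

    Fernet layout: version 0x80 | 8-byte big-endian timestamp | 16-byte IV |
    AES-128-CBC ciphertext | 32-byte HMAC-SHA256. Keystone strips the '=' padding
    from the urlsafe base64, so it is restored first. Only the version and issue
    time are readable; user, project and expiry live inside the encrypted payload.
    """
    raw = base64.urlsafe_b64decode(token_id + "=" * (-len(token_id) % 4))
    if len(raw) < 1 + 8 + 16 + 32:
        raise ValueError("too short to be a Fernet token")
    version, issued = struct.unpack(">BQ", raw[:9])
    if version != 0x80:
        raise ValueError(f"unexpected Fernet version byte {version:#x}")
    ciphertext = raw[25:-32]
    if len(ciphertext) % 16:
        raise ValueError("ciphertext is not a whole number of AES blocks")
    return {
        "version": version,
        "issued_at": datetime.fromtimestamp(issued, tz=timezone.utc),
        "iv": raw[9:25],
        "ciphertext_len": len(ciphertext),
        "hmac": raw[-32:],
    }

def expected_expiry(token_id, lifetime=DEFAULT_TOKEN_LIFETIME):
    """Header issue time plus the configured lifetime, in the format `expires` uses."""
    issued = parse_fernet_token(token_id)["issued_at"]
    return (issued + timedelta(seconds=lifetime)).strftime("%Y-%m-%dT%H:%M:%S%z")

if __name__ == "__main__":
    info = parse_fernet_token(ADMIN_TOKEN_ID)
    print("issued  :", info["issued_at"].isoformat())
    print("expires :", expected_expiry(ADMIN_TOKEN_ID), "(page shows 2019-11-25T10:05:48+0000)")
```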