Deploying Keystone

2022-12-13 12:18:52

After the basic environment has been configured, the Keystone component should be deployed first; it only needs to be deployed on the controller node.

1. Create the database and database user

Create the keystone database in MySQL, then create the database user and grant it privileges on that database.

    [root@controller ~]# mysql -u root -p000000
    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 15
    Server version: 10.3.20-MariaDB MariaDB Server

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [(none)]> CREATE DATABASE keystone;
    Query OK, 1 row affected (0.001 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY 'keystone';
    Query OK, 0 rows affected (0.000 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'controller' IDENTIFIED BY 'keystone';
    Query OK, 0 rows affected (0.000 sec)

    MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY 'keystone';
    Query OK, 0 rows affected (0.000 sec)

    MariaDB [(none)]> exit
    Bye

2. Install the Keystone packages

    [root@controller ~]# yum install -y openstack-keystone httpd mod_wsgi

3. Configure Keystone

    [root@controller ~]# vim /etc/keystone/keystone.conf

Add the connection line under [database] and the provider line under [token]:

    [database]
    connection = mysql+pymysql://keystone:keystone@controller/keystone

    [token]
    provider = fernet

4. Initialize the identity service database

    [root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

Verify that the database was synchronized:

    [root@controller ~]# mysql -h 192.168.16.128 -u keystone -pkeystone -e "USE keystone; SHOW TABLES;"
    +------------------------------------+
    | Tables_in_keystone                 |
    +------------------------------------+
    | access_rule                        |
    | access_token                       |
    | application_credential             |
    | application_credential_access_rule |
    | application_credential_role        |
    | assignment                         |
    | config_register                    |
    | consumer                           |
    | credential                         |
    | endpoint                           |
    | endpoint_group                     |
    | federated_user                     |
    | federation_protocol                |
    | group                              |
    | id_mapping                         |
    | identity_provider                  |
    | idp_remote_ids                     |
    | implied_role                       |
    | limit                              |
    | local_user                         |
    | mapping                            |
    | migrate_version                    |
    | nonlocal_user                      |
    | password                           |
    | policy                             |
    | policy_association                 |
    | project                            |
    | project_endpoint                   |
    | project_endpoint_group             |
    | project_option                     |
    | project_tag                        |
    | region                             |
    | registered_limit                   |
    | request_token                      |
    | revocation_event                   |
    | role                               |
    | role_option                        |
    | sensitive_config                   |
    | service                            |
    | service_provider                   |
    | system_assignment                  |
    | token                              |
    | trust                              |
    | trust_role                         |
    | user                               |
    | user_group_membership              |
    | user_option                        |
    | whitelisted_config                 |
    +------------------------------------+

5. Initialize the Fernet keys

Fernet is the secure token format used for API tokens; initialize its key repositories:

    [root@controller ~]# keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
    [root@controller ~]# keystone-manage credential_setup --keystone-user keystone --keystone-group keystone

6. Bootstrap the identity service

    [root@controller ~]# keystone-manage bootstrap --bootstrap-password 000000 \
      --bootstrap-admin-url http://controller:35357/v3/ \
      --bootstrap-internal-url http://controller:5000/v3/ \
      --bootstrap-public-url http://controller:5000/v3/ \
      --bootstrap-region-id RegionOne

7. Configure the Apache HTTP server

(1) Set the server hostname

    [root@controller ~]# vim /etc/httpd/conf/httpd.conf

Before: #ServerName www.example.com:80
After: ServerName controller
Save and exit.

(2) Create the configuration file

    [root@controller ~]# ln -s /usr/share/keystone/wsgi-keystone.conf /etc/httpd/conf.d/

(3) Start the service and enable it at boot

    [root@controller ~]# systemctl start httpd.service
    [root@controller ~]# systemctl enable httpd.service
    Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.

8. Configure the administrator account's environment variables

    [root@controller ~]# export OS_USERNAME=admin
    [root@controller ~]# export OS_PASSWORD=000000
    [root@controller ~]# export OS_PROJECT_NAME=admin
    [root@controller ~]# export OS_USER_DOMAIN_NAME=Default
    [root@controller ~]# export OS_PROJECT_DOMAIN_NAME=Default
    [root@controller ~]# export OS_AUTH_URL=http://controller:5000/v3
    [root@controller ~]# export OS_IDENTITY_API_VERSION=3

9. Create the OpenStack domain, project, user and role

Create the service project:

    [root@controller ~]# openstack project create --domain default --description "Service Project" service
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Service Project                  |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 034564ee72e6440ebe7f32e7e6156aa2 |
    | is_domain   | False                            |
    | name        | service                          |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

Create the demo project:

    [root@controller ~]# openstack project create --domain default --description "Demo Project" demo
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | Demo Project                     |
    | domain_id   | default                          |
    | enabled     | True                             |
    | id          | 5350cda310b9484680c28fcfc92587e9 |
    | is_domain   | False                            |
    | name        | demo                             |
    | options     | {}                               |
    | parent_id   | default                          |
    | tags        | []                               |
    +-------------+----------------------------------+

Create the demo user:

    [root@controller ~]# openstack user create --domain default --password-prompt demo
    User Password: 000000
    Repeat User Password: 000000
    +---------------------+----------------------------------+
    | Field               | Value                            |
    +---------------------+----------------------------------+
    | domain_id           | default                          |
    | enabled             | True                             |
    | id                  | d34d1f0450c24546b157f624b2adb33f |
    | name                | demo                             |
    | options             | {}                               |
    | password_expires_at | None                             |
    +---------------------+----------------------------------+

Create the user role:

    [root@controller ~]# openstack role create user
    +-------------+----------------------------------+
    | Field       | Value                            |
    +-------------+----------------------------------+
    | description | None                             |
    | domain_id   | None                             |
    | id          | 1f43962ba43244058f25dad2b7150129 |
    | name        | user                             |
    | options     | {}                               |
    +-------------+----------------------------------+

Add the demo user to the demo project with the user role:

    [root@controller ~]# openstack role add --project demo --user demo user

10. Verify the identity service

(1) For security reasons, remove the temporary token authentication mechanism: edit the /etc/keystone/keystone-paste.ini configuration file and delete the admin_token value from the [pipeline:public_api], [pipeline:admin_api] and [pipeline:api_v3] sections.

(2) Unset the temporary environment variables

    [root@controller ~]# unset OS_AUTH_URL OS_PASSWORD

(3) Request a token as the admin user

    [root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
    Password: 000000
    Password: 000000
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2020-05-08T13:56:14+0000                                                                                                                                                                |
    | id         | gAAAAABetVbuwnOJRVKoaPPfHOmowVHRwgGzzhL0trOrLnUdSgAHlVX_QWpnNdnVAX_nsfqpPvVYyH7y9nvXMdCsCubfY0ElgAaiUVSxrZ3BndNfoM9jZOpOmzMU-9k0Dlixt5CaymMgXDba4yNXsUAUv-Wb2UgYZrmH3ukVznio-aENViOeQx8 |
    | project_id | fa7f256af0d447f1977ec4a781502e38                                                                                                                                                        |
    | user_id    | 6e3faf98b03a480e862c340753855ae4                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(4) Request a token as the demo user

    [root@controller ~]# openstack --os-auth-url http://controller:5000/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name demo --os-username demo token issue
    Password: 000000
    Password: 000000
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2020-05-08T13:58:17+0000                                                                                                                                                                |
    | id         | gAAAAABetVdpGLwJsqGWyustkFtb5elYYJnErdPbSBoVBVA8k1FUkMvRVYkdUOvEdUzxklTVJS7Qvst-kKOSRo_gL0U8-gmKaRDUUcwTlosEntMw_2KMjeB1wx-BT-j-aT82oHYOM-dH_IhJo2okvm1YzY_HABew0XBHO65LM7ve_yUUj2539xw |
    | project_id | 5350cda310b9484680c28fcfc92587e9                                                                                                                                                        |
    | user_id    | d34d1f0450c24546b157f624b2adb33f                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

(5) Create the environment scripts

① Create the admin user's environment script

    [root@controller ~]# vim admin-openrc
    [root@controller ~]# cat admin-openrc
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=admin
    export OS_USERNAME=admin
    export OS_PASSWORD=000000
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

② Create the demo user's environment script

    [root@controller ~]# vim demo-openrc
    [root@controller ~]# cat demo-openrc
    export OS_PROJECT_DOMAIN_NAME=Default
    export OS_USER_DOMAIN_NAME=Default
    export OS_PROJECT_NAME=demo
    export OS_USERNAME=demo
    export OS_PASSWORD=000000
    export OS_AUTH_URL=http://controller:5000/v3
    export OS_IDENTITY_API_VERSION=3
    export OS_IMAGE_API_VERSION=2

③ Make the environment scripts executable

    [root@controller ~]# chmod +x admin-openrc
    [root@controller ~]# chmod +x demo-openrc

(6) Verify the admin environment script

① Run the admin environment script

    [root@controller ~]# ./admin-openrc

② Using the environment variables from the script, request a token directly

    [root@controller ~]# openstack token issue
    Missing value auth-url required for auth plugin password

Fix: running the script as ./admin-openrc executes it in a child shell, so its exported variables never reach the current shell. In the directory containing admin-openrc, source the script instead:

    [root@controller ~]# source admin-openrc
    [root@controller ~]# openstack token issue
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | Field      | Value                                                                                                                                                                                   |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
    | expires    | 2020-05-08T14:09:19+0000                                                                                                                                                                |
    | id         | gAAAAABetVn_XtdknvviCFdNnESEBM7CZcQBrf-mCSoUKq-LVkwP2ajb9B65BwXWGKMMd8-aR2M6nVX3mNsXviG42OaE8_mjaaDpvTZv-6TpqqTbxbawUVbOUqm3qw8M13_hH-E3cOlKiDXtiVGvcs418nU1pXJQuCyfWKF8rNCTy8HkbydDZxE |
    | project_id | fa7f256af0d447f1977ec4a781502e38                                                                                                                                                        |
    | user_id    | 6e3faf98b03a480e862c340753855ae4                                                                                                                                                        |
    +------------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

At this point the Keystone deployment is complete.
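To show what `openstack token issue` actually does with the openrc variables, here is an added example (not code from the original post): it parses the admin-openrc from the steps above (embedded as constructed input), builds the Keystone v3 password-authentication request the CLI posts to OS_AUTH_URL/auth/tokens, reproduces the "Missing value auth-url" failure when OS_AUTH_URL is absent from the environment (as after `./admin-openrc` instead of `source admin-openrc`), and reduces a constructed v3 auth response to the four fields the CLI table prints.

```python
"""Added example: the Keystone v3 request behind `openstack token issue`."""
import shlex
from typing import Dict, Tuple

# Constructed input: the same variables as the admin-openrc shown on this page.
ADMIN_OPENRC = """
export OS_PROJECT_DOMAIN_NAME=Default
export OS_USER_DOMAIN_NAME=Default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=000000
export OS_AUTH_URL=http://controller:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
"""

def parse_openrc(text: str) -> Dict[str, str]:
    """Collect `export NAME=value` lines into a dict (what `source` puts in the env)."""
    env: Dict[str, str] = {}
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if len(parts) == 2 and parts[0] == "export" and "=" in parts[1]:
            name, value = parts[1].split("=", 1)
            env[name] = value
    return env

def build_token_request(env: Dict[str, str]) -> Tuple[str, dict]:
    """Return (URL, JSON body) for POST /v3/auth/tokens using the password method,
    scoped to OS_PROJECT_NAME. Without OS_AUTH_URL the CLI cannot choose an
    endpoint, which is the error seen when the openrc ran in a child shell."""
    if not env.get("OS_AUTH_URL"):
        raise ValueError("Missing value auth-url required for auth plugin password")
    body = {"auth": {
        "identity": {"methods": ["password"], "password": {"user": {
            "name": env["OS_USERNAME"],
            "domain": {"name": env["OS_USER_DOMAIN_NAME"]},
            "password": env["OS_PASSWORD"]}}},
        "scope": {"project": {"name": env["OS_PROJECT_NAME"],
                              "domain": {"name": env["OS_PROJECT_DOMAIN_NAME"]}}}}}
    return env["OS_AUTH_URL"].rstrip("/") + "/auth/tokens", body

def summarize_token(headers: Dict[str, str], body: dict) -> Dict[str, str]:
    """Reduce a v3 auth response to the four fields `openstack token issue` prints.
    Keystone returns the Fernet token in the X-Subject-Token header, not the body."""
    token = body["token"]
    return {"expires": token["expires_at"], "id": headers["X-Subject-Token"],
            "project_id": token["project"]["id"], "user_id": token["user"]["id"]}
```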
