Centos7 install Openstack - (第二节)添加认证服务(Keystone)

我的blog地址:http://www.cnblogs.com/caoguo

根据openstack官方文档配置

官方文档地址: http://docs.openstack.org/juno/install-guide/install/yum/content/#

0x01.认证服务安装与配置(控制节点)

[root@controller ~]# mysql -uroot -p

MariaDB [(none)]> CREATE DATABASE keystone;

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \

-> IDENTIFIED BY 'KEYSTONE_DBPASS';

MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \

-> IDENTIFIED BY 'KEYSTONE_DBPASS';

MariaDB [(none)]> flush privileges;
[root@controller ~]# openssl rand -hex 

cdda1486bf623ac74d53

[root@controller ~]# yum install -y openstack-keystone python-keystoneclient

[root@controller ~]# cp -rf /etc/keystone/keystone.conf /etc/keystone/keystone.conf.old
[root@controller ~]# vi /etc/keystone/keystone.conf   #增加一下配置就可以了

[DEFAULT]

admin_token = cdda1486bf623ac74d53

verbose = True

[database]

connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone

[token]

provider = keystone.token.providers.uuid.Provider

driver = keystone.token.persistence.backends.sql.Token

[revoke]

driver = keystone.contrib.revoke.backends.sql.Revoke
[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone

[root@controller ~]# chown -R keystone:keystone /var/log/keystone

[root@controller ~]# chown -R keystone:keystone /etc/keystone/ssl

[root@controller ~]# chmod -R o-rwx /etc/keystone/ssl

[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone

[root@controller ~]# systemctl enable openstack-keystone.service

[root@controller ~]# systemctl start openstack-keystone.service

0x02. Create tenants, users, and roles(控制节点)

[root@controller ~]# export OS_SERVICE_TOKEN=cdda1486bf623ac74d53

[root@controller ~]# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0

2-1. Create an administrative tenant, user, and role for administrative operations in your environment:
  a. Create the admin tenant:(创建租户admin)

[root@controller ~]# keystone tenant-create --name admin --description "Admin Tenant"

+-------------+----------------------------------+

| Property | Value |

+-------------+----------------------------------+

| description | Admin Tenant |

| enabled | True |

| id | f42937a2fd484d638ce58e67fef59b67 |

| name | admin |

+-------------+----------------------------------+

  b. Create the admin user:(创建用户admin)

[root@controller ~]# keystone user-create --name admin --pass ADMIN_PASS --email admin@example.com

+----------+----------------------------------+

| Property | Value |

+----------+----------------------------------+

| email | admin@example.com |

| enabled | True |

| id | cc58749f0ecb402d9f627ee72bda5afb |

| name | admin |

| username | admin |

+----------+----------------------------------+

  c. Create the admin role:(创建角色admin)

[root@controller ~]# keystone role-create --name admin

+----------+----------------------------------+

| Property | Value |

+----------+----------------------------------+

| id | 4fa15a3b9fc6464694696fa75696b191 |

| name | admin |

+----------+----------------------------------+

  d. Add the admin role to the admin tenant and user:(添加用户到租户以及角色中)

[root@controller ~]# keystone user-role-add --user admin --tenant admin --role admin

2-2. Create a demo tenant and user for typical operations in your environment:
  a. Create the demo tenant:(创建租户demo)

[root@controller ~]# keystone tenant-create --name demo --description "Demo Tenant"

+-------------+----------------------------------+

| Property | Value |

+-------------+----------------------------------+

| description | Demo Tenant |

| enabled | True |

| id | e15976585a8b45c4984f4ebd9db90b5c |

| name | demo |

+-------------+----------------------------------+

  b. Create the demo user under the demo tenant:(添加demo用户到租户demo中)

[root@controller ~]# keystone user-create --name demo --tenant demo --pass DEMO_PASS --email demo@example.com

+----------+----------------------------------+

| Property | Value |

+----------+----------------------------------+

| email | demo@example.com |

| enabled | True |

| id | 5c8155359c20422c96e7bcd6aa6388ba |

| name | demo |

| tenantId | e15976585a8b45c4984f4ebd9db90b5c |

| username | demo |

+----------+----------------------------------+

2-3.OpenStack services also require a tenant, user, and role to interact with other services.
Each service typically requires creating one or more unique users with the admin role
under the service tenant

 a. Create the service tenant:(创建租户service)

[root@controller ~]# keystone tenant-create --name service --description "Service Tenant"

+-------------+----------------------------------+

| Property | Value |

+-------------+----------------------------------+

| description | Service Tenant |

| enabled | True |

| id | 6826a4d9fa7f4e438f3c79010ad80dcd |

| name | service |

+-------------+----------------------------------+

0x03. Create the service entity and API endpoint(控制节点)
  3-1. Create the service entity for the Identity service:

[root@controller ~]# keystone service-create --name keystone --type identity \

--description "OpenStack Identity"

+-------------+----------------------------------+

| Property | Value |

+-------------+----------------------------------+

| description | OpenStack Identity |

| enabled | True |

| id | 5da5b6f72df341a7959ee7b42131c082 |

| name | keystone |

| type | identity |

+-------------+----------------------------------+

  3-2. Create the Identity service API endpoints:

[root@controller ~]# keystone endpoint-create \

--service-id $(keystone service-list | awk '/ identity / {print $2}') \

--publicurl http://controller:5000/v2.0 \

--internalurl http://controller:5000/v2.0 \

--adminurl http://controller:35357/v2.0 \

--region regionOne

+-------------+----------------------------------+

| Property | Value |

+-------------+----------------------------------+

| adminurl | http://controller:35357/v2.0 |

| id | 90af99e76cc54249b5ac3ec4269b0d99 |

| internalurl | http://controller:5000/v2.0 |

| publicurl | http://controller:5000/v2.0 |

| region | regionOne |

| service_id | 5da5b6f72df341a7959ee7b42131c082 |

+-------------+----------------------------------+

0x04. 确认以上操作(控制节点)
  4-1. 销毁变量

[root@controller ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT

  4-2. 验证token

[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \

--os-auth-url http://controller:35357/v2.0 token-get

+-----------+----------------------------------+

| Property | Value |

+-----------+----------------------------------+

| expires | --01T09::34Z |

| id | 6ce0cc1d7cf94cd39f66f8cad8d78da1 |

| tenant_id | f42937a2fd484d638ce58e67fef59b67 |

| user_id | cc58749f0ecb402d9f627ee72bda5afb |

+-----------+----------------------------------+

  4-3.租户列表

[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \

--os-auth-url http://controller:35357/v2.0 tenant-list

+----------------------------------+---------+---------+

| id | name | enabled |

+----------------------------------+---------+---------+

| f42937a2fd484d638ce58e67fef59b67 | admin | True |

| e15976585a8b45c4984f4ebd9db90b5c | demo | True |

| 6826a4d9fa7f4e438f3c79010ad80dcd | service | True |

+----------------------------------+---------+---------+

  

  4-4. 用户列表

[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \

--os-auth-url http://controller:35357/v2.0 user-list

+----------------------------------+-------+---------+------------------+

| id | name | enabled | email |

+----------------------------------+-------+---------+------------------+

| cc58749f0ecb402d9f627ee72bda5afb | admin | True | admin@example.com |

| 5c8155359c20422c96e7bcd6aa6388ba | demo | True | demo@example.com |

+----------------------------------+-------+---------+------------------+

  4-5. 角色列表

[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \

--os-auth-url http://controller:35357/v2.0 role-list

+----------------------------------+----------+

| id | name |

+----------------------------------+----------+

| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |

| 4fa15a3b9fc6464694696fa75696b191 | admin |

+----------------------------------+----------+

  4-6.  demo用户获取token

[root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS \

--os-auth-url http://controller:35357/v2.0 token-get

+-----------+----------------------------------+

| Property | Value |

+-----------+----------------------------------+

| expires | --01T10::54Z |

| id | 8beacb3ab30e402583b9e1ff2bdf05ba |

| tenant_id | e15976585a8b45c4984f4ebd9db90b5c |

| user_id | 5c8155359c20422c96e7bcd6aa6388ba |

+-----------+----------------------------------+

  4-7. 尝试无权限访问

[root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS \

> --os-auth-url http://controller:35357/v2.0 user-list

You are not authorized to perform the requested action: admin_required (HTTP )

0x05. Create OpenStack client environment scripts(控制节点)
  5-1. 添加admin的环境变量

[root@controller ~]# vi admin-openrc.s

export OS_TENANT_NAME=admin

export OS_USERNAME=admin

export OS_PASSWORD=ADMIN_PASS

export OS_AUTH_URL=http://controller:35357/v2.0

  5-2. 添加demo用户的环境变量

[root@controller ~]# vi demo-openrc.sh

export OS_TENANT_NAME=demo

export OS_USERNAME=demo

export OS_PASSWORD=DEMO_PASS

export OS_AUTH_URL=http://controller:5000/v2.0

Centos7 Openstack - (第二节)添加认证服务(Keystone)的更多相关文章

  1. Centos7 Openstack - (第一节)基本环境配置

    Centos7 install Openstack - (第一节)基本环境配置 我的blog地址:http://www.cnblogs.com/caoguo 根据openstack官方文档配置 官方文 ...

  2. 【openstack N版】——认证服务keystone

    一. 基础环境 1.1环境介绍 linux-node1(控制节点) #系统版本 [root@linux-node1 ~]# cat /etc/redhat-release CentOS Linux r ...

  3. Centos7 install Openstack - (第四节)添加计算服务(Nova)

    Centos7 install Openstack - (第四节)添加计算服务(Nova) 我的blog地址:http://www.cnblogs.com/caoguo 该文根据openstack官方 ...

  4. Centos7 install Openstack - (第三节)添加镜像服务(Glance)

    Centos7 install Openstack - (第三节)添加镜像服务(Glance) 我的blog地址:http://www.cnblogs.com/caoguo 该文根据openstack ...

  5. OpenStack实践系列②认证服务Keystone

    OpenStack实践系列②认证服务Keystone 三.实战OpenStack之控制节点3.1 CentOS7的时间同步服务器chrony 下载chrony # yum install -y chr ...

  6. OpenStack入门篇(七)之认证服务Keystone

    一.Keystone的概述 Keystone是Openstack的组件之一,用于为Openstack家族中的其它组件成员提供统一的认证服务,包括身份验证,令牌的发放和校验,服务列表,用户权限的定义等. ...

  7. [ Openstack ] OpenStack-Mitaka 高可用之 认证服务(keystone)

    目录 Openstack-Mitaka 高可用之 概述    Openstack-Mitaka 高可用之 环境初始化    Openstack-Mitaka 高可用之 Mariadb-Galera集群 ...

  8. OpenStack 认证服务 KeyStone 服务注册(五)

    创建服务实体和API端点 创建服务 openstack service create --name keystone --description "OpenStack Identity&qu ...

  9. OpenStack Swift集群与Keystone的整合使用说明

    之前已经介绍了OpenStack Swift集群和Keystone的安装部署,最后来讲一讲Swift集群与Keystone的整合使用吧. 1. 简介 本文档描述了Keystone与Swift集群的整合 ...

随机推荐

  1. Ubuntu 16.04下MySQL 5.7.18取消开机启动(解决无法使用Sysvinit(update-rc.d/sysv-rc-conf)脚本关闭)

    首先了解以下运行级别对应工具的变化历史: 1.Ubuntu 6.10及以前版本使用Sysvinit. 2.Ubuntu 14.10及以前版本使用Upstart但是还留着Sysvinit并存. http ...

  2. ArcGIS ArcMap “ Add Data” 打开后,一直卡死,无内容

    打开ArcMap能打开,Add Data 或打开mxd就出Runtime Error对话框.打开ArcCatlog或者ArcGlobe出现Runtime Error对话框Runtime Error!P ...

  3. VB的程序如何破解

    VB的程序,不会告诉你这个VB写的,但是从界面来看就很像VB,一般是单文件的EXE,然后软件还比较小(早期的傻瓜式软件写的东西)   比如说我们想要知道这个"手动采集"按钮干了什么 ...

  4. VBS调用Windows API函数

    Demon's Blog 忘记了,喜欢一个人的感觉 Demon's Blog  »  程序设计  »  VBS调用Windows API函数 « 用VBS修改Windows用户密码 在VB中创建和使用 ...

  5. Linux下一款可以使用命令行的pdf阅读器

    Zathura是linux下一款用命令行控制打pdf阅读器,并且基本打使用方法和vim很相似.对于喜欢键盘操作的用户来说的确是一个不错的选择. ubuntu下的安装命令: sudo apt-get i ...

  6. 进销存管理系统, 刚学C++

    各位大神们.有什么补充的能够评论一下吗? #include<iostream> #include<string> using namespace std; int G=0;// ...

  7. Qt 开发程序后的公布问题

    Qt 开发程序后的公布问题 Qt 是一套跨平台 C++ 图形用户界面应用程序开发框架,利用它能够很方便的开发各种类型的应用程序.可是随着 Qt 的发展.功能越来越强大,公布时须要文件也越来越多.公布时 ...

  8. Getting console.log output with Selenium Python API bindings

    持久化存储 Getting console.log output from Chrome with Selenium Python API bindings - Stack Overflow http ...

  9. 一个尖括号能干什么,画一个笑脸开始(为了支持交互,它又增添了JavaScript。HTML页面也越来越臃肿。于是CSS便诞生了。API和核心代码的出现使HTML能够访问更复杂的软件功能--支持更高级的交互和云服务集成。这就是今天的HTML5)

    一个尖括号 < 一个尖括号能干什么 < ? 你可以编出一顶帽子 <(:-p 或一张笑脸 :-> 再或者更直接一些 20世纪90年代初,html作为一种简单标记语言面世,用于在互 ...

  10. 继承自TWinControl的控件不能在设计期间接受子控件,用代码设置子控件却可以(它的自绘是直接改写PaintWindow虚函数,而不是覆盖Paint函数——对TWinControl.WMPaint又有新解了)

    这个控件直接继承自TWinControl,因此不是改写Paint;函数,而是直接改写PaintWindow虚函数,它在VCL框架里被直接调用,直接就把自己画好了(不用走给控件Perform(WM_Pa ...