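CentOS 7 OpenStack - (Part 2) Adding the Identity Service (Keystone)
CentOS 7 install OpenStack - (Part 2) Adding the Identity Service (Keystone)
My blog: http://www.cnblogs.com/caoguo
Configured according to the official OpenStack documentation
Official documentation: http://docs.openstack.org/juno/install-guide/install/yum/content/#
0x01. Install and configure the Identity service (controller node)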
[root@controller ~]# mysql -uroot -p
MariaDB [(none)]> CREATE DATABASE keystone;
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' \
-> IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' \
-> IDENTIFIED BY 'KEYSTONE_DBPASS';
MariaDB [(none)]> flush privileges;
[root@controller ~]# openssl rand -hex 10
cdda1486bf623ac74d53
[root@controller ~]# yum install -y openstack-keystone python-keystoneclient
[root@controller ~]# cp -rf /etc/keystone/keystone.conf /etc/keystone/keystone.conf.old
[root@controller ~]# vi /etc/keystone/keystone.conf # adding the following settings is enough
[DEFAULT]
admin_token = cdda1486bf623ac74d53
verbose = True
[database]
connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone
[token]
provider = keystone.token.providers.uuid.Provider
driver = keystone.token.persistence.backends.sql.Token
[revoke]
driver = keystone.contrib.revoke.backends.sql.Revoke
[root@controller ~]# keystone-manage pki_setup --keystone-user keystone --keystone-group keystone
[root@controller ~]# chown -R keystone:keystone /var/log/keystone
[root@controller ~]# chown -R keystone:keystone /etc/keystone/ssl
[root@controller ~]# chmod -R o-rwx /etc/keystone/ssl
[root@controller ~]# su -s /bin/sh -c "keystone-manage db_sync" keystone
[root@controller ~]# systemctl enable openstack-keystone.service
[root@controller ~]# systemctl start openstack-keystone.service
0x02. Create tenants, users, and roles (controller node)
[root@controller ~]# export OS_SERVICE_TOKEN=cdda1486bf623ac74d53
[root@controller ~]# export OS_SERVICE_ENDPOINT=http://controller:35357/v2.0
2-1. Create an administrative tenant, user, and role for administrative operations in your environment:
a. Create the admin tenant:
[root@controller ~]# keystone tenant-create --name admin --description "Admin Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Admin Tenant                     |
| enabled     | True                             |
| id          | f42937a2fd484d638ce58e67fef59b67 |
| name        | admin                            |
+-------------+----------------------------------+

b. Create the admin user:
[root@controller ~]# keystone user-create --name admin --pass ADMIN_PASS --email admin@example.com
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | admin@example.com                |
| enabled  | True                             |
| id       | cc58749f0ecb402d9f627ee72bda5afb |
| name     | admin                            |
| username | admin                            |
+----------+----------------------------------+

c. Create the admin role:
[root@controller ~]# keystone role-create --name admin
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| id       | 4fa15a3b9fc6464694696fa75696b191 |
| name     | admin                            |
+----------+----------------------------------+

d. Add the admin role to the admin tenant and user:
[root@controller ~]# keystone user-role-add --user admin --tenant admin --role admin
2-2. Create a demo tenant and user for typical operations in your environment:
a. Create the demo tenant:
[root@controller ~]# keystone tenant-create --name demo --description "Demo Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Demo Tenant                      |
| enabled     | True                             |
| id          | e15976585a8b45c4984f4ebd9db90b5c |
| name        | demo                             |
+-------------+----------------------------------+

b. Create the demo user under the demo tenant:
[root@controller ~]# keystone user-create --name demo --tenant demo --pass DEMO_PASS --email demo@example.com
+----------+----------------------------------+
| Property | Value                            |
+----------+----------------------------------+
| email    | demo@example.com                 |
| enabled  | True                             |
| id       | 5c8155359c20422c96e7bcd6aa6388ba |
| name     | demo                             |
| tenantId | e15976585a8b45c4984f4ebd9db90b5c |
| username | demo                             |
+----------+----------------------------------+

2-3. OpenStack services also require a tenant, user, and role to interact with other services. Each service typically requires creating one or more unique users with the admin role under the service tenant.
a. Create the service tenant:
[root@controller ~]# keystone tenant-create --name service --description "Service Tenant"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | Service Tenant                   |
| enabled     | True                             |
| id          | 6826a4d9fa7f4e438f3c79010ad80dcd |
| name        | service                          |
+-------------+----------------------------------+

0x03. Create the service entity and API endpoint (controller node)
3-1. Create the service entity for the Identity service:
[root@controller ~]# keystone service-create --name keystone --type identity \
--description "OpenStack Identity"
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | 5da5b6f72df341a7959ee7b42131c082 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+

3-2. Create the Identity service API endpoints:
[root@controller ~]# keystone endpoint-create \
--service-id $(keystone service-list | awk '/ identity / {print $2}') \
--publicurl http://controller:5000/v2.0 \
--internalurl http://controller:5000/v2.0 \
--adminurl http://controller:35357/v2.0 \
--region regionOne
+-------------+----------------------------------+
| Property    | Value                            |
+-------------+----------------------------------+
| adminurl    | http://controller:35357/v2.0     |
| id          | 90af99e76cc54249b5ac3ec4269b0d99 |
| internalurl | http://controller:5000/v2.0      |
| publicurl   | http://controller:5000/v2.0      |
| region      | regionOne                        |
| service_id  | 5da5b6f72df341a7959ee7b42131c082 |
+-------------+----------------------------------+

0x04. Verify the steps above (controller node)
4-1. Unset the variables
[root@controller ~]# unset OS_SERVICE_TOKEN OS_SERVICE_ENDPOINT
4-2. Verify the token
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \
--os-auth-url http://controller:35357/v2.0 token-get
+-----------+----------------------------------+
| Property  | Value                            |
+-----------+----------------------------------+
| expires   | --01T09::34Z                     |
| id        | 6ce0cc1d7cf94cd39f66f8cad8d78da1 |
| tenant_id | f42937a2fd484d638ce58e67fef59b67 |
| user_id   | cc58749f0ecb402d9f627ee72bda5afb |
+-----------+----------------------------------+
4-3. List tenants
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \
--os-auth-url http://controller:35357/v2.0 tenant-list
+----------------------------------+---------+---------+
| id                               | name    | enabled |
+----------------------------------+---------+---------+
| f42937a2fd484d638ce58e67fef59b67 | admin   | True    |
| e15976585a8b45c4984f4ebd9db90b5c | demo    | True    |
| 6826a4d9fa7f4e438f3c79010ad80dcd | service | True    |
+----------------------------------+---------+---------+

4-4. List users
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \
--os-auth-url http://controller:35357/v2.0 user-list
+----------------------------------+-------+---------+-------------------+
| id                               | name  | enabled | email             |
+----------------------------------+-------+---------+-------------------+
| cc58749f0ecb402d9f627ee72bda5afb | admin | True    | admin@example.com |
| 5c8155359c20422c96e7bcd6aa6388ba | demo  | True    | demo@example.com  |
+----------------------------------+-------+---------+-------------------+

4-5. List roles
[root@controller ~]# keystone --os-tenant-name admin --os-username admin --os-password ADMIN_PASS \
--os-auth-url http://controller:35357/v2.0 role-list
+----------------------------------+----------+
| id                               | name     |
+----------------------------------+----------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ |
| 4fa15a3b9fc6464694696fa75696b191 | admin    |
+----------------------------------+----------+

4-6. Get a token as the demo user
[root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS \
--os-auth-url http://controller:35357/v2.0 token-get
+-----------+----------------------------------+
| Property  | Value                            |
+-----------+----------------------------------+
| expires   | --01T10::54Z                     |
| id        | 8beacb3ab30e402583b9e1ff2bdf05ba |
| tenant_id | e15976585a8b45c4984f4ebd9db90b5c |
| user_id   | 5c8155359c20422c96e7bcd6aa6388ba |
+-----------+----------------------------------+

4-7. Attempt an operation without permission
[root@controller ~]# keystone --os-tenant-name demo --os-username demo --os-password DEMO_PASS \
> --os-auth-url http://controller:35357/v2.0 user-list
You are not authorized to perform the requested action: admin_required (HTTP )

0x05. Create OpenStack client environment scripts (controller node)
5-1. Add the environment variables for admin
[root@controller ~]# vi admin-openrc.sh
export OS_TENANT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=ADMIN_PASS
export OS_AUTH_URL=http://controller:35357/v2.0
5-2. Add the environment variables for the demo user
[root@controller ~]# vi demo-openrc.sh
export OS_TENANT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=DEMO_PASS
export OS_AUTH_URL=http://controller:5000/v2.0
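
Added example (not part of the original post or of OpenStack): a shell audit of the files this walkthrough leaves on the controller. It reports whether the bootstrap admin_token from 0x01 is still set in keystone.conf, whether that file, which embeds the database password, is world-readable, and whether an openrc file exporting OS_PASSWORD is readable by group or others. The function names and finding labels are invented for the example, and the sample files are constructed from the values shown above.

```sh
# Added example: audit the files this walkthrough leaves on the controller.
# Function names and finding labels are invented for this example.
# Print KEY from [SECTION] of an INI-style file (comment lines are skipped).
ini_get() {  # usage: ini_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*[#;]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec {
            i = index($0, "="); if (!i) next
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (k == key) { print v; exit }
        }' "$1"
}

# True when every permission bit in MODE (octal) is set on FILE.
has_mode() { [ -n "$(find "$1" -prune -perm "-$2")" ]; }

# One finding per line on stdout; the token value itself is never printed.
audit_keystone_conf() {
    token=$(ini_get "$1" DEFAULT admin_token)
    if [ -n "$token" ]; then
        echo "ADMIN_TOKEN_SET: bootstrap admin_token still configured (${#token} chars)"
    fi
    case $(ini_get "$1" database connection) in
        *://*:*@*) if has_mode "$1" 004; then
            echo "DB_PASSWORD_READABLE: connection embeds a password; file is world-readable"
        fi ;;
    esac
}

audit_openrc() {
    if grep -q '^[[:space:]]*export[[:space:]]\{1,\}OS_PASSWORD=' "$1" &&
       { has_mode "$1" 040 || has_mode "$1" 004; }; then
        echo "OPENRC_READABLE: $1 exports OS_PASSWORD and is group/world-readable"
    fi
}

# Constructed sample files that mirror the settings shown above.
run_demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[DEFAULT]' 'admin_token = cdda1486bf623ac74d53' '[database]' \
        'connection = mysql://keystone:KEYSTONE_DBPASS@controller/keystone' > "$d/keystone.conf"
    printf '%s\n' 'export OS_USERNAME=admin' 'export OS_PASSWORD=ADMIN_PASS' > "$d/admin-openrc.sh"
    chmod 644 "$d/keystone.conf" "$d/admin-openrc.sh"
    audit_keystone_conf "$d/keystone.conf"; audit_openrc "$d/admin-openrc.sh"
    rm -rf "$d"
}
run_demo
```

The keystone service account must be able to read keystone.conf, so only the world-readable bit is flagged for that file; the openrc files are personal credentials and are flagged for any group or other read bit.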
