Openstack_O版(otaka)部署_认证服务keystone部署
安装和配置服务
1. 建keystone库建用户
在控制节点执行
mysql -uroot -p123456 CREATE DATABASE keystone; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'localhost' IDENTIFIED BY ''; GRANT ALL PRIVILEGES ON keystone.* TO 'keystone'@'%' IDENTIFIED BY ''; flush privileges;
2.软件安装
yum install openstack-keystone httpd mod_wsgi -y
3. 编辑配置文件
vim /etc/keystone/keystone.conf
[DEFAULT]
admin_token = b4164396208d7fe6d48b # 建议用命令制作 token:openssl rand -hex 10
[database]
connection = mysql+pymysql://keystone:123456@controller01/keystone
[token]
provider = fernet
4. 同步修改到数据库
su -s /bin/sh -c "keystone-manage db_sync" keystone
5. 初始化fernet keys
keystone-manage fernet_setup --keystone-user keystone --keystone-group keystone
6. 配置apache服务
vim /etc/httpd/conf/httpd.conf
ServerName controller01
vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-public
WSGIScriptAlias / /usr/bin/keystone-wsgi-public
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
<VirtualHost *:35357>
WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
WSGIProcessGroup keystone-admin
WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
WSGIApplicationGroup %{GLOBAL}
WSGIPassAuthorization On
ErrorLogFormat "%{cu}t %M"
ErrorLog /var/log/httpd/keystone-error.log
CustomLog /var/log/httpd/keystone-access.log combined
<Directory /usr/bin>
Require all granted
</Directory>
</VirtualHost>
7. 启动Web服务
systemctl enable httpd.service
systemctl restart httpd.service
创建服务实体和访问端点
1. 实现配置管理员环境变量,用于获取后面创建的权限
export OS_TOKEN=b4164396208d7fe6d48b export OS_URL=http://controller01:35357/v3 export OS_IDENTITY_API_VERSION=3
2. 基于上一步给的权限,创建认证服务实体(目录服务)
openstack service create --name keystone --description "OpenStack Identity" identity +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | OpenStack Identity |
| enabled | True |
| id | aa47cd781e53430dad37b0c9944b688b |
| name | keystone |
| type | identity |
+-------------+----------------------------------+
3. 基于上一步建立的服务实体,创建访问该实体的三个api端点
openstack endpoint create --region RegionOne identity public http://controller01:5000/v3 +--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 41fee09de7cc4e9b8d08c0b73e9f39d3 |
| interface | public |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:5000/v3 |
+--------------+----------------------------------+ openstack endpoint create --region RegionOne identity internal http://controller01:5000/v3 +--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | d5dcf1954a414131913f7fa4ea5182ee |
| interface | internal |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:5000/v3 |
+--------------+----------------------------------+ openstack endpoint create --region RegionOne identity admin http://controller01:35357/v3 +--------------+----------------------------------+
| Field | Value |
+--------------+----------------------------------+
| enabled | True |
| id | 93fe3d113327455f9c973d3b42579268 |
| interface | admin |
| region | RegionOne |
| region_id | RegionOne |
| service_id | aa47cd781e53430dad37b0c9944b688b |
| service_name | keystone |
| service_type | identity |
| url | http://controller01:35357/v3 |
+--------------+----------------------------------+
创建域,租户,用户,角色,把四个元素关联到一起
1. 建立一个公共的域名
openstack domain create --description "Default Domain" default +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Default Domain |
| enabled | True |
| id | 135e691ebbb74fefb5086970eac74706 |
| name | default |
+-------------+----------------------------------+
2. 建立一个管理员
openstack project create --domain default --description "Admin Project" admin +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Admin Project |
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | a3f24ce750034504876c0132c427306e |
| is_domain | False |
| name | admin |
| parent_id | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+ openstack user create --domain default --password-prompt admin +---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 1a1f6cf671474f45b81bf4150d8f6a67 |
| name | admin |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
3. 建立一个角色:admin
openstack role create admin +-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | a442951d5ed044b78c80c223aef2bf3a |
| name | admin |
+-----------+----------------------------------+ openstack role add --project admin --user admin admin
4. 建立一个普通用户
openstack project create --domain default --description "Demo Project" demo +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Demo Project |
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 890abe6826374c4d94b371d035f3f6ee |
| is_domain | False |
| name | demo |
| parent_id | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+ openstack user create --domain default --password-prompt demo +---------------------+----------------------------------+
| Field | Value |
+---------------------+----------------------------------+
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 8f26fad523ed4b6e9c30fbfa21cc8544 |
| name | demo |
| options | {} |
| password_expires_at | None |
+---------------------+----------------------------------+
5. 建立一个普通角色
openstack role create user +-----------+----------------------------------+
| Field | Value |
+-----------+----------------------------------+
| domain_id | None |
| id | 3065224e5e32425a8d84775fe0fadbbc |
| name | user |
+-----------+----------------------------------+ openstack role add --project demo --user demo user
6. 为后续的服务创建统一租户service
# 解释:后面每搭建一个新的服务都需要在keystone中执行四种操作:1.建租户 2.建用户 3.建角色 4.做关联 # 后面所有的服务公用一个租户service,都是管理员角色admin,所以实际上后续的服务安装关于keysotne的操作只剩2,4 openstack project create --domain default --description "Service Project" service +-------------+----------------------------------+
| Field | Value |
+-------------+----------------------------------+
| description | Service Project |
| domain_id | 135e691ebbb74fefb5086970eac74706 |
| enabled | True |
| id | 38fce9de65f2455088be6196678e2090 |
| is_domain | False |
| name | service |
| parent_id | 135e691ebbb74fefb5086970eac74706 |
+-------------+----------------------------------+
验证操作
vim /etc/keystone/keystone-paste.ini
在[pipeline:public_api], [pipeline:admin_api], and [pipeline:api_v3] 三个地方
移走:admin_token_auth
unset OS_TOKEN OS_URL
openstack --os-auth-url http://controller01:35357/v3 --os-project-domain-name default --os-user-domain-name default --os-project-name admin --os-username admin token issue
+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Field | Value |
+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| expires | 2018-02-02T02:45:24+0000 |
| id | gAAAAABac8K0yoQzaByOrSYlzDGUAASjSuz-4mcyk6neOMNoCh_pkqXZH20wW3n6RXOQ4fk2IZQyM1yt0MMghtYakyurzghBFsuVYBw- |
| | 76mA2yQRGDTtL_3XTcg8AHD2Oaw0_UTZ59ROda_l6deP_BFGnyxIvO80pcUXBqp6HN7xzgP5ssnnXkQ |
| project_id | a3f24ce750034504876c0132c427306e |
| user_id | 1a1f6cf671474f45b81bf4150d8f6a67 |
+------------+------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
新建客户端脚本文件
管理员:admin-openrc
vim admin-openrc
export OS_PROJECT_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default export OS_PROJECT_NAME=admin export OS_USERNAME=admin export OS_PASSWORD=123456 export OS_AUTH_URL=http://controller01:35357/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
普通用户demo:demo-openrc
vim demo-openrc
export OS_PROJECT_DOMAIN_NAME=default export OS_USER_DOMAIN_NAME=default export OS_PROJECT_NAME=demo export OS_USERNAME=demo export OS_PASSWORD=che001 export OS_AUTH_URL=http://controller01:5000/v3 export OS_IDENTITY_API_VERSION=3 export OS_IMAGE_API_VERSION=2
效果:
source admin-openrc openstack token issue
Openstack_O版(otaka)部署_认证服务keystone部署的更多相关文章
- Openstack_O版(otaka)部署_准备环境和依赖软件
架构介绍 本次案列为基本的三节点部署 一:网络: 1.管理网络:192.168.198.0/24 2.数据网络:10.0.0.0/24 二:操作系统: CentOS Linux release 7.3 ...
- Openstack_O版(otaka)部署_镜像服务glance部署
安装和配置服务 1. 建库建用户 mysql -u root -p CREATE DATABASE glance; GRANT ALL PRIVILEGES ON glance.* TO '; GRA ...
- Openstack_O版(otaka)部署_网络服务Neutron部署
控制节点配置 1. 建库建用户 CREATE DATABASE neutron; GRANT ALL PRIVILEGES ON neutron.* TO '; GRANT ALL PRIVILEGE ...
- Openstack_O版(otaka)部署_Nova部署
控制节点配置 1. 建库建用户 CREATE DATABASE nova_api; CREATE DATABASE nova; GRANT ALL PRIVILEGES ON nova_api.* T ...
- Openstack_O版(otaka)部署_Horizon部署
控制节点 1. 安装软件包 yum install openstack-dashboard -y 2. 修改配置文件 vim /etc/openstack-dashboard/local_settin ...
- OpenStack 认证服务 KeyStone部署(三)
Keystone 介绍 Keystone作用: 用户与认证:用户权限与用户行为跟踪: 服务目录:提供一个服务目录,包括所有服务项和相关Api的断点 SOA相关知识 Keystone主要两大功能用户认证 ...
- OpenStack 认证服务 KeyStone部署 (四)
Keystone作用: 用户与认证:用户权限与用户行为跟踪: 服务目录:提供一个服务目录,包括所有服务项和相关Api的断点 SOA相关知识 Keystone主要两大功能用户认证和服务目录(相当于一个注 ...
- openstack项目【day24】:keystone部署及操作
阅读目录 一 前言 二 版本信息 三 部署keystone 四 keystone操作 五 验证 六 创建脚本 七 keystone使用套路总结 一 前言 任何软件的部署都是没有技术含量的,任何就部署讲 ...
- keystone系列四:keystone部署及操作
一 前言 任何软件的部署都是没有技术含量的,任何就部署讲部署的人都是江湖骗子. 部署的本质就是拷贝,粘贴,回车.我们家养了条狗,它可以胜任这件事情. 我们搞技术的,一定不能迂腐:轻信或者一概不信. 轻 ...
随机推荐
- Eclipse去掉对JS文件的Validation
Eclipse不去掉对JS文件的Validation,编译时会花费很长的时间,有时甚至会导致编译失败. 可以按照如下的方式去掉对JS文件的Validation. 一.window->prefer ...
- 《深入理解Java虚拟机》学习笔记(二)
垃圾回收的前提是判断对象是否存活,对象不再存活时将会被回收,下面是2种判断的方法. 引用计数法: 主流的Java虚拟机并没有使用引用计数法来管理内存,重要的原因就是循环引用的问题难以解决. 可达性分析 ...
- BZOJ 4555: [Tjoi2016&Heoi2016]求和 [FFT 组合计数 容斥原理]
4555: [Tjoi2016&Heoi2016]求和 题意:求\[ \sum_{i=0}^n \sum_{j=0}^i S(i,j)\cdot 2^j\cdot j! \\ S是第二类斯特林 ...
- CF528D. Fuzzy Search [FFT]
CF528D. Fuzzy Search 题意:DNA序列,在母串s中匹配模式串t,对于s中每个位置i,只要s[i-k]到s[i+k]中有c就认为匹配了c.求有多少个位置匹配了t 预处理\(f[i][ ...
- 网络编程之socketserver
网络编程之socketserver """ socketserver.py 中的5个基础类 +------------+ | BaseServer | +-------- ...
- [Python Study Notes]磁盘信息和IO性能
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''' ...
- 解决PhpStorm卡顿的问题
以前的开发一直使用phpstorm.可谓是情有独钟,但是发现随着开发phpStorm逐渐变得卡顿,也试过其他的编译器,但是都感觉没有PhpSrom好用,网上百度了一下,看到不一样的回答.只要修改两个J ...
- Maven文件配置
Maven文件路径的配置 默认设置 修改之后的设置 Maven文件内容的配置 对于Maven 的 settings.xml 文件,需要注意. <mirror>镜像元素之间是互斥的,优先级是 ...
- OpenCV亚像素角点cornerSubPixel()源代码分析
上一篇博客中讲到了goodFeatureToTrack()这个API函数能够获取图像中的强角点.但是获取的角点坐标是整数,但是通常情况下,角点的真实位置并不一定在整数像素位置,因此为了获取更为精确的角 ...
- Windows Server 2016-存储新增功能
本章给大家介绍有关Windows Server 2016 中存储方面的新增功能,具体内容如下: 1.Storage Spaces Direct: 存储空间直通允许通过使用具有本地存储的服务器构建高可用 ...