4-openstack之keystone下
4.1 查看修改的keystone的配置文件
[root@linux-node1 ~]# grep -En '^[a-Z]' /etc/keystone/keystone.conf
152:debug = true                                                    #default模块
17:admin_token = 0eed56d434cbac30394c                               #DEFAULT模块,token机制(仅用于初始引导)
640:connection = mysql://keystone:keystone@192.168.56.11/keystone   #database模块 认证数据库所在的地址
1472:servers = 192.168.56.11:11211                                  #memcache模块,token存放的地址
2294:driver = sql                                                   #revoke 模块
2655:provider = uuid                                                #token模块
2665:driver = memcache                                              #token模块
4.2 启动memcache服务
[root@linux-node1 ~]# systemctl start memcached.service
[root@linux-node1 ~]# systemctl enable memcached.service
4.3 配置keystone的web服务,通过apache以WSGI方式运行python程序
4.3.1 apache的主配置文件
[root@linux-host1 ~]# vim /etc/httpd/conf/httpd.conf
95 ServerName 192.168.10.11:80
4.3.2增加配置文件
[root@linux-host1 ~]# vim /etc/httpd/conf.d/wsgi-keystone.conf
Listen 5000
Listen 35357
<VirtualHost *:5000>
    WSGIDaemonProcess keystone-public processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-public
    WSGIScriptAlias / /usr/bin/keystone-wsgi-public
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
<VirtualHost *:35357>
    WSGIDaemonProcess keystone-admin processes=5 threads=1 user=keystone group=keystone display-name=%{GROUP}
    WSGIProcessGroup keystone-admin
    WSGIScriptAlias / /usr/bin/keystone-wsgi-admin
    WSGIApplicationGroup %{GLOBAL}
    WSGIPassAuthorization On
    ErrorLogFormat "%{cu}t %M"
    ErrorLog /var/log/httpd/keystone-error.log
    CustomLog /var/log/httpd/keystone-access.log combined
    <Directory /usr/bin>
        Require all granted
    </Directory>
</VirtualHost>
4.3.3 启动httpd服务
[root@linux-node1 ~]# systemctl enable httpd
Created symlink from /etc/systemd/system/multi-user.target.wants/httpd.service to /usr/lib/systemd/system/httpd.service.
[root@linux-node1 ~]# systemctl restart httpd
4.4.4 查看启动的结果
[root@linux-node1 ~]# # Keystone监听5000和35357两个端口:5000 供外部访问,35357 为管理端口
[root@linux-node1 ~]# netstat -lntup |grep httpd
tcp6 0 0 :::80 :::* LISTEN 17731/httpd
tcp6 0 0 :::35357 :::* LISTEN 17731/httpd
tcp6 0 0 :::5000 :::* LISTEN 17731/httpd
4.5 创建keystone的域 项目 角色 用户
keystone默认没有管理员用户,需要先通过自己在配置文件里设置的admin_token登录来完成初始设置
4.5.1 设置环境变量
[root@linux-node1 bin]# export OS_TOKEN=0eed56d434cbac30394c
[root@linux-node1 bin]# export OS_URL=http://192.168.56.11:35357/v3
[root@linux-node1 bin]# export OS_IDENTITY_API_VERSION=3
4.5.2 首先查看下用户
查看有哪些用户(此时还没有)
[root@linux-node1 bin]# openstack user list
[root@linux-node1 bin]#
4.5.3 创建默认的域
[root@linux-node1 bin]# openstack domain create --description "Default Domain" default
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Default Domain                   |
| enabled     | True                             |
| id          | d1d9728ef1d64905b1ebf54982dc7991 |
| name        | default                          |
+-------------+----------------------------------+
[root@linux-node1 bin]#
4.5.4 创建项目
[root@linux-node1 bin]# openstack project create --domain default --description "Admin Project" admin
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Admin Project                    |
| domain_id   | d1d9728ef1d64905b1ebf54982dc7991 |
| enabled     | True                             |
| id          | 83504041aae94275a03600bb38e9f43a |
| is_domain   | False                            |
| name        | admin                            |
| parent_id   | d1d9728ef1d64905b1ebf54982dc7991 |
+-------------+----------------------------------+
4.5.4 创建一个角色
[root@linux-node1 bin]# openstack role create admin
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 0d07754d4422483a87285c2eaf7216ed |
| name      | admin                            |
+-----------+----------------------------------+
[root@linux-node1 bin]#
4.5.5 创建一个用户
openstack user create --domain default --password-prompt admin
4.5.6 将admin用户授予admin项目的admin角色,即在admin项目中添加一个名为admin的用户,并把它加入admin角色;角色是一组权限的集合
[root@linux-node1 bin]# openstack role add --project admin --user admin admin
4.7 demo用户
4.7.1 demo项目创建
[root@linux-node1 bin]# openstack project create --domain default --description "Demo Project" demo
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | Demo Project                     |
| domain_id   | d1d9728ef1d64905b1ebf54982dc7991 |
| enabled     | True                             |
| id          | 553af6a94bb64d918c21cfe7b84bd4fe |
| is_domain   | False                            |
| name        | demo                             |
| parent_id   | d1d9728ef1d64905b1ebf54982dc7991 |
+-------------+----------------------------------+
[root@linux-node1 bin]#
4.7.2 user 角色
[root@linux-node1 bin]# openstack role create user
+-----------+----------------------------------+
| Field     | Value                            |
+-----------+----------------------------------+
| domain_id | None                             |
| id        | 1064c9c2f8e44c6f87daa05eda7a418d |
| name      | user                             |
+-----------+----------------------------------+
4.7.3 demo用户
[root@linux-node1 bin]# openstack user create --domain default --password-prompt demo
User Password:
Repeat User Password:
+---------------------+----------------------------------+
| Field               | Value                            |
+---------------------+----------------------------------+
| domain_id           | d1d9728ef1d64905b1ebf54982dc7991 |
| enabled             | True                             |
| id                  | ce8d50b126b446bcbbf948bfa6c78ddd |
| name                | demo                             |
| password_expires_at | None                             |
+---------------------+----------------------------------+
4.7.4 把demo用户赋予user的角色,添加到demo项目里面
[root@linux-node1 bin]# openstack role add --project demo --user demo user
4.7.5 查看用户
[root@linux-node1 ~]# openstack user list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 49f7496df3da4892b78903021b733541 | admin |
| ce8d50b126b446bcbbf948bfa6c78ddd | demo  |
+----------------------------------+-------+
[root@linux-node1 ~]#
4.7.6 查看角色
[root@linux-node1 ~]# openstack role list
+----------------------------------+-------+
| ID                               | Name  |
+----------------------------------+-------+
| 0d07754d4422483a87285c2eaf7216ed | admin |
| 1064c9c2f8e44c6f87daa05eda7a418d | user  |
+----------------------------------+-------+
[root@linux-node1 ~]#
4.7.7 查看项目
[root@linux-node1 ~]# openstack project list
+----------------------------------+---------+
| ID                               | Name    |
+----------------------------------+---------+
| 553af6a94bb64d918c21cfe7b84bd4fe | demo    |
| 83504041aae94275a03600bb38e9f43a | admin   |
| 8437cbb8cd8d4982bedb6ef944d9423b | service |
+----------------------------------+---------+
[root@linux-node1 ~]#
4.8 keystone本身也要作为一个服务注册到keystone中
创建keystone服务
[root@linux-node1 bin]# openstack service create --name keystone --description "OpenStack Identity" identity
+-------------+----------------------------------+
| Field       | Value                            |
+-------------+----------------------------------+
| description | OpenStack Identity               |
| enabled     | True                             |
| id          | fb736ae810e44272956dfd24307aa903 |
| name        | keystone                         |
| type        | identity                         |
+-------------+----------------------------------+
4.9 keystone端点(endpoint)管理
4.9.1 公共端点(public),可以是公网的IP
[root@linux-node1 bin]# openstack endpoint create --region RegionOne identity public http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c1a69a3fc8494e839dea7d1f13b06815 |
| interface    | public                           |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fb736ae810e44272956dfd24307aa903 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+
4.9.2 内部端点(internal)
[root@linux-node1 bin]# openstack endpoint create --region RegionOne identity internal http://192.168.56.11:5000/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | ce3c353e9e924f32bcbc15af2c3169d4 |
| interface    | internal                         |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fb736ae810e44272956dfd24307aa903 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:5000/v3     |
+--------------+----------------------------------+
4.9.3 管理端点(admin)
[root@linux-node1 bin]# openstack endpoint create --region RegionOne identity admin http://192.168.56.11:35357/v3
+--------------+----------------------------------+
| Field        | Value                            |
+--------------+----------------------------------+
| enabled      | True                             |
| id           | c57c406393104470860775514fe601c3 |
| interface    | admin                            |
| region       | RegionOne                        |
| region_id    | RegionOne                        |
| service_id   | fb736ae810e44272956dfd24307aa903 |
| service_name | keystone                         |
| service_type | identity                         |
| url          | http://192.168.56.11:35357/v3    |
+--------------+----------------------------------+
4.9.5 查看所有端点
[root@linux-node1 ~]# openstack endpoint list
+----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+
| ID                               | Region    | Service Name | Service Type | Enabled | Interface | URL                           |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+
| 2c3b5ab42845453e82cc47945a447667 | RegionOne | keystone     | identity     | True    | public    | http://192.168.56.11:5000/v3  |
| ac8478dc89ce4368932fcdab58d84747 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56.11:35357/v3 |
| ce3c353e9e924f32bcbc15af2c3169d4 | RegionOne | keystone     | identity     | True    | internal  | http://192.168.56.11:5000/v3  |
| fd0f6d73af444e67b322b047d060c783 | RegionOne | keystone     | identity     | True    | admin     | http://192.168.56.11:35357/v3 |
+----------------------------------+-----------+--------------+--------------+---------+-----------+-------------------------------+
[root@linux-node1 ~]#
备注:如果后边发现添加错了,可以用 openstack endpoint delete <ID> 删除(例如:2c3b5ab42845453e82cc47945a447667);上面的列表里 admin 端点出现了两条,多余的那条就应该这样删掉。但是得保证前面三个 export 的环境变量仍然存在。
4.10 测试keystone(不再用token登录,取消相关环境变量)。admin_token 只用于初始引导,验证用户名密码能正常登录后,就不应再依赖它,应从 keystone.conf 中去掉或禁用。
[root@linux-node1 ~]# unset OS_TOKEN
[root@linux-node1 ~]# unset OS_URL
测试是否能拿到token
[root@linux-node1 bin]# openstack --os-auth-url http://192.168.56.11:35357/v3 \
> --os-project-domain-name default --os-user-domain-name default \
> --os-project-name admin --os-username admin token issue
Password:            #此处输入的是admin用户的密码(本例为admin)
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-12-17 14:01:09+00:00        |
| id         | 0b5c3d0dd9d14bc4b096d09f856cba40 |
| project_id | 83504041aae94275a03600bb38e9f43a |
| user_id    | 49f7496df3da4892b78903021b733541 |
+------------+----------------------------------+
[root@linux-node1 bin]#
4.11 设置用户环境变量脚本,以后不用每次都这样验证了(脚本里含有明文密码,注意限制文件的读权限)
[root@linux-node1 ~]# cat admin-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=admin
export OS_USERNAME=admin
export OS_PASSWORD=admin
export OS_AUTH_URL=http://192.168.56.11:35357/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]# cat demo-openstack.sh
export OS_PROJECT_DOMAIN_NAME=default
export OS_USER_DOMAIN_NAME=default
export OS_PROJECT_NAME=demo
export OS_USERNAME=demo
export OS_PASSWORD=demo
export OS_AUTH_URL=http://192.168.56.11:5000/v3
export OS_IDENTITY_API_VERSION=3
export OS_IMAGE_API_VERSION=2
[root@linux-node1 ~]#
[root@linux-node1 ~]# chmod +x demo-openstack.sh admin-openstack.sh
[root@linux-node1 ~]# source admin-openstack.sh
[root@linux-node1 ~]# openstack token issue
+------------+----------------------------------+
| Field      | Value                            |
+------------+----------------------------------+
| expires    | 2016-12-17 14:59:36+00:00        |
| id         | af6d349000414d60b6f2141e7468cccf |
| project_id | 83504041aae94275a03600bb38e9f43a |
| user_id    | 49f7496df3da4892b78903021b733541 |
+------------+----------------------------------+
[root@linux-node1 ~]#
