I. Verify the service by requesting an identity token
[root@controller ~]# keystone --os-username=admin --os-password=000000 --os-auth-url=http://192.168.154.10:35357/v2.0 token-get
The result is as follows:
| id | MIIC8QYJKoZIhvcNAQcCoIIC4jCCAt4CAQExCTAHBgUrDgMCGjCCAUcGCSqGSIb3DQEHAaCCATgEggE0eyJhY2Nlc3MiOiB7InRva2VuIjogeyJpc3N1ZWRfYXQiOiAiMjAxOC0wNi0xMlQyMTowODoxMS4wNDc2ODgiLCAiZXhwaXJlcyI6ICIyMDE4LTA2LTEyVDIyOjA4OjExWiIsICJpZCI6ICJwbGFjZWhvbGRlciJ9LCAic2VydmljZUNhdGFsb2ciOiBbXSwgInVzZXIiOiB7InVzZXJuYW1lIjogImFkbWluIiwgInJvbGVzX2xpbmtzIjogW10sICJpZCI6ICIwNWQ5ZjA5NGQ4NjQ0ZGZkYTQ1N2RiZDJhN2ViYTQxYiIsICJyb2xlcyI6IFtdLCAibmFtZSI6ICJhZG1pbiJ9LCAibWV0YWRhdGEiOiB7ImlzX2FkbWluIjogMCwgInJvbGVzIjogW119fX0xggGBMIIBfQIBATBcMFcxCzAJBgNVBAYTAlVTMQ4wDAYDVQQIDAVVbnNldDEOMAwGA1UEBwwFVW5zZXQxDjAMBgNVBAoMBVVuc2V0MRgwFgYDVQQDDA93d3cuZXhhbXBsZS5jb20CAQEwBwYFKw4DAhowDQYJKoZIhvcNAQEBBQAEggEAMU0a99cRwgSB-4+SH+Yv9bL06gJR0epceIX0hHuSqFQdu-NjwpoHHrMGpg3LYWiFmFhbIPyWDJ2kPhKeqaY2hClYIsJqZjBHlbuRIPfQJctYN6RnW-mCfvKwaxCy55oj964h4+aIjcL3lZuINfbBJu-84qxdAcCVQ29J82dRV31+Nv4jgh4nzrWMxNkb8RqPN-k0aAbQiyF-4D49tBtSpMlg4F0760qo1MA6lg6L3RM9LJIPRDAag4GdAu5tXH8TdZsSZ0zUgMOScTga2cUONW-O96OgokMpRghnqqJDT0sJ30nFCzA7pkHIBGnKhktVG0kDs47lBMVe57JNqfZylw== |
| user_id | 05d9f094d8644dfda457dbd2a7eba41b
II. Manage authenticated users
1. Create a user
[root@controller ~]# keystone user-create --name=alice --pass=mypassword123 --email=alice@example.com
The result is as follows:
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | alice@example.com |
| enabled | True |
| id | b144ae459617419787a14defe8fd7481 |
| name | alice |
| username | alice |
+----------+----------------------------------+
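If the following error appears, source the admin credentials file so that its environment variables take effect, then rerun the command.
Expecting an auth URL via either --os-auth-url or env[OS_AUTH_URL]
[root@controller ~]# source /etc/keystone/admin-openrc.sh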
2. Create a tenant
[root@controller ~]# keystone tenant-create --name=acme
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | |
| enabled | True |
| id | 0de923dec82f4445acfbf0ebe2c87087 |
| name | acme |
+-------------+----------------------------------+
3. Create a role
[root@controller ~]# keystone role-create --name=compute-user
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| id | 5c2683be261242f1a76829bbc02e1939 |
| name | compute-user |
+----------+----------------------------------+
4. Bind the user to the tenant with a role
[root@controller ~]# keystone user-role-add --user=alice --role=compute-user --tenant-id=0de923dec82f4445acfbf0ebe2c87087  # the tenant-id here is the id of acme
[root@controller ~]# keystone user-list
+----------------------------------+------------+---------+-------------------+
| id | name | enabled | email |
+----------------------------------+------------+---------+-------------------+
| 05d9f094d8644dfda457dbd2a7eba41b | admin | True | |
| b144ae459617419787a14defe8fd7481 | alice | True | alice@example.com |
| dee8860edd3a4755b8fedf5689f36a1e | ceilometer | True | |
| 46a8a85fef894cbeb02e60d6b0d1673c | cinder | True | |
| 3d3177160dc64db1ae4e032d2b247092 | glance | True | |
| ed9e6ab4204a4f1fa54bac1b9b0b6954 | heat | True | |
| ed8dcac9518546879977f246a16ed452 | neutron | True | |
| b318880c12524c1a8959aebd7e597856 | nova | True | |
| f1deb3904f16412db165e93d5c3e5b9f | swift | True | |
+----------------------------------+------------+---------+-------------------+
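Task 2: Create tenants and users, and bind user permissions
1. Create tenants
Create the projects RD_Dept (R&D department), BS_Dept (business department) and IT_Dept (IT engineering department).
Create RD_Dept through the dashboard.
Create BS_Dept for the business department from the shell.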
[root@controller ~]# keystone tenant-create --name BS_Dept --description 业务部门
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | 业务部门 |
| enabled | True |
| id | 4558b6a46ccb4b1fa573beb46b93acba |
| name | BS_Dept |
+-------------+----------------------------------+
[root@controller ~]# keystone tenant-get BS_Dept  # get the tenant's details
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | 业务部门 |
| enabled | True |
| id | 4558b6a46ccb4b1fa573beb46b93acba |
| name | BS_Dept |
+-------------+----------------------------------+
Create the IT_Dept tenant with a script.
[root@controller ~]# chmod +x *.sh
[root@controller ~]# ./Keystone-manage-tenant.sh
Please Input new tenant name : eg (openstack)
IT_Dept  # enter the department name
Please Input tenant description : eg (openstack description)
IT工程部门  # department description
+-------------+----------------------------------+
| Property | Value |
+-------------+----------------------------------+
| description | IT工程部门 |
| enabled | True |
| id | 7e299c705c3c453fbf7dff01129f6597 |
| name | IT_Dept |
+-------------+----------------------------------+
Keystone All Tenant List
+----------------------------------+---------+---------+
| id | name | enabled |
+----------------------------------+---------+---------+
| 4558b6a46ccb4b1fa573beb46b93acba | BS_Dept | True |
| 7e299c705c3c453fbf7dff01129f6597 | IT_Dept | True |
| 2531f81345bb44f4ba134788e1349633 | RD_Dept | True |
| 0de923dec82f4445acfbf0ebe2c87087 | acme | True |
| 8544088d07944679bbd25416e1f518f5 | admin | True |
| 5c73d9684df54084af80333c63f013dc | service | True |
+----------------------------------+---------+---------+
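2. Create user accounts
Create rduser001~rduser050 with the password cloudpasswd, bsuser001~bsuser045 with cloudpasswd, and ituser001~ituser005 with cloudpasswd.
Create rduser001 through the dashboard, with the password cloudpasswd.
Create rduser002 from the shell, with the password cloudpasswd.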
[root@controller ~]# keystone user-create --name rduser002 --pass cloudpasswd --email rduser002@example.com
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | rduser002@example.com |
| enabled | True |
| id | 820789e352134102a9ef226162f60aea |
| name | rduser002 |
| username | rduser002 |
+----------+----------------------------------+
Create rduser003-050 by running a shell script.
[root@controller ~]# ./Keystone-manage-user.sh
Please Input New User Name : eg (username)
rduser
Please Input User Password: eg (000000)
cloudpasswd
Please Input User Email Address,If don't need press enter: eg (openstack.com)
example.com
Please Input User Beginning And End Number: eg (001-002)
003-050
Please enter the User belong Roles Name, Press enter for '_member_' role by default: eg (admin)
Please Input User belong Tenant Name: eg (tenantname)
RD_Dept
+----------+----------------------------------+
| Property | Value |
+----------+----------------------------------+
| email | rduser003@example.com |
| enabled | True |
| id | 84b9042a33334e76a622e3d8ddfaba14 |
| name | rduser003 |
| username | rduser003 |
+----------+----------------------------------+
Create bsuser001~bsuser045 and ituser001~ituser005.
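The range prompt above (003-050) implies zero-padded name expansion. The following is an added example, not the Keystone-manage-user.sh script used on this page (its source is not shown): it validates the inputs and prints the `keystone` commands for a batch as a dry run. The function names and the `NEW_USER_PASS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: dry-run planner for a numbered batch of Keystone users.
# It only prints commands; nothing here contacts Keystone.

# Allow only characters that are safe to place unquoted on a command line.
is_safe() { case $1 in ''|*[!A-Za-z0-9_.-]*) return 1;; esac; }

# Strip leading zeros so "008" is never treated as an octal literal.
to_decimal() {
    n=$(printf '%s' "$1" | sed 's/^0*//')
    printf '%s' "${n:-0}"
}

# expand_range PREFIX START-END -> one zero-padded name per line
expand_range() {
    is_safe "$1" || { echo "bad prefix" >&2; return 1; }
    case $2 in
        *[!0-9-]*|-*|*-|*-*-*) echo "bad range" >&2; return 1;;
        *-*) ;;
        *) echo "bad range" >&2; return 1;;
    esac
    start=${2%-*}; end=${2#*-}; width=${#start}
    i=$(to_decimal "$start"); last=$(to_decimal "$end")
    [ "$i" -le "$last" ] || { echo "start exceeds end" >&2; return 1; }
    while [ "$i" -le "$last" ]; do
        printf "%s%0${width}d\n" "$1" "$i"
        i=$((i + 1))
    done
}

# plan_users PREFIX RANGE EMAIL_DOMAIN TENANT ROLE
# The password is referenced as $NEW_USER_PASS (hypothetical variable) and is
# expanded only when the plan is executed, so the plan text never contains it.
plan_users() {
    for w in "$3" "$4" "$5"; do
        is_safe "$w" || { echo "unsafe argument: $w" >&2; return 1; }
    done
    names=$(expand_range "$1" "$2") || return 1
    for u in $names; do
        printf 'keystone user-create --name %s --pass "$NEW_USER_PASS" --email %s@%s\n' "$u" "$u" "$3"
        printf 'keystone user-role-add --user %s --tenant %s --role %s\n' "$u" "$4" "$5"
    done
}

# Constructed demo input, mirroring the values typed at the prompts above.
plan_users rduser 003-005 example.com RD_Dept _member_
```

Reviewing the printed plan before running it shows exactly which accounts and role bindings a batch will create.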
3. Bind user permissions
Bind the ordinary-user role to rduser001 through the dashboard.
Bind the ordinary-user role to rduser002 from the shell command line.
[root@controller ~]# keystone user-role-add --user rduser002 --tenant RD_Dept --role _member_
[root@controller ~]# keystone user-role-list --user rduser002 --tenant RD_Dept
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 820789e352134102a9ef226162f60aea | 2531f81345bb44f4ba134788e1349633 |
+----------------------------------+----------+----------------------------------+----------------------------------+
Use a shell script to bind both the ordinary-user and administrator roles to ituser001~ituser005 of the IT engineering department.
[root@controller ~]# ./Keystone-manage-add-role.sh
Please Enter The User Name
ituser
Please Input User Beginning And End Number: eg (001-002)
001-005
Please Enter the Tenant Name
IT_Dept
Please Enter the Role Name
admin
Keystone user ituser001 tenant IT_Dept role list
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 67d178d9b53a4bf48efec1b30cf845fe | 7e299c705c3c453fbf7dff01129f6597 |
| 50391b0f36784a8595361e6b553a2921 | admin | 67d178d9b53a4bf48efec1b30cf845fe | 7e299c705c3c453fbf7dff01129f6597 |
+----------------------------------+----------+----------------------------------+----------------------------------+
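After a batch grant like the one above, the `keystone user-role-list` table can be parsed to confirm which accounts now hold the admin role. The following is an added example, not part of the original scripts; the function names and the `PRIVILEGED_ROLES` list are assumptions, and the sample input is the ituser001 table shown above.

```shell
#!/bin/sh
# Added example: review role grants from `keystone user-role-list` output.

# Role names treated as privileged (assumption of this example).
PRIVILEGED_ROLES="admin"

# parse_role_table: read the CLI table on stdin and print
# "role user_id tenant_id" per data row; borders and the header are skipped.
parse_role_table() {
    awk -F'|' '
        $0 ~ /^[+]/ { next }
        NF >= 6 {
            for (i = 2; i <= 5; i++) gsub(/^[ \t]+|[ \t]+$/, "", $i)
            if ($2 == "id") next
            print $3, $4, $5
        }'
}

# admin_grants: print "user_id tenant_id" for every privileged grant found.
admin_grants() {
    parse_role_table | while read -r role user tenant; do
        for p in $PRIVILEGED_ROLES; do
            if [ "$role" = "$p" ]; then printf '%s %s\n' "$user" "$tenant"; fi
        done
    done
}

# Sample input: the ituser001 role table from the script output above.
sample_table() {
    cat <<'EOF'
Keystone user ituser001 tenant IT_Dept role list
+----------------------------------+----------+----------------------------------+----------------------------------+
| id | name | user_id | tenant_id |
+----------------------------------+----------+----------------------------------+----------------------------------+
| 9fe2ff9ee4384b1894a90878d3e92bab | _member_ | 67d178d9b53a4bf48efec1b30cf845fe | 7e299c705c3c453fbf7dff01129f6597 |
| 50391b0f36784a8595361e6b553a2921 | admin | 67d178d9b53a4bf48efec1b30cf845fe | 7e299c705c3c453fbf7dff01129f6597 |
+----------------------------------+----------+----------------------------------+----------------------------------+
EOF
}

sample_table | admin_grants
```

On a live controller the same check is `keystone user-role-list --user ituser001 --tenant IT_Dept | admin_grants`, repeated per user and tenant.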